Some sort of malware has hijacked my Internet Explorer and there are constantly several iexplore.exe processes running in the background. I tried uninstalling and disabling IE in the control panel to no effect. When I terminate these iexplore.exe processes, they automatically reappear instantly. Every once in a while, I get a popup ad on my screen in an IE window.
None of the antivirus programs can identify this malware. I normally have running avast free, windows defender, spyblaster, zonealarm firewall and none of them caught this. I also regularly run spybot S&D and windows update. I also did avast free boot time scan, panda, MBAM. Came up with nothing.
The only system to seem to find anything at all was panda. It said I had browser vulnerabilities (no kidding!), but the only suggested solution was an old windows update that had been done long ago. I reinstalled the suggested update with no effect.
I have been searching the web forums and finding very recent reports (many of them this week) of a new possible “root kit” that affects iexplore.exe.
My log files are attached, any help would be greatly appreciated!!
Do you have any of these symptoms besides multiple IE processes? Such as:
1. Volume control randomly mutes the wave setting.
2. Random clicking noises.
3. Random voice ads playing in the background.
If you have any or all of these symptoms, then you are infected with the “Black Internet Trojan” (Win32:Cycler). Where there’s the Black Internet infection, there’s a bootkit (MBR rootkit).
Please download Bootkit Remover by esage lab onto your desktop.
Note: This is a rar file. If you don't have an extraction program, you can use 7-zip or Peazip.
After extracting remover.exe to your Desktop, double-click the remover.exe file to run the program.
Attach or post inline here the output from remover.exe.
Note: The Command prompt window text can be copied to the clipboard by right-clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
Please attach remover.exe output along with the below requested logs.
Yes, it did mute my volume multiple times, which I noticed when I was watching a video. However, I didn't notice #2 and #3 because I usually keep my headset plugged in, I don't use speakerphones. This sounds like the right one.
I had tried remover.exe before (I must have found some instructions somewhere to do this) but it didn’t work when I tried it. However, running it this time, it did find something.
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit…
How do I follow the instructions (what should I enter for device name and output file?)
[edited]
Ok I followed the readme instructions and here’s what I get for a dump
C:\Documents and Settings\TC\Desktop>remover.exe dump \\.\PhysicalDrive0 dump.txt
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
Dumping master boot sector of \\.\PhysicalDrive0…
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: Can’t read first sector of disk by SPTI.
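As an added example, not from this thread and not part of eSage Lab's remover.exe: once a 512-byte MBR dump like the one the "dump" command writes has been obtained, this small Python parser checks the 0x55AA boot signature, decodes the partition table, and compares a hash of the 446-byte boot code region against a baseline recorded from a known-clean disk, which is what "inspect the boot code manually" boils down to. The sample sectors and the baseline hash below are constructed for the demonstration.

```python
# Parse a 512-byte MBR image and flag boot code that differs from a known-good baseline.
# Constructed example; the sample sectors and baseline hash are made up, not from a real disk.
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR image into boot code, non-empty partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0x00 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": parts,
            "signature_ok": sector[SECTOR - 2:] == SIGNATURE}


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True when the boot code region hashes to the baseline taken from a clean disk."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest() == known_good_sha256


# --- constructed sample data (assumed values, not a real dump) -------------------------
def _build_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 0x1000000)  # one bootable NTFS-type entry
    table = entry + b"\x00" * 48                                  # remaining three slots empty
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0")      # stand-in for the clean loader bytes
CLEAN_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = _build_mbr(b"\xeb\x1e\x90\x00\x00")   # same partition table, different code

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(img)
        print(name, "signature_ok=", info["signature_ok"], "partitions=", info["partitions"],
              "boot code matches baseline=", boot_code_matches(img, CLEAN_SHA256))
```

On a real system the baseline hash has to come from a dump taken before the infection or from another machine with the same boot loader; a mismatch says only that the code differs, not what it does.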
The MBR is corrupted. Looks like we will have to fix the MBR with a Windows XP boot CD, if you have it. So back up all of your personal files before proceeding to fix the MBR.