OK had a brief look yesterday eve and this morning (the main problem here is that I have almost no time to devote to solving this problem).

In safe mode, this is what Sophos comes up with:

Warning: Failed to query live registry key \HKEY_LOCAL_MACHINE. You may not have access rights to the whole registry.

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SAM
Removable: No
Notes: (no more detail available)


As regards the 2 iexplore.exes, I took a look at them using ProcExp, and the properties are as follows


Path
C:\Program Files\Internet Explorer\iexplore.exe

Command Line
Removed as suggested below

Current directory
C:\Documents and Settings\Marc\Bureau\


Path
C:\Program Files\Internet Explorer\iexplore.exe

Command Line
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5460 CREDAT:79873

Current directory
C:\Documents and Settings\Marc\Bureau\

Looks like that blacboa URL is your first problem.
That page contains nothing but a script, according to web-sniffer.net

FWIW my properties show no URL after the iexplore program path.

It may be a problem that it is a clickable link above, and NOBODY CLICK ON IT!

mglinert, if you can still edit it, please remove it so nobody accidently clicks on it. It's a public link to an infected site.

Gosh sorry Bob -Sorry everyone. HOpe no one was rash enough to click on it.

I can see now that I will almost certainly have to reformat the drive.

In my BitDefender Firewall have just set the following rule

Path: c:\program files\internet explorer\iexplore.exe
Any command line
Deny access

Yes I can still use IE to access the web!

I guess my concerns now are more these:

Where else might this malware reside?
Is my external HDD, on which my data is backed up, also infected?
After a Windows reinstall is there still a risk that the malware will have survived?

Thanks everyone

Marc

Better safe than sorry. What you have sounds nasty if antimalwaremalware didn't find it. I'd update the antimalware and run again in safe mode. It keeps prett current and a couple days can make a difference; I've seen that happen on a firends machine.

Is there a chance the external drive is indected? Can't rule it out.
If the problem comes back that's one thing to suspect.

I'd unhook it for a couple days after fixing, see if everything seems OK, then pay attention after hooking it back up.. if it comes back you know there's an issue.

You don't show any unusual services running in task manager?
I often start looking for clues on what the infection is right there in taskmanager. Google the processes, and see what it is. Be careful where you go to check, as some of the sites that turn up will offer to run a 'free scan'... and you probably want to avoid that.

Personally I'd google that url too and see if others reported problems related to it.
Also, I'd search BitDefender support to see if there is a way to check that behavior.

Reformatting often results in a loss of a lot of data, and I try to avoid that first, even if time is a factor. Depends on how recent your backup was.

I looked at the main home page for that URL you showed previousy and it has a script to write the URL into favorites right away if IE is browser, then forcibly using a command common in other browsers using javascript before the page even loads. Then it runs some php commands I didn't want to try to follow. Pretty nasty site there for both pages I looked at the code for ..

I’ve been researching this a bit on the superspecialised web sites (majorgeeks, bleeping computer and what have you).
Apparently, the software protects itself from AV scans through changes it has made to the system at the registry level of even deeper.
One of the tools that is most frequently recommended for removing this protection in order to get at the malware is Kaspersky’s ‘TDSSkiller.exe’.
I can get this on to my machine, but it won’t run even when renamed (although it will on my other systems).

The standard procedure thereafter seems to involve the tools DDR, Gmer and Combofix and much expert analysis of the logs produced by these tools. The humble user is advised not to attempt to use these tools without supervision, so I have not.

Also, there are any number of support threads of this type which go on for pages (and weeks) and finish up with a still infected system.

The main symptoms I have are two bogus instances of iexplore.exe which start up shortly after bootup and without my having opened IE.
There seem to be a number of sites at the end of the command line that opens. If I close down one, the new process that opens to replace it is likely to have a different site in the command line, but they all appear to be equally suspect. These URLs are clearly written into the software (malware) as they appear when my connection is disabled.

The other symptom – which I appear to experience less frequently, if at all now – is URL redirect following searches with search engines.

When my internet connection is enabled, I note (from the BitDefender activity window) that data is being downloaded through these processes into my system; so far I have never seen any outbound data (i.e. data being uploaded from my system).

My guess now is that this infection pre-dated the installation of the ‘WindowsRepair’ virus, which must have been downloaded on to the PC through these processes. Indeed this kind of unwanted installation may be the very point of the iexplore.exe infection.

“Reformatting often results in a loss of a lot of data, and I try to avoid that first, even if time is a factor. Depends on how recent your backup was.”

Surely reformatting results in the loss of all data?
I can backup now (the system is still very much up and operational).
I have scanned my external drive (MalwareBytes, BitDefender) and it comes up clean, but then again so does my internal drive.

If there were just some failsafe way to stop any process called iexplore.exe from running, then that would help.

Thanks a lot Bob for your help

Marc,
I told you what to do. Why don't you do it?
Oren I guess he don't trust us Linux users. LOL

John,

I really appreciate your help and advice.

As Oren says above:

“If you have no previous experience with Linux and a live CD, think it over carefully. Success requires that you understand the fundamentals of your specific Windows release, plus a working knowledge of Linux and Live CDs - for instance, how to do an md5sum integrity confirmation of your download.”

I have never even seen a Linux system, let alone used one. And I have only the most cursory understanding of my own OS.

One of the principles I try to use in problem solving is not to make the situation worse than it is already.

While it is quite possible that a Linux- based clean up tool would take a look at my dormant Windows system, decide which file or files are the culprit and suitably eliminate them, I have no assurance of this scenario.

Also I am just a little surpised that this solution – if it is as risk free and effective as you suggest - is not more widely recommended in the specialist AV and PC support fora.

So, as Oren suggests, I am still thinking it over.

The solutions I plan to implement, in order, are as follows:
- continue Windows-based remedies and scans until I have reasonably exhaused them
- attempt to remount the image backup I have made with Reflect in the hope that it was made before any of this started occurring
- alternative OS based solution on bootable media (your recommended approach)
- reformat of internal HD and reinstallation of W XP (in the hope that my backed up data is not also infected)

All of these take a fair amount of time, which I do not have what with a FT job, a young family, a gigging band etc.

Because I have not performed your suggestion yet does not mean I have ruled it out.

Thanks again,

Marc

The Kaspersky rescue disc IS NOT A LIVE LINUX CD. It is a removal tool that if you follow my instructions will clean your mess up.

Marc, if I were in your shoes I'd back up valuable data and then zap the bloody lot and start over with a re-format clean install of Windows 7 64 bit. Your symptoms sound extemely scary to me and I wouldn't muck about trying to repair things. I trust you don't do online banking as I'd be petrified of key loggers stealing my passwords. Sorry to sound alarmist, but it sounds like you need to regain confidence in your system.
My PC became slow a couple of months ago and although I had none of the scary stuff going on which you describe I nevertheless lost confidence. I keep copies of my important stuff an an external drive, so reformatted and installed Windows 7 64 bit and have never looked back. It was a pain re-installing a lot of music apps like plugins, etc. but the PC runs smooth and fast now.

John

G'day Marc,
I would have no trouble with using either the Kaspersky or AVG disks. I suspect you do not have a root kit or the root kit killer you tried would have fixed it. Root kit killers do only that, kill root kits. They are not normal AV or Anti malware tools and do not look for anything other than root kits.

hmm, there's a lot of root kits there...

Whatever malware is left is clearly hiding from your AV software so a tool like the Kaspersky or AVG boot CD is a good tool to use.

Marc,
If you're worried about infections being on your backup, don't remount the image backup.
Just backup your data and reformat and do a clean install.
When you're done your machine will be like new. Clean and fast and then make an image backup.

Wayne,

THanks everyone for your concern and advice.

Am currently making a backup of my data on to my external HD- there shouldn't be any .exes in there but I know I will need to:
- scan this drive before retransfering the files
- refrain from connectng this drive to any othe system until I know its safe.

I'm currently having a look at the AVG disc but even that is way beyond what I am comfortable with technically.

I didn't realise these things could be so ingenious. My system can appear to be clean for a while. THen I reboot and the two iexplore.exes come back.


Lawrie does anyone in your team do Sunday house calls to Paris?

Thanks Bob. Sound advice.

I'm pretty sure I will have to finish up reinstalling, but in the meantime I have found a very handy tool on download.com (Process Blocker) which I am using to block any instances of iexplore.exe, whether launched by myself or the malware.
This tool seems to be effective and it tells me that iexplore.exe is trying to open every 2 minutes or so.
I guess the tool is so obscure that the malware writers didn't think to shortcircuit it.

Also I note that while iexplore.exe is blocked I am not getting any web search redirects.

at least this gives me some breathing space as I prepare the reinstallation (drivers, app. inventory, screenshots of settings, license keys etc..)