multiple iexplorer processes

[essexboy]

Yes accept the warning, I have run combofix with avast enabled to no ill effect

[smartpaul]

That all took about 40 minutes so presumably I'm 'heavily infected', as implied by the opening message?

The PC is still behaving the same, i.e. multiple iexplore.exe *32 processes utilising memory. One alert has come in, as before, quoting that process.

 Log attached.

[essexboy]

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 

Folder::
c:\users\Paul\AppData\Local\ciqulges
c:\users\Paul\AppData\Roaming\Anveuzne
c:\users\Paul\AppData\Local\Pnqamedia
 

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
 
 
 
Refering to the picture above, drag CFScript into ComboFix.exe
 
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[smartpaul]

ComboFix log attached.

All seemed to be quiet and going well until I happened to be looking at Last Scanned Items in Avast stats. Please see attached screen shot where the iexplore script can be seen starting. Is that significant?

[essexboy]

That leads to a dead end...  Do you launch IE from a desktop/quick launch  icon ?   If so delete them and we will then get a fresh copy after confirmation as to whether or not that was a problem

[smartpaul]

There was not a desktop shortcut until I put one there last night after we got IE working (having disabled the Avast Security Addons).

I've deleted it now. What should I do next?

[essexboy]

Could you now use IE to visit a few sites and let me know how the computer is behaving now

[smartpaul]

IE works fine but otherwise the PC is behaving exactly as before, including a repeat appearance in Avast stats of that script starting in Last Scanned Items.

[essexboy]

Could you go to Control Panel > Internet options > Advanced Tab
Click the Reset button
Then try IE again to see if the script re-appears

[smartpaul]

Interestingly, it wouldn't allow a reset until 'all windows were closed' - there were none open. Only when I killed the iexplor processes in Task Manager would it allow a reset. I haven't seen the processes restart yet, but I'll keep checking.

Running IE does, of course, start the process but they disappear when IE is closed.

[essexboy]

Yes monitor it and if it restarts let me know and I will dig deeper

[smartpaul]

Unfortunately we are still left with all the same issues: multiple iexplor processes for no apparent reason, and Windows freezing or suddenly closing down once or twice each day. Avast alerts relating to those processes are still  a regular occurrence.

I think I've proved that those processes are related to IE (I couldn't do a reset of IE until I killed them), but why, on a 64-bit machine, are they occurring at all? A 32-bit version of IE is not even installed on this machine.

Is it significant that almost all viruses captured in the Chest (attached) are related to Win32?

[essexboy]

They are all showing as adware and a fair few are in your download/temp folder

Lets have another look with OTL as I can now see what avast is finding

Could you run a quick scan with OTL and ensure all users is checked.  There will only be one log

[smartpaul]

Log attached.

Windows suffered a shutdown during the first two attempts.

[essexboy]

OK let me know the result of this fix please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-3838763673-1115839168-2840729140-1000..\Run: [Akworks] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)
[2014/03/09 12:01:18 | 000,001,172 | ---- | C] () -- C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.