
marcusironfist

Members • Posts: 20

Everything posted by marcusironfist

  1. Thank you very much for your help. I am sorry for any difficulties during this process. It is depressing that we were unable to find a complete fix.
  2. Still the same. Still showing Explorer.exe with a 2nd entry in Task Manager, growing as high as 2.5gig of ram used, and still seeing the mbam pop-up warnings of blocked website access. I can understand the idea of advertisements being displayed while the ad-supported application is in use, but for explorer.exe to be accessing websites when no apps are open (beyond the system apps residing in the toolbar beside the clock) does not make any sense at all. At this point, I'm ready to just kill the Windows 7 completely and reformat with a copy of Linux (which I prefer to use on my other machines I've had over the years). I never had anything like this happen while running XP either.
  3. I ran the cleaner, waited for the reboot, then re-installed the mbam package as instructed. Complete scan, including root kit testing, came out completely clean with 0 discoveries. mbam_scan_report_20141201.txt
  4. Well, that reset trick had a partial effect: after rebooting, I still have the 2nd explorer.exe showing in task manager, but it doesn't grow as fast (or as "fat" in memory usage) as before. And I still see websites appearing in the IE history that I did not visit. Also, for some reason the mbam protection icon is no longer showing on the task bar, and when I click to run the main app, it never opens.
  5. Here is the fixlog. Fixlog.txt Just so we are on the same page, what you had seen in those previous logs (I took a moment to explore the contents of both log files after uploading them, while waiting for your reply) is that utorrent had an entry in the system's registry for two of the user accounts on the machine. At no time during the course of this process, nor more recently than the preceding week, has the utorrent app actively been running, and it was definitely never running while any of the requested scans were being processed. Also, the other night I completely uninstalled utorrent and peerblock in order to keep them from being an issue in further discussions. That being said, I still get the constant pop-up notices from mbam protection and constant entries in the Internet Explorer history list for pages I have not opened myself.
  6. Here are the new logs. FRST.txt Addition.txt I am sorry that this is being a difficult process. It has me completely baffled and at times nearly ready to throw the laptop across the room.
  7. I have not run utorrent in over a week. I am still getting the warnings, and my Internet Explorer history keeps filling up with names of sites I have not heard of or visited myself.
  8. I do not get involved in piracy. I use the peerblock program solely to block unwanted advertisement and suspected malware sites from being accessed during browsing. My children have used this machine in the past and it has been helpful in keeping them from seeing or clicking on sites not appropriate for their ages. The only time I use torrents is when I am downloading a new Linux DVD image, as it is faster than waiting for a download from a web page.
  9. I don't know if this helps any, but I have another IP "watchdog" app that blocks access to IP addresses (called PeerBlock). It is showing even more IPs being contacted by my machine, even though this is the only webpage I opened personally. Blocked_IP_Address_list.txt
  10. Here is the protection log. mbam_protection_log_20141127.txt Oddly enough, the hijack, whatever it is, seems to be directly linked to the wireless network driver. Every time I disable the driver, the problem disappears. Every time I enable the driver, even if I don't have the wireless connected to the router yet, the hijack goes crazy trying to connect to sites.
  11. Here is the new fixlog. Fixlog.txt And I still get the pop-up warnings from MBAM about explorer.exe attempting to contact several sites (as well as it quickly bloating past 1g of memory used).
  12. Here are the logs from the network-free runs. FRST.txt Addition.txt ComboFix.txt Disabling network access again after this is posted. I will receive notice through my email on my phone when you reply again.
  13. Ok, I just got home from work. I am using my phone to enter this reply while my laptop is temporarily network nullified. Based on my minor discovery right before I left for work (lack of internet connection puts the "beast" affecting my machine to sleep), I am rerunning the FRST test then the combofix test with all network adapters in disabled mode, keeping the computer internet free (and hopefully unhindered) for the duration of the testing.
  14. Unfortunately, the laptop I am using did not come with a master restore disk; instead the manufacturer used a restore partition method (the drive is sectioned as 3 partitions: the main boot, one for the restore data, and one with "tools"). I am worried that the restore partition may be infected as well. One thing I noticed right after posting those logs was that turning off the network connection to the router (and therefore all internet access), the process of explorer.exe that was so bloated actually reduces down to almost no activity or memory usage.
  15. Here is the log. Fixlog.txt As I was posting this reply, my screen went black several times, and task manager again shows explorer.exe at 2.7 gig of ram in use. Additionally, between the time I posted the logs from the re-run of FRST (around 12:15am my time) and the time I woke up this morning (around 9:30am my time), my Internet Explorer history list had several hundred entries for sites I did not visit myself...
  16. Here are the scan results: ComboFix.txt zoek-results.log I am also seeing additional IP addresses being listed by the MBAM protection: 66.45.56.109, 193.169.245.163, 88.214.193.77, and 193.169.245.161
  17. I've been having a lot of trouble with my laptop recently, in particular I have been seeing an entry of explorer.exe in Task Manager that uses more than 2gig of ram on a 4gig machine (see image posted at http://imagebin.ca/v/1hvsujNzvIQz ). After searching for info (an old friend always said "Google is your friend when you have questions"), I came across the Bleeping Computer website and ran the rkill app, which reported no findings. However, when I installed and ran MBAM, what started as a list of 52 items exploded into 847 by the time the heuristic scan completed. I have attached the xml version of the scan log since the log viewer function would not allow me to export the report as a normal text file. mbam-log-2014-11-24 (23-08-40).xml Since the completion of that major scan, I am getting pop-up notices regarding several IP addresses attempting to be contacted by explorer.exe (5.149.250.194, 193.169.244.219, and 195.42.102.24). mbam_protection_log_20141125.txt After reading some other posts from this forum, I have already run scans with TDSSKiller: TDSSKiller.3.0.0.41_24.11.2014_23.55.34_log.txt (run without loaded modules option) TDSSKiller.3.0.0.41_25.11.2014_00.05.08_log.txt (run with loaded modules option) And also with FRST64: FRST.txt Addition.txt Any assistance you can provide would be much appreciated.