Ie11 Contacts 11,000+ Sites On Opening

What causes IE11, on opening, to contact 11,000+ sites momentarily and leave evidence of contacts in Cryptnet, but not in IE history?

AVG PC TuneUp manual scan on Win7 PC shows more than 11,000 browser items after opening IE11 into Yahoo for approx 2 minutes, then closing IE11.

Found IE11 connects to thousands of spurious sites and deposits evidence in Cryptnet, --almost as soon as IE11 is opened--.

PC TuneUp indicates browser items were located in C:\Users\***\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content -and- C:\Users\***\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData.

Number of spurious sites connected by IE11 remains nearly the same each time IE11 is opened.

The 11,000 contacts are believed to be momentary because TCP Viewer and Cport show no evidence of 11,000 continuous contacts, LAN traffic does not slow, LAN traffic volume does not increase, as would be expected from continuous contact with 11,000 sites, and PC's CPU usage is comparable to Asus laptop running IE11, without the issue, on the same network.

Spurious browser items do not appear as extra web pages.

Selected web pages do not seem to require extra time to load.

PC otherwise operates normally.

AVG PC TuneUp manual scan on laptop with same OS, same programs, same network shows -no- browser items after opening IE11 into Yahoo for approx 2 minutes, then closing IE11.

Issue also appears in Safe mode with networking option selected (PC TuneUp disabled in Safe Mode).

*****************************************
(All programs and command lines were executed in Administrator mode.)

Opened IE11 without add-ons. Same results, IE11 contacts same number of spurious sites.

Scanned computer in live and safe modes with AVG Antivirus, MalwareBytes, Spybot, Microsoft Malware Removal Tool full scan (MRT), Adware Cleaner, Hitman Pro, C-Cleaner, Zemana Anti Malware, and cleared CryptNetcache. No viruses or malware found.

Ran CheckDisk, Kaspersky Rootkit killer. Nothing found.

Ran HijackThis on affected PC. Compared results with HijackThis on laptop with same OS (Win7), same programs, same network. Evaluated with HijackThis.de Security website. No obvious malware entries were found.

Ran DDS (Ver_2012-11-20.01). Results indicate nothing obvious.

Verified AVG firewall operated correctly.

Verified Data Execution prevention option 3 with wmic OS Get DataExecutionPrevention_SupportPolicy.

Ran Process Explorer, Wireshark, Cport, and Task Manager on the PC; no evidence that PC TuneUp opened any process or port to cause the problem.

Wireshark and Cport suggest a problem by indicating much more internet traffic tied to the same PID (IE11) on the PC than on the laptop.

Uninstalled AVG Internet Security and PC TuneUp with Revo. Removed program artifacts with C-Cleaner and manual inspexion of folders.

Reinstalled AVG Internet Security and PC TuneUp. Verified updates and configurations.

Ran PC Tuneup manual scan. Results showed no browser items.

Opened IE11 to Yahoo.com. approximately 1 minute, closed same, exited IE11.

Ran PC TuneUp manual scan. Results showed 11,378 browser items.

Executed PC TuneUp "Fix and Clean" which returned the 11,381 to zero.

Ran Webcache Killer, checked, cleared certificate revocation list, Online Certificate Status Protocol responses, and CryptNet cache with "certutil -urlcache CRL delete", "certutil -urlcache

OCSP delete", and "certutil -URLcache * delete".

Opened IE11 to Yahoo.com. approximately 1 minute, closed same, exited IE11.

Ran PC Tuneup manual scan. Again, results showed 11,381 browser items located in C:\Users\JoelG\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content -and- C:\Users\JoelG\AppData\LocalLow\Microsoft \CryptnetUrlCache\MetaData.


Your help would be greatly appreciated.

 

chaslang,

Thanx for your note.

Agree... may be time to strop Occam's razor...

Seems significant the similarly configured laptop does not show the same issue, and the PC apparently contacts the 11,000 only momentarily.

Just ran this month's version of Microsft's malicious software removal tool (MRT), no malware reported, no effect on number of IE11 browser items.

Since last post, installed Firefox on affected PC (did not remove IE11),
ran PC TuneUp to purge browser items,
ran Firefox (loaded Yahoo web page quicker than did IE11),
exited Firefox,
ran PC TuneUp,
found approx 350 (versus 11,000+ in IE11) browser items.

Would not expect this result if malware were present.

Wonder whether uninstalling IE11 with "Revo" and reinstalling IE11 would be helpful.

Am as much interested now in the cause as the cure.

 

chaslang,
will do cleaning process...
off now due to unexpected (non-computer) issue...
returning about March 5...
thanx for your patience...

 

chaslang,
completed cleaning process...
will delete no files until advised...
attached 5 files...

 

chaslang,
reports show UAC was not deactivated properly...
will proceed with re-do...

 

chaslang,
your "hitman pro" seems aptly named...
unbeknownst to this neophyte follower of instructions, it was set to start "scanning" when the computer restarted...
now, all Microsoft word files are unreadable, AVG PC Tuneup is completely inoperative, and goodness knows what else is hors de combat...
so it's me versus your bloody pc djinn...
best wishes in your future endeavours...

 

Hitman Pro appears, by default, to operate in background and scan on startup.

Startup scan corrupted all Microsoft Office elements, PC TuneUp, Mozilla Maintenance Service, and Flash Player.

Luckily, very luckily, normal operation resumed after System File Checker run and fallback to previous days' restoral point.

Question remains: Absent malware, what makes IE11, at opening, establish momentary contact with thousands of sites worldwide, then close those contacts, while appearing to operate normally.

Research indicates what PC Tune Up displays in Crypt Cache is simply evidence that IE11 contacted sites.

Clue, being researched, might lie in what initiates the normal process that causes IE11 to contact sites in background, and what may have prompted IE11 to contact so many sites in background, rather than display these contacts in History, or as open web pages.

 

Suspect you're right, especially about IE11 startup delay.
They're probably not issues, but one does wonder why this behavior differs so much from a similarly configured laptop on the same network.
Can you explain the process, or point me to an explanation of the process by which an application or script becomes aware IE11 just opened and calls home?
What do you recommend for packet capture?

 

Just acquired Wireshark...
Saw what looked like the activity on TCPview, a momentary mass of activity when IE11 opened, then settled down when Yahoo was connected...
Clue is the laptop does not show the same momentary mass activity before settling down when Yahoo is connected...
Next task is learning how to capture and inspect packets...
Thanx again for your help...
Cheers...

 

Checked Caches and databases list, nothing was shown.
Reset IE11 to default settings, same effect.
Restored IE11 settings to same as on laptop (same OS, software), same effect.
Executed "Webcache Killer", observed PC Tune Up reflected empty crypt cache, re-opened IE11, same effect.

More clues:

Downloaded Mozilla Firefox, configured with add-ons, opened to Yahoo: PC Tune Up showed the PC did -not- contact 11,000+ sites.

One might think each instance of opening IE11 to Yahoo would cause PC Tune Up to show the PC contacting 11,000+ sites.

Opened 3 instances of IE11 concurrently to Yahoo, but PC Tune Up showed the PC contacted 11,000+ sites, not 3 x 11,000+ as might be expected.

Opened and closed IE11 sequentially 3 times, again PC Tune Up showed the PC contacted 11,000+ sites, not 3 x 11,000+.

Observed when IE11 is exited on the PC screen, the PC apparently requires extra time to stop running IE program. Routinely use CCleaner after IE11 sessions, now CCleaner prompts user to force IE closure prior to cleaning. This behavior does not happen on the laptop.

Observed Mozilla Firefox opened and closed more quickly than IE11, comparable to IE11 performance on the laptop.

During IE11 session, Wire Shark and TCP View do -not- show continuous contact with 11,000+ sites.

Question... What, if anything, controls maximum number of sites that IE11 may contact?

If it's a registry value, it may be worth comparing to the laptop's registry.

 

Agreed...
See no evidence of 11,000+ packets going anywhere...
Nor a corresponding spike in LAN traffic...
Intrigued with possibility of Spybot/SpywareBlaster artifacts...
Will attempt to find and excise same...

"...when you have eliminated the impossible, whatever remains, however improbable, must be the truth." Sherlock Holmes

 

MGclean.bat does not exist in MGtools folder.
Windows Explorer shows no MGclean.bat file in computer.

Please advise whether MGclean.bat is available separately, or if not, what files other than MGtools folder should be removed manually....

Reenabled UAC...
Use Malwarebytes regularly, along with Malwarebytes Junk Removal and Microsoft's malware removal tool (mrt)...
Will run these today in "safe" mode...

Still concerned with forensics... rather like a brand-new ticking in one's airplane engine, when at altitude.
Discovered certain Win7 registry keys/values control maximum number of IE connections...
(https://www.eightforums.com/tutoria...r-download-connections-per-server-change.html)
Found these keys/values do -not- exist in PC registry, and that a process exists for creating them...
Will compare with laptop registry...

Thanx again for your help and patience.
Will advise if issue solved...

 

Viewing of file extensions is enabled...
Good call! Reinstalled MGtools.exe, MGclean appeared, executed successfully...