IE acting very weird

Discussion in 'Software' started by JimLL, Nov 19, 2011.

  1. JimLL

    JimLL I can't follow the rules

    XP Pro, SP3, current updates, Comodo, A^2, Lenovo T60p Dual CPU - 2.1 ghz, 15.6" screen, 3 Gb computer memory, 3 cent operator memory

    When I got my virus boogered system back to running, one thing I found was that Internet Explorer is behaving very badly.

    1. I use Firefox, but something, apparently this IE thing, keeps switching it back to IE.

    2. IE keeps calling out and connecting to what looks like random web sites. And I mean sometimes it's as often as 2 or 3 times a minute if I close it right away.

    3. A utility shows that IE opens as many as over 200 ports to the internet at once.

    H-A-L-P ! !

    I've scanned with my primary subscription anti-malware plus Malwarebytes plus SAS repeatedly and nothing is ever found.

    I'm flabbergasted how this thing is just running wild. Maybe the virus attack set something that makes this happen. I just now thought I'll try uninstalling IE and re-installing it to see what happens. I'm not sure XP Pro will even let me remove it. Maybe it will back level it to 6 or something. I did do that once.
     
  2. falconattack

    falconattack Command Sergeant Major

    Hi mate, what IE version are you using now? In many cases Firefox is better than IE. IE uninstallation is not suggested because you have to go into the registry to delete keys; perhaps you might create problems. You could follow this

    http://kb.iu.edu/data/ahic.html

    for cleaning up IE. I am suggesting you download a rescue CD like this

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001090715331006

    for testing your machine!! :wave
     
  3. plodr

    plodr Major Geek Super Extraordinaire

    Look at your firewall settings and disable IE from outbound traffic. (I'm not sure if Comodo allows this.) I run a very old version of ZA, and IE on my computers cannot get out to the internet. When I fire up Windows Update, ZA pops up and asks if IE can connect to the internet. I temporarily allow rather than permanently allow.
     
  4. thisisu

    thisisu Malware Consultant

    You mentioned in another thread that you were infected with System Fix.

    System Fix is a new Fake AV that comes bundled with a TDL rootkit/bootkit that places a hidden active partition on your hard drive and infects the Master Boot Record (MBR). This can cause browser redirects and IE to open on its own.

    Review this post/thread if you'd like for more details: http://forums.majorgeeks.com/showpost.php?p=1683289&postcount=51
     
  5. thisisu

    thisisu Malware Consultant

    In the meantime, you may want to post a screenshot of your Disk Management.

    Start > Run > diskmgmt.msc

    Looking for any extremely small partitions around 1MB marked active.
     
  6. JimLL

    JimLL I can't follow the rules

    Thanks. I did remove IE 8 upon which it automatically dug up IE 6 and activated it. But that version is doing the same thing, so it seems like it has to be something outside it, telling it to do it.

    I finally upped the security level in Comodo so it would show me each attempt to get out. IE was pausing maybe 30 seconds then trying to open a port to get out. If I blocked the effort it switched to another port in a matter of seconds and tried again - up to 7 times, then it would pause half a minute and do it again.

    Thanks for the addresses.
     
  7. JimLL

    JimLL I can't follow the rules

    Yes, Comodo does pop up with attempts to get on the internet. My version apparently puts a block on each port individually, whereupon IE tries another one. I've gotten and blocked maybe 30 or 40 attempts, so now I'm not getting connections to unwanted web sites. Interestingly enough the web sites it connected to all turned out to be bottom rated on WOT (http://www.mywot.com/en/scorecard). Gotta be something feeding it those links.
     
  8. usafveteran

    usafveteran MajorGeek

    Are we missing some key info here? What virus attack?
     
  9. JimLL

    JimLL I can't follow the rules

    System Fix rogue. There's a good link about it back a few posts.
     
  10. JimLL

    JimLL I can't follow the rules

    Well, IE is still running amuck and still keeps getting selected as browser of choice.

    I forgot how to do pictures and it would take my thinker 2 weeks to work it out. But there is (was) a small partition (1.27 mb) listed at the top of the window as hidden and active. Oddly enough it shows used space and free space the same - empty. Of course they could be using a language from Mars so the system doesn't see it.

    I used GPARTED to get into it and unset the HIDDEN flag - to no real end.

    The thing about all this is that I'm wondering if I have a vague memory of something up in that space from long ago. Maybe it was just listed as unallocated. But before I delete it I want to know for sure that that little 1mb partition isn't needed by the system for anything. Calling all experts!!
     
  11. JimLL

    JimLL I can't follow the rules

    Today more stuff, this time calling itself Internet Explorer, popped up and said I STILL had a virus. I thought, 'you're telling me!' Fortunately I had all kinds of settings that weren't going to allow it to go online and grab more bugs.

    I got an idea today. While they had my computer shut down to me, maybe they loaded some DLL(s) normally used by IE that they had simply turned into a program to do all this junk... It couldn't be IE itself, because it did the same thing while I was running IE 6.

    I'm pretty sure there was more than one malware loaded. MalwareBytes took out a mess of stuff on one scan - multiple copies of one bug scattered in different places. But the "Ha Ha I Gotcha" thing still popped up after that.

    This afternoon I ran SAS from and on that system and got some results I had never seen the likes of. After the scan of that system it displayed no bug or cookie list, but it showed me a list of 20 or 30 system resets it could do for me. Apparently it had discovered some of them were screwed up. Things are quieter since I told it to reset everything on the list. Hurray for SAS. Right after that I let Windows reinstall IE 8, as it had been jumping up and down wanting to do that. Maybe a clean install helped. Of course it did its "malicious software" check while at it and never let out a peep. Bricks for M$.

    I'm on here using the system that was junk a couple days ago. Unfortunately something is still setting the default browser back to IE. I tell Firefox to set it back every time I start it after a boot. Of course it isn't impossible that since FF has been acting up recently it could just be failing to actually set itself as default browser.
     
  12. JimLL

    JimLL I can't follow the rules

    That 1 mb partition I found was for system use. I set it to inactive and Windows wouldn't even boot. I set it back to active and it booted OK.
     
  13. thisisu

    thisisu Malware Consultant

    That's because the TDL partition is set to active. If you remove it from being active alone, then you have NO active partition because your OS partition is already set not to boot ;) -- which will result in the system not booting.

    You do have to delete it (the 1 MB partition), but you should research more before you are comfortable with doing so.

    Read the malware removal forums on here, we have about 8 threads with people with the same exact issue as you ;)

    It is a bit more involved than just deleting the partition though and marking the OS partition as active/boot again.
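
Added example (not part of the thread and not any poster's code): the check described in posts 5 and 13, run against a raw copy of sector 0 instead of the Disk Management view. It parses the four MBR partition entries and flags any active partition of around 1 MB; the sample sectors, the 2 MB threshold and the function names are constructed for illustration.

```python
import struct

SIGNATURE = b"\x55\xaa"   # boot signature at offset 510
TABLE_OFFSET = 446         # four 16-byte partition entries start here

def parse_mbr(sector0: bytes):
    """Return the non-empty entries of a classic MBR partition table."""
    if len(sector0) < 512 or sector0[510:512] != SIGNATURE:
        raise ValueError("not an MBR sector")
    parts = []
    for i in range(4):
        # status byte, 3 CHS bytes skipped, type byte, 3 CHS bytes skipped,
        # start LBA, sector count (little-endian)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector0, TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:      # unused slot
            continue
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "start_lba": lba, "size_mb": count * 512 / 2**20})
    return parts

def flag_tiny_active(parts, max_mb=2.0):
    """Active (boot) partitions too small to hold an OS.
    max_mb is an assumed threshold, not a value from the thread."""
    return [p for p in parts if p["active"] and p["size_mb"] <= max_mb]

def build_sector(entries):
    """Build a constructed 512-byte sector from (active, type, lba, sectors)."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if a else 0, t, lba, n)
        for a, t, lba, n in entries)
    return b"\x00" * TABLE_OFFSET + table.ljust(64, b"\x00") + SIGNATURE

# Constructed sample: 40 GB NTFS volume not marked active, followed by a
# ~1.27 MB active partition (type byte 0x17 chosen arbitrarily).
INFECTED = build_sector([(False, 0x07, 63, 83886080),
                         (True, 0x17, 83886143, 2600)])
# Constructed baseline: the OS volume itself carries the active flag.
CLEAN = build_sector([(True, 0x07, 63, 83886080)])

if __name__ == "__main__":
    for name, sector in (("infected", INFECTED), ("clean", CLEAN)):
        hits = flag_tiny_active(parse_mbr(sector))
        print(name, [(h["slot"], round(h["size_mb"], 2)) for h in hits])
```

On a real machine, read sector 0 from a boot or rescue environment rather than from the running, possibly infected Windows install.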
     
  14. JimLL

    JimLL I can't follow the rules

    Didn't take long to do the research. I found the boot flag pointed to the tiny partition. I moved it to the MBR partition and everything booted fine. Then cautious me went back and deleted the tiny partition.
     
  15. thisisu

    thisisu Malware Consultant

    Did that stop IE from acting up on its own? Glad you are getting it sorted out ;)
     
  16. JimLL

    JimLL I can't follow the rules

    It seems to have stopped, now I'm having trouble keyboarding with my fingers crossed all the time. ;)
     
