Help with suspected malware/iexplore and Comodo...?!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ffspiel, Oct 10, 2007.

  1. ffspiel

    ffspiel Private E-2

    Greetings and thank you for being here. This is my first post in this forum, I'm a novice computer user, I may have a malware problem, and I'm not sure how or if I am even to proceed, so here it goes:

    I received a call from my bank three weeks ago, alerting me that some fraudulent purchases using a credit card of mine have been attempted online, but luckily, the bank blocked those attempts (... thank god...). The account was closed and I looked into ways my computer may have been unprotected.

    I had been running Ad-Aware SE; AntiVir PE Classic, and AVG AntiSpyware, using the firewall that came with Windows XP. When the fraudulent activity happened, I decided to reinstall PC Spyware Doctor, which found two Trojans I believe, but I wasn't smart enough at the time to save a record of said scan, so it wouldn't help to ask. Going into this a bit further, I did a bit of reading and thought a firewall would be in order (better late than never?), and I installed Comodo.

    Upon running Comodo, I got moderate level warnings about "iexplore.exe" and "svchost.exe" files attempting to do something (contact the internet, I think...), but I wasn't savvy with the use of Comodo, didn't really understand it, and it blocked my access to the internet, so I uninstalled it and did some more reading about iexplore and its possible links with malware and this is why I'm here.

    Aside from the two trojans being fixed and the account number stolen (not sure if this was done via my computer, but I'm guessing it may have been...) my computer acted funny. It would "hang up" for short amounts of time (4-5 seconds at a time, frequently enough to be annoying); this happened especially when I was actively browsing the internet, on YouTube. This added to my suspicion that some malware may still be affecting my computer.

    To start the process of correcting my problems, I have done the following:
    -I have attempted to follow the Read & Run steps as outlined in the forum, in order, trying not to omit any steps.
    -While following the above, the CounterSpy site would not let me scan while I was in safe, so I used AVG AntiSpyware.
    -I also ran BitDefender, GetRunKey, Spybot, and eventually, HiJack this.

    Hardware: AMD Athlon 64 Processor (emachines) 3200+; 1.99 Ghz, 1.37 GB ram;
    Software: Windows XP (home, with sp2).

    My logs are as follows (see attachments).

    I am primarily concerned about the following:

    -Is there some evidence that there may be a stubborn Trojan still lurking in my system?
    -Is iexplore.exe a "normal" process that should be allowed by Comodo, or in fact is this some type of malware?
    -Where should "iexplore.exe" be located in my system, if it's not malware?

    I mainly want to get my machine more secure than it is now... I'd like to be able to use Comodo, but as stated above, I'm not sure what to allow or what to deny... any help with these matters is much appreciated.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi ffspiel!
    Welcome to Major Geeks!

    In order to post all of the logs, including AVG Antispyware, BitDefender and the missing Panda scan, you have to post a second time.

    Thanks.
    abri
     
  3. ffspiel

    ffspiel Private E-2

    Thanks Abri... will do so...
     
  4. ffspiel

    ffspiel Private E-2

    Here's Panda and AVG; BitDefender did not let me link to their online scanner despite me adjusting my security settings....
     

    Attached Files:

  5. ffspiel

    ffspiel Private E-2

    Abri,
    Also ran CounterSpy... could not print a scan result, but it said nothing detected.
     
  6. abri

    abri MajorGeek

    Hi ffspiel!
    I don't find any signs of infection still remaining in your computer. I believe the problems you're having are more a problem of too much helpful software rather than not enough. You have a large file from Norman antivirus in your temporary files. Did you run something with Normans? There are a couple of things we can fix, but I will also ask you to uninstall (at least on a temporary basis) some of the programs you have running that I think may be conflicting with one another and causing the strange delays you're having.

    iexplore needs access to the internet. It's located in a folder called ie7 (or ie6) under C:\WINDOWS. The svchost.exe's are all valid and you need them. Your credit card problem may have been the result of trojans, but there don't seem to be any left now. There are a number of ways that someone could have gotten your credit card number and I hope that problem is over now.

    Please do the following:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) We need to stop a service:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service (CLTNetCnService)
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and wait to reboot until I tell you to.
    3) Now we will Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    4) Please go to add/remove programs and uninstall the following, but before you do, check for any information on activation keys for paid versions. If Spyware Doctor and Registry Mechanic require an activation key, please find out how to re-install these programs before you uninstall them. The key may simply need to be reentered or it may be stored in a file which you will need to move before they are uninstalled. Once you know this, please uninstall these. The same for the following: Sophos Anti-Rootkit 1.3.1 and TrendMicro or A-Squared. Please uninstall only what is in your add/remove programs.

    If you are no longer using Microsoft Works, please go to add/remove programs and look for the button (usually along the left side) which is called add/remove windows components. Click on that and find Microsoft Works in the list and uncheck it. It will not uninstall MS Works. You can turn it back on at any time, but it is one less thing to have running if you don't need it.

    5) Once you've done the above, I would like for you to run CCleaner, reboot your computer and post fresh logs for HijackThis and for ShowNew (newfiles.txt). Please let me know how your computer is doing.

    Thanks.
    abri
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! These folders were used for installation. The normal place for IE to be running from is C:\Program Files\Internet Explorer\iexplore.exe and that is where it should be running from.
     
    Last edited: Oct 12, 2007
  8. ffspiel

    ffspiel Private E-2

    Abri, I've received your directions; thanks for the reply. I'm at work for the next two days, so I'll take care of the issues on Sunday. Many regards to you, the service you provide, and MajorGeeks in general. See you Sunday!
     
  9. ffspiel

    ffspiel Private E-2

    Chaslang....
    Copy!..... Q: If Iexplore is anywhere else, should I suspect changed files (like changed host files once a trojan has done its damage)? I'm a novice, so I apologize for the incorrect semantics.... rob
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily. And just because iexplore.exe appears in another folder, it does not make it bad. For example there are Software Distribution/update folders (like the ie7 or ie6 folders abri mentioned) and also an i386 folder that may contain the iexplore.exe file.
     
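    An added example for the point chaslang makes above, not code from the thread or from any of the participants: a Windows PowerShell script that lists every running iexplore.exe and svchost.exe with the path it was started from, and then lists every copy of iexplore.exe on the system drive, tagging each as the expected image, a normal installer/update copy, or something to report. The expected locations follow chaslang's posts (IE runs from C:\Program Files\Internet Explorer\iexplore.exe; svchost.exe from %SystemRoot%\system32). The folders treated as normal homes for a spare copy (ie6, ie7, i386, SoftwareDistribution) are an assumption drawn from the thread, not an authoritative list.

```powershell
# Added example (not part of the thread). Assumes Windows PowerShell on the
# machine being checked; paths are built from the environment, so a non-C:
# install still works. Read-only: it lists and tags, it does not delete.

$ieExpected  = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$svcExpected = Join-Path $env:SystemRoot 'system32\svchost.exe'

# Assumed-benign locations for an extra copy (installer / update caches).
$benignCopyDirs = @('ie6', 'ie7', 'i386', 'SoftwareDistribution') |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

function Test-RunningImage {
    param([string]$Name, [string]$Expected)
    # Get-Process takes the name without ".exe"; SilentlyContinue keeps it
    # quiet when nothing by that name is running.
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path   # $null when the image path cannot be read
        if ($null -eq $path) {
            "{0}`t{1}`tpath not readable (run as Administrator to see SYSTEM-owned svchost)" -f $_.Id, $Name
        } elseif ($path -ieq $Expected) {
            "{0}`t{1}`tOK`t{2}" -f $_.Id, $Name, $path
        } else {
            "{0}`t{1}`tUNEXPECTED LOCATION`t{2}" -f $_.Id, $Name, $path
        }
    }
}

function Find-IexploreCopies {
    # Walk the whole system drive, hidden files included, for anything named iexplore.exe.
    $root = Split-Path -Qualifier $env:SystemRoot   # e.g. "C:"
    Get-ChildItem -Path "$root\" -Filter 'iexplore.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $tag = 'REVIEW'   # default: a copy in a place the thread does not account for
            if ($file.FullName -ieq $ieExpected) {
                $tag = 'expected'
            } elseif ($benignCopyDirs | Where-Object { $file.DirectoryName -like "$_*" }) {
                $tag = 'installer/update copy'
            }
            "{0}`t{1}`t{2} bytes`t{3}" -f $tag, $file.FullName, $file.Length, $file.LastWriteTime
        }
}

'--- running processes ---'
Test-RunningImage -Name 'iexplore' -Expected $ieExpected
Test-RunningImage -Name 'svchost'  -Expected $svcExpected
'--- copies of iexplore.exe on disk ---'
Find-IexploreCopies
```

    Anything tagged UNEXPECTED LOCATION or REVIEW is something to paste into a help thread alongside the HJT log, not something to delete on your own, which is the same rule chaslang gives a few posts further down.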
  11. ffspiel

    ffspiel Private E-2

    Understood, will look at my C:\; C:\Program; and other files... thanks for the support, really. - rob
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For what? You don't have any malware problems to be concerned with so I'm not sure what you are looking for unless you just want to look around at your file system. Do not delete anything on your own.
     
  13. ffspiel

    ffspiel Private E-2

    Chaslang,
    My rationale for peering into the iexplore.exe files (or at least their paths, I guess) stems partly from my recent issues with malware, this in conjunction with what I learned about host files being changed sometimes when Trojans infect and my experience (below), with Comodo, giving me a moderate level warning that iexplore was attempting to do something it wasn't meant to... I guess this could be a combo of shellshock AND misinformation on my part... also, curiosity... seeking knowledge... that kind of stuff.
     
  14. ffspiel

    ffspiel Private E-2

    .... I'm just kinda paranoid right now at the thought of something being in my files that shouldn't be there, and a bit put out because it takes a level of knowledge to diagnose this problem, a level of knowledge that I don't have. I definitely WON'T delete files that I don't know about (... well... at least not intentionally).
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What malware?

    Comodo was just doing what any firewall would do. It was asking you to approve iexplore.exe accessing the Internet which you must do if you wish to use your browser.
     
  16. abri

    abri MajorGeek

    Hi ffspiel!
    From a more philosophical point of view, we're living at the beginning of a technological era. It's a bit like it was when cars were in their earlier stages and it was not uncommon to see people at the side of the road with the hood up, peering inside. Computers are that much more complex and so there is a lot of "peering inside" going on right now. Having a brush with any kind of crime is a disturbing internal experience and it often leads people to take steps to protect themselves from it happening again. The statistic I read yesterday on the number of people who've suffered identity theft was shocking. At this point, any possibility of keeping financial and computers separate is a good idea, because there are neither adequate laws to protect people nor mechanisms in place to implement them. Please let me know if reducing some of the software you had running did anything to improve the symptoms you were experiencing. If your computer is running correctly, I would ask you to read our "How to protect yourself from malware" thread and do our final cleaning instructions in the box. The thread will tell you the best combination of antivirus, firewall and anti-malware programs to protect you without running into conflicts caused by having too much protective software.

    abri
     
  17. ffspiel

    ffspiel Private E-2

    Abri,

    I've removed Spyware Dr., Reg. Mechanic and Sophos; I didn't see Trend Micro or A-Squared in "add-remove programs," although I do remember seeing Trend Micro's home page (... I think I tried to use its scanner and it didn't work... I also don't recall specifically removing and/or uninstalling it either. If TM and A2 are still on the computer, I'm not sure where they are). Also, I didn't see MS Works in the add/remove section of MS programs (!?!).

    I've run the HJT and ShowNew scans; here are the logs...

    Q: Is it possible to have removed all malware and yet have a zombie computer on my hands? Thanks again, Abri (and Chaslang)... hope you two have a good day. - rob
     

    Attached Files:

  18. ffspiel

    ffspiel Private E-2

    Also... in the finalization of the clean, you mention "Pocket Killbox"... I've never used it.... (DISREGARD... I used Combofix... I'll read on...). Thanks, Abri.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You now have a malware service that showed up and it was not here before.

    First you need to do the below which Abri asked you to do in message number 6:
    Now uninstall the CounterSpy trial program since we are finished with it.

    Now delete the below left over folders (some may be gone):
    C:\Documents and Settings\Owner\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\PC Tools
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Spyware Doctor
    C:\Program Files\Sunbelt Software
    C:\Program Files\Trend Micro
    C:\QooBox

    Now delete the below files:
    C:\ComboFix.txt
    C:\ComboFix-quarantined-files.txt
    C:\VundoFix.txt
    C:\xlmsys9.txt


    Now let's fix the malware service.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to NDVOAG
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Now Reboot your PC.

    After reboot, please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
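    An added example, not part of the thread and not chaslang's or abri's own procedure: the services.msc steps in post 6 (stop CLTNetCnService, set it to Disabled, then remove it through HijackThis's "Delete an NT Service") and the NDVOAG step in post 19 are the same three operations, stop, disable, and optionally delete, applied to a service by its short name. The Windows PowerShell function below does them in one place and first records what the service pointed at, which is the line worth pasting back into a help thread. It assumes Windows PowerShell run as Administrator; the two service names at the bottom are the ones quoted in the thread and serve only as illustrations.

```powershell
# Added example (not part of the thread). Assumes an elevated Windows
# PowerShell session. Service names are taken from the thread as illustrations;
# substitute the name from your own instructions.

function Disable-SuspectService {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$Delete
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return "$Name : not present, nothing to do"
    }

    # Record state, start mode and image path before touching anything.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    $out = @()
    $out += "{0} : state={1} start={2} image={3}" -f $Name, $svc.Status, $wmi.StartMode, $wmi.PathName

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }
    # Disabled start type keeps it from returning on the next reboot even if
    # the stop above was refused.
    Set-Service -Name $Name -StartupType Disabled
    $after = Get-Service -Name $Name
    $out += "{0} : now state={1}, startup type Disabled" -f $Name, $after.Status

    if ($Delete) {
        # sc.exe marks the service for removal; if it could not be stopped the
        # entry disappears after the next reboot, which matches abri's
        # "wait to reboot until I tell you to".
        & sc.exe delete $Name | Out-Null
        $out += "$Name : marked for deletion (reboot to complete)"
    }
    return $out
}

Disable-SuspectService -Name 'CLTNetCnService' -Delete
Disable-SuspectService -Name 'NDVOAG'
```

    The function returns its report lines rather than only printing them, so the same output can be captured to a file and attached with the HJT and ShowNew logs the post asks for.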
  20. ffspiel

    ffspiel Private E-2

    Chaslang,

    Followed the directions in reply #6, per Abri, and sent the scan files as directed. Will re-do six, then follow your directions; seriously, I'm not a dip-s***, just a novice... Thanks guys...
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to redo message # 6. You only need to do what I posted in my message that was missed and that was in the quote box that I will repeat again here:

     
  22. ffspiel

    ffspiel Private E-2

    Chaslang & Abri,

    Chaslang: 1. Followed your directions (as I interpreted them) and disabled Windows Messenger.
    2. In your directions, reply #19, when fixing the malware service, NDVOAG was already stopped (but not disabled); I disabled.
    3. When running HJT, prior to fixing, noted that:
    "R3-URLSearchHook: Yahoo! Toolbar... etc., was not there. Fixed the other two as directed, rebooted, ran ATF ran HJT and ShowNew, attached logs.

    We'll see what happens. Thanks. - rob

    (As far as reporting back to you regarding how things are working; the computer reboots as normal, access to internet is normal, desktop is there...)
     

    Attached Files:

    Last edited: Oct 15, 2007
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use HijackThis to fix the below line:
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    Now If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  24. ffspiel

    ffspiel Private E-2

    Chaslang,

    I noticed that the computer is hanging up again at times, for about 10-15 seconds at a time, happening at a frequency of about once every minute; it happened twice in the time it took me to write this sentence. This started after my last round of cleanup. My double-click also doesn't work; when navigating through my computer, moving from start to my computer and so on, I have to click, the menu box pops up giving me options (to include open) which is what I now need to use to open files, move back and forward now in windows.....

    Incidentally, my daughter got on YouTube watched music videos; I've not accessed any other sites and neither has she. I haven't fixed the line nor have I begun the final steps. This is in part what I've been concerned about, as though the machine is trying to do something (zombie style?!) while we're on the net or some internal setting keeps getting re-set. I'm considering system restore at this point, which will bring me back to earlier today. Thoughts on the cause of this?...
     
    Last edited: Oct 15, 2007
  25. ffspiel

    ffspiel Private E-2

    I decided to run my Ad-Ware (found some minor stuff) and then Spy-Bot, which found five items (doubleclick; fastclick; mediaplex; advertise.com; and another...). Seems like the hanging stopped. I'll go through some of the general cleaning stuff again... rob
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you read the link I gave to you in my last message? I'm referring to How to Protect yourself from malware! See step 11
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may not be malware especially since your last logs were clean. Does it only freeze (a better word than hanging up which means disconnected) connected to the internet? Does it freeze in safe mode?

    Please run this: Using Sophos Anti-Rootkit and attach the log

    Do not toggle system restore yet as my previous instructions had mentioned, just in case we want to use it as a possible solution. It could be a non-malware issue, but let's see what the above rootkit scan finds.
     
  28. ffspiel

    ffspiel Private E-2

    Before I ran Spy-Bot, the computer was disconnecting even while not on the internet; after the cleaning, no disconnection. Will run Sophos. Also, I'm not sure if it occurs in safe mode... didn't try it as the cleaning took care of the disconnection. Finally, this may be important (?), Safe Mode took a LONG time to boot... frankly, I didn't even get it to my desktop even after waiting about 5 minutes; I waited longer than I had ever, then aborted the operation. This took place after following what I'd done in comment 22 I believe.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So now are you saying you no longer have this problem?

    Try using another user account (like the user account named Administrator).
     
  30. ffspiel

    ffspiel Private E-2

    Yes, Chaslang, no longer have the disconnection problem after the Spy-Bot cleaning... will forward Sophos log in a minute...
     
  31. ffspiel

    ffspiel Private E-2

    Here's the Sophos log. Also, was able to get onto Safe Mode within a normal amount of time; may have been a glitch when the computer rebooted last time... don't know, no problem now with disconnection or lengthy times with booting in Safe Mode.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All clean! I suggest you complete the final steps given in message # 23 now.
     
  33. ffspiel

    ffspiel Private E-2

    Chaslang,
    A quick question, in the midst of all this: is it still possible that an earlier Trojan may have changed files, been eradicated, and those files are still onboard, doing their thing (i.e.... zombie computer?) despite us having gone through our paces? Inquiring minds want to know....
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs you are clean! That is all I can tell you. However there are never any guarantees that a PC is 100% clean no matter how many tools you run to clean a PC. If you want that guarantee then you will have to fdisk (delete your partition) without backing up any data from this PC (backed up data "could" be infected and you are looking for guarantees), repartition, format and then reinstall (from original, not copies, Microsoft Windows XP SP2 CDs) to be sure that you are clean. And then on top of that, you must be sure that anything you reinstall afterwards is also from uninfected media and copies.

    Note: I don't know what a "zombie computer" is?
     
  35. ffspiel

    ffspiel Private E-2

    (Chaslang, disregard this reply)
     
    Last edited: Oct 17, 2007
  36. ffspiel

    ffspiel Private E-2

    Chaslang,

    I'm using the phrase "zombie computer" to describe a computer that's been infected and for whatever reasons following the infection has had files changed that allow other computers to access it remotely. The remote computer would then use my computer to run spams... to take financial information.... infect other computers within their system. My computer, for example, would act as a remote hub when I had no knowledge of it doing so, automatically from what I can gather.

    I'm not sure what the professional definition of such a computer is, but popular culture and news media have used the phrase "zombie" lately. I've come across the term quite a few times in PC forums and informative articles during my research into what could be ailing my computer; I used the phrase because I thought that was the proper slang that describes the activity I felt my computer is suspect of. If you haven't seen the word or have heard the phrase, then I suggest you google it and see what you come up with...

    The gist of my initial question was this: if the computer got infected with a "bot" or virus or whatever, I was wondering about the feasibility of some program being created (like a "fake" iexplore.exe type file) despite the malware having been taken care of. This would be analogous to someone getting a flesh-eating bacteria infection, killing the infection with antibiotics (taking care of the initial problem...), but being left with the physical repercussions of the damage: continuing tissue death, skin grafts, organ damage and physical debilitation requiring rehabilitation. My use of Comodo, in relation to how my computer is acting, especially with the number of times iexplore.exe is asking to be used, just leaves me suspect that there's maybe something still going on with my computer. Maybe my computer is acting normal... maybe not... the truth is I have no idea and at this point I'm not quite sure what "normal" is; I'm mainly hesitant to "allow" the wrong circumstance of iexplore.exe to do the wrong thing while Comodo is going through its initial paces, I'm afraid that by doing this I'm giving some hacker in Romania keys to my personal information at his or her whim...

    I understand your answer, and understand the remedy, but I feel my concern (and my question...) are legitimate given what my computer's been through, the information I've lost, and the current state of computer security in general. I feel that for every one of me, your common user without a lot of technical knowledge, there's others out there who have the same questions or concerns, going through the same steps to remedy the problem. In the technical world of computers, we (novices) look to you for the technical answers we need to get us out of our pickles. That's why we're both here, I guess...

    Thanks for your and Abri's help, your expertise to this forum is invaluable. I'll go through the steps to do the final cleaning, see how Comodo does its thing thereafter, probably contact Comodo for some advice, and keep you posted on the outcome... Thanks again, I really do appreciate your help and time.
     
  37. abri

    abri MajorGeek

    Hi ffspiel!
    did you try and delete the following which Chaslang asked you to do in post 19? I'm wondering, because it's still showing in your newfiles log. If it's still there, please try and delete it.
    Also, what is in this folder? I don't like this one either, but at the moment, I only want to know what's in it:
    If delay problems developed and you want to go back to an earlier restore point, you can. Did running Spybot take away the problem of the computer disconnecting or of the computer being slow to boot into safe mode or both? If you go back to an earlier restore point, you will lose whatever steps you did up to that point and you can then repeat them or not, and see if you end up with the same delays. Either way, please post us new HJT and newfiles logs so we can see where your computer stands.

    Microsoft Works is showing in your uninstalls list in the newfiles.txt log. It should be in the list of add/remove Windows Components, which is a separate list from add/remove programs. You get to the Windows Components list by going into add/remove programs and then clicking on the button called add/remove Windows components. If it's not there, then it doesn't matter.

    abri
     
  38. ffspiel

    ffspiel Private E-2

    Hi Abri,

    Welcome back! I did do what was requested in #19; my response to the actions taken was mentioned in #22. As stated, a couple of things weren't there, so I did what I could.

    As far as the SecTaskMan file, I looked at it and have no clue what it is, but given the files around it, it doesn't look familiar to me or that important for that matter. It has sixty-two files within the folder and is 35.6 KB in size with each file being anywhere from 519-622 bytes. When the main folder is opened, the first file is identified as such: icn_0A0CBF02061341F438DEA347BBB6C813; the other files are similar in identification. The icons are generic Windows icons. When an individual file is opened, an "Open With" Windows box pops up. I've tried to open with a number of programs given, won't work. Googling this folder name pops up as a possible malicious file on other informational web sites apparently.

    Running SpyBot both corrected the disconnection problem and the lengthy (or at least severely lengthened) boot in Safe.
     
  39. ffspiel

    ffspiel Private E-2

    Hi Abri,

    Welcome back! I did do what was requested in #19; my response to the actions taken was mentioned in #22. As stated, a couple of things weren't there, so I did what I could.

    As far as the SecTaskMan file, I looked at it and have no clue what it is, but given the files around it, it doesn't look familiar to me or that important for that matter. It has sixty-two files within the folder and is 35.6 KB in size with each file being anywhere from 519-622 bytes. When the main folder is opened, the first file is identified as such: icn_0A0CBF02061341F438DEA347BBB6C813; the other files are similar in identification. The icons are generic Windows icons. When an individual file is opened, an "Open With" Windows box pops up. I've tried to open with a number of programs given, won't work. Googling this folder name pops up as a possible malicious file on other informational web sites apparently.

    Running SpyBot both corrected the disconnection problem and the lengthy (or at least severely lengthened) boot in Safe.

    Will run HJT and newfiles... will post next response....
     
    Last edited: Oct 17, 2007
  40. ffspiel

    ffspiel Private E-2

    Abri,

    Here are the logs as requested.

    I found and removed PC Tools folder. SecManTask folder is pending removal per your review. I can remove MS Works in my Add/Remove programs, but tell me again, why do you want me to do this? I'm a little leery to remove MS Works: I've got kids that use it daily; first I have to find the original disc (... now where did I put it?!!!!....); and then contact MS each time I reload it as it's a version meant for teachers/students and is limited to the number of computers it can be placed on at home (... or whatever the criteria MS uses to have me do it...)... but I'll remove it if you want. Thanks! -rob
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is from installing Security Task Manager! ;)
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have any signs of a fake iexplore.exe file on your PC. Comodo is just asking you if you want to allow Internet Explorer to have internet access. You need to approve this and tell it to always take the same action or it will keep asking you this question. This is standard behavior for a firewall.
     
  43. abri

    abri MajorGeek

    When you ran SpyBot, did it find things that needed fixing and, if so, did you have it fix anything? If it found anything, what did it find? The delay you mentioned and the grinding sound you mentioned Spybot making seem to be a problem with a recent update of Spybot. Mine's doing that too. It sounds to me like it might be activating the diskette drive briefly. Do you have a diskette drive? Or it is doing something similar with the hard drive. I haven't had time yet to check their forum about it. It's not something that will damage your computer. Just annoying.

    In the past few days, each time we have you remove a piece of security software, another one appears. Now I see webroot in your Application Data:
    This application is part of SpySweeper. It was not on your computer on Monday. Did you install SpySweeper or maybe go back to an earlier restore point where it had been installed? If SpySweeper and the Security Task Manager are in add/remove programs, please uninstall them. If they aren't there, please tell me, but don't do anything further about them.

    What we would like to achieve is for you to have an adequate number of security programs on your computer without having too many. At the moment, you should have Comodo as your firewall and AVG for your antivirus and antispyware. Additionally, it's all right for you to leave Spybot in there. Everything else that is related to security should be out of your computer now so we can see how it's running with just those three things. Your logs look good. There's no evidence that anything is amiss except that these security programs keep appearing. If they are being reinstalled by you or coming back in because of returning to an earlier restore point, that's an acceptable explanation. If they are appearing without explanation, that is not okay.

    If you are using MS Office on your computer, you may not be using MS Works anymore. By unchecking it in the add/remove Windows components list (gotten to through the add/remove programs list and then by clicking on the add/remove Windows Components button), you do not uninstall MS Works, you simply turn it off. If you find there is something in MS Works you still need, you simply go back to the add/remove Windows components list and check it back on. It is a feature offered by Microsoft which allows you to make a piece of their software inactive without removing it.

    abri
     
  44. ffspiel

    ffspiel Private E-2

    Abri,

    Thanks for your diligence.

    When I ran SpyBot, it did remove a number of cookies or ad-ware, I believe; their names were listed in reply #19. The disconnection/hanging problem is no longer plaguing me and I believe it was the ad-ware that was causing it; I got the ad-ware as a result of my daughter having picked it up while she was either on MySpace or YouTube.

    I installed Webroot (Webroot SpySweeper, specifically) because my AVG didn't protect me from the adware my daughter picked up during her browsing. My version of AVG is the free version and doesn't have the resident shield; it seems to only act as a passive scan to clean after the fact, no preventative action as it is.

    MS Works is the software suite that holds: MS Office, MS Word, MS Excel. We use MS Word all the time, but frankly, we don't use the other components nearly ever. One thing you might be seeing in your log is the MS Office update/patch (number 3?) which may be queued for updating on my computer.

    MS sent the update notification about a week ago, and I downloaded 2 of the three things MS sent in the update, but I haven't gotten to move through the third and last step because it's asking for the original disc; I'm having a tough time finding it.

    I'll continue looking for the MS Works disc, update the file, and see if that takes care of what you're seeing in my log. Will keep you posted. Thanks Abri....

    Incidentally, do you want me to lose SpySweeper and try another spyware program of your familiarity in lieu of keeping SpySweeper? I really don't have any active protection with AVG currently, as stated above. I'd like a recommendation for an anti-spyware program that you like (if not, I can look at your software download section... I know you guys have got stuff there, if SpySweeper isn't really preferred). Thanks, rob
     
  45. abri

    abri MajorGeek

    Hi ffspiel!

    You are probably right about me seeing MS Works wrong.

    YouTube and MySpace carry pretty much the same risks with them as p2p programs. AVG free gives adequate protection as long as you follow the regular cleaning procedures outlined in "How to protect yourself from malware". It runs well with the firewalls. Spyware Blaster is a good background tool. Please read through that sticky and see if you find tips in there that are helpful for you. Those recommendations are our best ones.

    abri
     
  46. ffspiel

    ffspiel Private E-2

    Abri,

    I've removed the SpySweeper and added Spyware Blaster; I really had no active protection as far as spyware was concerned, so I'm happy that I now have something that's compatible with firewalls, prevents spyware AND is free.

    Just noticed something: I re-installed Comodo, this being the original plan when all this started, and it doesn't seem to be acting up as it did with my initial installation in the last week or two... maybe whatever was plaguing my computer is now gone?!! (Note: I didn't have Webroot SpySweeper installed when the initial problems with my Comodo were noted, but I have removed and cleaned stuff per your direction... with success apparently!).

    I'm not cutting the umbilical yet..., I'll look for the Works disc and begin to finalize the cleanup per Chaslang's instructions, back in #23, I believe... Thanks, Abri!
     
  47. abri

    abri MajorGeek

    Hi ffspiel!
    If your computer is working well at this point, this would be a good place to set a new restore point (if we haven't done that already), so you can always come back to this known state. At that point when things are working, I try to do as little as possible. :) If things seem to work well for a week or so, that would be a good point to defrag after all the recent installations and deinstallations.
    abri
     
  48. ffspiel

    ffspiel Private E-2

    Things seem to be working at present, Abri. I've been at work the last couple of days, so I haven't been able to check things out. Comodo seems to be working well, so I think things are pretty much mended. I'll email you with a final follow-up in a couple of days.

    Your work here (yours and Chaslang's, and everyone else's...) is so valuable to us here in our homes, dormitories and places of employment. I really want to thank you for your time and valuable service.... thanks again for your patience and your diligence with making my computer problems so personal on your end. Thanks again... rob
     
  49. abri

    abri MajorGeek

    You're welcome! :)

    Don't forget to put in a clean restore point: Disable and Enable System Restore!


    After that, create a new one every so often (like before you install a piece of software) without going through the disable and enable process. That will give you several to choose from.

    abri
     
