Problem with IE

Discussion in 'Malware Help (A Specialist Will Reply)' started by traveler9, Jan 26, 2009.

  1. traveler9

    traveler9 Private E-2

    Hello, I'm a newbie, so please bear with any mistakes of forum/thread etiquette.

    My problem(s) started about six months ago after attempting to download some torrent files. I'm sure I must have clicked on something that I should have known better, aside from the stupidity of merely sharing files with strangers. But, I don't recall the specifics anymore.

    Almost immediately I started getting pop-up ads in new windows when I was in Internet Explorer and in what appeared to be new IE windows even after closing IE. Additionally, my CPU performance would eventually be maxed out to 100%, effectively freezing my laptop. However, all of this would not happen after re-start until I opened IE. (If I went right to Firefox, nothing would happen.) I checked the Task Manager Processes when it was happening and found many multiple processes of iexplore.exe running at significant usage rates driving the CPU to 100%. I tried ending these processes but they would typically come back in seconds unless I got them all really quick... lol.

    I figured I had some kind of virus that was disguising itself as IE to get out and open these ads. In fact, I even watched what I guess were "command paths" appear for a split second before changing to iexplore.exe in the TM processes, but, not all of it would appear and I couldn't write it down fast enough. However, I did catch pieces of it which I saved. I think this was one of them:

    C:\Documents\\Bill\Applications\\ballab~TYPEMP-1.EXE

    I don't recall what was caps or lower case and I'm not even certain that is the right one. (I'm really new to computers.)

    Anyway, I ran AVG8, SAS, MBAM, and Spybot S&D all to no avail. I read some threads and went looking for false programs files and command paths and such, but, I didn't really know what I was doing. Finally, I gave up, ignored IE and stuck with using Firefox.

    Around November, right after the mid-cycle MS/Windows Update "emergency" patch for what was a highly publicized new exploit at that time, I noticed that the pop-ups and multiple iexplore.exe were no longer occurring. Instead a dialog box would open in IE informing me that "the current web page is trying to open a new site on the internet. Do you want to allow this?" (Click Yes or No). If I clicked NO, the box would close and I could continue. However, typically two or three dialog boxes would open and need to be closed before I could continue.

    Mildly annoying, however, there were no more multiple iexplore.exe processes overloading my CPU either and I'd made no other progress finding the nasty that was doing it so, I decided to live and let live for a while as I just didn't have the time or money to do anymore.

    Then I discovered this website and bleepingcomputer.com and noticed admin/helpers actually solving people's problems with HJT logs, etc. and decided to check it out. So, here I am.

    So far, I have followed all the instructions on your READ ME FIRST to the letter as best I could. I set up SAS, MBAM, AVG8 and S&D and ran them, unhid files, updated Java, etc etc etc. I have run ComboFix and created logs for all which I will attach here. I have not run MGTools yet because I am not sure about how the computer needs to be configured, i.e. firewall off, active scanning off, etc. like for ComboFix? And I have seen bleepingcomputer.com helpers tell folks to boot up in safe mode before running HJT, etc. So, should I keep my computer configured the same as for CF when running MGTools or what?

    Thank you in advance for your help.

    PS ~ For what it is worth, CF apparently deleted an "mdm.exe / Rbot" trojan/virus and no dialog boxes yet. However, they have gone dormant before. In any case, I know there are probably Registry entries, keys and values that need deleting as well, so, please let me know what to do.

    PPS ~ Please find CF log attached. However, I'm not sure how to browse for SAS, MBAM, AVG logs to attach so I will figure that out or create documents and attach on the next post with MGTools log.
     


  2. traveler9

    traveler9 Private E-2

    PPPS ~ All the other scans found NOTHING! (And they are all the latest updates and versions.) ComboFix is the only tool that seems to have found anything yet!
     
  3. traveler9

    traveler9 Private E-2

    Here are the rest of my logs.

    Thank you in advance for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why would you wait so long to get this fixed??? Doing this makes it much much harder for us to find and remove your problems. Many scans we use are looking for new files/folders. Something that is 6 months old is not going to show up since it is not new. Thus there may be things that we just are not going to see now.

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Spybot - Search & Destroy 1.5.2.20

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
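
The HijackThis lines picked out above share a few recognisable patterns: orphaned toolbar/button entries whose CLSID points at "(no file)" or "(file missing)", O6 Internet Explorer policy restrictions, and O4 Run autostart entries. As an added example that is not part of this thread or of HijackThis itself, the following Python script parses such lines and sorts them into those categories; the sample log is constructed from the lines quoted in this post and the next reply.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines copied from this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# "O<n> - <body>" is the shape of every HijackThis finding line.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: "<hive>[\<sid>]\..\Run: [<name>] <command>"
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    section: str   # O3, O4, O6, O9, ...
    category: str  # orphaned | ie_policy | autostart | other
    detail: str


def classify(line):
    """Classify one HijackThis line; returns None for blank/unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    # Entries whose target no longer exists: dead CLSIDs left behind by
    # removed software or earlier cleanups. Safe to remove, nothing to run.
    if "(no file)" in body or "(file missing)" in body:
        return Finding(section, "orphaned", body)
    # O6 = IE restrictions set through policy keys; on a home PC this is
    # usually malware (or a previous infection) locking down the browser.
    if section == "O6":
        return Finding(section, "ie_policy", body)
    # O4 = autostart entries; record which hive/user launches what.
    if section == "O4":
        r = RUN_RE.match(body)
        if r:
            return Finding(section, "autostart",
                           f"{r['hive']} {r['name']} -> {r['cmd']}")
        return Finding(section, "autostart", body)
    return Finding(section, "other", body)


def triage(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]


def summarize(log_text):
    """Count findings per category, e.g. {'orphaned': 3, ...}."""
    counts = {}
    for f in triage(log_text):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def fix_candidates(log_text):
    """Entries with no live file or policy lockdowns: the ones a helper ticks to Fix."""
    return [f for f in triage(log_text) if f.category in ("orphaned", "ie_policy")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.category:10} {f.detail}")
```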
     
  5. traveler9

    traveler9 Private E-2

    Hi chaslang,

    Actually, upon reflection, it's been more like 3-4 months, not six. And, more to the point, I didn't "wait". To clarify: as I was getting ready to purchase a new laptop anyway, I decided to treat this as an opportunity to educate myself wrt to troubleshooting and attempt to address the issue(s) myself. I realize that probably sounds like trying to teach oneself brain surgery skills, but, I do have an EE degree and, typically, I'm fairly successful at teaching myself whatever I choose. That... and the company IT guy wouldn't return my calls for help with my personal computer. :(

    That said, although I studied BASIC, FORTRAN, COBOL & C in college, that was 30 years ago, before the advent of the WWW, and I joined the world of business after college anyway, hence, my computer skills are somewhat, erm... dated, to say the least. In fact, this machine is my first personal computer ever, which I use mostly for email and, more recently, downloading movies. Learning about Torrent protocol tricks on utorrent is pretty much the bleeding edge for me.

    And, to be fair, there's really only so much one can learn while able to devote all of 30 whole minutes a week to becoming a computer expert... lol. Discretion being the better part of wisdom, when I discovered your website three days ago, I chose to stop deluding myself and punt. In all honesty, had I realized the passage of time would make this/your job more difficult, I would have harassed my own IT guy more. However, at least this way I can still tell him I did it myself. rolleyes

    Ok, I've created shortcuts for everything on the Desktop (except IE and Recycle Bin). Is that what you meant by "links"?

    I guess I can move IE to a (Windows?) Programs folder since there is a quick-start shortcut at the bottom. It seemed logical to create sub-folders in the system Programs folder for everything else. Was that the best choice? Or should I put them under Windows Programs?

    Recycle Bin doesn't seem to offer me the option of creating a shortcut... ?

    I've also begun going through and deleting programs I don't use. I'm a pack rat at heart, so, that will be an ongoing process.

    Also, I've downloaded Spyblaster but haven't had a chance to install it yet. And apparently a Drivers program that I don't recall. I don't remember if the Drivers thing was something you recommended or something my inebriated brain thought sounded good one night. What do you think about the Drivers thing?

    Finally, please, what (free) Firewall do you recommend as best? All I have is what came on the machine.

    Alright, without further ado, please find the logs you requested attached below and thank you very much for all your help so far and any yet to come. Have a better one.

    Cheers,

    BH


    PS ~ As for how the machine is running now... the pop-ups/dialog boxes have not returned since the first time ComboFix ran and found the mdm.exe Rbot. Otherwise, I haven't noticed new "warp speed" boot ups or surfing. Maybe a little faster? The Smart Defrag program is definitely way better than MS/Windows. Even I could see that was a POS from day one. I'll have to let you know if tonight's tweaks make more of a difference after I get a chance to play around some.

    PPS ~ I'm assuming it is safe to leave these logs posted up here? Nothing private or that might be used against my machine?
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most likely it would have been a waste of time since most of them do not have a clue when it comes to malware problems.


    No! I meant the below do not belong on your Desktop. Move them somewhere else if you wish to keep them and do not download things to your Desktop anymore.
    Code:
     "C:\Documents and Settings\Bill\Desktop\"
    avg_ip~1.exe  Oct 26 2008    57949552  "avg_ipw_stf_en_8_196a1383.exe"
    ccsetu~1.exe  Jan 25 2009      920792  "ccsetup215_slim.exe"
    defrag~1.exe  Jan 25 2009     2558984  "DefragSetup.exe"
    driver~1.exe  Jan 25 2009     3172744  "driverscanner.exe"
    mb-setup.exe  Oct  8 2008     2189864  "mb-setup.exe"
    regist~1.exe  Jun 23 2008      479488  "registry-defrag.exe"
    smplay~1.exe  Dec 26 2008    12799855  "smplayer_0.6.5.1_setup.exe"
    smplay~2.exe  Jan 24 2009     6949405  "smplayer_codecs_20071007.exe"
    spybot~1.exe  Oct  8 2008    14968808  "spybotsd160.exe"
    stella~1.exe  Feb 27 2007    17372875  "stellarium-0.8.2.exe"
    supera~1.exe  Oct  8 2008     6637592  "SUPERAntiSpyware.exe"
    vlc-09~1.exe  Jan 24 2009    16320472  "vlc-0.9.8a-win32.exe"
    You don't need to move IE or Recycle Bin as they were already shortcuts. And no, you should not be saving anything in the C:\Windows folder nor in the C:\Program Files folder, which is only for installed programs.

    Maybe an example of what I always do would better illustrate what I mean. I create a Downloads folder, like

    C:\Downloads

    Under this folder I create categories of subfolders, like:

    C:\Downloads\AntiVirus
    C:\Downloads\AntiSpyware
    C:\Browsers
    ..... etc

    And under those folders there are more category subfolders to contain the specific downloads. Like

    C:\Downloads\AntiVirus\AVG
    C:\Downloads\AntiVirus\Avast
    C:\Downloads\AntiVirus\McAfee

    And under them may even be more specific folders like:

    C:\Downloads\AntiVirus\AVG\AVG AntiVirus Free Edition 8.0 Build 175a1382
    C:\Downloads\AntiVirus\AVG\AVG Anti-Virus Update December 15, 2008
    C:\Downloads\AntiVirus\AVG\AVG Internet Security 8.0.93.1283

    I think you get the point of the above. At any given point in time, I can always tell exactly what I have downloaded because the folder names (like a file cabinet) tell me exactly what I have. Even after months without looking at some file, I know exactly what it is because of where it is located. Example: if I had simply downloaded and saved WDC3Setup.exe to My Documents or to my Desktop and then a few weeks or months later saw it, I would be wondering, what the heck is this..... is it safe to run it to find out what it is??? However by my method, it is not saved to My Documents, it is saved like this:

    C:\Downloads\Drive-Cleaners\Wise Disk Cleaner 3.7.4\WDC3Setup.exe

    That is rather self-explanatory on what it is. ;) And it is in a safe place where nothing will delete it by mistake.


    Uninstall Spybot - Search & Destroy 1.5.2.20 which is the old version and you now have the current version installed from running our procedures.

    Don't need it.

    In a link in my final instructions you will see a list of them.

    Startup speed is a different issue and this is not a malware problem when no malware is present. Your logs are clean now. You need to decide which things you really want to load at startup. I definitely would not allow the below to load at startup if it were my PC:

    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe


    No problems leaving the logs like tens of thousands before you. ;)





    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  7. traveler9

    traveler9 Private E-2

    Ok, I get the whole "what to do with downloads" deal. Good stuff. Thank you. However, I'm still missing the answer to my intended question. So, to restate and clarify... precisely what are you saying should be, or is ok to be, on my desktop?

    You said I should create 'links', I took that to mean "shortcuts". I am now tentatively qualifying my understanding as "shortcuts to installed programs" (as opposed to downloaded installer programs). But, are you saying I should remove everything but IE and Recycle Bin? I don't think you are saying that, but, it isn't really clear. So... what, in your opinion, should be, or is ok to be, on my desktop? Is it ok to have shortcuts to installed programs on my desktop?

    Long gone before my last post. ;)

    Yeah, I saw that. I was hoping for an opinion on the best one for me. I suppose I'll muddle through somehow. :p

    Done and done.

    However, a question please: that DNA program claims to increase downloading speeds even for non-torrent files/applications. What is the deal with that? True? And, is there some danger or merely slowing start-up or other operations?

    And, another... I have repeatedly deleted the WMPNSCFG entry and it seems to regularly reappear of its own accord, perhaps after updates? Previously I stopped the reg change with Teatimer, but, that's gone now, so...?

    Okee-dokee. I haven't completed the rest of the final steps yet, but, I will give you one last update or let you know of any difficulty. Thanks again for all your help.

    BH
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can have shortcuts to installed programs on your Desktop. When you install most programs, they already create or may ask to if you want them to create a shortcut on your Desktop. Like Ccleaner, SUPERAntiSpyware, Malwarebytes, Spybot Search & Destroy all did when you installed them. These are okay to have on your Desktop if you want them there. If you don't want those shortcuts on your Desktop you can delete them and run them via the Start, All Programs selection when you want to run them. You should not be creating shortcuts ( or links) to the installer programs.

    Everyone has different opinions and also PC specs. So what may work fine for me may not fit into your needs. You could try Jetico or PC Tools (observe the notes/comments).


    False claims! And it leaves your PC open to connections from everyone in the world and thus slows down both your upload and download speeds and overall PC performance. Also, you stand the risk of your ISP shutting you down since you are using their connection as a server which is more than likely illegal according to the contract you signed with them. In addition downloading via torrents and P2P programs is the largest single cause of people coming here to have malware removed from their PCs.

    Software Forum would be a better place but there may be a way to configure it not to load. I rarely if ever use Windows Media Player so I could not say. All I know is on the 25 or so PCs I use, it does not load on any of them. You probably allowed it to configure the network sharing feature which most people have no need of using. You need to disable it. The service probably needs to be disabled using services.msc from the run box..... but as I said, this is something to discuss in the Software Forum.
     
    Last edited: Feb 7, 2009
