Two Problems That Are Killing My IE11

Discussion in 'Software' started by techtitan, Jan 24, 2016.

  1. techtitan

    techtitan Specialist

    Hello there! First let me say thanks to everyone who recently attempted to help me out with my issue in this thread: http://forums.majorgeeks.com/index.php?threads/my-google-has-gone-rogue.296520

    After running through the "Malware Removal Guide" and confirming it was not malware related, I've been advised to start fresh here and see if I can get answers to the problem. I'll recap everything I'm experiencing with my original issue, and the new issue that popped up as a result of the steps from the "Malware Removal Guide." Hopefully I can nip this in the bud once and for all.

    ISSUE #1:

    Last week during a routine Google search, I noticed something extremely strange. When trying to find out a good port to make outgoing calls with Skype, I found my results returned from Google were completely erratic. The first several at the top of the page were almost as if the system had returned some kind of hi-jacked adware page. However, if you scrolled down just a bit, it would pick up the normal search results. I did some tests and found this happens in BOTH Internet Explorer and Google Chrome, but not in Firefox (also using other search queries besides the one relating to Skype).

    I know this may be hard to follow from the description above, so allow me to illustrate things.

    When typing the phrase "best port for Skype" into the Google search bar using Firefox, it gives me a normal results page like so:

    http://i288.photobucket.com/albums/ll185/mrbucket_bls/google_firefox_zpswejipj8o.jpg

    Now, if I were to type that exact phrase into the same Google search via either Internet Explorer or Google Chrome, I get the following results instead (also note Google itself is not functioning properly, with the colorful "Gooooogle" icons at the bottom going missing for some reason):

    http://i288.photobucket.com/albums/ll185/mrbucket_bls/google_ie-chrome_zpsp3muuwmx.jpg
    http://i288.photobucket.com/albums/ll185/mrbucket_bls/google_ie-chrome2_zpsmsgcjbti.jpg

    The first suggestion was to reset Internet Explorer, which I did, and that removed all my tracking protection and disabled all my add-ons. It seemed to help at first, but now it's right back to doing the same thing as depicted above and everything's still off. So it must be something else. I'm sure this must be traceable down to some root cause, I just need to dig down and figure it out (with your help of course)!

    ISSUE #2:

    After following the "Malware Removal Guide" and taking the suggestion to reset IE11 as described above, things later went haywire. When I did this it for some reason completely FUBARed most of the webpages I now visit. I'm not sure what happened, but page layouts are completely broken and don't load correctly anymore since then (even though they did before). Take a look at these two examples to see what I mean:

    http://i288.photobucket.com/albums/ll185/mrbucket_bls/IE11_probs_zpsyyi2uvnz.jpg
    http://i288.photobucket.com/albums/ll185/mrbucket_bls/IE11_probs2_zps5smp1t4f.jpg

    This new problem (as a result of my time in the malware forum), combined with my original, has rendered this browser completely inoperable. It's pretty important to my job and several big projects, so I'm willing to do whatever it takes to get this back up and running. Please let me know what my next steps should be.

    Thanks!
     
  2. Anon-9aee479f8f

    Anon-9aee479f8f Anonymized

  3. techtitan

    techtitan Specialist

    Thanks for the response. I actually already have Windows Repair from Tweaking.com on my computer and use it quite regularly (to clear out things like my temp files and repair the occasional corrupted icon here or there). But I'd need a little more info on how exactly to target it towards this specific issue before I can run it. Any thoughts?
     
  4. Anon-9aee479f8f

    Anon-9aee479f8f Anonymized

    It has been a long time since I have used Tweaking.com and I am no expert by any means. If there is an experienced user here please reply. I do know it was user friendly and I had no issues. I know you should make sure you are using the latest version Version 3.8.1 as it will have fixes older versions may not have. Follow the instructions to the letter that appear on the screen. It should tell you everything you need to do as you go through the process. But if you have already used it before you probably know this already.
    Good luck.
     
  5. techtitan

    techtitan Specialist

    In the interest of leaving no stone unturned (and knowing I'm doing everything on my part to help resolve this issue and carry my wait here), I decided to give your suggestion a try. I updated to the latest version of Windows Repair and ran all the pre-scans/file system checks/checkdsk scanners suggested by the program, finally repairing Internet Explorer from Safe Mode (even running it twice as Tweaking.com suggests). Unfortunately, there was no change. There was a CMD prompt dialogue that popped up saying it "...couldn't find the specified registry key or value", but when I went back and checked the Windows Repair post-scan log, it didn't seem to return any errors and appeared to have run the fix to completion. I'm doubting I'll get many more answers from Windows Repair.

    I even thought there might be an issue with Adobe Flash, so I completely uninstalled it and did a complete re-install. But that had no impact either. So I'm still in a holding pattern awaiting guidance from the Geeks.
     
  6. Anon-9aee479f8f

    Anon-9aee479f8f Anonymized

    Sorry it did not fix it. Hopefully someone here will be able to advise you on the matter.
     
  7. Anon-9aee479f8f

    Anon-9aee479f8f Anonymized

    What version of Windows are you using?
     
  8. Eldon

    Eldon Major Geek Extraordinaire

    Have you tried re-installing Internet Explorer?
     
  9. techtitan

    techtitan Specialist

    No, but I'm certainly willing to try. The problem is, anything relating to Internet Explorer (IE 11 to answer the question above) either came pre-packaged with my Windows 7 install disc or was updated through the Windows Update service. Where would I even obtain a stand alone installer for IE11 from Microsoft? Also, I assumed I'd need to do a clean install by removing all the traces of the browser first (or could I just do an install over it and see what happens)?
     
  10. Eldon

    Eldon Major Geek Extraordinaire

  11. techtitan

    techtitan Specialist

    Yeah, that's what I meant. Windows auto-updated it to IE11 over the summer I believe.

    As for the version, should I not download the 32-bit version and install that since that's what I'm currently using as my default browser? I've never used the 64-bit version as I've read that there is better compatibility overall with the 32 bit vs. 64. However, could I just install both to ensure I have access to both browsers and that they are simultaneously cleanly installed (since this problem is also present in both, I tested that today)? Also, do I need to do a clean install and try to wipe IE from the system first or will just installing over it hopefully fix things?

    Thanks for the info!
     
  12. _nullptr

    _nullptr Major Geeky Geek Geek

    Try launching Internet Explorer with all add-ons disabled.
    Open the Run box (windows key + R) and enter: iexplore -extoff
    Do you still have the same problem when browsing to sites?
     
  13. techtitan

    techtitan Specialist

    Yes, we unfortunately ruled that out long ago in my first thread I linked to above. I just tried it again to double check, but to no avail.
     
  14. Eldon

    Eldon Major Geek Extraordinaire

    You're using Windows 7 64-bit. I would go with IE11 64-bit.
    First try to install it without uninstalling the current version.
     
  15. _nullptr

    _nullptr Major Geeky Geek Geek

    In your MGlogs I noticed an entry for Internet Explorer that would act as a proxy. Did you knowingly set the following entry?
    Code:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost.world/localhost.local

    localhost.local
    Code:
    function FindProxyForURL(url, host) {
       ba = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (ba.test(url)) { return "PROXY 69.197.188.122:8484" }
       bb = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;if (bb.test(url)) { return "PROXY 69.197.188.122:8484" }
       bc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (bc.test(url)) { return "PROXY 69.197.188.122:8484" }
       bd = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bd.test(url)) { return "PROXY 69.197.188.122:8484" }
       be = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;if (be.test(url)) { return "PROXY 69.197.188.122:8484" }
       bf = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bf.test(url)) { return "PROXY 69.197.188.122:8484" }
       return "DIRECT";
    }
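
An added example, not part of the original thread: a Node.js probe that loads the PAC script quoted above and reports which URLs it would send through a proxy. The sample URL list is constructed, and the helper names (`loadPac`, `probePac`, `proxyEndpoints`) are hypothetical.

```javascript
// Added example (not from the thread): probe a PAC script with sample URLs
// and report which of them it diverts to a proxy.

// The FindProxyForURL body quoted in the post above, embedded as text.
const PAC_SOURCE = String.raw`
function FindProxyForURL(url, host) {
   ba = /^https?:\/\/www\.google\.[a-zA-Z.]+\/?$/;if (ba.test(url)) { return "PROXY 69.197.188.122:8484" }
   bb = /^https?:\/\/www\.google\.[a-zA-Z.]+\/\?(.*)$/;if (bb.test(url)) { return "PROXY 69.197.188.122:8484" }
   bc = /^https?:\/\/www\.google\.[a-zA-Z.]+\/search\?(.*)$/;if (bc.test(url)) { return "PROXY 69.197.188.122:8484" }
   bd = /^https?:\/\/www\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bd.test(url)) { return "PROXY 69.197.188.122:8484" }
   be = /^https?:\/\/www\.google\.[a-zA-Z.]+\/s\?(.*)$/;if (be.test(url)) { return "PROXY 69.197.188.122:8484" }
   bf = /^https?:\/\/cse\.google\.[a-zA-Z.]+\/cse\?(.*)$/;if (bf.test(url)) { return "PROXY 69.197.188.122:8484" }
   return "DIRECT";
}`;

// Constructed sample URLs: Google search pages plus unrelated sites.
const SAMPLE_URLS = [
  "https://www.google.com/",
  "https://www.google.com/search?q=best+port+for+skype",
  "http://www.google.co.uk/search?q=test",
  "https://cse.google.com/cse?cx=1",
  "https://mail.google.com/mail/",
  "https://www.bing.com/search?q=test",
  "http://forums.majorgeeks.com/",
];

// Compile the PAC text into a callable. new Function gives no isolation,
// so use it only on a script you have already read, on an analysis machine.
function loadPac(source) {
  return new Function(source + "\nreturn FindProxyForURL;")();
}

// Ask the PAC for a routing decision for every URL.
function probePac(source, urls) {
  const findProxy = loadPac(source);
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const decision = String(findProxy(url, host)).trim();
    return { url, decision, proxied: decision.toUpperCase() !== "DIRECT" };
  });
}

// Collect the distinct host:port endpoints named in the decisions.
function proxyEndpoints(results) {
  const endpoints = new Set();
  for (const r of results) {
    for (const part of r.decision.split(";")) {
      const m = part.trim().match(/^(?:PROXY|SOCKS5?|HTTPS?)\s+(\S+)$/i);
      if (m) endpoints.add(m[1]);
    }
  }
  return [...endpoints];
}

const results = probePac(PAC_SOURCE, SAMPLE_URLS);
for (const r of results) {
  console.log(r.proxied ? "PROXIED" : "direct ", r.url, "->", r.decision);
}
console.log("Proxy endpoints:", proxyEndpoints(results));
```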
    
     
  16. techtitan

    techtitan Specialist

    I gave this a shot but I ran into a speed bump right off. I started by trying to install the version marked "Internet Explorer 11 for IT Professionals and Developers--Windows 7 64-bit Edition and Windows Server 2008 R2 64-bit Edition" (which is the one that was recommended by Microsoft). It said it couldn't run because another version was already in the process of being installed and that it detected a newer version already on my system. So I went back and gave the 32-bit download a whirl, but it said it was not compatible with my current build of Windows. Third time was a charm, as I downloaded just the plain version of IE11 for Windows 64-bit at the bottom of the list (without the extra server installer that came with the recommended option). I found it strange the install only lasted about 30 seconds, but it said it was successful and all I needed to do was restart to use my new browser. After high hopes and a reboot...there was no change I'm sorry to say. Any thoughts on my next move?

    Thanks for looking at my logs. To answer your question, no I've never seen any of that before and didn't make those changes. I suppose one of the programs I've installed over the years could have tweaked it. Could that be contributing to my wonky search results and broken Google pages? If so, how do I remove/correct that issue? Thanks!
     
  17. _nullptr

    _nullptr Major Geeky Geek Geek

    Close any running instances of Internet Explorer then do the following:

    Open notepad and copy/paste the content of the following code box:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"=-
    
    Save as type: All Files (*.*)
    File name: IEFix.reg

    Double click and allow it to merge with the registry.

    Next, go to Control Panel -> Internet Options, select the security tab and press the button at the bottom of the page 'Reset all zones to default level'
    Empty the internet cache, then launch IE and see if anything has changed.
     
    katkat likes this.
  18. _nullptr

    _nullptr Major Geeky Geek Geek

    Edit to the above, the IEFix should be:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"=-
    
     
    Eldon likes this.
  19. techtitan

    techtitan Specialist

    BOOM! You're seriously epic my man! With one simple shot you just knocked out both my issues! I can't thank you enough, as this was becoming quite worrisome and causing all sorts of stress on my end.

    Now that this fog has lifted, I would like to back track for a moment and attempt to get to the root cause here. I'm not sure how both my issues were related to this one fix (as the broken Google search happened first and the layouts didn't get broken until after I hit the "Reset Internet Explorer Settings" button in the advanced tab). I also only browse Sandbox online, as mentioned in my original thread. But I do know both problems were erased when that registry entry was merged.

    Looking back at the part of my log you uncovered, I'm not seeing anything pointing to a specific source of how that got this way in the first place. I know that I've installed several new programs in the last few months, but all have been trusted. For example, I switched from BitDefender to some other security program I didn't quite like (a name brand, think it was AVAST), until finally settling on AVG Internet Security 2015 back in December. I also installed VyperVPN, which came as a part of a free trial I recently signed up for. I'd been hearing a lot of virtual protection networks, so I figured I'd give it a try. But I've since run it a few times after this fix was implemented and it's not affected the results, so I can't see how that would have inserted these weird IE config settings into my registry. I know you can't give me specifics, but if I can have a general idea of where this sort of thing originates from, perhaps I can examine my setup and hunt down the culprit.

    Thanks again and I really can't sing _nullptr's (and all the other geeks who attempted to help) praises enough! Promote that guy! He had a keen eye and a quick fix that saved the day. :)
     
    Eldon likes this.
  20. techtitan

    techtitan Specialist

    UPDATE:

    Pardon my French, but damn it...damn it...DAMN IT ALL TO HELL! Lol, I have to laugh to keep from crying.

    It appears that we have treated the symptom but left the cause intact. I was doing some Google searching tonight and noticed those weird ads popped up at the top again. Upon further inspection, the page is all broken once more and it's right back to doing the same thing as before. But that's OK, because I AM GOING TO BEAT THIS! As the Geeks are my witness, I'll get to the bottom of this once and for all.

    Now, I could just re-run the same registry fix above, but I figured I'd use this opportunity to see if we can track down the root of the problem. I know that as early as this morning things were fine. The computer has sat all day pretty much unused, so it's almost like this had to have been hi-jacked again by either a program currently running on my system in the background or something I ran today for work (I could give you a list if you want).

    So, what's my next move. Any thoughts? Sorry to be such a burden rehashing the same old problem over and over.
     
  21. Bugballou

    Bugballou MajorGeek

  22. techtitan

    techtitan Specialist

    Hi Bugballou, thanks for the info. I read the entire article about the IP address you posted above (the one my traffic apparently keeps getting re-routed to) and I've done my best to make sense of it. Best I can tell, it says 69.197.188.122 is part of a malicious IP address ring that Microsoft recently busted (or tried anyway). What I can't understand is how my traffic keeps getting re-routed there. When I check my IP address online it's completely different than the one listed above, and after applying the reg fix to reset my registry settings above, my traffic was completely fine for a while. What do you recommend I do based on this data? Contact Time Warner about my IP address and how I connect? Should I disconnect my router and try to reset my cable modem (I did just buy a brand new Motorola surfboard and connect it last month, if that's relevant).

    That also doesn't explain why things were just fine for like a day or two after the fix and then BOOM, it all went downhill again. What is the root cause of that so I can zero in and eliminate it so my next fix actually sticks. Any guidance would be much appreciated!

    Thanks!
     
  23. Anon-9aee479f8f

    Anon-9aee479f8f Anonymized

    techtitan when you started this thread you indicated your problems were with Google and IE 11, right? Are you now saying you are getting redirected going to other websites besides Google?
     
  24. techtitan

    techtitan Specialist

    No, redirect is not exactly right. What I mean is that when things are working, my Google search results are all fine and the page layouts all work properly. But then suddenly (seemingly out of nowhere) that weird 69.197.188.122 IP address starts causing problems (not even sure what that is or where it came from, as it's not my current IP). I'm quite sure if I were to run the original registry fix _nullptr posted on the previous page, it would resolve the issue temporarily. But it keeps coming back.

    Please see my attached Google images on the first page (with the weird ads at the top of the search results that don't normally appear there and the broken page buttons at the very bottom) for reference. Also, this same issue is breaking the layout of other pages as well, also seen in the images I attached on the previous page. When I merge _nullptr's fix, it all goes away. But then after a day or so, it mysteriously starts happening again. My goal is to zero in on how it wormed its way back in in the last day or two when my activity has been very limited.
     
  25. techtitan

    techtitan Specialist

    UPDATE

    I just found another piece of the puzzle tonight. While setting up some things in Google Chrome tonight for work, I stumbled across the network settings (which just opens the standard config that ships by default with Windows which IE uses from the control panel). I noticed that in the LAN Settings under the Connections tab, the box for Use Automatic Configuration Script was checked and had the http://localhost.world/localhost.local there once again. I wasn't able to delete it for some reason (must be hardwired into some kind of file it's pointing back to somewhere) but I was able to uncheck the box. As soon as I did, BOOM! It fixes the page problems. If I recheck it, the problem comes back. So that's at least verification we've narrowed it down to this specific source.

    The question now becomes, where is it coming from?

    I got a tip from another staffer that he thought it was probably originating from some scheduled task running silently in the background that is reactivating it without my knowledge. I found this theory interesting and it makes sense. In looking back at the most likely window of when this could have happened, it would have probably been around mid-day yesterday. I checked in the scheduled task viewer under Admin Tools and sorted the most recently ran by time. Google Updater ran around that time yesterday, just before lunch (which is when I anticipate this occurred). Putting two and two together, would this make sense as the likely culprit since this only happens in IE and Chrome (not FireFox) and they both share the same Windows network info?

    I think we're getting close. Just a few more threads to pull on!
     
  26. _nullptr

    _nullptr Major Geeky Geek Geek

    I'll see if Autoruns can shed any light on the issue.

    Download Autoruns, create an Autoruns folder and extract the content of the zip file.
    • Right click on Autoruns.exe and select 'Run as Administrator'
    • Accept the licence terms if prompted.
    • As it begins to run, hit the Esc key to stop it.
    • Select from the menu -> Options -> Scan Options, put a check mark in 'Verify code signatures' and uncheck the other boxes.
    • Press the F5 key to refresh and allow Autoruns to run to completion.
    • Go to File > Save and save Autoruns.arn to somewhere convenient like your Documents folder.
    Zip the Autoruns.arn file and attach to your next post.
     
  27. techtitan

    techtitan Specialist

    Here you are my good sir, as per your request. Hopefully it leads to some answers. Let me know if you need me to do anything else and I'll jump right on it.
     

    Attached Files:

  28. _nullptr

    _nullptr Major Geeky Geek Geek

    I've found the culprit masquerading as a scheduled task for AVG.
    Rerun Autoruns as administrator, select the scheduled tasks tab and right click -> delete the following entry:
    Code:
    \AVG Internet Security Update       c:\users\windows seven\appdata\roaming\avg internet security\settings.ini   14/09/2015 9:26 AM
    
    Then navigate to c:\users\windows seven\appdata\roaming\avg internet security\settings.ini and delete the file.
    That settings.ini file is actually an obfuscated vbscript file that modifies specifically IE and Chrome.

    After that rerun the reg fix and also remove the rogue entry you found in Chrome.
     
    dr.moriarty likes this.
  29. techtitan

    techtitan Specialist

    I knew with a little time and patience (and faith in the Geeks), we'd be able to track down the root cause of this issue and eliminate it! Thanks again, _nullptr for your expertise and your keen eye (not to mention killer instinct). So I did everything suggested, reran the registry fix and things are once again back to smooth sailing. However, now that we've patched things up, I have high hopes this is the last we'll see of that nasty little annoyance.

    However, this does bring me back to square one. I'm looking at this thinking "How the F$&K could this happen on my system! I keep it on lock down with real-time protection, firewall, security/maintenance programs and my oh-so precious sandbox I never browse without!" If nothing else, this only strengthens my resolve to dig into where exactly this breach occurred, so I can trace it back and examine it to guard against it for the future. If not, who knows if this couldn't slip past me again one day unless I know what to look for.

    I hope you'll continue to give input on just two additional follow-up questions I have about this below, which I think will help me be more informed about what was/is going on with my system. They are as follows:

    1) The most pressing question is where did this little bugger come from. I examined the INI file, and it had a "created on date" of September 13. However, the AVG folder it was residing in wasn't created until almost three months later on December 27th (during the program's installation). Obviously that's not possible, unless it can run a script for a time-traveling Delorean we don't know about. Also, how did the scheduled task that ran the INI at startup get added to my background process in the first place? The same way and time as this INI was created I presume? If so, that still doesn't explain either of their origins. I've attached it in a zip if anyone wants to examine it.

    2) Being that this is just an INI file and can't actually do anything on its own, I checked the actions tab before we deleted it. Under "Start a Program" it lists C:\Windows\system32\wscript.exe and the "Add Arguments" say //nologo //B //E:jscript. Are these any leftover hazardous remnants used by this malicious bugger I should also clear out or are those just safe Windows items that should be left as-is?

    Thanks again for everything! I always know I can count on this forum!
     

    Attached Files:

  30. _nullptr

    _nullptr Major Geeky Geek Geek

    After deobfuscating the script, there's just another reg fix to run for complete removal.
    Do as with the previous reg file and paste the content of the following code box.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "EnableAutoProxyResultCache"=-
    
    [HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"=-
    
    Regarding your questions:
    (1) I'd only be guessing how it got on your system. The date of creation for any file can be easily spoofed. Just make sure no one executes any program cracks or plugs in an infected flash drive.

    (2) wscript.exe (windows script host) is a legitimate component of the OS, so there's nothing to be concerned about.
    //E:jscript just tells windows script host to use the javascript engine
    //B tells it to ignore any script errors
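
An added example, not from the thread or from Autoruns: a check, written in JavaScript for Node.js, for the pattern described above, a scheduled task that starts Windows Script Host with a forced engine against a file that is not named like a script. The task records are constructed; the first mirrors the thread's task, with the position of the file path inside the arguments assumed, and all function names are hypothetical.

```javascript
// Added example (not from the thread): flag scheduled-task actions that run
// Windows Script Host against a file that is not named like a script.

// Constructed sample records in the shape of a task's Exec action.
const SAMPLE_TASKS = [
  { name: "\\AVG Internet Security Update",
    command: "C:\\Windows\\system32\\wscript.exe",
    // Assumption: the file path follows the options quoted in the thread.
    args: '//nologo //B //E:jscript "c:\\users\\windows seven\\appdata\\roaming\\avg internet security\\settings.ini"' },
  { name: "\\Constructed\\NightlyReport",
    command: "C:\\Windows\\system32\\cscript.exe",
    args: '//nologo "C:\\Program Files\\Reports\\nightly.vbs"' },
  { name: "\\Constructed\\Updater",
    command: "C:\\Program Files\\Vendor\\updater.exe",
    args: "/silent" },
];

const SCRIPT_HOSTS = new Set(["wscript.exe", "cscript.exe"]);
const SCRIPT_EXTENSIONS = new Set([".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"]);

// Split a Windows argument string, keeping double-quoted paths together.
function splitArgs(args) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(args)) !== null) tokens.push(m[1] !== undefined ? m[1] : m[2]);
  return tokens;
}

function basename(path) {
  return path.replace(/^.*[\\/]/, "").toLowerCase();
}

function extension(path) {
  const base = basename(path);
  const dot = base.lastIndexOf(".");
  return dot > 0 ? base.slice(dot) : "";
}

// Return the findings for one task; tasks that do not start a script host get none.
function auditTask(task) {
  const findings = [];
  if (!SCRIPT_HOSTS.has(basename(task.command))) {
    return { name: task.name, findings, suspicious: false };
  }
  const tokens = splitArgs(task.args || "");
  const options = tokens.filter((t) => t.startsWith("//"));
  const script = tokens.find((t) => !t.startsWith("//"));
  const engine = options.find((o) => /^\/\/e:/i.test(o));
  const oddName = Boolean(script) && !SCRIPT_EXTENSIONS.has(extension(script));

  // An engine override lets the host run a file whose extension names no engine.
  if (engine) findings.push(`engine forced with ${engine}`);
  if (options.some((o) => /^\/\/b$/i.test(o))) findings.push("batch mode (//B) suppresses displayed errors and prompts");
  if (oddName) findings.push(`script operand has a non-script extension: ${script}`);
  if (script && /\\appdata\\/i.test(script)) findings.push("script sits in a user-writable AppData path");

  return { name: task.name, findings, suspicious: Boolean(engine) && oddName };
}

function auditTasks(tasks) {
  return tasks.map(auditTask);
}

for (const r of auditTasks(SAMPLE_TASKS)) {
  console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", r.name);
  for (const f of r.findings) console.log("    -", f);
}
```

On a live system the command and arguments would come from each task's `<Exec>` action in the output of `schtasks /query /xml`.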
     
  31. techtitan

    techtitan Specialist

    Thanks for the info! I ran the other fix you suggested and that has now been added to the registry. I guess I'll just have to share that INI file around and see if I can get some answers on its origins elsewhere, as I don't want to give up my hunt for answers on that front. I feel knowing will help me guard against it in the future.

    Just to wrap, there were a few other things that occurred to me this morning I was hoping I could pick your brain about while I still had you here (or anyone else who'd like to chime in). I'd appreciate any input if not too busy:

    1) I've recently run full system scans using the latest versions/definitions of SUPERAntiSpyware, Malwarebytes, Spybot and AVG Internet Security 2015 (I just did updates to all my security programs). How could this have slipped past detection on all fronts? I wouldn't even have known it was there had I not noticed the warning signs in Google. Any thoughts on that? I feel like they're giving me a false sense of security, and I'd like to know I'm legit clean when I run these scans and they return no threats (yet this clearly was one they didn't find).

    2) This isn't really a question but more of a clean up step. When running the Autoruns.exe, did it change or edit anything on my system (other than when I deleted that one entry manually)? Or did it just generate a log and that's it? I know sometimes these kinds of apps will tweak/reset a setting here or there.

    Thanks again!
     
  32. _nullptr

    _nullptr Major Geeky Geek Geek

    The ini file was first seen at Virustotal over two months ago and still no AV engine is detecting it. I guess the 1.5 KB script buried amongst 297 KB of mumbo jumbo is enough to fool AV auto analysis.

    No, though it saves its own configuration (scan options, GUI size etc) in the registry.
     
