TechSpot

Internet Explorer issues

By BEARASS
Mar 16, 2009
  1. Usually once a day when I try to close my browser ... it will try to open 10 plus more browser windows. I also can not use copy/paste function in Internet Explorer any more. I will attach log files requested.

    Thank you for your time and any help provided.
    Scott
     


  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.

    Another run indicated!
    OK there were found/removed items in both MBAM and SAS so we need to run them both again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan with both will likely find more. So UPDATE run again.

    Mike
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    BEARASS, please update and scan with AVG. Attach the log when through. NOW.

    Both Mbam and SAS found and removed entries for Win32 Backdoor Trojan. I'd like to see if AVG picks it up.

    In the meantime, I suggest you change your passwords, temporarily offload any credit card numbers on the system, and offload any personal or identifying information. We will need to check the system completely for any files this might have changed and find and remove all entries.

    Edit: Unless you did this, something has placed restrictions on the system:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    SAS found it in a temp file and in a video download:
    Mbam also found it in a download:
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's strange, I usually say:

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Install (the much better) Avira free AntiVirus

    AVG8 has always left Viruses still on the system, every single time I've seen it.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kimsland, every antivirus program available, stand-alone or suite, has let malware through! I do not agree with your telling users to uninstall whatever their AV is, whether they've paid for it or not, then install Avira, right at the beginning of a cleaning!

    Let's get them to handle what they have THEN suggest other programs. These users have enough to handle without switching the AV up front. They may not have the best AV program and a change might be indicated, but I wish you would stop doing this at the beginning of all the cleanings! You've been telling users to zap Norton, McAfee, AVG and maybe others.

    FYI, I'm looking for a more clear name of the Trojan. It's possible this user hasn't even scanned with it since the malware got on.

    No offense meant, but I think your timing could be better.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Antivirus software is the first thing stated on the 8-Step removal

    I find:
    Norton
    McAfee
    Trend Micro
    f-secure
    AVG8

    To be so bad, that when users change to Avira and do a scan, many Viruses (not detected before) are removed.

    But I take what you said into consideration anyway, not exactly sure if this should wait, or the User should attempt removal instructions of specific items first (I find that threads are more quickly resolved if a good Antivirus is installed originally )
     
  7. BEARASS

    BEARASS TS Rookie Topic Starter

    Thank you for the quick responses. I ran HJT and removed the lines that ended with (no file). I updated and ran quick scans with both Malwarebytes and SUPERAntiSpyware. I am attaching the log files. I am at present running AVG full scan and will post the log.

    Judging by your conversations, Avira is a better anti-virus program. I will remove AVG when it's done and install Avira. Is it good to be running Spybot with all these other programs?

    I, at least not knowingly, did not put any restrictions on Internet Explorer. Is there a way to reverse this action?

    Just to clarify ... C:\TEMP\... is a folder I have created. Not a windows folder.

    Thanks again for your time and help!
    SCOTT
     


  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Bobbye has already done quite a bit of work (help) on this thread, and I don't think it's ideal that I interrupt that.

    But I believe a good next move would be to run Combofix then restart then scan with HJT again. I won't interrupt after that, as I believe the next step after that (or even before) would be to uninstall AVG8 and install Avira, and do a full scan

    Disable AVG real time protection before running combofix by right clicking it in the system tray and unchecking the real time monitoring

    Combofix Instructions

    • Download Combofix to your desktop.
    • Double click Combofix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
    Also attach a fresh HiJackThis scan run afterwards
     
  9. BEARASS

    BEARASS TS Rookie Topic Starter

    I can't figure out how to get a log file from AVG. But it stated at the end that no infections were found. It had a few warnings that were tracking cookies.

    I had removed AVG before I got the post. I ran combofix and hjt ... log files are attached

    Combofix stated I had no recovery console .. and installed it ... ???

    I will install avira now.

    Thanks again
    SCOTT
     


  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Scott

    Run SAS and then ComboFix and if they are clean we may be finished.

    How are your symptoms, is computer OK?

    But I must sleep so in the morn I will check.

    Mike

    EDIT:

    Your last SAS had a removed entry so UPDATE and run SAS again and hopefully get a clean log.

    Same for ComboFix run again to confirm it finds no more and brings us a clean log!

    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end and the below...
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

    These entries are related to the uninstalled AVG. Did you run the AVG remover after uninstalling AVG as posted by Kim in Post #4? If not, do so.
    Run this AVG remover also, you will see nothing it just runs and exits: Download extract and run Kleaner http://support.kaspersky.com/downloads/products2009/avg8.zip

    Answer to your question about C:\temp. It is not a Windows folder!

    Forget the AVG8 log do a full scan now that you have Avira and post that log. This is very important as it will find all AVG missed.

    The Recovery Console is a good thing.

    This should finish you up but wait for our confirmation after you do this post!

    Mike
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kimsland, one more note on the AV. Step 1 states:
    It does not rate the AV programs or suggest the user remove one and install another. As you well know, we do open logs and see that NO AV program is installed. I believe Step 1 is to cover that situation. It also happens that the user might have 2 or more AV programs installed. Then we help them uninstall all but one and Avira might be the one left.

    Bearass, the one malware file in SAS shows the malware got into the System Restore points. We will have to remove the old restore points at the end. In the meantime, do NOT do a System Restore or you will reinfect the system.

    Please disable TeaTimer and then update and rescan with Combofix and HijackThis. Attach the new logs:
    To prevent the Tracking Cookies:
    Reset Cookies:
    Since there is a system folder with the "Temp" name, I suggest you rename the folders you set up with the 'temp' designation. It looks like you downloaded a lot of movies on 3/9/09:
    I will let Mike finish reviewing the logs- just wanted to bring the above to your attention.

    Mike will have you remove:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    (the entry is not complete. If it was, it would have "- C:\Program Files\AVG\AVG8\avgpp.dll" at the end instead of (no file))

    Yes, you can have HijackThis remove the entry.
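
The rule given in posts #10 and #11 (fix only HijackThis lines that end in (no file) or (file missing)) can be checked against a saved log before anything is ticked in the HJT window. The Python sketch below is an added example, not something posted in the thread; the O2, O6 and O18 sample lines are quoted from the thread, while the other sample lines and the function name `orphaned_entries` are constructed for illustration.

```python
import re

# HijackThis entry: section code (R0, O2, O18, F2 ...), " - ", then the entry body.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# The orphan marker counts only when it is the last token on the line.
ORPHAN = re.compile(r"\((?P<why>no file|file missing)\)\s*$", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def orphaned_entries(log_text):
    """Return one dict per log line whose target file is reported absent."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue  # header lines, process list, blank lines
        marker = ORPHAN.search(entry["body"])
        if not marker:
            continue  # marker absent, or present only in the middle of a path
        clsid = CLSID.search(entry["body"])
        hits.append({
            "line": lineno,
            "section": entry["section"],
            "reason": marker["why"].lower(),
            "clsid": clsid.group(0) if clsid else None,
            "text": line,
        })
    return hits

# Sample log: the O2, O6 and O18 lines are quoted in the thread; the rest is constructed.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed header)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [Example] C:\Tools\(no file)\example.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Example Service (constructed) - Unknown owner - C:\Example\svc.exe (file missing)
"""

if __name__ == "__main__":
    for hit in orphaned_entries(SAMPLE_LOG):
        print(f'{hit["line"]:>3} {hit["section"]:<4} {hit["reason"]:<13} {hit["text"]}')
```

The constructed O4 line contains "(no file)" inside a path and is deliberately not reported, matching the "ONLY at the end" condition; the O6 policy restriction line is also left alone because it is a different kind of finding.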
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Bearass

    Don't miss my edit in post #10, it covers the HJT removals via removing (file missing) and (no file).

    But go carefully through Bobbye's post especially in relation to the C:\Temp folder.

    Mike
     
  13. BEARASS

    BEARASS TS Rookie Topic Starter

    OK .. so what have I done ...

    I changed my Temp folder name....

    I removed two lines as stated with hjt

    I installed Avira and ran complete scan. It found issues ... will post log.

    Updated and ran sas .. found one issue .. will post log.

    I ran combofix .. it deleted one file .. will post log

    I will post new hjt log.

    I would like to say that my computer is running much faster and I have copy/paste function again in Internet Explorer (which is what led me to believe I had a problem).
    Judging by past replies ... I am going to run SAS, COMBOFIX, and Avira once again in that order and will post the results along with HJT, later tonight.

    I would like to say you people are the best! I hope everyone that you help appreciates your time and knowledge as much as I do!
    SCOTT
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    HJT Scan only remove
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

    You can run again if you want but you are clean!

    Thanks for your kind words, but you can pat yourself on the back also as you did a great job!

    Consider this...

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet to allow all.

    If prompted to Reboot, click Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
     
  15. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Just for reference:
    Where was AVG8 when these Viruses were about?

    The proof is in the pudding, as it were. And you want me to not recommend removing AVG8 ?! That would be madness.

    AVG8 is Not Good and I will continue to help others know this (including the other useless ones: Norton and McAfee) so as they will be clean.

    Continue on, I've had my rant :)
     
Topic Status:
Not open for further replies.
