Internet Explorer on startup

Status
Not open for further replies.

ronalan79

I've just followed all the steps on 8-step Viruses/Spyware/Malware. Internet Explorer is initially starting up on startup and then closes itself. But according to comodo it runs in the background. I think it may be trying to contact an address and dl and install some malware. Any help is appreciated. Thanks
 
These entries in the hijackthis log look suspicious:
"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216136222987"...
"O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216181536390"...
"O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')"...
"O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')"...


Delete these entries
 
These 2 are bad, btw.

O4 - HKLM\..\Run: [KOfcpfwSvcs.exe] C:\WINDOWS\system32\KOfcpfwSvcs.exe
O4 - HKLM\..\Run: [NetSoft] iexplore.exe
 
I've removed the iexplore entry. But every time I use Internet Explorer, it starts up the way it did on startup. It comes on, closes the window and runs in the background, seemingly trying to contact an address without my knowledge. Then when I try to start up iexplorer I've noticed 2 instances of it running: the one hiding in the background and the active window I've opened. The original entry that I deleted has also reappeared. I've decided to just block the active process using Comodo in the meanwhile. Any other ideas?
 
Ronalan, Welcome to TechSpot. I'll be glad to help you get rid of the malware. I have seen a Trojan and a backdoor Trojan in your logs- neither being something you want. I advise you to change your passwords and monitor the online financial transactions.

I can't find any malware association with the [NetSoft]iexplore.exe entry. Netsoft is a Technology Search firm. Now if it is running using Internet Explorer and you are not aware of having this on the system, then maybe we should look into it. Malware can use the name of almost any process.

You have IEv7, so you should only have 1 iexplore.exe entry in the Task Manager-unless- you are not using the tab but launching IE again every time you want another site- but that is user caused, not malware caused.

Tmasgic cannot interpret the entries. He has asked you to remove 3 legitimate and needed entries- none of them should be removed. An entry isn't removed because 'it looks suspicious'. It needs to be identified and then determined if it is a bad entry.

I cannot identify any parts of this entry, so please do this:
Please visit Jotti Online Malware Scan (http://virusscan.jotti.org/)
Copy the following line into the white text box:
C:\WINDOWS\zAdBho.dll
Click Submit.
Please post the results of this scan to this thread.
Note: If the server is busy at the above site, try this alternative site:

Go to Virus Total-Upload A File. (http://www.virustotal.com/)
Copy the following line into the white text box:
C:\WINDOWS\zAdBho.dll

Reopen HijackThis to 'do system scan only.' Check the following entries if present:

O4 - HKLM\..\Run: [KOfcpfwSvcs.exe] C:\WINDOWS\system32\KOfcpfwSvcs.exe

Close all windows and click on "Fix Checked".

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer: Right click> Explore> My Computer> Local Drive (C)> Windows> System 32> find this file and do a right click> delete:
KOfcpfwSvcs.exe

If you get any error message: Open the Task Manager> find KOfcpfwSvcs.exe> End Task. Then use Explorer to delete.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run this online virus scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

In next reply:
Attach Jotti ID
Attach Combofix report.
Attach EsetNod32 log
Paste in new HJT log.
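As an added illustration of the point above that a Run entry has to be identified rather than deleted because it "looks suspicious" (example code added here, not from the thread or from HijackThis), this parses O4 lines like the ones quoted earlier and flags the entries whose image the log alone cannot pin down; the list of borrowed process names is an assumption drawn from the files this thread sends to the online scanners.

```python
import re
from typing import Optional

# Constructed sample: O4 lines quoted in this thread, plus the O16 line to
# show that non-O4 lines are skipped.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [KOfcpfwSvcs.exe] C:\WINDOWS\system32\KOfcpfwSvcs.exe",
    r"O4 - HKLM\..\Run: [NetSoft] iexplore.exe",
    r"""O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')""",
    r"O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216181536390",
]

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Windows binary names that malware borrows; assumed list built from the files scanned in this thread.
BORROWED_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "userinit.exe"}

def parse_o4(line: str) -> Optional[dict]:
    """Split a HijackThis O4 line into hive, value name, image path and user."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    # A quoted command keeps its image inside the quotes; otherwise take the first token.
    image = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return {"hive": m.group("hive"), "name": m.group("name"),
            "image": image, "args": cmd, "user": m.group("user")}

def triage(entry: dict) -> list:
    """Return the reasons an entry must be identified before it is kept or removed."""
    image = entry["image"]
    flags = []
    if "\\" not in image and ":" not in image:
        # No directory: the loader resolves this by search path, so the log alone
        # cannot tell which file actually runs (the [NetSoft] iexplore.exe case).
        flags.append("unqualified-path")
    if image.lower().rsplit("\\", 1)[-1] in BORROWED_NAMES:
        flags.append("borrowed-system-name")
    if not flags:
        # A full path is still only a claim: identify the file itself, e.g. by the
        # multi-engine online lookups used in this thread.
        flags.append("identify-file")
    return flags

def triage_log(lines: list) -> dict:
    """Map each O4 value name to its triage flags; non-O4 lines are ignored."""
    return {e["name"]: triage(e) for e in map(parse_o4, lines) if e}

if __name__ == "__main__":
    for name, flags in triage_log(HJT_LINES).items():
        print(f"{name:20} {', '.join(flags)}")
```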
 
Then, we'll start over. And I ask that you please PASTE the HijackThis log. There is a reason for that.

Other logs can be attached.

I apologize- the problem might be due to my leaving out one direction. After the deletion from HijackThis, you should reboot back into Normal Mode, then run ComboFix.

Please do this: Click on Start> Run> type in ComboFix /Uninstall> enter. NOTE: there is a space between the x in fix and the /. It must be in there.

When you have uninstalled it, Please reinstall according to instructions in Reply #6, then run the scan.

See if this online scan works better:

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

If you are unable to run the activeX Antivirus Scanners, lets try this Java based solution from Trend Micro.

When finished, attach the Combofix report and the Kaspersky log.

Follow with rescan with HijackThis and paste in new log.
 
Ah! We were posting at the same time! I was pretty sure it was malware- didn't know it was Heur. Isn't that an interesting process to identify an unknown?
 
I tried to see if there was any way to salvage my install but I thought better of it after still having the Internet Explorer problem of trying to connect to an address out there somewhere. Thanks for everyone's help but after reading some more things about the Heur and Virut viruses which I had, I thought a clean install was the safest bet. And again thanks for the suggestions and patience.
 
Check this for Virut:


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


(Courtesy Blind Dragon)
 
You're welcome. Here are some pointers to keep the system safe:
(Be sure to empty your Recycle Bin after the cleaning.)

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP1
  • Visit the Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check the Java Updates site often. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly.
5. Use an AntiVirus software (only one).
6. Use a good, bi-directional firewall (one software firewall).
  • See Understanding and Using Firewalls, including links to download a firewall.

7. Consider these programs for extra security:
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: get the free Google toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.
 