TechSpot

Unwanted IE

By Corax
Apr 9, 2007
Topic Status:
Not open for further replies.
  1. Hello,

    I have a very annoying problem: while working with Mozilla Firefox, suddenly, once in a while, for no reason, Internet Explorer opens and starts connecting to some website (broadcaster.com). My firewall then says that IE is trying to connect to the internet and that a system32 file called svchost.exe is its parent application. Furthermore, there is also some kind of popup with some ads and a search bar after sites such as Google.

    Scanning for viruses, spyware, cookies and deleting the stuff I found didn't do the trick :(

    http://aycu17.webshots.com/image/13056/2005181705256698291_rs.jpg
    http://aycu38.webshots.com/image/14797/2005130504176697294_rs.jpg

    Thank you in advance for your help.
     
  2. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Please read this thread HERE before you decide to clean or reformat your computer.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer. After you have done so, please post a fresh log of HijackThis, AVG Anti-Spyware and Combofix.

    The logs will enable us to understand more about the problems on your computer. (please do not copy and paste the logs, rather attach the files)
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Go and read this thread HERE, then post a HJT log as an attachment into this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of Corax only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Corax

    Corax TS Rookie Topic Starter

    Thanks for the brief :) Here is the log from HijackThis (renamed the executable to Analyze as posted):
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean as a whistle.

    However, something doesn't sound quite right.

    Before diving in to the instructions in the sticky thread, please do the following.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)

     
  6. Corax

    Corax TS Rookie Topic Starter

    Here is the log from Autoruns with hidden Microsoft entries:
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I've found one nasty entry in your Autoruns log. This is only the second time I've come across this file and it appears to be some kind of unidentified trojan/worm. The file in question is core.sys.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the file you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply and let me know if you're still having problems.

    Regards Howard :)

     
  8. Corax

    Corax TS Rookie Topic Starter

    Dear Howard, let me just say that I feel lucky that you already had something to do with the core.sys file. So far so good! After the reboot, when this thingy was deleted, there is no IE opening while using Firefox, and also no search bar after Google. I made a few more reboots after some time, just to be sure. Everything seems fine now.

    Thank you very much for your help!

    Best regards! :D

    Oh, and just to finish the formalities, here is the log from Avenger:
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     