TechSpot

WinXP, multiple IE instances without auth

By RatBreath
Jan 1, 2005
  1. This has been happening for about 6 months now. I have done everything I can do, I have followed everything that I could find on the net for BHOs and spyware/malware. According to Spybot S&D, AdAware SE, AVG, SpywareBlaster, CWShredder, and BHODemon 2.0 my system is clean. I have followed the sticky on removing coolweb and only had to fix one thing; the rest of my system was clean. At the bottom I will post my log from HJT.

    My problem is that IE opens itself up while I'm playing a game or working in a text doc (website building). It begins with a small window and then opens another larger window with an ad in it; if I don't close the second window fast enough it will open a third window with yet another ad in it. This causes a loss of focus on anything I am working on, lines it down and looks at the new IE windows that opened up on their own. Also I don't have to be doing anything for the IE instances to begin. When I leave my system on during the day (I work nights), when I come back I have about 10 separate IE windows open on my desktop. It's not really a problem, just more of an annoyance. Currently I use Mozilla Firefox as my default browser and I have IE locked down with ZoneAlarm so that it cannot reach the internet. As I stated above, I have run out of options of things I can do on my own, tis why I ask any of you for help.

    HJT log:

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech2\iTouch\iTouch.exe
    C:\WINDOWS\system32\drivers\SndMon32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Logitech2\MouseWare\system\em_exec.exe
    C:\Program Files\BHODemon 2\BHODemon.exe
    C:\Downloads\software\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    R3 - Default URLSearchHook is missing
    O1 - Hosts:
    O1 - Hosts:
    O1 - Hosts:
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech2\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SndMon32] C:\WINDOWS\system32\drivers\SndMon32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher)
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O15 - Trusted Zone:
    O15 - Trusted Zone:
    O15 - Trusted Zone:
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    Have you tried setting IE's security options to 'custom' and disabling everything (except popup blocker)?
     
  3. RatBreath

    RatBreath TS Rookie Topic Starter

    Yes, I have done so. But IE is not open when these occurrences happen. No internet browser is open, usually just a game or other program running. Since I have IE locked off from accessing the net, there should be no way a script from a page would be running causing the multiple windows to open up. Right now I am running as a limited access user account, without access to Internet Explorer, and yet the windows still open in the background.

    Dunno, still have no idea.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode. Run HJT with NO other programs open and let it "fix":
    (I assume YOU deleted the URLs because of having less than 3 posts here)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    R3 - Default URLSearchHook is missing
    O1 - Hosts:
    O1 - Hosts:
    O1 - Hosts:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone:
    O15 - Trusted Zone:
    O15 - Trusted Zone:

    For more info on spyware removal, Hijacking etc., see How to remove Begin2Search / Coolwebsearch
     
  5. RatBreath

    RatBreath TS Rookie Topic Starter

    Thanks RBS, I've read your whole coolwebsearch post already lol. I will try what you have suggested and post the results here. Thanks again =)
     
  6. RatBreath

    RatBreath TS Rookie Topic Starter

    Nope, didn't help at all =(.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Post a HJT-file with a .txt extension as an attachment, so we can have a look at the "real" stuff.

    Did you install Firefox? If not, do so immediately, and set it as your DEFAULT browser.
     
  8. RatBreath

    RatBreath TS Rookie Topic Starter

    Been running Firefox for around 6-7 months. And will do a HJT logfile as soon as possible. Editing Eddy murphy's delirious right hogging a lot of CPU hehe.

    hmmm ok should be attached
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  10. RatBreath

    RatBreath TS Rookie Topic Starter

    Scanned file: SndMon32.exe
    SndMon32.exe - packed with UPX
    SndMon32.exe - OK


    tis what Kaspersky's site said =(

    I appreciate your assistance rbs =)

    But online malware scan came up with:

    AntiVir
    TR/Spy.Wungmo (0.34 seconds taken)

    hmmm. Get to do more research =)
     
Topic Status:
Not open for further replies.
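
A triage sketch for the HijackThis log format posted in this thread, added here as an example (it is not any poster's code and not part of HijackThis). It parses `O4` Run-key lines and applies two review heuristics that are assumptions of this example: a command given without a full path, and a user-mode `.exe` started from `system32\drivers`, a directory that normally holds `.sys` kernel drivers. The sample lines are a subset copied from the first post.

```python
import re

# Sample input: lines taken from the HJT log in the first post of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SndMon32] C:\WINDOWS\system32\drivers\SndMon32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
"""

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-rooted path in the command that ends in a loadable-file extension.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|com|scr)', re.I)
# Heuristic (assumption of this example): .exe sitting directly in system32\drivers.
DRIVERS_EXE = re.compile(r"\\system32\\drivers\\[^\\]+\.exe$", re.I)

NO_PATH = "no full path; resolved through the search order"
EXE_IN_DRIVERS = "user-mode .exe in the drivers directory"


def parse_hjt(text):
    """Yield (code, body) for every HijackThis result line such as 'O4 - ...'."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body")


def triage_autoruns(text):
    """Return [(value_name, reason)] for O4 Run-key entries worth a manual look."""
    findings = []
    for code, body in parse_hjt(text):
        m = RUN_ENTRY.match(body) if code == "O4" else None
        if not m:
            continue  # not a registry Run entry (e.g. a Startup-folder shortcut)
        path = EXE_PATH.search(m.group("cmd"))
        if path is None:
            findings.append((m.group("name"), NO_PATH))
        elif DRIVERS_EXE.search(path.group(0)):
            findings.append((m.group("name"), EXE_IN_DRIVERS))
    return findings


if __name__ == "__main__":
    for name, reason in triage_autoruns(SAMPLE_LOG):
        print(f"review [{name}]: {reason}")
```

A hit is only a prompt for manual review (file properties, a multi-engine scan of the binary); many legitimate vendor entries are registered without a full path.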
