Iexplore.exe, clicking sounds, unfocused windows, ad noises

By twang7888 · 30 replies
Jul 31, 2010
  1. I have read other posts concerning iexplore.exe, and I seem to have a similar problem.

    About two week ago, I started seeing iexplore.exe in Windows Task Manager and getting IE pop-ups. I never use Internet Explorer. Lately, it seems to have disappeared.

    However, I hear the "click" sound of the Internet Explorer browser. Occasionally, I hear the "Lysol cleaning product" and the "Congratulations, you've won!" advertisements. Every time I hear the clicking noise, the window that I am currently using unfocuses. However, iexplore.exe is not running and I no longer get pop-ups.

    It seems that and sometimes is running on an IE browser because I can sometimes see them when I hit Alt + Tab.

    I have scanned my computer using AntiMalwarebytes, Microsoft Security Essentials, and Panda Cloud Antivirus. I have gotten all the Windows Updates, but I still have this problem. Could someone tell me what's wrong and how I could fix this?
  2. Broni

    Broni Malware Annihilator Posts: 54,262   +383

  3. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Sorry about that. I'll get back to you later then :)
  4. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    OK :).............
  5. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Hello again!

    The Malwarebytes Anti-Malware showed 0 infections, but I'll post the log anyway:

    Malwarebytes' Anti-Malware 1.46

    Database version: 4378

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/1/2010 10:35:40 PM
    mbam-log-2010-08-01 (22-35-40).txt

    Scan type: Quick scan
    Objects scanned: 171531
    Time elapsed: 9 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    The GMER crashed in the middle, so I couldn't get anything from that.

    The DDS.txt and Attach.txt were too large for the post, so I attached them instead.

    Thank you!!

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 54,262   +383

  7. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Before I proceed, running GMER scared me because I ran it twice and the wretched blue screen appeared saying the system had undergone a physical dump of memory. This isn't bad for my computer is it? I just wanted to check before I try again...
  8. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Not at all....
  9. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    So I ran GMER with Devices unchecked and I think it worked.
    Before I went to bed, I saved a copy of the logs just in case. When I woke up, however, GMER had disappeared and I was greeted with a series of error messages from various .exe files. I'm not sure what happened, but here's what I have:

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Don't worry about those errors.
    GMER is a very powerful scanner, so strange things may happen, especially with infected computers.
    Your computer is infected with a bootkit.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  11. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    ComboFix ran smoothly and quickly :)
    Here's the log (attached).

    Thanks again for you help!

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Delete your Combofix file and download fresh copy from HERE
    Run it and post resulting log.
  13. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Ran it smoothly. I got a dialogue saying I'm infected with Whistler Bootkit, and then the computer rebooted due to rootkit activity. This is probably in the logs, but I'm telling you just in case ;)

    Logs attached:

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Good :)
    How are the issues?

    You're running two AV programs, McAfee and Panda. One of them has to go. Your choice.


    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.


    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to for security check:
    - c:\windows\system32\HIPIS0e011aa.dll
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
  15. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Got rid of Panda (by the way, for future reference, do you know if Panda is good?)

    Yes, I use AIM, that's probably where that came from. Uninstalled the Media Player

    VirusTotal produced 0/42


    Antivirus Version Last Update Result
    AhnLab-V3 2010.08.04.00 2010.08.03 -
    AntiVir 2010.08.03 -
    Antiy-AVL 2010.08.03 -
    Authentium 2010.08.04 -
    Avast 4.8.1351.0 2010.08.03 -
    Avast5 5.0.332.0 2010.08.03 -
    AVG 2010.08.03 -
    BitDefender 7.2 2010.08.04 -
    CAT-QuickHeal 11.00 2010.08.04 -
    ClamAV 2010.08.04 -
    Comodo 5639 2010.08.04 -
    DrWeb 2010.08.04 -
    Emsisoft 2010.08.04 -
    eSafe 2010.08.03 -
    eTrust-Vet 36.1.7763 2010.08.04 -
    F-Prot 2010.08.04 -
    F-Secure 9.0.15370.0 2010.08.04 -
    Fortinet 2010.08.02 -
    GData 21 2010.08.04 -
    Ikarus T3. 2010.08.04 -
    Jiangmin 13.0.900 2010.08.03 -
    Kaspersky 2010.08.04 -
    McAfee 5.400.0.1158 2010.08.04 -
    McAfee-GW-Edition 2010.1 2010.08.04 -
    Microsoft 1.6004 2010.08.03 -
    NOD32 5338 2010.08.03 -
    Norman 6.05.11 2010.08.03 -
    nProtect 2010-08-03.01 2010.08.03 -
    Panda 2010.08.03 -
    PCTools 2010.08.04 -
    Prevx 3.0 2010.08.04 -
    Rising 2010.08.04 -
    Sophos 4.56.0 2010.08.04 -
    Sunbelt 6682 2010.08.04 -
    SUPERAntiSpyware 2010.08.04 -
    Symantec 20101.1.1.7 2010.08.04 -
    TheHacker 2010.08.04 -
    TrendMicro 2010.08.04 -
    TrendMicro-HouseCall 2010.08.04 -
    VBA32 2010.08.02 -
    ViRobot 2010.8.3.3969 2010.08.04 -
    VirusBuster 2010.08.03 -
    Additional information
    File size: 39816 bytes
    MD5...: 775489e09ca5aa6f0bc324f8bb0412b9
    SHA1..: 04f6656e65db67637b876587b424050739f48a90
    SHA256: d0c7685ee78af289f0340a115f53ba3ac0feda9b121ac057d44e7f251290a9de
    ssdeep: 768:87qKe0jrrveoJnVBujq3RcqSIVXgJKzeVL2b3my:87qp0frhJ/ujkREIma2y
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x5448
    timedatestamp.....: 0x4a0c605f (Thu May 14 18:18:07 2009)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x4bab 0x4c00 6.26 6599f5b98a870ebb419925532eb4426b
    .rdata 0x6000 0x1c30 0x1e00 4.34 1f7fbe32c4432c9df76a046083ee80b1
    .data 0x8000 0x794 0x400 6.78 2128e4f120f45473e99e29fec4f4d44f
    .rsrc 0x9000 0x358 0x400 2.89 8859207fdfa6192c0927456b1b91bc74
    .reloc 0xa000 0x81a 0xa00 3.83 f62fcbf8a2e3ea48b1fa95e4d634fb2c

    ( 5 imports )
    > msvcrt.dll: _onexit, __dllonexit, _lock, _unlock, _adjust_fdiv, _amsg_exit, _initterm, _XcptFilter, toupper, towupper, malloc, free, strrchr, strncpy, _stricmp, wcscpy, wcsrchr, wcscat, memcpy
    > ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCloseKey
    > PSAPI.DLL: EnumProcessModules, GetModuleFileNameExW, GetModuleFileNameExA
    > VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
    > KERNEL32.dll: QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, InterlockedCompareExchange, InterlockedExchange, RtlUnwind, FindFirstFileW, CompareFileTime, FindClose, LoadLibraryW, FreeLibrary, GetSystemDirectoryW, GetLastError, InterlockedIncrement, SetLastError, GetTickCount, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, VirtualFree, VirtualProtect, GetModuleFileNameA, GetModuleHandleW, IsBadReadPtr, GetModuleHandleA, GetProcAddress, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcess, WriteProcessMemory, GetCurrentProcessId, OpenProcess, CloseHandle, VirtualQuery, Sleep, InitializeCriticalSection, DisableThreadLibraryCalls, DeleteCriticalSection, GetModuleFileNameW, GetCurrentThreadId, GetSystemTimeAsFileTime, InterlockedDecrement

    ( 10 exports )
    Exp_FinalizeStub, Exp_GetAPIInfoListHead, Exp_GetAPIListForUpgrade, Exp_GetAgentVersion, Exp_HookAPI, Exp_HookAddress, Exp_HookAddress_000, Exp_InitializeStub, Exp_RegisterKevlarAPIBaseHandlerAddress, Exp_UnhookAllAPIFunctions
    RDS...: NSRL Reference Data Set
    pdfid.: -
    trid..: Win64 Executable Generic (59.6%)
    Win32 Executable MS Visual C++ (generic) (26.2%)
    Win32 Executable Generic (5.9%)
    Win32 Dynamic Link Library (generic) (5.2%)
    Generic Win/DOS Executable (1.3%)
    publisher....: McAfee, Inc.
    copyright....: Copyright(c) 1995-2009 McAfee, Inc. All Rights Reserved.
    product......: HIPSCORE.
    description..: HIPSCore Injected Stub
    original name: n/a
    internal name: n/a
    file version.: HIPSCORE.
    comments.....: n/a
    signers......: McAfee, Inc.
    VeriSign Class 3 Code Signing 2004 CA
    Class 3 Public Primary Certification Authority
    signing date.: 8:09 PM 5/15/2009
    verified.....: -
  16. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    I've never tried Panda, so I have no opinion.

    You didn't say how the computer is doing.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.


    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    drivers32 /all
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  17. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Sorry about that, my computer is doing better. I have not gotten any pop-ups, clicking noises, or ad sounds appearing. Thanks! :)

    Just a question, I know I'm not supposed to download anything while you're helping. Is it okay to install Windows Updates or should I just wait?

    Here are the OTL logs:

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Good news :)

    Wait with Windows updates until we're done, please.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O4 - HKCU..\Run: [Aim6]  File not found
      [2010/08/01 09:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\pandasecuritytb
      [2010/07/29 20:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dqwang\Application Data\Panda Security
      [2010/07/29 20:56:04 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
      [2010/07/29 20:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
      [2010/07/29 21:30:43 | 000,002,509 | ---- | M] () -- C:\Documents and Settings\dqwang\Desktop\Panda Cloud Antivirus.lnk
      [2010/08/04 01:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  19. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Nice and fast: Logs:

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Cool :)

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  21. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Step 3 will take a while, so I'll just post step 1 first to get it out of the way.

    Both step 1 and 2 were really fast. Things are looking great!! Step 3 to come

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    I'm glad to hear good news :)

    Update Adobe Reader

    You can download it from
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
  23. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    The Kaspersky test yielded 0 results!!! :)

    I left the test on to run through the night. However, I was not aware that my computer is set to automatically install Windows Updates at 3:00 AM everyday. So the update installed itself while I was asleep.
  24. twang7888

    twang7888 TS Enthusiast Topic Starter Posts: 53

    Adobe Reader 9.3.3 Updated
  25. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Excellent :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!:

    9. Please, let me know, how is your computer doing.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...