Solved Iexplore.exe, clicking sounds, unfocused windows, ad noises

Status
Not open for further replies.

twang7888

I have read other posts concerning iexplore.exe, and I seem to have a similar problem.

About two week ago, I started seeing iexplore.exe in Windows Task Manager and getting IE pop-ups. I never use Internet Explorer. Lately, it seems to have disappeared.

However, I hear the "click" sound of the Internet Explorer browser. Occasionally, I hear the "Lysol cleaning product" and the "Congratulations, you've won!" advertisements. Every time I hear the clicking noise, the window that I am currently using unfocuses. However, iexplore.exe is not running and I no longer get pop-ups.

It seems that yadaying.com and sometimes arcadegames.com is running on an IE browser because I can sometimes see them when I hit Alt + Tab.

I have scanned my computer using AntiMalwarebytes, Microsoft Security Essentials, and Panda Cloud Antivirus. I have gotten all the Windows Updates, but I still have this problem. Could someone tell me what's wrong and how I could fix this?
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Hello again!

The Malwarebytes Anti-Malware showed 0 infections, but I'll post the log anyway:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4378

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/1/2010 10:35:40 PM
mbam-log-2010-08-01 (22-35-40).txt

Scan type: Quick scan
Objects scanned: 171531
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The GMER crashed in the middle, so I couldn't get anything from that.


The DDS.txt and Attach.txt were too large for the post, so I attached them instead.

Thank you!!
 

Attachments:
  • Attach.txt (21.1 KB)
  • DDS.txt (25.9 KB)
If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
 
Before I proceed, running GMER scared me because I ran it twice and the wretched blue screen appeared saying the system had undergone a physical dump of memory. This isn't bad for my computer is it? I just wanted to check before I try again...
 
So I ran GMER with Devices unchecked and I think it worked.
Before I went to bed, I saved a copy of the logs just in case. When I woke up, however, GMER had disappeared and I was greeted with a series of error messages from various .exe files. I'm not sure what happened, but here's what I have:
 

Attachments:
  • gmer.log (110.6 KB)
Don't worry about those errors.
GMER is a very powerful scanner, so strange things may happen, especially with infected computers.
Your computer is infected with a bootkit.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix ran smoothly and quickly :)
Here's the log (attached).

Thanks again for your help!
 

Attachments:
  • ComboFix.txt (29.5 KB)
Ran it smoothly. I got a dialogue saying I'm infected with Whistler Bootkit, and then the computer rebooted due to rootkit activity. This is probably in the logs, but I'm telling you just in case ;)

Logs attached:
 

Attachments:
  • ComboFix.txt (25.5 KB)
Good :)
How are the issues?

You're running two AV programs, McAfee and Panda. One of them has to go. Your choice.

=======================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

========================================================================

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload the following file to http://www.virustotal.com/ for security check:
- c:\windows\system32\HIPIS0e011aa.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
Got rid of Panda (by the way, for future reference, do you know if Panda is good?)

Yes, I use AIM, that's probably where that came from. Uninstalled the Media Player.


VirusTotal produced 0/42

Results:

Antivirus Version Last Update Result
AhnLab-V3 2010.08.04.00 2010.08.03 -
AntiVir 8.2.4.32 2010.08.03 -
Antiy-AVL 2.0.3.7 2010.08.03 -
Authentium 5.2.0.5 2010.08.04 -
Avast 4.8.1351.0 2010.08.03 -
Avast5 5.0.332.0 2010.08.03 -
AVG 9.0.0.851 2010.08.03 -
BitDefender 7.2 2010.08.04 -
CAT-QuickHeal 11.00 2010.08.04 -
ClamAV 0.96.0.3-git 2010.08.04 -
Comodo 5639 2010.08.04 -
DrWeb 5.0.2.03300 2010.08.04 -
Emsisoft 5.0.0.36 2010.08.04 -
eSafe 7.0.17.0 2010.08.03 -
eTrust-Vet 36.1.7763 2010.08.04 -
F-Prot 4.6.1.107 2010.08.04 -
F-Secure 9.0.15370.0 2010.08.04 -
Fortinet 4.1.143.0 2010.08.02 -
GData 21 2010.08.04 -
Ikarus T3.1.1.84.0 2010.08.04 -
Jiangmin 13.0.900 2010.08.03 -
Kaspersky 7.0.0.125 2010.08.04 -
McAfee 5.400.0.1158 2010.08.04 -
McAfee-GW-Edition 2010.1 2010.08.04 -
Microsoft 1.6004 2010.08.03 -
NOD32 5338 2010.08.03 -
Norman 6.05.11 2010.08.03 -
nProtect 2010-08-03.01 2010.08.03 -
Panda 10.0.2.7 2010.08.03 -
PCTools 7.0.3.5 2010.08.04 -
Prevx 3.0 2010.08.04 -
Rising 22.59.02.00 2010.08.04 -
Sophos 4.56.0 2010.08.04 -
Sunbelt 6682 2010.08.04 -
SUPERAntiSpyware 4.40.0.1006 2010.08.04 -
Symantec 20101.1.1.7 2010.08.04 -
TheHacker 6.5.2.1.330 2010.08.04 -
TrendMicro 9.120.0.1004 2010.08.04 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.04 -
VBA32 3.12.12.7 2010.08.02 -
ViRobot 2010.8.3.3969 2010.08.04 -
VirusBuster 5.0.27.0 2010.08.03 -
Additional information
File size: 39816 bytes
MD5...: 775489e09ca5aa6f0bc324f8bb0412b9
SHA1..: 04f6656e65db67637b876587b424050739f48a90
SHA256: d0c7685ee78af289f0340a115f53ba3ac0feda9b121ac057d44e7f251290a9de
ssdeep: 768:87qKe0jrrveoJnVBujq3RcqSIVXgJKzeVL2b3my:87qp0frhJ/ujkREIma2y
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5448
timedatestamp.....: 0x4a0c605f (Thu May 14 18:18:07 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4bab 0x4c00 6.26 6599f5b98a870ebb419925532eb4426b
.rdata 0x6000 0x1c30 0x1e00 4.34 1f7fbe32c4432c9df76a046083ee80b1
.data 0x8000 0x794 0x400 6.78 2128e4f120f45473e99e29fec4f4d44f
.rsrc 0x9000 0x358 0x400 2.89 8859207fdfa6192c0927456b1b91bc74
.reloc 0xa000 0x81a 0xa00 3.83 f62fcbf8a2e3ea48b1fa95e4d634fb2c

( 5 imports )
> msvcrt.dll: _onexit, __dllonexit, _lock, _unlock, _adjust_fdiv, _amsg_exit, _initterm, _XcptFilter, toupper, towupper, malloc, free, strrchr, strncpy, _stricmp, wcscpy, wcsrchr, wcscat, memcpy
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCloseKey
> PSAPI.DLL: EnumProcessModules, GetModuleFileNameExW, GetModuleFileNameExA
> VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
> KERNEL32.dll: QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, InterlockedCompareExchange, InterlockedExchange, RtlUnwind, FindFirstFileW, CompareFileTime, FindClose, LoadLibraryW, FreeLibrary, GetSystemDirectoryW, GetLastError, InterlockedIncrement, SetLastError, GetTickCount, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, VirtualFree, VirtualProtect, GetModuleFileNameA, GetModuleHandleW, IsBadReadPtr, GetModuleHandleA, GetProcAddress, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, GetCurrentProcess, WriteProcessMemory, GetCurrentProcessId, OpenProcess, CloseHandle, VirtualQuery, Sleep, InitializeCriticalSection, DisableThreadLibraryCalls, DeleteCriticalSection, GetModuleFileNameW, GetCurrentThreadId, GetSystemTimeAsFileTime, InterlockedDecrement

( 10 exports )
Exp_FinalizeStub, Exp_GetAPIInfoListHead, Exp_GetAPIListForUpgrade, Exp_GetAgentVersion, Exp_HookAPI, Exp_HookAddress, Exp_HookAddress_000, Exp_InitializeStub, Exp_RegisterKevlarAPIBaseHandlerAddress, Exp_UnhookAllAPIFunctions
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: McAfee, Inc.
copyright....: Copyright(c) 1995-2009 McAfee, Inc. All Rights Reserved.
product......: HIPSCORE.14.1.0.426.x86
description..: HIPSCore Injected Stub
original name: n/a
internal name: n/a
file version.: HIPSCORE.14.1.0.426.x86
comments.....: n/a
signers......: McAfee, Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 8:09 PM 5/15/2009
verified.....: -
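As an added illustration (this is not code from the thread, from VirusTotal or from McAfee), here is how a defender can reproduce the verifiable parts of a report like the one above for a file on disk: the MD5/SHA-1/SHA-256 digests, the PE compile timestamp (the `timedatestamp` line), and the per-section entropy (`ntrpy`) that hints at packed or encrypted code. It uses only the Python standard library and parses a small synthetic PE image constructed inside the script so it runs offline; every function name and the sample image are my own assumptions, and the sample is not the `HIPIS0e011aa.dll` discussed in the thread.

```python
"""Added example: recompute the checkable facts of a VirusTotal 'PEInfo'
listing (hashes, compile timestamp, per-section entropy) for a PE file."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform
    spread. Matches the meaning of VirusTotal's 'ntrpy' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def format_timestamp(ts: int) -> str:
    """Render a PE TimeDateStamp (Unix seconds, UTC) like the listing does,
    e.g. 0x4a0c605f -> 'Thu May 14 18:18:07 2009'."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the fields shown in the report. Raises ValueError on malformed input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 20:
        raise ValueError("optional header too small")
    # AddressOfEntryPoint sits 16 bytes into the optional header (PE32 and PE32+).
    (entry_point,) = struct.unpack_from("<I", image, opt + 16)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        if len(raw) != rawsize:
            raise ValueError(f"section {name!r} points past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine, "entrypoint": entry_point,
        "timestamp": timestamp, "timestamp_text": format_timestamp(timestamp),
        "sections": sections,
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def matches_listed_hashes(image: bytes, expected: dict) -> bool:
    """Confirm a local file really is the one a report describes by comparing
    its digests to the md5/sha1/sha256 values listed in that report."""
    algos = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}
    return all(algos[k](image).hexdigest() == v.lower() for k, v in expected.items())


def build_sample_pe() -> bytes:
    """Constructed sample image (not a real binary): a .text section with
    maximal entropy and a .data section with zero entropy, for checkable output."""
    opt_size, pe_off = 0xE0, 0x40                 # standard PE32 optional header size
    raw_off = pe_off + 4 + 20 + opt_size + 40 * 2  # first byte after 2 section headers
    text = bytes(range(256)) * 2                   # every byte value equally often -> 8.0
    data = b"\0" * 512                             # one byte value only -> 0.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x4A0C605F, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, len(text), len(data), 0, 0x1000)
    opt += b"\0" * (opt_size - len(opt))
    hdrs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_off, 0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), raw_off + len(text), 0, 0, 0, 0, 0xC0000040)
    return dos + coff + opt + hdrs + text + data


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"timedatestamp: {info['timestamp']:#x} ({info['timestamp_text']})")
    print("name viradd virsiz rawdsiz ntrpy md5")
    for s in info["sections"]:
        print(f"{s['name']} {s['viradd']:#x} {s['virsiz']:#x} {s['rawdsiz']:#x} {s['ntrpy']} {s['md5']}")
    print("sha256:", info["sha256"])
```

To apply it to a real file, read the bytes with `open(path, "rb").read()` and pass them to `parse_pe` and `matches_listed_hashes`; a mismatch between the local digests and the ones in a report means the report is about a different file than the one on the machine, which is exactly why the helper asks for a "Reanalyse" when VirusTotal says it has seen the file before.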
 
I've never tried Panda, so I have no opinion.

You didn't say how the computer is doing.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Sorry about that, my computer is doing better. I have not gotten any pop-ups, clicking noises, or ad sounds appearing. Thanks! :)

Just a question, I know I'm not supposed to download anything while you're helping. Is it okay to install Windows Updates or should I just wait?

Here are the OTL logs:
 

Attachments:
  • OTL.Txt (136.2 KB)
  • Extras.Txt (46.6 KB)
Good news :)

Wait with Windows updates until we're done, please.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKCU..\Run: [Aim6]  File not found
    [2010/08/01 09:02:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\pandasecuritytb
    [2010/07/29 20:57:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dqwang\Application Data\Panda Security
    [2010/07/29 20:56:04 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
    [2010/07/29 20:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
    [2010/07/29 21:30:43 | 000,002,509 | ---- | M] () -- C:\Documents and Settings\dqwang\Desktop\Panda Cloud Antivirus.lnk
    [2010/08/04 01:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Cool :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Step 3 will take a while, so I'll just post step 1 first to get it out of the way.

Both step 1 and 2 were really fast. Things are looking great!! Step 3 to come
 

Attachments:
  • checkup.txt (1.1 KB)
I'm glad to hear good news :)

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
 
The Kaspersky test yielded 0 results!!! :)

I left the test on to run through the night. However, I was not aware that my computer is set to automatically install Windows Updates at 3:00 AM every day. So the update installed itself while I was asleep.
 
Excellent :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 