Internet Explorer issues

Status
Not open for further replies.
Usually once a day when I try to close my browser ... it will try to open 10 plus more browser windows. I also cannot use the copy/paste function in Internet Explorer any more. I will attach the log files requested.

Thank you for your time and any help provided.
Scott
 

Attachments

  • hijackthis.log (8.3 KB)
Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end.

Another run indicated!
OK there were found/removed items in both MBAM and SAS so we need to run them both again as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run with both will likely find more. So UPDATE and run again.

Mike
 
BEARASS, please update and scan with AVG. Attach the log when through. NOW.

Both Mbam and SAS found and removed entries for Win32 Backdoor Trojan. I'd like to see if AVG picks it up.

A backdoor Trojan differs from a Trojan in that it also opens a backdoor to your system. They're also sometimes called Remote Access Trojans (RAT). These are the most widespread and also the most dangerous type of Trojan. They are so dangerous because they have the potential to allow remote administration of your system. As if a hacker were sitting at your keyboard, only worse. There's almost no limit to what they can do. Some common uses:
* Use your system and Internet connection to send spam (yes, the majority of spam is now generated by infected systems).
* Steal your online and offline passwords, credit card numbers, address, phone number, and other information stored on your computer that could be used for identity theft, or other financial fraud.
* Log your activity, read email, view and download contents of documents, pictures, videos and other private data.
* Use your computer and Internet connection, in conjunction with others to launch Distributed Denial of Service (DDoS) attacks.
* Modify system files, disable antivirus, delete files, change system settings, to cover tracks, or just to wreak havoc.
http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan/

In the meantime, I suggest you change your passwords, temporarily offload any credit card numbers on the system, and offload any personal or identifying information. We will need to check the system completely for any files this might have changed and find and remove all entries.

Edit: Unless you did this, something has placed restrictions on the system:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

SAS found it in a temp file and in a video download:
Trojan.Agent/Gen-Keygen: SAS
C:\TEMP\APZZ\VSO CONVERTXTODVD 3.4.8.123+KEYGEN\KEYGEN\KEYGEN.EXE
M:\DOWNLOADS\AUDIO-VIDEO\VSO CONVERTXTODVD 3.1.3.40+KEYGEN\KEYGEN\KEYGEN.EXE
VSO ConvertXtoDVD converts and burns all your videos to DVD.
It looks like you downloaded this from a file sharing site to get the key.

Mbam also found it in a download:
M:\DOWNLOADS\mirc\mirc6.34\keygen.exe (Backdoor.GF)
NOTE: mirc6.34 is a source for Game Downloads available on torrent (file sharing) sites.
 
BEARASS, please update and scan with AVG. Attach the log when through.
That's strange, I usually say:

Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Install (the much better) Avira free AntiVirus

AVG8 has always left Viruses still on the system, every single time I've seen it.
 
kimsland, every antivirus program available, stand-alone or suite, has let malware through! I do not agree with your telling users to uninstall whatever their AV is, whether they've paid for it or not, then install Avira, right at the beginning of a cleaning!

Let's get them to handle what they have THEN suggest other programs. These users have enough to handle without switching the AV up front. They may not have the best AV program and a change might be indicated, but I wish you would stop doing this at the beginning of all the cleanings! You've been telling users to zap Norton, McAfee, AVG and maybe others.

FYI, I'm looking for a more clear name of the Trojan. It's possible this user hasn't even scanned with it since the malware got on.

No offense meant, but I think your timing could be better.
 
Antivirus software is the first thing stated on the 8-Step removal

I find:
Norton
McAfee
Trend Micro
f-secure
AVG8

To be so bad, that when users change to Avira and do a scan, many Viruses (not detected before) are removed.

But I take what you said into consideration anyway, not exactly sure if this should wait, or the User should attempt removal instructions of specific items first (I find that threads are more quickly resolved if a good Antivirus is installed originally )
 
Thank you for the quick responses. I ran HJT and removed the lines that ended with (no file). I updated and ran quick scans with both Malwarebytes and SUPERAntiSpyware. I am attaching the log files. I am at present running an AVG full scan and will post the log.

Judging by your conversations, Avira is a better anti-virus program. I will remove AVG when it's done and install Avira. Is it good to be running Spybot with all these other programs?

I, at least not knowingly, did not put any restrictions on Internet Explorer. Is there a way to reverse this action?

Just to clarify ... C:\TEMP\... is a folder I have created. Not a windows folder.

Thanks again for your time and help!
SCOTT
 

Attachments

  • mbam-log-2009-03-16 (16-00-57).txt (833 bytes)
  • SUPERAntiSpyware Scan Log - 03-16-2009 - 16-23-25.log (584 bytes)
Bobbye has already done quite a bit of work (help) on this thread, and I don't think it's ideal that I interrupt that.

But I believe a good next move would be to run Combofix, then restart, then scan with HJT again. I won't interrupt after that, as I believe the next step after that (or even before) would be to uninstall AVG8 and install Avira, and do a full scan.

Disable AVG real time protection before running combofix by right clicking it in the system tray and unchecking the real time monitoring

Combofix Instructions

  • Download Combofix to your desktop.
  • Double click Combofix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
Also attach a fresh HiJackThis scan ran afterwards
 
I can't figure out how to get a log file from AVG. But it stated at the end that no infections were found. It had a few warnings that were tracking cookies.

I had removed AVG before I got the post. I ran combofix and hjt ... log files are attached

Combofix stated I had no recovery console .. and installed it ... ???

I will install avira now.

Thanks again
SCOTT
 

Attachments

  • ComboFix.txt (17.4 KB)
  • hijackthis.log (7.6 KB)
Hi Scott

Run SAS and then ComboFix and if they are clean we may be finished.

How are your symptoms, is computer OK?

But I must sleep, so in the morn I will check.

Mike

EDIT:

Your last SAS had a removed entry so UPDATE and run SAS again and hopefully get a clean log.

Same for ComboFix run again to confirm it finds no more and brings us a clean log!

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end and the below...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\

These entries are related to the uninstalled AVG. Did you run the AVG remover after uninstalling AVG as posted by Kim in Post #4? If not, do so.
Run this AVG remover also, you will see nothing it just runs and exits: Download extract and run Kleaner http://support.kaspersky.com/downloads/products2009/avg8.zip

Answer to your question about C:\temp. It is not a Windows folder!

Forget the AVG8 log do a full scan now that you have Avira and post that log. This is very important as it will find all AVG missed.

The Recovery Console is a good thing.

This should finish you up but wait for our confirmation after you do this post!

Mike
 
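The HJT fix rule Mike gives here and in his earlier post (fix only entries whose line ENDS with "(no file)" or "(file missing)", plus the O6 policy-restrictions entry Bobbye flagged) can be applied mechanically to a HijackThis log. The following is an added example, not code from the thread or from HijackThis itself; the log lines are the ones quoted in this thread plus two made-up entries (marked constructed) that show why the marker has to be at the end of the line.

```python
import re

# Markers that HijackThis appends when the referenced file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# A HijackThis entry starts with a section code such as O2, O6, O18, O20, R0, F2.
HJT_LINE = re.compile(r"^(?P<section>[OFRN]\d{1,2}) - (?P<body>.*)$")

# Constructed sample log. The O2, O6, O18 and O20 lines are the entries quoted in
# this thread; the O4 and O23 lines are made up for contrast (the O23 line has the
# marker in the MIDDLE of the line, so the thread's rule says it is not auto-fixable).
SAMPLE_HJT_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\Example\\example.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\
O23 - Service: Example Service (file missing) - Example Corp - C:\\WINDOWS\\system32\\example.exe
"""


def is_orphan_entry(line: str) -> bool:
    """True only when an orphan marker is at the END of the entry (the thread's rule)."""
    return line.rstrip().lower().endswith(ORPHAN_MARKERS)


def triage_hjt_log(log_text: str) -> dict:
    """Sort HJT entries into three buckets:
    fix    - ends with (no file)/(file missing): safe to tick and Fix
    policy - O6 entries: IE policy restrictions, suspicious unless the user set them
    review - everything else needs a human eye (e.g. the truncated O20 AVG leftover)
    """
    result = {"fix": [], "policy": [], "review": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue  # header, blank or non-entry text
        if is_orphan_entry(line):
            result["fix"].append(line)
        elif match.group("section") == "O6":
            result["policy"].append(line)
        else:
            result["review"].append(line)
    return result


if __name__ == "__main__":
    for bucket, lines in triage_hjt_log(SAMPLE_HJT_LOG).items():
        print(f"== {bucket} ==")
        for entry in lines:
            print("  ", entry)
```

Note that the O20 avgrsstarter line lands in "review", not "fix": its path is merely incomplete, so it is the thread's human judgement (a leftover of the uninstalled AVG) and not the mechanical rule that marks it for removal.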
kimsland, one more note on the AV. Step 1 states:
Antivirus scanning
If you're NOT running any antivirus or firewall software, you should install one ASAP. If you already have an anti-virus program, please be sure to check for updates and run a full scan of your system. Please note anything that it finds in your thread.
It does not rate the AV programs or suggest the user remove one and install another. As you well know, we do open logs and see that NO AV program is installed; I believe Step 1 is to cover that situation. It also happens that the user might have 2 or more AV programs installed. Then we help them uninstall all but one, and Avira might be the one left.

Bearass, the one malware file in SAS shows the malware got into the System Restore points; we will have to remove the old restore points at the end. In the meantime, do NOT do a System Restore or you will reinfect the system.

Please disable TeaTimer and then update and rescan with Combofix and HijackThis. Attach the new logs:
SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
To prevent the Tracking Cookies:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Since there is a system folder with the "Temp" name, I suggest you rename the folders you set up with the 'temp' designation. It looks like you downloaded a lot of movies on 3/9/09:
c:\temp\Lakeview.Terrace[2008]DvDrip-aXXo
2009-03-09 19:55 . 2009-03-09 19:56 <DIR> d-------- c:\temp\Keith.2008.LiMiTED.DVDRip.XviD-XanaX
2009-03-09 19:53 . 2009-03-09 19:54 <DIR> d-------- c:\temp\Happy.Go.Lucky.[2008.Eng].DVDRip.DivX-LTT
2009-03-09 19:53 . 2009-03-09 19:53 <DIR> d-------- c:\temp\Cleaning Windows XP For Dummies - allfreebooks.tk
2009-03-09 19:52 . 2009-03-11 17:07 <DIR> d-------- c:\temp\Twilight.2008.DVDRIP.XviD-ZEKTORM
2009-03-09 19:52 . 2009-03-10 21:55 <DIR> d-------- c:\temp\Transporter.3[2008]DvDrip-aXXo
2009-03-09 19:50 . 2009-03-09 19:50 <DIR> d-------- c:\temp\Taken 2008 DVDRip Xvid AC3-FLAWL3SS
which may be what you use the c:\temp\VIDEO>> 2009-02-22 you set up for.

c:\temp\APZZ
2009-02-22 13:41 . 2009-03-05 07:26 <DIR> d-------- c:\temp\APZZ
could be for DVDs from the torrent sites:
DVD APZZ DIVERSE torrent - Windows - Other torrents - Software ...
I will let Mike finish reviewing the logs- just wanted to bring the above to your attention.

Mike will have you remove:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
(the entry is not complete. If it was, it would have "- C:\Program Files\AVG\AVG8\avgpp.dll" at the end instead of (no file))

I, at least not knowingly, did not put any restrictions on Internet Explorer. Is there a way to reverse this action?
Yes, you can have HijackThis remove the entry.
 
Bearass

Don't miss my edit in post #10, it covers the HJT removals via removing (file missing) and (no file).

But go carefully through Bobbye's post, especially in relation to the C:\Temp folder.

Mike
 
OK .. so what have i done ...

I changed my Temp folder name....

I removed two lines as stated with hjt

I installed Avira and ran complete scan. It found issues ... will post log.

Updated and ran sas .. found one issue .. will post log.

I ran combofix .. it deleted one file .. will post log

I will post new hjt log.

I would like to say that my computer is running much faster and I have the copy\paste function again in Internet Explorer (which is what led me to believe I had a problem).
Judging by past replies ... I am going to run SAS, COMBOFIX, and Avira once again in that order and will post the results along with HJT, later tonight

I would like to say you people are the best! I hope everyone that you help appreciates your time and knowledge as much as I do!
SCOTT
 
HJT Scan only remove
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

You can run again if you want but you are clean!

Thanks for your kind words, but you can pat yourself on the back also as you did a great job!

Consider this...

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

If prompted to Reboot click, Yes.
OTCleanIt will delete itself when finished. If not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt to help you determine to approve or not you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
Just for reference:
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP44\A0007812.exe
[0] Archive type: NSIS
--> [TempDir]/lsass.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49ef3e50.qua'!
Begin scan in 'D:\' <RECOVERY>
Begin scan in 'K:\' <outside>
K:\QuickTax.2008.Canadian Residents.Inc.Keygen.and.Counter.Reset-iNTUiT\keygen.exe
[DETECTION] Is the TR/Agent.733184.B Trojan
[NOTE] The file was moved to '4a38a697.qua'!
K:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP48\A0008371.exe
[DETECTION] Is the TR/Agent.733184.B Trojan
[NOTE] The file was moved to '49efa685.qua'!
Begin scan in 'L:\' <SCOOBYSTUFF>
Begin scan in 'M:\' <MUFFANDSTUFF>
M:\readme.bat
[DETECTION] Is the TR/Agent.CKF Trojan
[NOTE] The file was moved to '4a20a866.qua'!
M:\DOWNLOADS\Pearl.Mountain.Soft.Picture.Collage.Maker.v1.9.0.1311.WinAll.Incl.Keygen-CRD-TTS\Keygen.zip
[0] Archive type: ZIP
--> Keygen/keygen.exe
[DETECTION] Contains recognition pattern of the WORM/Small.Y.3 worm
[NOTE] The file was moved to '4a38abc4.qua'!
M:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP44\A0008001.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49efabda.qua'!
M:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP48\A0008372.bat
[DETECTION] Is the TR/Agent.CKF Trojan
[NOTE] The file was moved to '49efabdf.qua'!


End of the scan: Tuesday, March 17, 2009 09:56
Used time: 8:17:25 Hour(s)

The scan has been done completely.

6740 Scanning directories
520375 Files were scanned
7 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
7 files were moved to quarantine
Where was AVG8 when these Viruses were about?

The proof is in the pudding, as it were. And you want me to not recommend removing AVG8 ?! That would be madness.

AVG8 is Not Good and I will continue to help others know this (including the other useless ones: Norton and McAfee) so as they will be clean.

Continue on, I've had my rant :)
 
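The Avira report kimsland pasted above has a regular shape (a path line, optional "[0] Archive type" and "-->" inner-file lines, then a [DETECTION] and a [NOTE] quarantine line), so the two things this thread keeps coming back to can be pulled out of it automatically: how many hits sit inside System Restore points (Bobbye's and Mike's point that the old restore points must be purged at the end) and how many are keygens from file-sharing downloads. This is an added example, not code from the thread or from Avira; the embedded log is the excerpt posted above, and the two path-classification patterns are this example's own assumptions.

```python
import re
from collections import Counter

# Excerpt of the Avira scan log posted in this thread (the seven detections).
AVIRA_LOG_EXCERPT = r"""
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP44\A0007812.exe
[0] Archive type: NSIS
--> [TempDir]/lsass.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49ef3e50.qua'!
Begin scan in 'D:\' <RECOVERY>
Begin scan in 'K:\' <outside>
K:\QuickTax.2008.Canadian Residents.Inc.Keygen.and.Counter.Reset-iNTUiT\keygen.exe
[DETECTION] Is the TR/Agent.733184.B Trojan
[NOTE] The file was moved to '4a38a697.qua'!
K:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP48\A0008371.exe
[DETECTION] Is the TR/Agent.733184.B Trojan
[NOTE] The file was moved to '49efa685.qua'!
Begin scan in 'M:\' <MUFFANDSTUFF>
M:\readme.bat
[DETECTION] Is the TR/Agent.CKF Trojan
[NOTE] The file was moved to '4a20a866.qua'!
M:\DOWNLOADS\Pearl.Mountain.Soft.Picture.Collage.Maker.v1.9.0.1311.WinAll.Incl.Keygen-CRD-TTS\Keygen.zip
[0] Archive type: ZIP
--> Keygen/keygen.exe
[DETECTION] Contains recognition pattern of the WORM/Small.Y.3 worm
[NOTE] The file was moved to '4a38abc4.qua'!
M:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP44\A0008001.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49efabda.qua'!
M:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP48\A0008372.bat
[DETECTION] Is the TR/Agent.CKF Trojan
[NOTE] The file was moved to '49efabdf.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # "C:\..." scanned-file line
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (?P<name>\S+)")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'")
# Classification patterns (assumptions of this example, not Avira's):
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
KEYGEN_RE = re.compile(r"keygen", re.IGNORECASE)


def parse_avira_log(text: str) -> list:
    """Return one dict per [DETECTION]: path, inner (file inside an archive),
    detection name and quarantine file, by walking the report top to bottom."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line, "inner": None, "detection": None, "quarantine": None}
            continue
        if current is None:
            continue  # header lines before the first path
        if line.startswith("--> "):
            current["inner"] = line[4:]
            continue
        det = DETECTION_RE.match(line)
        if det:
            current["detection"] = det.group("name")
            findings.append(current)
            continue
        qua = QUARANTINE_RE.match(line)
        if qua:
            current["quarantine"] = qua.group("qua")  # same dict already in findings
    return findings


def summarize(findings: list) -> dict:
    """Counts that matter for the cleanup plan discussed in this thread."""
    summary = {"total": len(findings), "in_restore_points": 0,
               "keygen_related": 0, "quarantined": 0, "by_name": Counter()}
    for f in findings:
        if RESTORE_POINT_RE.search(f["path"]):
            summary["in_restore_points"] += 1
        if KEYGEN_RE.search(f["path"]) or (f["inner"] and KEYGEN_RE.search(f["inner"])):
            summary["keygen_related"] += 1
        if f["quarantine"]:
            summary["quarantined"] += 1
        summary["by_name"][f["detection"]] += 1
    return summary


if __name__ == "__main__":
    for f in parse_avira_log(AVIRA_LOG_EXCERPT):
        print(f"{f['detection']:<22} {f['path']}" + (f"  ({f['inner']})" if f["inner"] else ""))
    print(summarize(parse_avira_log(AVIRA_LOG_EXCERPT)))
```

Four of the seven hits live under System Volume Information, which is why the "create a new restore point, then Disk Cleanup > More Options > System Restore" step at the end of Mike's closing post is not optional: a System Restore to any of those old points would bring the quarantined files back.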