Internet explorer popups, sluggish computer, and disabled sound

Status
Not open for further replies.

Jobson

Hello. A few days ago while I was on my computer my AVG antivirus gave me a notification that a threat had been blocked. I figured a virus had tried to attack my computer, but had been stopped by the antivirus so I didn't think anything of it at the time. A few minutes later, however, my sound stopped working completely, and I was unable to find a cause of the problem (I checked to make sure my soundcard was selected in the control panel, checked for mutings etc.)

About a day later I started getting internet explorer popups that were running in the background of my PC. This was odd for me because not only were they popups, but I don't run internet explorer (I use firefox). These hidden popups (showing up in task manager as iexplore.exe) have been slowing down my computer drastically and I believe I have been infected with some type of malware/virus.

I ran the 8-step removal instructions, my AVG antivirus and Malwarebytes found nothing. My first GMER scan resulted in my computer restarting itself/crashing, but I ran it a second time once I rebooted and attached the log. I also ran DDS and am attaching the logs for those as well.

I apologize if anything in my description is a little unclear, as I am an average joe in regards to computer knowledge and am not computer savvy.

Thank you very much for your time!
 

Attachments

  • Attach.txt (17.4 KB)
  • DDS.txt (8.8 KB)
  • gmer.log (951 bytes)
  • mbam-log-2010-07-13 (01-57-45).txt (894 bytes)

I notice you did 2 restores:
RP189: 7/12/2010 1:59:40 AM - Restore Operation
RP190: 7/12/2010 8:05:37 PM - Restore Operation

Were these System Restore to 2 different restore points on the same day? And did you run all of the scan after doing the restore?



Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
===================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Please do not use Azureus Vuze or any other files sharing program while we're cleaning.
 
The two restores that I did were my attempt at trying to fix the problem when it first happened. I tried two separate days for the restore and neither worked. Also, these restores were performed before I ran all the scans.
 
Here are the two reports from the scans that I did.

I really appreciate the help so far, thank you very much!
 

Attachments

  • ComboFix.txt (15.8 KB)
  • log.txt (743 bytes)

You have the McAfee Security Scan Scheduler being loaded from the Registry. It appears that your AV of choice is AVG. Please run this tool: McAfee Removal

You have 2 installations of the following programs, both downloaded and installed on 7/17/2010:
c:\program files\iPod(2)
c:\program files\iTunes(2)
c:\program files\QuickTime(2)
c:\program files\Apple Software Update(2)
c:\program files\Bonjour(2)

If you want to verify this: Use Windows Explorer (Windows key + E)> My Computer> double click on Local Drive (C)> Programs> you should see 2 folders for each. Suggest you remove the duplicate program by uninstalling in Add/Remove Programs as well as deleting one of the program folders for each.

Azureus/Vuze is also running from a tmp file in the background. You need to resolve these matters.

If you are still getting the pop-ups, please explain what IE is showing when it pops up.
 
I ran the McAfee removal tool and took care of that, and I also uninstalled/deleted the program folders for the duplicate programs.

For Azureus/Vuze, should I just uninstall through Add/Remove programs to take care of the tmp file? I'm a little unsure of how I would take care of that.

In terms of the popups, most of the time it is just iexplore.exe processes running in the background, but every 30 minutes or so I will get a random ad popping up. Every 30 seconds I also get notifications asking me if I want to change internet explorer to my default browser.
 
For the default browser: Set whichever browser you want to be the default. Additionally, do this:
Control Panel> Internet Options> Programs tab> Uncheck 'do you want Internet Explorer to check if it's the default browser.'> Apply> OK.

What do you mean when you say running in the background? I think the unchecking will stop the default pop-ups. You have duplicate AVG vaults also, so I'm removing the duplicate and taking a look in the other to make sure that's what it is. This will remove the Azureus entries.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe
Folder::
c:\documents and settings\Administrator\Application Data\Azureus

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1123561945-329068152-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

FolderLook::
C:\$AVG

Folder::
C:\$AVG(2)

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Your system looks clean to me- please run the following to make sure no bad entries are left:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:07:20 PM, on 7/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5979 bytes

I have also attached the combofix log, and went through the control panel to unchecked the option for Internet Explorer to check if it's the default browser, in addition to selecting firefox as my default browser. I'm still getting "do you want to change Internet Explorer to your default browser?" popups, however, and it doesn't recognize my selection of having firefox as my default browser for more than a day.
 

Attachments

  • ComboFix.txt (29 KB)
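As an added illustration (not part of the thread, and not code from HijackThis or any tool the helper uses), here is a small Python triage pass over lines in the HijackThis log format shown above. It parses the "Oxx - " entries and flags the kinds of items a helper reads first: a BHO whose DLL is gone, a Winlogon notify DLL that is missing, autostarts given by bare file name or living in user-writable paths, and ActiveX download (DPF) sources. The sample lines are copied from the log above; the triage rules are my own assumptions for the example.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log above.
# Every entry has the shape "<section> - <rest>", e.g. "O2 - BHO: <name> - {CLSID} - <path>".
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFON]\d+) - (.*)$")          # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # "HKLM\..\Run: [label] command"
# Locations a legitimate autostart rarely lives in (assumed list for this example).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_log(text):
    """Return (section, body) tuples for every HijackThis entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable_of(command):
    """Pull the program path out of a Run-key command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"')[0]
    return command.split()[0]


def review(entries):
    """Triage rules; each finding is (section, reason, detail)."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphaned BHO: CLSID registered but no DLL on disk", body))
        elif section == "O20" and "(file missing)" in body:
            findings.append((section, "Winlogon notify DLL not found", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            hive, label, command = m.groups()
            exe = executable_of(command)
            if "\\" not in exe:
                findings.append((section, "autostart by bare file name (resolved via PATH search)", f"{hive} [{label}] {exe}"))
            elif any(p in exe.lower() for p in USER_WRITABLE):
                findings.append((section, "autostart from a user-writable location", f"{hive} [{label}] {exe}"))
        elif section == "O16":
            findings.append((section, "ActiveX download (DPF) source to verify", body.split(" - ")[-1]))
    return findings


if __name__ == "__main__":
    for section, reason, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {detail}")
```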
Did you go to Internet Options in the Control Panel to uncheck IE? Can you take a screen shot of the default IE message when it comes up, then attach the image here.

As for the system being sluggish, that isn't necessarily due to malware: number of programs loading on start, amount of RAM installed, type of connection to the internet are all contributors.

Have you noticed any improvement at all since getting the Azureus files off the system?
 
Here is an example of one of the popups I'm getting randomly on my computer:

zspq1f.jpg


After getting all the Azureus files off my system, I've noticed a large improvement in regards to the speed of my computer, however my sound still disables itself and I keep getting these popups.
 
In terms of the disabled sound, I've discovered that somehow my "wave" volume in my volume tab in sounds and audio devices keeps being set at "0". If I change the wave volume I can hear sound on my computer for a short time, but then after about five minutes it changes back to "0" and I can't hear anything.
 
I do not believe this is a legitimate warning. It may be coming through the Windows Messenger Service, so I want you to turn that off and rename the Service like this:
  • Click on Start> Run> type in services.msc
  • Scroll down to Messenger and double click to open
  • Change Startup type to Disabled
  • Stop the Service
  • Exit Services

Use Windows Explorer: Windows key + E
  • Click on My Computer> Click on Local Drive (C)
  • Double click on Programs
  • Look for Messenger: and right click on it
  • Select Rename
  • Add old to the end like this messengerold
  • Exit Windows Explorer

Run TFC (Temporary File Checker); use this site for download, as geeks2go is down today:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Let me know if this handles the fake pop-up.

This is not the Messenger IM program. It is the Service for the Administrator to use to contact other systems on the network. It is frequently used, unethically, as a 'mimic' of a Microsoft message.
 
I renamed and turned off the service, and ran TFC. Unfortunately, I am still getting popups and my sound is still disabling itself.
 
Okay, then check this:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
 
Here is the report from Bootkit Remover

Once again I would like to thank you for all the help you have provided so far, Bobbye, I really appreciate the time and effort you have put into solving my problem.
 

Attachments

  • BootkitReport.txt (755 bytes)
You're very welcome. Have another step- let's hope this does it!

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Okay, one more problem handled! And you are very welcome.

About the sound: did you open the Volume Control in the Notification Area and check the settings there? There is a gremlin that visits there, muting the sound and changing the settings. You might also want to look into a driver update.

What problems are you still having?
 
I'm not quite sure how to check the volume control in the notification area - I checked it through the sounds and audio devices section of the control panel and re-enabled the sound from the advanced settings there, but I'm not sure if that's what you meant.

I also checked and made sure my drivers were up to date, and everything is fine in that regard.

In terms of the problems I'm still having, I haven't seen any popups so far, and my sound hasn't muted itself yet, although I will let you know if the sound starts acting up again!

Thanks for the assistance!
 
It's been about an hour and I haven't had any popups appear on my computer, and my sound seems to be working properly. The problem that I'm still having is that I can hear the clicking sound of a window opening every once in a while, and I also occasionally hear an audio ad playing.
 
You should have the Volume icon in the Notification area. If you don't: right click on the Taskbar> Properties> Notification Area> check 'hide inactive icons'> click on Customize> find the Volume icon and set to 'Always show'> Apply> OK.

Now whenever you want to check or change settings, right click on that icon> choose 'open Volume Controls' and you have all the settings available- plus you can check all the 'mute' boxes.

Can you tell me what you mean by hearing a clicking sound of a window opening? You might want to go to the Control Panel> Sounds and Audio Devices> Sounds tab. Everything in the Events box with a sound icon has some sound for it. Play around with those settings. It could be for something else but you are 'associating' it with a window opening.

If you change a sound, when finished, click on Apply> OK.
 
In terms of the sound of the opening windows, I haven't heard anything in the last two days. If I hear anything I will let you know, but otherwise, things appear to be working fine.

Thanks for all the help!
 
You're welcome. If the problems have been resolved, you can remove all of the tools we used and the files and folders they created.
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if you have any more questions.
 