0

Hi, I have a problem with my computer where Internet Explorer keeps opening on it's own. I have tried:

AVG Anti-Virus
Ewido Anti-Spyware
Spybot: Search and Destroy

and so far no luck. I did solve the problem by forwarding the connection to a blank proxy. I am however concerned that I may have a keylogger on my computer. Is there a way to fix completely?

4
Contributors
12
Replies
13
Views
9 Years
Discussion Span
Last Post by crunchie
0

Sorry for not reading the sticky and posting a log. After reading it I followed all the steps but for some reason it would not let me save a log file. :S

I would also like to add it seems to go to random sites sometimes. For example if I google up "How to make soda" for example, it will open up a new window in some generic search engine with the word "make soda" searched up. Or it may go to a website about soda. Most of the time it's a blank window that never loads to anything.

0

It is difficult to help without that hijackthis log file as a starter.... run another scan if you must and just paste it in from that notepad.

0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Henson\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] -RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] -"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Labs Licensing Service - Unknown owner - -"C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe" (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"C:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

--
End of file - 5700 bytes

0

It stops the IE from popping up. But I really want to remove the problem completely and not just partially.

0

Oh, okay, I thought you may have been behind a network server.
Your log shows nothing, perhaps try this:
Clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

0

Scan complete... here's the log.

Incident Status Location

Adware:adware/savenow Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.adserver.easyad.info/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.overture.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Henson\Application Data\Mozilla\Firefox\Profiles\a45l50kd.default\cookies.txt[.azjmp.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

0

That is a clean scan, Nightel [you didn't use the firefox tab in ATF...?], apart from the entry at the top re Savenow adware in Registry - the method you used to remove WhenUSave may have left something...
I assume that IE still pops open?
You could search your registry for these keys and delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software
HKEY_CLASSES_ROOT\WUSN.1
HKEY_CLASSES_ROOT\CLSID\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18}

And use these as fields for searching registry;
72A836D1-BC00-43C0-A941-17960E4FB842
43382522-A846-46F4-AC57-1F71AE6E1086
AppID\127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB
WhenU
WUSN.1
FC327B3F-377B-4CB7-8B61-27CD69816BC3
FEE7FD53-3356-4D4D-8978-2C4AE3A7E109
E2F2B9D0-96B9-4B25-B90C-636ECB207D18
Tedious stuff; all I can think of though. What does IE do when it pops, where is it directed?

0

I did use the ATF scan on Firefox but for some reason my cookies were still there. Weird. :| Anyways I used a program yesterday my brother sent me that scans and deletes bad reg keys so all those you listed were deleted in the process. (assuming so since I couldn't find any of them)

IE still pops up and when it does it just says "Connecting..." but now it never connects to anything. This is a really odd problem, but if it isn't a virus or anything I'll probably settle with just disabling IE.

0

I understand, nightel.
The only way as far as I know that IE could be starting is for some process to be calling it. That process either has to be running from startup else is hooked into some other process so that when you or the sys starts the latter the hooking module is called and starts. Eg this key:
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \Explorer \ShellExecuteHooks
For those that are set to start automatically with your sys, try this:
autoruns.exe: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Either Icesword [get the english version and help files] or RKUnhooker [RootkitUnhooker] give you a deeper look at what is running, what ports are open and connected to where, hooks, and of course check for rootkits.. :).
Just a few tools for you to examine your sys with...
Good luck.

0

the same thing has just started to happening to me it start last night when i was doing my sose assessment do you know a sure fire way to stop it

0

Hi skulblaka.

First of all- welcome to Daniweb :).

We ask that members not piggy-back questions on to a thread previously started by another member here in the Viruses, Spyware & other Nasties forum, (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/forums/faq.php?faq=daniweb_policies


Thanks for understanding.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.