
IExplorer seems hijacked!


amnmaddox

Hello All,
I have recently encountered an issue with Explorer and all my avenues to handle it have failed, so here we go!
A week or so ago, I noticed a ton (very long list) of weird ads and sites in my browser history. I cleared my history and closed Explorer. 5 minutes or so later, after not opening Explorer at all, I opened my browser, and bam!, full of bookmarks for weird sites, even random IP addresses. I've run several scans with Malwarebytes with no luck. I ran AV and spyware scans, nothing detected. Literally, while typing this email (in Firefox, IExplorer closed and history cleared), I've been to 6 sites!

 

It's worth mentioning, I downloaded a program a few months ago and had some strange programs pop up in my programs list when it installed. I tried removing these programs from Windows but it seems they may still be lurking somewhere. I ran a registry fix from CCleaner and this is what popped up. I underlined the programs supposedly removed a while back in this report below. So, since I cannot disable Explorer from Windows, I'm stuck visiting liposuction sites and random IP addresses for now. Any ideas?

 

Unused File Extension    JavaPlugin.10712    HKCR\JavaPlugin.10712
Unused File Extension    mk    HKCR\mk
Unused File Extension    res    HKCR\res
Unused File Extension    .    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
Unused File Extension    .TMP    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TMP
Unused File Extension    .xbel    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbel
ActiveX/COM Issue    deal2dealit.deal2dealit - {A962C495-44DD-CACA-1DE6-C7EF410EDF76}    HKCR\deal2dealit.deal2dealit
ActiveX/COM Issue    deal2dealit.deal2dealit.2.0 - {A962C495-44DD-CACA-1DE6-C7EF410EDF76}    HKCR\deal2dealit.deal2dealit.2.0
ActiveX/COM Issue    saferweab.saferweab - {D0FAF2D5-24EA-6217-7FE1-E07A3C389DFC}    HKCR\saferweab.saferweab
ActiveX/COM Issue    saferweab.saferweab.1.8 - {D0FAF2D5-24EA-6217-7FE1-E07A3C389DFC}    HKCR\saferweab.saferweab.1.8
ActiveX/COM Issue    saveron.saveron - {3B1E42DA-658D-3288-D62B-796733861F2D}    HKCR\saveron.saveron
ActiveX/COM Issue    saveron.saveron.4.5 - {3B1E42DA-658D-3288-D62B-796733861F2D}    HKCR\saveron.saveron.4.5
ActiveX/COM Issue    SaverPro.SaverPro - {2c0d5904-b80e-40b7-a34f-1c494af92e98}    HKCR\SaverPro.SaverPro
ActiveX/COM Issue    SaverPro.SaverPro.9 - {2c0d5904-b80e-40b7-a34f-1c494af92e98}    HKCR\SaverPro.SaverPro.9
ActiveX/COM Issue    SoFttCoup.SoFttCoup - {ED470894-FF7A-D3C7-560B-A866EC5B409D}    HKCR\SoFttCoup.SoFttCoup
ActiveX/COM Issue    SoFttCoup.SoFttCoup.3.12 - {ED470894-FF7A-D3C7-560B-A866EC5B409D}    HKCR\SoFttCoup.SoFttCoup.3.12
ActiveX/COM Issue    WOuwCoupon.WOuwCoupon - {5C514B78-3D4E-3F27-76A7-7749F9858846}    HKCR\WOuwCoupon.WOuwCoupon
ActiveX/COM Issue    WOuwCoupon.WOuwCoupon.4.7 - {5C514B78-3D4E-3F27-76A7-7749F9858846}    HKCR\WOuwCoupon.WOuwCoupon.4.7
ActiveX/COM Issue    InProcServer32\C:\Program Files (x86)\Java\jre7\bin\wsdetect.dll    HKCR\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}

 

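The CCleaner report above lists ProgIDs (deal2dealit, saferweab, saveron, SaverPro, SoFttCoup, WOuwCoupon) whose CLSIDs no longer resolve to a COM server. The following PowerShell script is an added example, not part of the original thread, that triages entries like these the way a responder would: resolve each ProgID to its CLSID, look for an InProcServer32 DLL in both the native and Wow6432Node views, and check whether that DLL exists and carries a valid Authenticode signature. It also lists Internet Explorer Browser Helper Objects, the add-on mechanism most often abused to hijack IE. It assumes Windows with PowerShell 3.0 or later and an elevated prompt; the ProgID names are taken from the report in the post and nothing else is assumed.

```powershell
# Added example (not from the original thread): triage "ActiveX/COM Issue" entries from a
# CCleaner report by resolving ProgID -> CLSID -> InProcServer32 and checking the server DLL.
# Assumes PowerShell 3.0+ on Windows, run elevated. ProgID names below come from the post.

function Get-ComServerForProgId {
    param([Parameter(Mandatory = $true)][string]$ProgId)

    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $clsid   = if (Test-Path "$progKey\CLSID") { (Get-ItemProperty "$progKey\CLSID").'(default)' } else { $null }

    $info = [ordered]@{
        ProgId    = $ProgId
        Clsid     = $clsid
        ServerDll = $null
        DllExists = $false
        Signature = 'n/a'
        Signer    = $null
        Verdict   = ''
    }
    if (-not (Test-Path $progKey)) { $info.Verdict = 'ProgID not registered';       return [pscustomobject]$info }
    if (-not $clsid)               { $info.Verdict = 'ProgID has no CLSID value';   return [pscustomobject]$info }

    # On 64-bit Windows a 32-bit server is registered under Wow6432Node; check both views.
    $serverKey = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32",
                   "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InProcServer32") |
                 Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $serverKey) {
        # This is the state CCleaner reports as an "ActiveX/COM Issue": a CLSID with no server.
        $info.Verdict = 'orphan: CLSID has no InProcServer32'
        return [pscustomobject]$info
    }

    $raw = (Get-ItemProperty $serverKey).'(default)'
    $dll = [Environment]::ExpandEnvironmentVariables(($raw -replace '"', '')).Trim()
    $info.ServerDll = $dll
    $info.DllExists = Test-Path -LiteralPath $dll
    if (-not $info.DllExists) { $info.Verdict = 'dangling: server DLL missing from disk'; return [pscustomobject]$info }

    # A live, loadable server is the case that matters; check who signed it.
    $sig = Get-AuthenticodeSignature -FilePath $dll
    $info.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
    $info.Verdict = if ($sig.Status -eq 'Valid') { 'live, signed server' } else { 'live server, not validly signed: inspect' }
    [pscustomobject]$info
}

function Get-BrowserHelperObject {
    # BHOs are CLSIDs listed under these keys; IE loads every one into each iexplore.exe it starts.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $clsidRoot = if ($root -like '*Wow6432Node*') { 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' } else { 'Registry::HKEY_CLASSES_ROOT\CLSID' }
        foreach ($k in Get-ChildItem $root) {
            $clsid = $k.PSChildName
            $name  = (Get-ItemProperty "$clsidRoot\$clsid" -ErrorAction SilentlyContinue).'(default)'
            $dll   = (Get-ItemProperty "$clsidRoot\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Clsid = $clsid; Name = $name; ServerDll = $dll; View = $(if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }) }
        }
    }
}

# ProgIDs copied from the CCleaner report in the post.
$progIdsFromReport = 'deal2dealit.deal2dealit', 'saferweab.saferweab', 'saveron.saveron',
                     'SaverPro.SaverPro', 'SoFttCoup.SoFttCoup', 'WOuwCoupon.WOuwCoupon'

$progIdsFromReport | ForEach-Object { Get-ComServerForProgId -ProgId $_ } | Format-Table -AutoSize
Get-BrowserHelperObject | Format-Table -AutoSize
```

Deleting orphaned ProgIDs is cosmetic; what decides whether the browser is still being hijacked is the last two checks, a server DLL that still exists on disk and any BHO whose ServerDll is unsigned or lives outside Program Files. Those are the entries to hand to the scanners that follow.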

Hello and welcome,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's Malicious Software Removal Tool and save it directly to the desktop.

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the tool and select “Run as Administrator”; the tool will expand to the options window.

In the "Scan Type" window, select Quick Scan

Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Post those logs to next reply, also give an update on any remaining issues or concerns....

 

Kevin...


Hello,

WOW, quick response! Attached are my logs. I did notice a few found and removed stuff. Still no luck. It's worth mentioning I did roll back IExplorer from v11 to v10 and did a full browser reset. Also, MBAM occasionally blocks sites and notifies me on my desktop, all of which are "outbound" from explorer.exe.

AdwCleanerS0.txt

FRST.txt

mrt.log

JRT.txt

MBAW.txt


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET Smart Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Click Scan
 
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thanks,

 

Kevin...

Fixlist.txt


Run the following and post the produced log, let me know if the issue is still present...

 

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

Right-click on the ZOEK icon and select Run as Administrator to start the tool.
Wait patiently until the main console will appear, it may take a minute or two.
In the main box please paste in the following script:

 

services_list;standardsearch;autoclean;emptyclsid;emptyfolderscheck;deleteiedefaults;firefoxlook;chromelook;FFdefaults;CHRdefaults;

 

 


Make sure that Scan All Users option is checked.
Push Run Script and wait patiently. The scan may take a couple of minutes.
When the scan completes, a zoek-results logfile should open in notepad.
If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

 

Please include its content in your next reply. Don't forget to re-enable security software!

 

Thanks,

 

Kevin...


Go here: http://windows.microsoft.com/en-in/internet-explorer/reset-ie-settings#ie=ie-10-win-7 follow the instructions and reset Internet Explorer.

 

Next,

 

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post the log in next reply please...

Kevin
 

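Resetting Internet Explorer as the post above instructs restores the defaults but records nothing about what changed them or what keeps relaunching a browser nobody opened. The PowerShell script below is an added example, not part of the original thread, to run before the reset: it dumps the URL values under IE's Main and SearchScopes keys with a heuristic "suspicious" flag (raw IP addresses, as in the poster's history, or hosts outside a short Microsoft allow-list), lists the Run/RunOnce keys, and pulls every scheduled task whose action is a browser or a script host. It assumes Windows 7/8 with English schtasks output, PowerShell 3.0 or later and an elevated prompt; the trusted-host list is a heuristic, not an authoritative list of IE defaults.

```powershell
# Added example (not from the original thread): snapshot IE hijack points and start-up paths
# before resetting IE. Assumes PowerShell 3.0+, Windows 7/8, English schtasks output, elevated.

# Heuristic allow-list for Microsoft-owned default pages; anything else is flagged for review.
$trustedHosts  = 'microsoft.com', 'msn.com', 'bing.com', 'live.com'
# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-UrlLooksHijacked {
    param([string]$Url)
    if (-not $Url) { return $false }
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $true }  # not even a URL
    if ($uri.HostNameType -in 'IPv4', 'IPv6') { return $true }                          # raw IP literal
    $trusted = $trustedHosts | Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
    return -not $trusted
}

function Get-IeUrlSetting {
    $keys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
            'HKLM:\Software\Microsoft\Internet Explorer\Main',
            'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        # URL-valued entries directly under the key (Start Page, Search Page, Default_Page_URL, ...)
        foreach ($prop in (Get-ItemProperty $k).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $value = [string]$prop.Value
            if ($value -match '^https?://') {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Value = $value; Suspicious = Test-UrlLooksHijacked $value }
            }
        }
        # SearchScopes keeps one subkey per provider with the endpoint in its 'URL' value.
        foreach ($sub in Get-ChildItem $k) {
            $u = (Get-ItemProperty $sub.PSPath).URL
            if ($u) {
                [pscustomobject]@{ Key = "$k\$($sub.PSChildName)"; Name = 'URL'; Value = $u; Suspicious = Test-UrlLooksHijacked $u }
            }
        }
    }
}

function Get-RunKeyEntry {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($prop in (Get-ItemProperty $k).PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-TaskLaunchingBrowserOrScript {
    # schtasks is used because Get-ScheduledTask does not exist on Windows 7.
    # With /v /fo csv the header row is repeated per task folder; drop those rows.
    $rows = schtasks /query /fo csv /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    $rows | Where-Object { $_.'Task To Run' -match 'iexplore|explorer\.exe|wscript|cscript|mshta|rundll32|powershell' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Scheduled Task State', 'Next Run Time'
}

Get-IeUrlSetting                 | Format-Table -AutoSize
Get-RunKeyEntry                  | Format-Table -AutoSize
Get-TaskLaunchingBrowserOrScript | Format-Table -AutoSize -Wrap
```

Save the output to a file before running the reset, then run the script again afterwards: a Start Page or SearchScopes URL that changes back on its own, or a task that reappears, tells you the setting is being re-applied by something still running, which is a different problem from a one-time settings change.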

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

C:\Programdata\RogueKiller\Logs <-------- W7/8

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP

 

Next,

 

Scan with Gmer rootkit scanner

 

Please download Gmer from Here by clicking on the "Download EXE" Button.

 

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
     
            Sections
            IAT/EAT
            Show All ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

 

Please post the content of the ark.txt here.

 

 

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

**If GMER crashes** Follow the instructions here and disable your security temporarily…

 

Thanks,

 

Kevin..


Ran both scans, I get errors with GMER. One says:

C:\Windows\system32\config\system: The process cannot access the file because it's being used by another process.

the other says:

C:\Users\%myname%\ntuser.dat: The process cannot access the file because it's being used by another process.

 

See logs below

ark.txt

RKreport_SCN_11302014_161745.log


Please read carefully and follow these steps.

  • Download TDSSKiller from here http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on tdsskiller.exe to run the application.
  • The "Ready to scan" window will open, click on "Change parameters".
  • Place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system (leave "Service & Drivers" and "Boot Sectors" ticked). Click OK.
  • Select "Start Scan"
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


 

Thanks,

 

Kevin...


Hmmm, we are not making much progress. One more scan for me.

 

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the file to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it.

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. When the next window opens, select Next.

7. When the following window opens, select Update.

8. When the update completes select Next.

9. In the following window ensure "Targets" are ticked. Then select "Scan"

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found, select Exit.

13. Verify that your system is now running normally, making sure that the following items are functional:

      Internet access
      Windows Update
      Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...


LOL, you're telling me. Still nothing detected. It's worth mentioning that the sites that appear are always the same, I think. With the exception of the random IP addresses. I also notice in my task manager 2 separate Explorer.exe's running at the same time, one that seems stagnant (i.e. doesn't do much in the way of memory), the other constantly ticks up, up and away. Here are the logs.

mbar-log-2014-11-30 (17-57-10).txt

system-log.txt


You tell me you see two explorer.exe in task manager, is it not two iexplore.exe that you see?

 

Run this for me...

 

Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe     <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe  <<-  32 bit

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    explorer.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
 


MD5 identification for explorer.exe is clean, no issues.... System is 64 bit so you will see two explorer.exe in Task Manager. If you open Internet Explorer you will see two iexplore.exe in Task Manager, if you open another tab there will be three, one more tab there will be four and so on...

 

What issues/concerns remain? Recent scanners are not finding anything obviously wrong... Try offline tool, see if we find anything that way:

 

Do you have access to another PC to create the Windows Defender Offline tool? I'll give the instructions to load it to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…

It can be created from the PC with issues, but a different clean PC is preferred!

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool, Windows 7 or Vista users right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

In the new window accept the agreement.

In the new window select your USB Flash Drive, then select "Next"

In the new window ensure your Flash drive is selected, if not click on "Refresh" then select "Next"

In the new window accept the formatting alert by selecting "Next"

Files will be downloaded.

Files will be processed and created.

The Flash drive will be formatted and prepared.

Files will be added to the Flash Drive and the tool will be created.

The procedure is finished and the Tool created, click on "Finish" to complete.

 

Plug the USB into the sick PC and boot up, if it does not boot from the flash drive change the boot options as required,  Use F12 as it boots, change options...

As it boots you`ll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan" follow the prompts and deal with what it finds.

When complete do a full scan, deal with what it finds.

When finished, remove the USB stick then press the Esc key to boot into regular windows.

Navigate to the following file:

 

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

 

Open with notepad and copy and paste it into a reply.

 

Thank you,

 

Kevin...

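Kevin's reply above turns on two process questions: which explorer.exe and iexplore.exe instances are running and from where, and whether the MD5 of explorer.exe checks out. The PowerShell script below is an added example, not part of the original thread, that does that check live rather than by comparing hashes: it reports image path, parent process and Authenticode status for every explorer.exe and iexplore.exe, then lists every process, whatever its name, that has the IE engine (ieframe.dll, mshtml.dll) or IE's networking stack (urlmon.dll, wininet.dll) loaded, since a process like that can fill IE's history and cache with no iexplore.exe window open. It assumes a Windows 7/8 era host, PowerShell 3.0 or later and an elevated prompt (module lists of other users' processes need it); no hashes from the thread are used.

```powershell
# Added example (not from the original thread): inventory browser processes and find
# any process that has loaded Internet Explorer's engine or networking DLLs.
# Assumes PowerShell 3.0+, Windows 7/8, elevated prompt.

function Get-BrowserProcessReport {
    param([string[]]$Names = @('explorer', 'iexplore'))

    # Win32_Process supplies parent PID and image path; index it once by PID.
    $byPid = @{}
    foreach ($w in Get-CimInstance -ClassName Win32_Process) { $byPid[[int]$w.ProcessId] = $w }

    # Only the copy in %windir% is the real shell; a same-named binary elsewhere is suspect.
    $realShell = Join-Path $env:windir 'explorer.exe'

    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        $w      = $byPid[$p.Id]
        $parent = if ($w -and $byPid.ContainsKey([int]$w.ParentProcessId)) { $byPid[[int]$w.ParentProcessId].Name } else { '<exited>' }
        $path   = if ($w) { $w.ExecutablePath } else { $null }
        $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name   = $p.ProcessName
            Pid    = $p.Id
            Parent = $parent
            Path   = $path
            Signed = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Note   = if ($p.ProcessName -eq 'explorer' -and $path -and $path -ne $realShell) { 'explorer.exe outside %windir%' } else { '' }
        }
    }
}

function Get-ProcessUsingIeEngine {
    param([string[]]$Modules = @('ieframe.dll', 'mshtml.dll', 'urlmon.dll', 'wininet.dll'))

    foreach ($p in Get-Process) {
        # Protected processes and the other bitness throw on .Modules; skip them rather than abort.
        try {
            $path   = $p.Path
            $loaded = @($p.Modules | ForEach-Object { $_.ModuleName.ToLower() })
        } catch { continue }

        $hits = $loaded | Where-Object { $Modules -contains $_ } | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Name      = $p.ProcessName
                Pid       = $p.Id
                Path      = $path
                IeModules = ($hits -join ', ')
            }
        }
    }
}

Get-BrowserProcessReport | Format-Table -AutoSize
Get-ProcessUsingIeEngine | Format-Table -AutoSize
```

Plenty of legitimate software loads wininet.dll or urlmon.dll (updaters, Explorer itself), so that column alone proves nothing. The entry worth chasing is a process with ieframe.dll or mshtml.dll loaded whose Path is unsigned or sits under %AppData% or %Temp%: that is the shape of a hidden WebBrowser-control host, and its PID is what you hand to Process Explorer or a dump tool next.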

Hello again. So let me explain what's going on a little bit better, and for some reason the log file you requested was not saved (I attempted the scan 2 times, nothing found).

 

About 3 weeks ago I ran CCleaner as I always do about once a week, to clean up my system. It's worth noting that this machine is dedicated to 1 or 2 programs exclusively, and I rarely, if ever, surf the web on it. I do not use torrent sites or any junk like that on it. The only reason I run CCleaner on it is, the programs I use build temporary system files and I clean that regularly to keep the machine fast and lean.

 

When I ran CCleaner, 3 weeks ago or so, it took an extremely long time. Longer than normal (normal = 30 sec, this time = 5 mins).

I noticed when it was done that it had cleaned approx. 1 GB of temp internet files from Internet Explorer. This was confusing since, as stated earlier, I rarely surf on this machine. Also if I do surf, it's on Firefox, not Internet Explorer.

 

So, I began monitoring IE 11 and its history after that. I noticed, with Internet Explorer CLOSED, after wiping the history clean, after 10 or so minutes, IE 11 had visited 15 to 20 sites, ON ITS OWN. It visited everything from Twitter to momthis.com to random IP addresses in France. Without being opened. I also monitored my task manager and no instances of iexplore were found.

 

The last time I was on the internet on this machine was on the 1st of November. I bought a new gaming headset and downloaded the drivers from Corsair.com. Other than that, this thing, whatever it is, just popped up out of nowhere.

 

The reason why I posted all this is not to drone on. I just felt like I should explain my issue a little better since it seems to be an issue that's a pain in the neck to isolate. I've also seen a few posts go up on other sites and this one about a similar issue with IE11. I hope we aren't chasing our tails, LOL.

 

I sincerely appreciate your help and look forward to figuring this out!

