
IE browser opening automatically. Registry infected with Trojan; recre 1


KornFuse

MIS
Sep 27, 2006
The issue I am facing is, even though I use Google chrome as my default browser, Internet Explorer browser (v7) automatically opens up. I am running Window XP SP 3.

Nothing was detected by scans via Norton Antivirus. Then I ran SpyBotSD (v1.6.2) and it detected an infected registry key. The problem is even after deleting this key, it re-creates itself and is again detected in subsequent SpyBot scans.

The infected key is - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

Under no circumstance do I want to re-load the OS. Is the infected key the cause of IE automatically opening up, or are these two isolated issues? Any help in a permanent fix for the issue(s) would be greatly appreciated.

Thank you.
Rumaz
 
Just to check, have you made sure that you don't have IE set to run at startup, either with the Task Manager or msconfig?

I am not working on an XP computer at the moment so I cannot check that the registry format you are seeing is not normal.

I say this because it would be pretty poor malware that let its operation be so visible! Especially as Norton fails to detect anything.
Have you installed any software that coincides with the effects you see?
There are plenty of applications that might want to bring up an IE window for updates, adverts etc. etc.
I think which web page opens in IE might be a clue to what is happening.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Your problem re: registry key reloading is due to some program monitoring the existence of that key. Generally it can be found by MWB as noted by goombawaho, but be aware that these things can be real problems to remove.

Some of the rogue programs show up in the startup tab in msconfig and you can see them in taskmgr. Once you have the suspect files identified you can shut them down in taskmgr then watch them come back to life.

Worst case is generally a reload, then a restore to a backup before the infection.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
A couple of other things to look at. One, make sure your System Restore is turned off. Nefarious things like to hide there.

Second, look for rootkits, (see faq760-6534. It's old, I know.)

You might also try to run some of the anti-virus/anti-spyware in safe mode, too.

BTW, that registry key does NOT exist on my machine.


James P. Cottingham
I'm number 1,229!
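Ed Fair's point (a running program is watching the key and re-creating it) and James's observation (the value does not exist on a clean machine) can both be checked mechanically. The script below is an added example for this thread, not the poster's, Spybot's or Malwarebytes' code: it audits the Winlogon values that autostart hijackers commonly change and, on Windows, can poll the key to record when a deleted value reappears. The expected defaults for Shell and Userinit are assumptions for a stock XP install; the checking functions run anywhere, the live registry read only on Windows.

```python
"""Audit the Winlogon autostart values that are commonly hijacked.

Added example for this thread, not the poster's or Spybot's code.
Assumptions: stock Windows XP defaults for Shell and Userinit (below),
and that a Taskman value is normally absent, as James reports.
"""
import sys
import time

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected values on a stock XP install (assumption; compared case-insensitively).
EXPECTED = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
}
# Values that should not exist on a typical workstation at all.
SHOULD_BE_ABSENT = ("Taskman",)


def audit_winlogon(values):
    """Check a {name: data} mapping of Winlogon values.

    Returns a list of (name, observed, verdict) with verdict one of
    "missing", "modified" or "unexpected"; an empty list means clean.
    """
    findings = []
    for name, expected in EXPECTED.items():
        observed = values.get(name)
        if observed is None:
            findings.append((name, None, "missing"))
        elif observed.strip().lower() != expected:
            findings.append((name, observed, "modified"))
    for name in SHOULD_BE_ABSENT:
        if name in values:
            findings.append((name, values[name], "unexpected"))
    return findings


def read_winlogon_values():
    """Read the live HKLM Winlogon key on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            if isinstance(data, str):
                values[name] = data
            index += 1
    return values


def watch_for_recreation(read_values, rounds=12, interval=5.0, sleep=time.sleep):
    """Poll read_values() and record when a SHOULD_BE_ABSENT value comes or goes.

    Returns a list of (round, name, "re-created" | "removed"). Seeing the value
    come back seconds after deleting it confirms that some running process is
    re-writing it, and that process is what has to be found and stopped.
    """
    events = []
    previous = set(SHOULD_BE_ABSENT) & set(read_values())
    for round_no in range(1, rounds + 1):
        sleep(interval)
        current = set(SHOULD_BE_ABSENT) & set(read_values())
        for name in sorted(current - previous):
            events.append((round_no, name, "re-created"))
        for name in sorted(previous - current):
            events.append((round_no, name, "removed"))
        previous = current
    return events


if __name__ == "__main__":
    live = read_winlogon_values()
    for name, observed, verdict in audit_winlogon(live):
        print(f"{verdict:10} {name} = {observed!r}")
    if sys.platform == "win32":
        for round_no, name, what in watch_for_recreation(read_winlogon_values):
            print(f"round {round_no}: {name} {what}")
```

Run it once before deleting the value with Spybot and keep the watch loop running while you delete it; the round in which "re-created" appears tells you how quickly the re-writer reacts, which narrows down whether it is a resident process (instant) or a scheduled or logon-triggered one.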
 
@sggaunt; edfair: I haven't installed any program that would auto-initiate IE. I've also checked the Startup (via MSCONFIG) and IE is not in the list.

@goombawaho: Ran Malwarebytes' Anti-Malware's quick and full scans. Neither detected any malware. I ran SpybotSD again to confirm if the Trojan still existed, and it did detect it.

I did read this article on the Tek-Tips forum, but didn't understand the solution.

 
goombawaho: Following is the HijackThis log. (Sorry, couldn't figure out the attachment utility.)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:41:32 AM, on 6/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Documents and Settings\hormuz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\hormuz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\hormuz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\hormuz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\hormuz\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\hormuz\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://D:\vwr_data\dcm_vwr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
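The log above is what the replies read by eye: the O16 entry with a file:// source, the O4 Run entries, the services. As an added example that is not part of the thread and not HijackThis' own logic, here is a small Python triage script that parses HijackThis O4, O16 and O23 lines and flags the entries a reviewer would want to look at first. The sample lines are a subset of the log posted above; the flag rules are this script's own heuristics, and a flag means "review this", not "malicious".

```python
"""Triage a HijackThis log: flag the O4/O16/O23 entries worth reviewing first.

Added example for this thread, not HijackThis' own logic. The sample lines are
a subset of the log posted above; the flag rules are this script's heuristics
and a flag means "look at this", not "malicious".
"""
import re

# O4  - autostart entry:  O4 - <location>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O16 - downloaded ActiveX control:  O16 - DPF: {CLSID} (<description>) - <source>
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - ?(?P<source>.*)$")
# O23 - service:  O23 - Service: <name> - <vendor> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")

# Directory markers that put an autostart binary inside a user profile (XP layout).
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\")


def executable_of(command):
    """First token of a Run command: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text):
    """Return a list of (section, identifier, reason) for entries to review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("command"))
            if "\\" not in exe:
                findings.append(("O4", m.group("name"),
                                 "unqualified filename, resolved via the search path; confirm which file runs"))
            elif any(mark in exe.lower() for mark in USER_PROFILE_MARKERS):
                findings.append(("O4", m.group("name"),
                                 "autostart program lives in a user profile directory"))
            continue
        m = O16_RE.match(line)
        if m and m.group("source").lower().startswith("file://"):
            findings.append(("O16", m.group("clsid"),
                             "ActiveX control sourced from a local or removable path"))
            continue
        m = O23_RE.match(line)
        if m and m.group("vendor").lower() == "unknown owner":
            findings.append(("O23", m.group("name"),
                             "service binary carries no vendor information"))
    return findings


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\hormuz\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://D:\vwr_data\dcm_vwr.cab
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
"""

if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {ident:45} {reason}")
```

On the sample it flags four entries: the bare `AGRSMMSG.exe` (no path, so it depends on the search order), the MagicJack loader under the user's Application Data, the ImageViewer control pulled from `file://D:\`, and the IBM power-management service with no vendor string. All four have innocent explanations on this machine; the value of the script is that it reduces a 60-line log to the handful of lines that need a human decision.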
 

You can try ticking and fixing this entry.

O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://D:\vwr_data\dcm_vwr.cab

But I am doubtful about that solving the problem.

Look in your installed programs list for
SweetIM For Internet Explorer WhenUSearch
Uninstall it if it's there. If you see anything else that looks like a direct-marketing add-on but you are not sure about it, post the names here.

I can see several legitimate entries in there that could try to start up IE, but that might just be me?

I know you don't use it but which version of IE is installed on your computer?

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
@sggaunt:

I looked in my installed programs list and did not find SweetIM for IE. I don't think I see anything alluding to a marketing addon.

I have IE v 6. Never bothered to upgrade as I don't use it.
 
I don't suspect malware at all now. This may sound dumb, but upgrade to IE8 and see if the problem goes away. You should ANYWAY for the security benefits even if you use Chrome.

The other thing you could try (keeping IE7) is to reset IE7 options back to "stock".
From this article:


To do this, follow these steps:

1. Open Internet Explorer.
2. Click Tools, and then click Internet Options.
3. Click the Advanced tab.
4. Under Reset Internet Explorer Settings, click Reset.
 
Goombawaho, he has IE6, not 7!!
As you say, that's really not good at all.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
In the OP, it says he has "v7". But YES, that would be worse. Nobody should be running IE6 or IE7 at this point UNLESS there is some corporate reason for not moving ahead.

The potential list of browser and operating system vulnerabilities patched by moving to IE8 is a MUST regardless of whether you ever open IE or not.
 
Another thought:
Disable/Remove/Uninstall/Delete all Internet Explorer Add-Ons. You can always go back and reinstall any that you actually need after the fact.

Another thought:
Check your Start-up folder just to be sure it's clear: Start Menu - All Programs - Startup - see what's listed there.

In any case, when working with this sort of thing, it's best to at least make all hidden folders viewable:
Open Computer/Windows Explorer, and go to Tools - Folder Options, View tab, under Advanced Settings, then under Hidden files and folders, make sure "Show hidden files and folders" is selected, then OK your way out.

You can also look at MSConfig for startup items and services that might be questionable. If you see anything you're unsure of, look it up or ask here.

Or you can use a 3rd party tool. CCleaner can be downloaded from and under its tools section, you can go to StartUp, and actually delete entries you know you never want starting up, and otherwise disable entries you're not sure about, or think you might possibly want later.

Also, if the problems go away at some point with Internet Explorer, but Spybot is still finding something, make sure it's not a false positive.

Oh, and I see this system is Windows XP based. In that case, I'd highly recommend downloading this little app, run it, delete everything it finds, reboot, and see how the issues are standing:
RegScrubXP

Another tool that may be helpful when "all else fail" is MWAV antivirus. You can run it for free to detect things, and then manually fix them, by finding where the specific items are, and deleting/modifying them:
Actually, it's apparently now called eScan:

And it also would not hurt running DrWeb CureIt if nothing else zaps it.

Inevitably, if it gets to be too much, and you'd rather just wipe, reinstall and start over, then I'd suggest this route:
(well, very first, make sure you have the correct Windows CD for your computer, and that you have the product ID handy for the reinstall - either the sticker on your computer case, or on a retail Windows package, or on a piece of paper if you wrote it down at some point)

1. Back-up Your data to a USB drive, external hard drive, whatever.
2. Download The Ultimate Boot CD under "Mirror Links"
3. Boot from that CD and run Active Kill Disk under "Hard Disk Wiping"
4. After that is complete - it'll only do one run in the "free" version.
5. Install Windows.
6. Get Windows up to date
7. Install whatever applications you prefer. For many of the best ones, just go to click what programs you need/want, and click "get installer".. download the file, run it, and go take a break or sit there and watch it work. [wink] It's great for personal use. You don't have to understand anything about the program installers, as they pretty much always pick the best options for you. You can then go back later and change what you want. If you go this route, download Essentials, Malwarebytes, and SuperAntiSpyware from the Security section - Essentials is Microsoft Security Essentials, which I think is one of the 2 best AV products, especially the free ones, on the market - I'd say far better than any Norton or McAfee home product, at least.
8. If you downloaded Auslogics from ninite (Auslogics Disk Defrag), then once it's all done, it'd be good to run one good defrag and optimize.
9. If you don't have a router, then get one - you need a router with broadband computing, for the firewall part.
10. Download a 3rd party firewall, if you don't mind dealing with pop-ups as far as "do you want to allow.." - I highly recommend Comodo Internet Security as well as Tall Emu Online Armor. But Online Armor is not quite yet, I think, 64 bit compatible.

Now I've said too much in one post. I will hush. [blush]
 
Downloaded and installed IE v 8 - still have that key show up in SpyBot scans. And the problem regarding automatically opening IE browsers also still persists.

At this point the auto-opening of the IE browser is few and far between, hence manageable/not very annoying. What I fear is that this issue blows out of proportion and messes up my machine.

Any advice?
 
Did you try running ComboFix? It's pretty powerful and if it doesn't come up with any bugs, I wouldn't worry at all. In other words, live with it.

Did you try the Registry Repair within CCleaner? It won't hurt your PC, but back up/save the changes before fixing.
 
KornFuse: Looking back through the posts, you still haven't said which web site IE tries to open (if any) when it auto starts, and that could be important.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Hello everyone

A big apology for not responding earlier. I'm happy to inform that the problem of IE initiating automatically has been fixed.

Outside of all the Spybot and Malwarebytes scans etc., what also, I believe, did the trick was upgrading to IE v8.

Thank you all for your expertise, diligence and patience in walking me out of the woods. Thanks again. Cheers!
 
My daughter was playing an online game and somehow picked up a spyware or malware virus which has disabled all my .EXE files. I can't run any of my scans or open Control Panel or download any other virus protection. Am I screwed and better off wiping the disk clean and re-installing the OS? Or is there something I can do to get rid of the virus? Any suggestions? I can't run any programs, any scans or any downloads. I keep getting an error message that the file I am trying to run is infected and shut down. I can't even open Add/Remove Programs or try and do a System Restore......
 