Iexplore.exe Runs In Background On Startup And Starts Visiting Sites


#1 NeilH

Posted 03 March 2008 - 09:08 PM

Hello,

I have Windows XP Pro SP2.
I have run a complete system scan with Avast, Registry Mechanic, Ad-Aware, and superantispyware with no luck.

As the title states, when I start up and log in, iexplore.exe is running in the background and sucks up a fair amount of my CPU.
I watch the Avast Web Shield and it shows me IE hitting a bunch of sites I have never been to before, mostly TV sites. I can also hear the clicking links sound in my speakers and occasionally some noises when it hits a site with audio.
Once I just kill iexplore.exe in the task manager everything goes back to normal.

I'm not sure how it all started, but I initially noticed it because the task manager was disabled from my account! I figured out how to re-enable it, but now I'm stuck with this thing...

Your help is greatly appreciated,

Neil.



#2 Orange Blossom


Posted 03 March 2008 - 09:39 PM

Hello NeilH and welcome to BC :flowers:

I see that you ran registry mechanic. The writers of registry tools don't know what specifically you have on your system, and if you don't know what you are doing, you can create real havoc with your computer or programs. One of the most important things to do when changing things in the registry is to back it up so you can reverse it if necessary. I completely hosed my Adobe products by using a registry cleaner. Fortunately, I was able to reverse what I'd done because I'd backed it up.
-------
It would be helpful if you posted the log from SUPERAntiSpyware. Did you run it in Safe Mode? Please indicate whether it was safe mode or normal mode when you post the log. In order to find the log, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log and choose the appropriate date.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 NeilH


Posted 03 March 2008 - 10:41 PM

I ran it in normal mode not safe mode...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/02/2008 at 03:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 04:34:27

Memory items scanned : 620
Memory threats detected : 0
Registry items scanned : 5621
Registry threats detected : 0
File items scanned : 39612
File threats detected : 53

Adware.Tracking Cookie

Edited by NeilH, 03 March 2008 - 10:45 PM.


#4 Orange Blossom


Posted 03 March 2008 - 11:40 PM

Thanks for the log NeilH,

I'm going to ask you to run a scan with it again, but this time in Safe Mode. The reason is that more areas where malware may lurk are available in Safe Mode.

Before going into Safe Mode, make sure you have the settings as follows:

Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
Please leave the others unchecked.

Once you are in safe mode, make sure to set up the scan this way:

  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.

At this point, reboot into normal mode and retrieve the log. Please post the log in your next reply.

Orange Blossom :thumbsup:

#5 NeilH


Posted 04 March 2008 - 02:41 AM

Hey Orange Blossom,

Thanks again for your help.
I did what you asked and here is the new log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/03/2008 at 11:27 PM

Application Version : 4.0.1154

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:08:36

Memory items scanned : 181
Memory threats detected : 0
Registry items scanned : 5043
Registry threats detected : 0
File items scanned : 48702
File threats detected : 39

Adware.Tracking Cookie

It prompted me for an update before I ran it this time so I did it; I hope that doesn't throw us off. I figured it was a good idea to get the latest updates.

Edited by NeilH, 04 March 2008 - 02:43 AM.


#6 NeilH


Posted 04 March 2008 - 10:13 PM

Hey Orange Blossom,

I'm not being impatient here, I just wanted to state that the problem does still exist as I didn't say either way in my last post.
Just let me know what to do next when you get back on to my case :thumbsup:

#7 Orange Blossom


Posted 04 March 2008 - 11:09 PM

Hello NeilH,

I just got back a few minutes ago from a VERY LONG day at work and a drive home in a snowstorm.
---------------
Yes, you were right to let it update before running the scan.

Thanks for posting the log. SUPERAntiSpyware found just a few tracking cookies. I'm going to consult with some others to see where to go from here in identifying what is causing your problems.

In the meantime, I encourage you to read the following about cookies and work to block such cookies.

Tracking cookies are not a threat, but there are privacy concerns. Tracking cookies are a kind of third party cookie. You can read more about the kinds of cookies and how to block unwanted cookies in IE in this post: http://www.bleepingcomputer.com/forums/ind...st&p=702871

The links he provides will tell you how to block third party cookies in IE.

You can set up Firefox to block unwanted and unneeded cookies this way:

Click on Tools --> Options --> Privacy

Make sure there is a check mark by "Accept Cookies from Sites." Then in the box just below, make sure the window says "Ask me every time."

What this will do is that every time a site wants to put a cookie on your computer, a little window will pop up asking you if you want to accept it. The first time it shows up, click on "Show details". From then on, except when you reinstall Firefox or in some instances update it, the details will always be shown. There you can see who wants to put it on your computer and whether it is a session cookie or a permanent cookie.

You can add the site to your black list or white list by putting a check mark by "Use my choice for all cookies from this site" and clicking on Deny, which adds it to the black list, or Allow for session or Allow. The latter choice means that any permanent cookies will stay on your computer until they expire or you delete them. The former choice means that the cookies will always go away when you close your browser. Either way, the sites will be added to the white list.

You can see what cookies are installed by clicking on the Show Cookies button on the privacy screen where you set the cookie options. When you click on Exceptions you will see the list of sites blocked from or permitted to set cookies. You can manually add sites to the block or allow list here, and you can also remove sites from the list.

Security programs such as SpywareBlaster (prevents spyware from being installed on your PC; tutorial: Using SpywareBlaster) will add many sites to the block list to protect you from tracking cookies.

Orange Blossom :thumbsup:
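The reading of the scan logs that post #7 relies on (every detection is a tracking cookie, nothing in memory or the registry), as an added Python example that is not part of any post in this thread. The sample log, the user names and the non-cookie entry are constructed, and treating any plain line after the counters as a category name is an assumption about the log layout.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware logs in this thread:
# summary counters, then a category name followed by the flagged file paths.
# The last category and its path are made up to show a non-cookie detection.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Scan type : Complete Scan
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\UserA\Cookies\usera@doubleclick[1].txt
C:\Documents and Settings\UserA\Cookies\usera@ads.example[2].txt
C:\Documents and Settings\UserB\Cookies\userb@doubleclick[2].txt

Example.Category (constructed)
C:\WINDOWS\system32\example-placeholder.dll
"""

STAT_RE = re.compile(r"^(?P<key>[^:\\]+?)\s*:\s*(?P<val>\d+)\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
COOKIE_RE = re.compile(
    r"\\(?P<profile>[^\\]+)\\Cookies\\[^\\@]+@(?P<site>[^\\\[]+)\[\d+\]\.txt$", re.I)

def parse_scan_log(text):
    """Return (numeric counters, [(category, path), ...])."""
    stats, detections, category = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"]] = int(m["val"])
        elif PATH_RE.match(line):
            if category:
                detections.append((category, line))
        elif stats and ":" not in line:
            category = line          # assumed: plain line after counters = category
    return stats, detections

def summarize(text):
    stats, detections = parse_scan_log(text)
    cookies, non_cookie = defaultdict(set), []
    for category, path in detections:
        m = COOKIE_RE.search(path)
        if m:                        # cookie file: record site and owning profile
            cookies[m["site"]].add(m["profile"])
        else:                        # anything else deserves a closer look
            non_cookie.append((category, path))
    return {
        "reported_file_threats": stats.get("File threats detected"),
        "parsed": len(detections),
        "cookie_sites": {s: sorted(p) for s, p in sorted(cookies.items())},
        "non_cookie": non_cookie,
        "memory_or_registry_hits": stats.get("Memory threats detected", 0)
                                   + stats.get("Registry threats detected", 0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `non_cookie` is empty and `memory_or_registry_hits` is 0, as in both logs posted above, the scanner has flagged no process, registry entry or executable, so nothing in the log accounts for a program that launches at startup.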

#8 NeilH


Posted 04 March 2008 - 11:40 PM

I seriously hardly ever use IE and definitely have never been to any of those sites so I'll definitely look into the info you suggested, thanks.

#9 Orange Blossom


Posted 05 March 2008 - 12:45 AM

Hello NeilH,

You're welcome. I rarely use IE myself. The guides in the links are well worth reading, and do look into getting SpywareBlaster.

Orange Blossom :thumbsup:

#10 Orange Blossom


Posted 05 March 2008 - 05:12 PM

Hello NeilH,

I've consulted with some malware experts, and they suggested that you post an HJT log.

Please follow the directions in this guide. If you can't do a step, skip it and go on to the next. Then create an HJT log; you will find the directions in step 9 of the guide.

Create a new topic in this forum, not here, and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work, and paste in your HJT log. Also, include the link to this thread and say that we sent you there.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Please post the link to your new thread as a reply to this topic so we know you are receiving help in the HJT forum.

Orange Blossom :thumbsup:

#11 NeilH


Posted 06 March 2008 - 02:39 PM

Hey Orange Blossom,

So last night I started to follow your instructions which included downloading and running Spybot - Search and Destroy.
Amazingly enough, this seems to have found and eliminated the problem! Of course it's still early and may re-appear, but so far so good. I'll post again in a few days and let you know either way.

Thanks again for your help.



