
IE opens by itself


10 replies to this topic

#1 lxlqlxl

  • Members
  • 5 posts

Posted 16 March 2010 - 03:24 AM

Below was written with the intended purpose of helping add more info to a user's post to help out with diagnosing the problem. However, in trying to do so it appears I can't. The thread this was meant to add to is from the user hippiechld, and the thread to which I am referring is hxxp://www.bleepingcomputer.com/forums/topic299593.html. I can understand your policy on this, kind of, but it is far too restrictive and it's basically shooting yourself in the foot with the intended purpose of helping people. That is, of course, unless you are some sort of supreme being and are the know-all, be-all of computer-related issues. So far, from what I have seen, your malware/virus type sections have been lackluster. Some decent info, but most of it is rehashed things that anyone who has installed a virus program either knows about or has done 100 times before. I won't post my HijackThis log because I have already combed it plenty of times in relation to this issue and it won't add to solving this problem for me or the other user. By shooting yourselves in the foot I mean I don't know how large your staff is, but from what I have been able to tell you do not have the resources or manpower to answer everyone's pleas promptly. Also, the replies I have seen show 0 knowledge on this type of popup. It isn't installed, it doesn't have registry keys as far as I have seen, and it isn't spotted by HijackThis, and I am sure it won't be able to spot it at all unless you look at it in the 10-second time frames you have before it disappears. It looks as if it is dormant for all but 30 to 60 mins, then it starts up, opens IE (which is not my default browser), waits 10 seconds, loads a page, keeps that page open for 10 seconds, then promptly closes it. Then it repeats that cycle 2 to 5 more times. All in all I think this is a new thing that has started; it is unlike anything I have seen before.
I am sure there is a solution to it, but I am positive you will have members and others coming here looking for a solution when this explodes.

A tip on your not allowing other members to post help on others' threads: why don't you make it an option for the author? Also, let's say when one of you gets around to checking their thread, if you notice someone being mean or rude to the OP, they get cut off from posting on that thread and temp-banned from posting on the site for a period of time. Problems would get solved much quicker and your knowledge base would grow substantially. The OP of the last thread didn't know much of the info I listed below, which does nothing but add to finding a solution.

All in all this is a very restrictive site with some good info that can usually be found elsewhere. Just not this issue, due to it being something new. By new I mean a new way to avoid detection, which all the sources and fixes you have listed so far don't work against. So as long as it remains restrictive I doubt I will be adding much to it or directing people toward it.

Again, what is listed below was going to be my response to the other OP's thread. There is little to no reason why info like that couldn't be shared between people on the same thread. I am rarely for editing people's replies or deleting them, but I could understand doing so in this type of forum to make it easier for people to find solutions. Like if someone replied "lol" or whatever, then they could be punished in whatever way. If they actually tried to contribute and actually did so, I see nothing wrong with it, and if whoever is in charge actually sat down and thought about it they would come to the same conclusion. That is, if they want to help people in a timely, productive manner.

------------------

I have what you have. I have tried several methods listed above, including ComboFix, and nothing has worked yet. I did however find the source, or it looks like the source anyway. A program called TCPView helped me find it. I waited until the popups would come; well, I had TCPView open while I did other things, and when the popups came I went to TCPView to see the iexplore.exe and what address it was going to. The address it goes to is mediaplex.com. I added all the addresses I could find linked to them to the hosts file, so hopefully that will stop or slow it down some. I also copied the URLs from the last few times. The thing with these popups is they don't stay open. They open IE for about 10 seconds, then load whatever site they want, wait about 10 or so seconds, then close IE. Then open another one. The rates I have seen are anywhere from 3 to 6 times, probably more. The rate at which this happens is around every 30-60 mins. When this first started happening I would just keep clicking the X and the pages would never even begin to load. Anyway, here is what I added to hosts:

127.0.0.1 NS1.MEDIAPLEX.COM # 64.158.223.64
127.0.0.1 NS2.MEDIAPLEX.COM # 64.70.10.79
127.0.0.1 mediaplex.com
127.0.0.1 64.70.54.41
127.0.0.1 ASIA9.AKAM.NET
127.0.0.1 USE4.AKAM.NET
127.0.0.1 NS1-27.AKAM.NET
127.0.0.1 NS1-100.AKAM.NET
127.0.0.1 EUR2.AKAM.NET
127.0.0.1 EUR3.AKAM.NET

They also go by valueclick and fastclick

The links below are from the popups I let load, when I could be fast enough to copy them to a txt file. I don't intend or want anyone to go to the sites below; I am providing them for diagnostic purposes only.

hxxp://homeinsurehelp.com/

hxxp://homeinsurehelp.com/result.php?Lfzxpset%3EPomjof%2CMfoefs%27c%3EbH%3Au%5BXmvd4Wz%5BXimcIBvZ3%3Au%27f%3Evt%3CVT%3C6%3A%3C2%3C2%3C82246925%3Ctuzmf2%606%3A%2Fdtt%3C3%3Cjoufsdptnpt%60bggjmjbuf%602%60e3s%60efsq%3Cbouipoz118%3Cbouipoz118%3C%3C%3A94%3Cdmfbo%3C%3C0e0tfbsdi0q0joufsdptnpt0ynm0epnbjomboefs0joum0e3s0gfg0qpqdbu0w30%3Cenynm%2Fjoufsdptnpt%2Fpwfsuvsf%2Fdpn%27dbu%3EMfoefst%27dbuqpt%3E2%27qpt%3E5%27tfbsdi%60uzqf%3Edbufhpsz%27enybsht%3E17pFOzb5%5BH2ZT7wPMKxqMjGekH%3A2JDsciQTuOZHuJqKvCDMpKHu%3AhJ%5Bsu4bpyM4%3AdsPkRX6gYRCk7X2BgRT5XUn9ChcWMYe8rwCuin%5BektFCbGjoovs8rnz6mMNqyVEu7VjV%5B%5B%606Xuj3SOGPQm%60YO5g4by8j8eElkgdN%5Bo1cbhvb7Zsm977.yHE1G24WLKBmh%2F-ZU1%7B%27jqvb%60je%3Edde55d49g6ged838%3Ac1bfeb17f9fef19

hxxps://www.quickenloans.com/mortgage-options/mortgage-rates-comparison?qls=GTO_K0009583.0000534222&ef_id=1083:1:f1372785badf28980dfcb3da6c2782bc_37755202022_139202417522:S58GOtBkLCYAAHngUmgAAAMA:20100316041658

hxxps://www.quickenloans.com/home-equity-loan

hxxp://www.spcgame.com/ad/vc.htm

hxxp://cureandhemorrhoids.com/

hxxp://debttradebill.com/

----------------------------------------------------------------

hxxp://www.spcgame.com/index.php?params=game/1697/

hxxp://www.spcgame.com/index.php?params=game/1697/

hxxp://www.spcgame.com/index.php?params=game/786/

hxxp://www.spcgame.com/index.php?params=game/1019/

hxxp://www.spcgame.com/index.php?params=game/1629/


I have yet to do a system restore, because I find some issues challenging and when I have time I like to try to solve them before I break down and do a system restore or just reinstall the operating system. Others tend to have traces; this doesn't appear to. Be it a simple exe or dll or even a "rootkit", all scanning methods so far have not fixed and/or solved the problem. The scanning methods listed in the OP's thread found some things, but nothing that is involved with this issue.

So far it appears adding those to the hosts file worked. It hasn't popped up in an hour or so. If it does pop up I will either edit this thread if I can or reply to the thread saying it didn't work.

===========
-- Edit/addition --
===========

OK, below here is some log info from TCPView. I edited my IP for obvious reasons; the addresses that it goes to are not edited. The change from resolved to not resolved is from me changing the settings in TCPView. With iexplore.exe:3668 you will notice 2 separate ones. All of the separate ones are from separate saves from TCPView. It gets kind of hectic trying to save them while the info is still there; I didn't get all of them this time. The addresses I added to hosts didn't work. I am going to try adding some of these, primarily media.fastclick.net; if that works I will post back here. It didn't pop up for nearly 2 hours this time. Oh, and if any of you know anything about TCPView or can make a program like it, a good feature would be that every time you click save it saves a separate copy of the file. Like if it says "save as", save it as, say, log. The next time you hit save it's log0001, log0002, log0003, etc. I would have been able to get much more detailed info if I didn't have to use the "save as" feature every single time. media.fastclick.net is added to hosts and I will work on the others some time tomorrow if that doesn't work.

iexplore.exe:4612 UDP 127.0.0.1:4983 *:*
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4984 media.fastclick.net:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4985 rd.apmebf.com:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4986 yi-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4987 65.216.161.35:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4988 yi-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4992 a204-245-162-8.deploy.akamaitechnologies.com:http

iexplore.exe:3668 TCP xxx.xxx.x.xxx:1038 9a.49.4f.static.xlhost.com:http ESTABLISHED
iexplore.exe:3668 UDP 127.0.0.1:1037 *:*
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1041 yx-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1043 yi-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1039 media.fastclick.net:http ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1040 rd.apmebf.com:http ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1045 9a.49.4f.static.xlhost.com:http ESTABLISHED

iexplore.exe:3668 TCP xxx.xxx.x.xxx:1038 64.79.73.154:80 ESTABLISHED
iexplore.exe:3668 UDP 127.0.0.1:1037 *:*
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1041 74.125.45.149:80 ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1043 74.125.159.149:80 ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1039 63.215.202.18:80 ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1040 63.215.202.22:80 ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1045 64.79.73.154:80 ESTABLISHED
iexplore.exe:3668 TCP xxx.xxx.x.xxx:1048 72.246.209.115:80 ESTABLISHED

iexplore.exe:3604 TCP xxx.xxx.x.xxx:1061 64.79.73.154:80 ESTABLISHED
iexplore.exe:3604 UDP 127.0.0.1:1060 *:*
iexplore.exe:3604 TCP xxx.xxx.x.xxx:1063 63.215.202.18:80 ESTABLISHED
iexplore.exe:3604 TCP xxx.xxx.x.xxx:1064 63.215.202.22:80 ESTABLISHED
iexplore.exe:3604 TCP xxx.xxx.x.xxx:1068 64.79.73.154:80 ESTABLISHED
iexplore.exe:3604 TCP xxx.xxx.x.xxx:1065 74.125.45.149:80 ESTABLISHED
iexplore.exe:3604 TCP xxx.xxx.x.xxx:1069 65.216.161.19:80 ESTABLISHED

iexplore.exe:4472 TCP xxx.xxx.x.xxx:1075 9a.49.4f.static.xlhost.com:http ESTABLISHED
iexplore.exe:4472 UDP 127.0.0.1:1074 *:*
iexplore.exe:4472 TCP xxx.xxx.x.xxx:1078 yx-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:4472 TCP xxx.xxx.x.xxx:1076 media.fastclick.net:http ESTABLISHED
iexplore.exe:4472 TCP xxx.xxx.x.xxx:1077 rd.apmebf.com:http ESTABLISHED
iexplore.exe:4472 TCP xxx.xxx.x.xxx:1081 9a.49.4f.static.xlhost.com:http ESTABLISHED
iexplore.exe:4472 TCP xxx.xxx.x.xxx:1082 a204-245-162-17.deploy.akamaitechnologies.com:http

iexplore.exe:620 TCP xxx.xxx.x.xxx:1089 9a.49.4f.static.xlhost.com:http ESTABLISHED
iexplore.exe:620 UDP 127.0.0.1:1088 *:*
iexplore.exe:620 TCP xxx.xxx.x.xxx:1092 yx-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:620 TCP xxx.xxx.x.xxx:1090 media.fastclick.net:http ESTABLISHED
iexplore.exe:620 TCP xxx.xxx.x.xxx:1091 rd.apmebf.com:http ESTABLISHED
iexplore.exe:620 TCP xxx.xxx.x.xxx:1097 65.216.161.58:http ESTABLISHED
iexplore.exe:620 TCP xxx.xxx.x.xxx:1094 yi-in-f149.1e100.net:http ESTABLISHED
iexplore.exe:620 TCP xxx.xxx.x.xxx:1096 9a.49.4f.static.xlhost.com:http ESTABLISHED


Edited by lxlqlxl, 16 March 2010 - 04:49 AM.
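The TCPView snapshots above are the useful evidence in this post: they tie each short-lived iexplore.exe process to the remote hosts it contacted. The following is an added example (not code from the thread or from TCPView) that parses lines in the exact shape the poster saved, `image:pid proto local remote [state]`, groups remote hosts per process, and flags any process that talks to a watchlist of hosts. The watchlist is built from the domains named in this post and the sample lines are constructed for illustration; the parser treats endpoints as `host:port` split on the last colon, which is sufficient for the IPv4 and hostname entries shown here.

```python
"""Summarise TCPView-style connection snapshots per process and flag watchlisted hosts.

Added example, not part of the forum post. The line format is taken from the
snapshots the topic starter pasted: ``image:pid proto local remote [state]``.
The watchlist and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# One TCPView "save" line: process image and pid, protocol, local and remote
# endpoints, and an optional state column (absent on some lines in the post).
LINE_RE = re.compile(
    r"^(?P<image>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Hosts this thread identified as popup destinations (constructed watchlist).
WATCHLIST = {"media.fastclick.net", "rd.apmebf.com", "mediaplex.com"}

# Constructed sample snapshot, same shape as the post's dumps (local IP masked).
SAMPLE_LOG = """\
iexplore.exe:4612 UDP 127.0.0.1:4983 *:*
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4984 media.fastclick.net:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4985 rd.apmebf.com:http ESTABLISHED
iexplore.exe:4612 TCP xxx.xxx.x.xxx:4992 a204-245-162-8.deploy.akamaitechnologies.com:http
firefox.exe:1200 TCP xxx.xxx.x.xxx:5001 www.example.org:http ESTABLISHED
not a tcpview line
"""


def parse_line(line):
    """Parse one snapshot line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # Split "host:port" on the last colon (IPv4/hostname endpoints only, as in the post).
    host, _, port = rec["remote"].rpartition(":")
    rec["remote_host"], rec["remote_port"] = host, port
    return rec


def summarise(text, watchlist=WATCHLIST):
    """Return {(image, pid): {"hosts": [...], "flagged": [...]}} for TCP connections."""
    per_proc = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # skip unparsable lines and the loopback UDP sockets
        per_proc[(rec["image"], rec["pid"])].add(rec["remote_host"])
    result = {}
    for key, hosts in per_proc.items():
        # A host is flagged if it is on the watchlist or a subdomain of a watchlisted name.
        flagged = {
            h for h in hosts
            if h in watchlist or any(h.endswith("." + w) for w in watchlist)
        }
        result[key] = {"hosts": sorted(hosts), "flagged": sorted(flagged)}
    return result


def suspicious_processes(text, watchlist=WATCHLIST):
    """Return 'image:pid' labels of processes that contacted a watchlisted host."""
    return sorted(
        f"{image}:{pid}"
        for (image, pid), v in summarise(text, watchlist).items()
        if v["flagged"]
    )


if __name__ == "__main__":
    for (image, pid), v in summarise(SAMPLE_LOG).items():
        print(f"{image}:{pid} hosts={v['hosts']} flagged={v['flagged']}")
```

Run against several saved snapshots concatenated together, this gives the per-PID view the poster was assembling by hand; the process labels, not the remote hosts, are the lead to follow, since (as the admin notes later in the thread) blocking the destinations only hides the symptom while whatever launches iexplore.exe keeps running.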



#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2010 - 01:46 PM

This has been a topic that has been discussed numerous times and we will not be changing our policies. It is my job to make sure that our members get helpful and safe advice. As malware removal advice consists of deleting files, replacing legitimate system files, editing the registry, etc., there is too much potential for bad advice to be given. Therefore we restrict who can give advice in the malware removal forum to only people we know are trained in malware removal.

Does that limit the users who can help? Yes.

Does that make it so we can miss some good advice? Yes.

Does it allow us to protect our users from bad advice? Yes.

I think the risks of having strangers possibly give bad advice that may make a computer unbootable outweigh the potential benefits of helpful information someone may post. As for helping people in a timely manner, I think we do a great job helping considering how many requests for help we receive per day and the fact that we are offering free help. If people absolutely need immediate help, then I suggest they contact a consultant and pay for the computer to be repaired.

Now as to your problem. What you want to post actually won't do anything but stop the popups from being shown. Iexplore will still open and the infection will continue to run. The only thing you are doing is hiding the fact that the infection exists. That's not the right way to go about it in my opinion. I am sure Mole will be able to find the problem as he digs deeper.


#3 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 16 March 2010 - 02:46 PM

Thanks for your advice. Our forums work precisely the way we intend; that is, we don't give know-it-alls the opportunity to screw up someone else's computer. We handle hundreds of cases a day, and have a backlog of tens of hundreds, all of which will be fixed and sent on their merry way. By comparison, about every three months someone comes along with well-intentioned advice without bothering to try and understand why and how we do things, which for the most part we ignore, other than to say thank you for your input. That goes doubly when a member doesn't take the time to see where comments belong, and where relevant discussions go.


#4 jgweed

  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.

Posted 16 March 2010 - 02:58 PM

One of the reasons BC has become a site respected by our peers and the media is that we make every effort to protect our Members needing help from well-meaning but bad or incomplete advice that usually does more harm than good. Now this may mean that quality help is not instantaneous, but it also means that no Member has to come back with a computer that is dead because they did not get professional, trained, and knowledgeable assistance, or because all the malware was not removed the first time.

Edited by jgweed, 16 March 2010 - 02:59 PM.

Whereof one cannot speak, thereof one should be silent.

#5 lxlqlxl
  • Topic Starter

  • Members
  • 5 posts

Posted 16 March 2010 - 03:26 PM

I understand the hosts solution was a temporary one. I didn't mean to state it as a "fix". I do however think I did get it fixed earlier; the popup hasn't come back yet. So if you want to shoot the solution back over to the other OP I think they would be grateful. Also, thanks for the timely response. I understand your reasoning, but it can still be kept up with: people who give bad advice could be disallowed that option from then on, and/or have, say, a kind of online test of knowledge before someone is allowed to give advice. Anyway, whatever works. The solution is below, as what worked for me.

I got a copy of SpyHunter 3, updated the definitions, and it caught the file where the others didn't. The entry it deleted that appears to have caused the problem is below.


[06:18:30] SCANNER File identified(md5) as: Trojan.Dropper, file path: C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe - My windows folder isn't named windows but I renamed it here.

[07:06:54] REMOVAL Removing started...
[07:07:25] REMOVAL Removing memory items...
[07:07:25] REMOVAL Removing files...
[07:07:26] ItemFile Success compress C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000000.ec
[07:07:26] REMOVAL Removing item [File] C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe..

Hope that helps. SpyHunter is not a free program and won't remove the infection unless you pay for it, but hopefully with this info of the infected file and possible location it can better help you determine a free program/solution that will help theirs. One thing I would suggest the other OP do is download the SpyHunter 3 free version and see if ntoskrnl.exe pops up. If it does in a similar location then that is the likely issue.

#6 Grinler

    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2010 - 03:48 PM

The method you described about vetting users would just be too time consuming for us. This is the easiest approach with the limited amount of time we have to manage the site.

As for the fix, thanks, I will pass on the info. Do you happen to have a sample of that file in your quarantine that you can submit to us?

#7 lxlqlxl
  • Topic Starter

  • Members
  • 5 posts

Posted 16 March 2010 - 07:10 PM

Sorry, I don't think SpyHunter has a quarantine. If you know or think that it does, give me a location and I can check it out. I am searching my drives for the right copy of it but nothing so far, and the location it was in is gone. Maybe the other OP, if given directions, can save a copy of it. If I had known beforehand I could have saved it, but I didn't see any need at the time. If I find a copy I will post back here. Also the issue still has not come back up yet as far as I can tell. If it does I will let you know.


=======
--- Edit ---
=======

I think I found it, but it is compressed or something. The file name is now 000000.ecd, or so the log said it was. I have that file if you know how to open it.

Edited by lxlqlxl, 16 March 2010 - 07:19 PM.


#8 Grinler

    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2010 - 08:53 PM

See if you can submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=4

Also found this:

http://www.enigmasoftware.com/support/use-...llback-manager/

#9 lxlqlxl
  • Topic Starter

  • Members
  • 5 posts

Posted 17 March 2010 - 01:47 AM

OK, the file is submitted. One other thing I think I forgot to mention is SpyHunter sees the object name as Trojan.Dropper. When I got the file back in the original location I moved it to a different location and rescanned to make sure the file I moved was the right one, and as of yet the issue hasn't happened again. I hope this helps solve the other OP's issue. I know how annoying that thing is.

#10 Grinler

    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 17 March 2010 - 08:26 AM

Not sure what to tell you, but that file is legitimate.

http://www.virustotal.com/analisis/cd5a0b4...b721-1267549608

That is the Windows Kernel.

#11 lxlqlxl
  • Topic Starter

  • Members
  • 5 posts

Posted 18 March 2010 - 05:49 AM

Well, I don't know what to tell you. SpyHunter said that was wrong and when it removed it the popups stopped. So I don't know how you test those files, but on my Windows XP machine it helped with those popups. One other issue, well, the same issue: the underlying issue is still there, I am fairly sure. My computer bluescreened a while ago; I restarted it and one of my drives did not show up and the computer was slow. I got a SpyHunter error and it couldn't run, then I got those popups again. However, since I restarted from that point it hasn't happened again. If you think it is because SpyHunter was blocking it via another method, that's wrong, because I had SpyHunter installed and the popups kept coming. It wasn't until I updated definitions, scanned, and removed that file that the popups stopped. I will edit this post if the popups come back at all.



