Just today I noted that both SpyBot and the Astrill setup program (VPN proxy software) reported that IE was open and to shut it down.
I had in fact shut down my laptop right before booting up, unplugged it, taken out the battery for about 10 minutes and then restarted it when I noted this occurring.
I then saw 2 entries for IE open in Task Manager - 1 showing the home page (blank) and the other with an entry: "C\Program Files (x86)\Internet Explorer\iexplore.exe SCODEF:9362 CREDAT:71937".
I would say that this only occurred in the past 4-7 days, as I had updated SpyBot once earlier in the week as well and done a full scan.
I have now updated SpyBot, run a full scan, but nothing has been found. I think hosts files are always inoculated by Spybot, so I would have thought I was protected.
Also running Malwarebytes now after update and nothing found.
Resident AV is ESET NOD32 64-bit for business.
Using Comodo Firewall free after ZoneAlarm's interface became too simplified.
One interesting point of note is that I was forced to use WebEx with one of SonicWall's Indian engineers in the past few days, which required the use of Internet Explorer ActiveX permissions as well as Windows permissions - could this be the problem?? Comodo identified and blocked some files, such as: atasinst.exe, atasctrl.dll, but the session went ahead properly. However, that does not say that something may have been allowed by my allowing that application to execute in Windows!
Downloaded the TrendMicro version of HiJackThis, v.2.0.4 (why doesn't it allow me to have an option to "Run as Administrator"?), and here are the results, after noting that it was denied access to the Hosts files, which are being appended using the notepad instructions from the HiJackThis program. It also advised that I should Run as Admin, but there is no option when right-clicking!
Here's the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:17:05, on 20-Jan-12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Here's the Hosts file, having deleted most of the entries that SpyBot made (Don't think that this was affected):
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
...........
127.0.0.1 mastercard-kundensicherheit.de
# End of entries inserted by Spybot - Search & Destroy
Any help on what I should do here to eliminate the IE problem?
Thanks!
Post Edited (SuperFlyBoy) : 20-01-2012 10:32:40 GMT
I found a definite solution for google redirect on my computer, at least. I got this virus 2 days ago. If I clicked on any search item found by google, I got redirected to a page showing a puma and another search engine. I did NOT use it at all. That would invite problems. I ran through a bunch of possible browser solutions, none of which worked. Malwarebyte and AVG did not find the problem. Kaspersky TDSS killer and one or two other standalone rootkit things didn't find it, but one of them found a rootkit that resolved another issue I had which was a just-in-time debugging window that kept appearing. And perhaps that rootkit also came along with the redirect - I cannot know. So I do advise using the Kaspersky program too.
I kept reading and looking at youtube for solutions all day yesterday. I examined my hosts file but it was ok, as this has been a solution in the past. By the way, one can bypass the redirect, or mine at least, by pasting the web address into the search line and going to the site that way. That was the only way I could even view these sites and look for solutions.
Today I started again. First I got rid of all cookies and cleaned out the cache and all temporary files from both my firefox and IE8 browsers. This didn't solve the problem, but my memory is hazy on that. It might have because I did something else. Next I searched on third-party browser extension and I disabled that. That might have done some good. Again, I can't know because I did a third thing, and this might be what worked. The third-party search led me to a microsoft website with a page of possible aids. One was to run sfc /scannow. This could be what solved the problem.
You go to START. Then to RUN. Then you type in sfc /scannow. (There is a space after sfc.) This will ask you to insert your original CD that installs windows. Luckily I had it. This program examines all the windows files and makes sure they are all right. It apparently replaces any ones that are corrupted or altered. The program takes 10-15 minutes to complete. (I got a window from the CD asking me what I wanted to do and I simply exited it while the program kept running underneath.)
Afterwards, I rebooted. Voila! The !!!! redirect was gone! I could not believe it, but it's gone. Where did it come from? Probably from some site with links to movie downloads, but who really knows? I suspect www.avaxhome.
This redirect virus I got seems to alter not the hosts file but the atapi.sys file which is in the system32 drivers folder. I could not open that in readable form and even if I did I would have been guessing how to fix it. I found out about atapi.sys from a google forum.
On that forum, there seemed good evidence that the atapi.sys file was being altered by this version of a redirect virus. One person solved the problem by importing a read only atapi.sys file from a clean computer. I couldn't do that, and I was reluctant to try combofix by myself and so I looked for another solution.
I do hope that using sfc /scannow or that in combination with the other easy steps I took, which were to remove all cookies, clean the cache, clean the download history, clean the form history, clean the temporary files, and disable third party browser extension in IE.
Beginning system scan. This process will take some time.
Beginning verification phase of system scan. Verification 100% complete.
Windows Resource Protection did not find any integrity violations.
(I am not *actually* being redirected, but the other IE windows are opening in task manager, with coded commands...so something is monitoring/compromised in my system!)
Post Edited (SuperFlyBoy) : 27-01-2012 15:53:19 GMT
I'm no computer expert, mind you, but the web materials on that hosts file that you show suggest to me that it needs fixing up. If you can alter the hosts file, I'd eliminate all the spybot comments and insertions. I'd eliminate starting from the line
# localhost name resolution is handled within DNS itself.
all the way down.
At the bottom of the pruned file, I'd insert the one line that is needed, and that line is
127.0.0.1 localhost
There should not be a # sign in this line, as it is an instruction, not a comment.
This advice is based on reading about 5 advisories about this file and how it should look.
I opened my hosts file using notepad and altered it. But I was unable to replace the existing file, but maybe you can.
Please allow me to inform you that redirect infections can be written in multiple ways. You should keep in mind though that there is always a solution.
Run hijackthis and place a checkmark by this entry:
R3 - URLSearchHook: (no name) - - (no file)
Then, go to Start, type regedit in the search box and press Enter.
Go to the following folders, using the navigation pane on the left: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes
Once you have expanded the SearchScopes, select each of the folders beneath, one at a time and check what is written on the right. If the name you find on the left is not Bing, Yahoo, Google, (or another search engine you know and use), with that folder selected on the left, press Delete on your keyboard and confirm.
Lastly, make sure to reset your IE to default. (Start > type Internet Options > Enter > select the Advanced tab > press "Reset..." > check "Delete personal settings" > confirm).
Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.
Andreea-Luciana Ostache
Senior Support Technician EN
support@bullguard.com
www.bullguard.com
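The SearchScopes check from this reply can be scripted instead of clicking through regedit. The script below is an added example, not part of the thread or of BullGuard's tooling; the allow-list of search hosts is an assumption you should adjust to the engines you actually use. It only reports, it deletes nothing, so you can review each flagged scope before removing it by hand as described above.

```powershell
# Added example (not from the thread): audit IE SearchScopes under HKCU and HKLM.
# Each scope is a GUID-named subkey carrying DisplayName and URL values; the
# DefaultScope value on the parent key names the scope IE uses for address-bar searches.
# Constructed allow-list (assumption): hosts of the engines you knowingly use.
$KnownSearchHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')

$Roots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
)

foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    $hive = $root.Split(':')[0]
    $defaultScope = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope

    foreach ($scope in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $scope.PSPath
        $url = $props.URL
        $urlHost = $null
        if ($url) {
            try { $urlHost = ([System.Uri]$url).Host } catch { $urlHost = $null }
        }

        # Anything whose host is not on the allow-list gets a REVIEW marker;
        # a scope with no parsable URL is suspicious too and is marked the same way.
        $verdict = if ($urlHost -and ($KnownSearchHosts -contains $urlHost)) { 'ok' } else { 'REVIEW' }
        $isDefault = if ($scope.PSChildName -eq $defaultScope) { '*' } else { ' ' }

        '{0} [{1,-6}] {2} {3} DisplayName="{4}" URL={5}' -f `
            $isDefault, $verdict, $hive, $scope.PSChildName, $props.DisplayName, $url
    }
}
```

Lines marked `*` are the scope IE currently defaults to; a REVIEW there is the one to look at first, since that is what an address-bar search is sent through.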
Andreea-Luciana Ostache said... Please allow me to inform you that redirect infections can be written in multiple ways. You should keep in mind though that there is always a solution.
Run hijackthis and place a checkmark by this entry:
R3 - URLSearchHook: (no name) - - (no file)
Then, go to Start, type regedit in the search box and press Enter.
Go to the following folders, using the navigation pane on the left: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes
Once you have expanded the SearchScopes, select each of the folders beneath, one at a time and check what is written on the right. If the name you find on the left is not Bing, Yahoo, Google, (or another search engine you know and use), with that folder selected on the left, press Delete on your keyboard and confirm.
Lastly, make sure to reset your IE to default. (Start > type Internet Options > Enter > select the Advanced tab > press "Reset..." > check "Delete personal settings" > confirm).
Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.
Please note that this is not normal, is it?: "C\Program Files (x86)\Internet Explorer\iexplore.exe SCODEF:9362 CREDAT:71937".
Could this be a result of the United Airlines search tool/program?
However, I will first try to uninstall it and post the Hijackthis log.
Thanks so much!
Post Edited (SuperFlyBoy) : 01-02-2012 07:24:51 GMT
The SCODEF parameter for each tab refers to the PID of its frame process.
If you download Process Explorer from here live.sysinternals.com/procexp.exe you can expand iexplore.exe and see exactly what windows are running and if you double-click on an entry, you will see the path and command for the process.
Let me know if you have taken the other steps I advised you to take and let us know if you find anything new with Process Explorer.
Andreea-Luciana Ostache
Senior Support Technician EN
support@bullguard.com
www.bullguard.com
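The SCODEF relationship described in this reply can be checked from PowerShell as well as from Process Explorer. The script below is an added example, not from the thread or from BullGuard: for every iexplore.exe it parses the SCODEF:<pid> token out of the command line, verifies that the PID it names is a live iexplore.exe frame, and prints the parent of each process so a frame launched by something other than the user (the thread's case, where the parent turned out to be the toolbar) stands out. Run it elevated, otherwise CommandLine is empty for processes you cannot open.

```powershell
# Added example (not from the thread): map IE tab processes to the frame named by SCODEF
# and show who started each frame. Uses only Win32_Process properties (ProcessId,
# ParentProcessId, Name, CommandLine, ExecutablePath).
$all = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

foreach ($ie in ($all | Where-Object { $_.Name -eq 'iexplore.exe' })) {
    $parent = $byPid[[int]$ie.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    if ($ie.CommandLine -match 'SCODEF:(\d+)') {
        # Tab (content) process: SCODEF is the PID of the frame process that owns it.
        $frame = $byPid[[int]$Matches[1]]
        $frameState = 'frame not running'
        if ($frame) {
            $frameState = if ($frame.Name -eq 'iexplore.exe') { 'frame alive' } `
                          else { "SCODEF points at $($frame.Name), not iexplore.exe" }
        }
        'tab   pid={0,6} parent={1,6} ({2}) {3}' -f `
            $ie.ProcessId, $ie.ParentProcessId, $parentName, $frameState
    } else {
        # Frame process: no SCODEF, so this is the instance something actually launched.
        # The parent name is the thing to inspect when no IE window is visible.
        'frame pid={0,6} parent={1,6} ({2}) path={3}' -f `
            $ie.ProcessId, $ie.ParentProcessId, $parentName, $ie.ExecutablePath
    }
}
```

A frame whose parent is explorer.exe (user double-clicked) or a frame of your own is expected; a frame whose parent is an unfamiliar helper executable, or a tab whose SCODEF names a process that is not iexplore.exe, is what to follow up on.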
Andreea-Luciana Ostache said... Go to the following folders, using the navigation pane on the left: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
One comes back to Bing.
Another comes back to "Web Search", http://search.freecause.com/favicon.ico - which is the search function of the United Airlines toolbar/search tool, something that is normally running on my machine, but I doubt that the SCODEF/CREDAT is due to that program.
Take note that multiple IE processes are normal if you are watching movies, or playing games, or if you have multiple tabs open.
Currently IE is open with 2 instances, none of which I had selected or opened - I show no IE window open on my machine, but yet TaskManager shows these 2 open, one of which has the SCODEF / CREDAT active.
Post Edited (SuperFlyBoy) : 02-02-2012 08:44:31 GMT
Andreea-Luciana Ostache said... The SCODEF parameter for each tab refers to the PID of its frame process.
If you download Process Explorer from here live.sysinternals.com/procexp.exe you can expand iexplore.exe and see exactly what windows are running and if you double-click on an entry, you will see the path and command for the process.
Let me know if you have taken the other steps I advised you to take and let us know if you find anything new with Process Explorer.
ProcessExplorer shows these 2 iexplore.exe instances running under the United tool, as under:
I generally recommend against using toolbars, simply because they can have a multitude of security vulnerabilities, that can get exploited. Make sure to keep your Antivirus up to date!
You are most welcome! Keep us informed of any new developments, if any.
Andreea-Luciana Ostache
Senior Support Technician EN
support@bullguard.com
www.bullguard.com