Fake Internet Explorer Removal Help.

By eddy315west ·
OK, first of all, I know this is not an official Internet Explorer. Second, I have 2 other computers that this does not happen on at all. Here is my problem.

I use Windows Live Messenger, and when I receive an email a little box pops up. Usually I click on that box and it takes me to my inbox, but lately it's been taking me to a fake-looking Internet Explorer, which in the past it never did. I've scanned my PC using Kaspersky Internet Security and it removed it, and now all of a sudden it's back again. So I used SUPERAntiSpyware and I have no spyware whatsoever, so I know it's not spyware.
I have noted also that it opens one page where it asks me for my email and password like hotmail.com does, and it opens a second blank page. And just so you know, I use Internet Explorer 7; these look like IE6 and with weird icons. Here are the pictures.

Both pictures of this fake IE:
http://img253.imageshack.us/img253/231/fakeie7mw7.jpg

http://img385.imageshack.us/img385/7484/fakeie72yc9.jpg

And here is what my IE7 looks like normally:

http://img253.imageshack.us/img253/5121/normalielg0.jpg

Now on my other 2 computers, when I click on the envelope in Windows Live Messenger or the popup box alerting me that I received an email, it takes me directly to my inbox. It doesn't ask me to log in like in those 2 pictures, and my IE7 on all 3 PCs doesn't look like those 2 pictures.

Any help or info would be much appreciated.

Thanks in advance, eddy

This conversation is currently closed to new comments.

All Answers

My first move would be to

by Dumphrey In reply to Fake Internet Explorer Re ...

boot into safe mode and run Spybot and then SDFix.
http://www.bleepingcomputer.com/files/sdfix.php
SDFix is sometimes registered as a virus by AV products, but this is a false positive. Run this tool in safe mode; it will want to reboot into normal mode to finish.
Try this and let me know how it goes.

re: It's back again.....

by ThumbsUp2 In reply to Fake Internet Explorer Re ...

You said: "ive scanned my pc using kaspersky internet security and it removed it and now all of a sudden its back again ."

You're infected AGAIN.

Did you scan AGAIN with Kaspersky? If it removed it the first time, what makes you think it wouldn't remove it the 2nd or 3rd time?

Have you tried downloading, installing and using CCleaner? It does a pretty fair job of removing critters like the one you've caught.

And, like Dumphrey said, run SpyBot Search & Destroy in Safe Mode. If you think you have absolutely no spyware just because you ran one program and it didn't report anything, think again. Who knows? Maybe Super Anti Spyware is the problem in itself!

And finally, it's probably time to look at the security you've got installed (or not). If you're catching anything at all, let alone TWICE, obviously what you're using isn't up to the task.

If he didn't disable sys restore

by jdclyde In reply to re: It's back again.....

many viruses will keep putting themselves right back.

Disable sys restore, boot to safe mode and clean.

Reboot and repeat until you get at least one clean scan, before you go back to a normal boot.

Something like that, I would run a second AV package as well. (or wipe/load)

A nice bill of health from "Killdisk" will go down well.

Killdisk:
http://www.killdisk.com/
This will get rid of the problem that you have. Yes it will take around 3 to 4 hours to do, but this time you better lock your system down. Make sure you save all of your data first.

Please post back if you have any more problems or questions.
If this information is useful, please mark as helpful. Thanks.

This should do the trick

by Jacky Howe In reply to Fake Internet Explorer Re ...

Turn off System Restore by following the steps below.

Download Malwarebytes Anti-Malware, install it and update it and scan the PC in Safe Mode.
http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

Just to be on the safe side when you finish do an online scan with Bitdefender.
http://www.bitdefender.com/scan8/ie.html
Remember to turn on System Restore when you have finished cleaning.

Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

Steps to turn on System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
4. Click OK. After a few moments, the System Properties dialog box closes.

Keep us informed as to your progress if you require further assistance.

If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as Helpful so that others may benefit from the outcome.

Nothing Has Worked

by eddy315west In reply to Fake Internet Explorer Re ...

Tried SDFix: no luck
Tried Spybot Search and Destroy: no luck
Tried Malwarebytes: no luck
Tried disabling System Restore on HDD: no luck
Tried Kaspersky: no luck

KillDisk I own, and I know it will do the trick, but I'm honestly too tired to reinstall all my apps, programs, games, updates, etc.!

Any other suggestions!

A couple of checks

by Jacky Howe In reply to Nothing Has Worked

If it is infected this should pick it up. Download HijackThis and run it and then go to the site below to analyze it to find out if you are infected or post the log file here.

http://aumha.org/downloads/hijackthis.exe

HijackThis log file analysis

Hijack This opens you a possibility to find and fix nasty entries on your computer easier. Therefore it will scan special parts in the registry and on your harddisk and compare them with the default settings. If there is some abnormality detected on your computer HijackThis will save them into a logfile. In order to find out what entries are nasty and what are installed by the user, you need some background information.

A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page. Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.

http://hijackthis.de/

Use the Internet Explorer (No Add-ons) mode
To do this, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Internet Explorer (No Add-ons).

If this resolves the issue, follow these steps to isolate the browser add-on that is causing the issue:
1. Click Tools, and then click Internet Options.
2. Click the Programs tab, and then click Manage add-ons.
3. Click an add-on in the Name list, and then click Disable.
4. Repeat step 3 until you identify the add-on that is causing the issue.

hijack this

by eddy315west In reply to A couple of checks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:46 AM, on 10/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\AI Suite\AiSuite.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=6**57
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=6**57
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161**0} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
O9 - Extra button: Messenger - {FB5F1**0-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1**0-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222641842468
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222717472929&h=b3d0b83fe314db5a7d3c8ee9928b1aac/&filename=jinstall-6u7-windows-i586-jc.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8384 bytes

HijackThis

by Jacky Howe In reply to hijack this

looks alright although there was a question mark against this.

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
You must be using Corel software; if not, remove it with HijackThis.
I take it that the No-Addons didn't work. So try disabling your Toolbars and see what happens.
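
Added example, not part of the original thread and not HijackThis code: a Python triage of log lines in the format posted above, using a few lines copied from that log as sample input. The function name `triage` and the reason labels are assumptions of this example; a flag only means "check this entry by hand", not "malicious".

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

# Entry lines start with a section code such as R1, O2, O16, O23.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path, or blank line
        code, body = m.group("code"), m.group("body")
        clsid = CLSID.search(body)
        ident = clsid.group(0) if clsid else body
        # Registry entry whose target file is gone: a leftover from an
        # uninstall or a cleaned infection; either way it is dead weight.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((code, "orphaned", ident))
        # Service binary for which the log shows no vendor name.
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "unknown-owner", body.rsplit(" - ", 1)[-1]))
        # ActiveX control installed from a URL: report the source host so the
        # user can match it against software they actually installed.
        if code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            findings.append((code, "activex-source", urlparse(url).hostname))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason:<15} {detail}")
```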

Bad call

by jdclyde In reply to Nothing Has Worked

There are times when a wipe/load is the option required.

If what you have is tricky enough to get by all of the steps you listed, how can you ever be sure you got it all?

I would never be able to trust it again, and you shouldn't either.

Yeah, I hate spending two days doing a wipe/load too.
