Odd IE6 behaviour - Malware?

Discussion in 'System Security & Infection Support' started by Tosca, Dec 13, 2004.

  1. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    Hi everyone

    I have XP Pro SP1 and IE6. I've managed to clear the IE Address bar of all web addresses but, if I type a single letter in the Address Bar, it retrieves a list of items from my Desktop! Obviously, this only occurs if the item begins with that letter. It picks up files on the desktop and even the Recycle Bin.

    I've been into IE6 Tools>Internet Options and cleared out Cookies, TIFs, turned Autocomplete Off, Cleared Passwords, Forms, Offline Content etc. and I've also been into the Registry and cleared the TypedURLs but the odd behaviour still occurs!

    I ran AdAware and Spybot - each of which identified a handful of items and I let each piece of software deal with them as it felt fit. No difference.

    Finally, I ran HiJackThis and here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:06:49, on 13/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\sony\vaio power management\SPMgr.exe
    C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
    C:\WINDOWS\ATK0100\Hcontrol.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Program Files\sony\BlueSpace\BlueSpaceNE.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\Program Files\CoolMon\CoolMon.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Me\My Documents\Downloaded Applications\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.sony-europe.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.club-vaio.sony-europe.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
    O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
    O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: BlueSpace NE.lnk = C:\Program Files\sony\BlueSpace\BlueSpaceNE.exe
    O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O15 - Trusted Zone: *.vaio-link.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O17 - HKLM\System\CCS\Services\Tcpip\..\{90665326-46D8-4C3C-A59F-845F1E766F12}: NameServer = 192.168.0.1,4.2.2.2

    I'm hoping that there is something there which I could delete that will resolve the problem. If not, what do I do next?

    Thanks in anticipation of someone being able to help to resolve this for me.
     
    Tosca, Dec 13, 2004
    #1

  2. D Schrute (Assistant Sensei, VIP Member; joined Aug 31, 2004; 1,201 messages; 19 likes; VA & NC)

    It shows a list of all files... or is it a history type group of files that you accessed through explorer or my computer?
     
    D Schrute, Dec 13, 2004
    #2

  3. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    It's random - but includes files etc. on the Desktop. For instance:

    If I type <A>, it picks up files on the Desktop beginning with <A> but it also picks up <Air France> which is in my Favorites. If I rename the item in Favorites, it disappears from the IE Address drop down list but reappears when the new first letter is entered.

    If I type <C>, it picks up <Control Panel>.

    If I type <M>, it picks up <Major Travel> which is identical with an entry in my Favorites but it also picks up <My Computer> and <My Documents>. This isn't from the Start menu because I've changed the name of <My Documents> to <Documents> on the Start menu.

    Bizarre, eh?
     
    Tosca, Dec 13, 2004
    #3

  4. D Schrute (Assistant Sensei, VIP Member; joined Aug 31, 2004; 1,201 messages; 19 likes; VA & NC)

    If you clear your history will anything show up in the bar if you type in a letter/character?
     
    D Schrute, Dec 13, 2004
    #4

  5. Fenis-Wolf (VIP Member; joined Apr 30, 2003; 2,951 messages; 35 likes; Ann Arbor, Mi)

    Sounds like maybe something the MSN toolbar is doing. It actually sounds kind of handy.
     
    Fenis-Wolf, Dec 13, 2004
    #5

  6. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    Humph - you might think it's good but I don't like it, particularly as I noticed it about 10 days ago and I don't know why it started! I strongly suspect some malware but I can't trace it. It's so annoying that I'm tempted to reinstall my OS but that would be an absolute pain... as I'm sure you would agree. I'd far rather be able to sort it out myself (or in conjunction with you guys!) so we can offer help to folks in the future if they develop similar problems.
     
    Tosca, Dec 13, 2004
    #6

  7. Fenis-Wolf (VIP Member; joined Apr 30, 2003; 2,951 messages; 35 likes; Ann Arbor, Mi)

    You might just want to uninstall all those extra toolbars you have installed. I see you have MSN AND Google toolbar installed. One of those is quite probably the culprit. I didn't see anything that really screams 'SPYWARE' above.
     
    Fenis-Wolf, Dec 13, 2004
    #7
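
    Fenis-Wolf's pointer at the two toolbars can be checked mechanically against the HijackThis log in post #1. The Python below is an added example (not from the thread and not part of HijackThis): it parses the O2 (BHO) and O3 (Toolbar) lines and lists every DLL that IE loads in both roles, which is the set of components that sit in every IE window and can shape what the Address bar suggests. The log excerpt is copied from post #1; the function names are my own.

```python
import re
from collections import defaultdict

# O2/O3 (and one O4) lines copied from the HijackThis log in post #1, as a demo subset.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
"""

# One HijackThis O2 (BHO) or O3 (Toolbar) entry: section, kind, name, CLSID, DLL path.
HJT_IE_EXT = re.compile(
    r"^(O[23]) - (BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$"
)

def parse_ie_extensions(log):
    """(section, kind, name, clsid, path) for every O2/O3 line; other sections
    (O4 autoruns etc.) are ignored. Paths are lower-cased because HijackThis
    reports them with whatever case the registry happened to hold."""
    items = []
    for line in log.splitlines():
        m = HJT_IE_EXT.match(line.strip())
        if m:
            section, kind, name, clsid, path = m.groups()
            items.append((section, kind, name, clsid.upper(), path.strip().lower()))
    return items

def registrations_by_dll(items):
    """Group entries by DLL so one component's BHO and Toolbar hooks sit together."""
    by_dll = defaultdict(list)
    for _section, kind, name, clsid, path in items:
        by_dll[path].append((kind, name, clsid))
    return dict(by_dll)

def hooked_as_bho_and_toolbar(items):
    """DLLs that IE loads both as a BHO (O2) and as a Toolbar (O3), i.e. the
    components with the deepest foothold in every IE window."""
    return {
        path: regs
        for path, regs in registrations_by_dll(items).items()
        if {"BHO", "Toolbar"} <= {kind for kind, _, _ in regs}
    }
```

    On this excerpt it reports three DLLs (Symantec's Web assistant, Google Toolbar, MSN Toolbar), all from vendors present on the machine; the script only narrows the list, and deciding which of them is unexpected remains the reader's call, as it was in the thread.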

  8. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    How do I get rid of the Google and MSN toolbars? They were here when I set the laptop up initially. If I decide that I want them back (if uninstalling doesn't resolve the problem), how would I do that?
     
    Tosca, Dec 13, 2004
    #8

  9. D Schrute (Assistant Sensei, VIP Member; joined Aug 31, 2004; 1,201 messages; 19 likes; VA & NC)

    They should be (I know Google will be, for a fact) in Control Panel > Add/Remove Programs, but if that doesn't work you can delete them through HiJackThis.
     
    D Schrute, Dec 13, 2004
    #9

  10. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    I figured it out and deleted them via Control Panel. I turned my laptop off then rebooted - no difference! :(

    Any other ideas before I reinstall the OS?
     
    Tosca, Dec 13, 2004
    #10

  11. D Schrute (Assistant Sensei, VIP Member; joined Aug 31, 2004; 1,201 messages; 19 likes; VA & NC)

    You mean the toolbars are still there or the "problem" still persists? Did you try clearing the history and url history???
     
    D Schrute, Dec 13, 2004
    #11

  12. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    The toolbars are gone. I've deleted the url history, TIFs and Cookies, turned off autocomplete and cleared everything within it - Forms, Passwords. I've also been into the Administrator account and deleted the TIF, History and Cookies folders from the account in which I first noticed things going wrong. I logged into a *NEW* account that I just created and, even from that, the strange behaviour in IE occurs. It also occurs when I'm logged in as Administrator!

    Needless to say, the AV scan (McAfee) is also clear - DAT files are today's.

    I'm stumped and SOOOO close to reinstalling. I hate having something like this that I can't account for. I doubt it could be a hardware problem (I'm no expert!) and the laptop's only 3 months old.

    Anyone with any more suggestions?
     
    Tosca, Dec 14, 2004
    #12

  13. D Schrute (Assistant Sensei, VIP Member; joined Aug 31, 2004; 1,201 messages; 19 likes; VA & NC)

    Are there any remaining folders from the toolbars, say in C:\Documents and Settings\Username\Application Data\? Note: you need to have hidden folder views enabled (in My Computer > Tools > Folder Options > View tab > select View Hidden Files and Folders) to see that folder.
     
    D Schrute, Dec 14, 2004
    #13

  14. Tosca (VIP Member; joined Nov 8, 2004; 249 messages; 3 likes; Townville)

    No - there don't seem to be any remnants of the Toolbars, either directly relating to Google or MSN in <Application Data>, nor in any of the other folders that might be related, i.e. <Application Data\Microsoft>. There is, however, a folder <Application Data\Microsoft\MSN Messenger>, which contains one subfolder and then three further subfolders containing files. I guess that these are legit. BTW, I'm the only user, so I have the folders set to be revealed.

    Remember that the odd behaviour doesn't only happen when I'm logged into this particular account but also when I log into a brand new account that I created earlier this evening and also when I'm logged in as Administrator. That suggests to me that the problem isn't related specifically to the <username>. I seem to recall hearing of "repairing" IE6 and just wonder if this might help. I'll look into it and try it out. It can't do any harm, can it???
     
    Tosca, Dec 14, 2004
    #14
