Explorer.exe launching hidden IE windows + Google hijack

admin
14 September 2023

Question:

While I am no spyware expert, I am an advanced user, but this current infection has me stuck. How I got infected in the first place is questionable, but I believe a malicious website used a PDF exploit.

The symptoms are as follows:

  • An error message about an IDE hard drive error was received. Authenticity of this message is questionable.
  • A mass filesystem attribute change to +hidden was done.
  • Running of Task Manager was disabled.
  • Google search results are sometimes hijacked and taken to sites like Happili.com.
  • Hidden IE windows are connecting to websites in the background. I can hear videos playing, and I get IE script error notification windows.

I performed scans using the following:

  • Combofix (crashed system)
  • Lavasoft AdAware
  • Malwarebytes Anti-Malware
  • Symantec AntiVirus
  • Spybot Search & Destroy
  • Windows Defender

A few exe files with random character names were found and removed, but the infection is not gone. No more IDE errors have been received. I fixed the hidden files and Task Manager manually, and it has not been a problem since. I reinstalled Firefox, which seemed to temporarily fix the Google hijack, but it seems to come back. The hidden IE windows I have not been able to figure out.

I tracked down the process that is downloading webpages and playing videos, and it’s explorer.exe. To make it even stranger, it seems that the problems only activate when I have an explorer window open to browse files. When I close these windows the videos stop playing and the symptoms stop occurring.

It does not appear that explorer.exe has been modified since the filesize matches a known good copy. My best guess is that something is hooking into it, or attaching to the process when it launches. C:\windows\explorer.exe 1033216 bytes

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:05:33 AM, on 4/8/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WDSC\iseries\InfoCenter\infoexec.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ClipX\clipx.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Documents and Settings\ppq1\Application Data\DropBox\bin\Dropbox.exe
C:\Documents and Settings\ppq1\My Documents\PowerMenu\PowerMenu.exe
C:\Program Files\Windows 7 Shortcuts 0.4\Windows 7 0.4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\ppq1\My Documents\TrueCrypt\TrueCrypt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\plink.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\plink.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\cmd.exe
c:\cwrsync\rsync.exe
c:\cwrsync\rsync.exe
c:\cwrsync\rsync.exe
C:\Documents and Settings\ppq1\My Documents\f@h\[email protected]
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Documents and Settings\ppq1\My Documents\f@h\FahCore_a4.exe
C:\PROGRA~1\Citrix\ICACLI~1\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\phpDesigner6\phpDesigner.exe
C:\Program Files\WinSCP\WinSCP.exe
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\ppq1\My Documents\My Dropbox\tmp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ICHelp] C:\WDSC\iseries\InfoCenter\infoexec.exe C:\WDSC\iseries\InfoCenter\infoexec.cfg
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ClipX] C:\Program Files\ClipX\clipx.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\ppq1\Application Data\DropBox\bin\Dropbox.exe
O4 - Startup: Shortcut to PowerMenu.exe.lnk = C:\Documents and Settings\ppq1\My Documents\PowerMenu\PowerMenu.exe
O4 - Startup: Shortcut to Windows 7 0.4.lnk = C:\Program Files\Windows 7 Shortcuts 0.4\Windows 7 0.4.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195271368621
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195271347976
O17 - HKLM\System\CCS\Services\Tcpip\..\{34333398-84CE-4109-B752-787236F265A3}: NameServer = 10.1.2.16,10.1.2.18
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folding@home-CPU-[1] - Unknown owner - C:\Documents and Settings\ppq1\My Documents\f@h\[email protected]
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\ppq1\Desktop\temp.html
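
The HijackThis log above is long enough that the useful lines hide among the normal ones. The following Python script is an added example, written for this page and not part of the original post or of HijackThis itself: it parses the O-sections and flags the entries a practitioner would check first, using a handful of lines copied from the log as constructed sample input. The flagging rules are the example's own assumptions: a service whose binary is missing or whose ImagePath is unquoted (the MySQL line resolving to C:\Program.exe is what that looks like in HijackThis output), an autostart that is a bare file name or lives under the user profile, per-interface DNS servers, and Active Desktop components. It deliberately does not flag recognised remote-access tooling, which the owner should nonetheless account for (PSEXESVC, WinVNC, rpcapd, and the two plink.exe processes in the list).

```python
"""Flag the lines of a HijackThis log that deserve a manual look.

Added example: the heuristics are this script's own assumptions, not a
HijackThis feature. Sample lines are copied from the log in the post above.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4/O17/O23/O24 lines from the post.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\ppq1\Application Data\DropBox\bin\Dropbox.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{34333398-84CE-4109-B752-787236F265A3}: NameServer = 10.1.2.16,10.1.2.18
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\ppq1\Desktop\temp.html
"""

# Directories an unprivileged user (or a drive-by exploit running as that user) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\desktop\\")

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Quoted or unquoted absolute path, or a bare file name, ending in an executable extension.
EXE_RE = re.compile(
    r'"?(?P<p>[A-Za-z]:[\\/][^"]+?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs)'
    r'|[^\s"\\]+\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs))', re.I)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str
    line: str


def _target(sec, body):
    """Best-effort extraction of the file an autostart entry points at."""
    if sec == "O4":
        m = re.search(r"\] (.+)$", body) or re.search(r"\.lnk = (.+)$", body)
        cand = m.group(1) if m else body
    else:
        cand = body.rsplit(" - ", 1)[-1]
    m = EXE_RE.search(cand)
    return m.group("p") if m else ""


def _check_service(body):
    """Heuristics for an O23 (service) line; returns a list of reasons."""
    s = O23_RE.match(body)
    if not s:
        return []
    owner, path = s.group("owner"), s.group("path")
    hits = []
    if path.endswith("(file missing)"):
        hits.append("service binary missing on disk")
        path = path[: -len(" (file missing)")]
    if path.lower().endswith("\\program.exe"):
        # Unquoted ImagePath under C:\Program Files\...: whoever can create
        # C:\Program.exe gets it started as the service account.
        hits.append("unquoted ImagePath with spaces (C:\\Program.exe hijack)")
    if owner == "Unknown owner":
        hits.append("no company/signer recorded for service binary")
    if any(d in path.lower() for d in USER_WRITABLE):
        hits.append("service binary in a user-writable directory")
    return hits


def triage(log_text):
    """Return Findings for every log line matching one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        hits = []
        if sec == "O23":
            hits = _check_service(body)
        elif sec in ("O2", "O3", "O4", "O20", "O21", "O22"):
            exe = _target(sec, body)
            if exe and "\\" not in exe and "/" not in exe:
                hits.append("bare file name; resolved through the process search path")
            elif any(d in exe.lower() for d in USER_WRITABLE):
                hits.append("autostart from a user-writable directory")
        elif sec == "O17":
            hits.append("per-interface DNS servers; confirm they are yours")
        elif sec == "O24":
            hits.append("Active Desktop HTML component (classic fake-error hijack)")
        findings.extend(Finding(sec, r, line) for r in hits)
    return findings


def reasons_for(findings, needle):
    """Set of reasons attached to lines containing `needle`."""
    return {f.reason for f in findings if needle in f.line}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Feed it the whole saved log (replace SAMPLE_LOG with the file contents) and work through the flagged lines by hand; a flag is a reason to look, not a verdict, which is why a legitimate Dropbox autostart under the profile is reported alongside the missing MySQL binary.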

Answer:

If you suspect your computer is infected with malware that’s causing issues like hidden Internet Explorer (IE) windows and Google search result hijacking, it’s important to take systematic steps to address the problem. Here’s a comprehensive guide on how to deal with these issues:

1. Isolate Your Computer

Before attempting to remove the malware, it’s essential to isolate your computer from the network to prevent the infection from spreading to other devices and to avoid further data exposure.

2. Backup Important Data

Before making any changes to your system, ensure you have a backup of your important data. You can use an external hard drive, USB flash drive, or cloud storage for this purpose.

3. Scan and Remove Malware

Perform a thorough malware scan using multiple reputable anti-malware tools. You’ve already used some tools, but here are additional steps:

Anti-Malware Tool            Additional Steps
Malwarebytes Anti-Malware    Ensure it’s updated to the latest definitions and run a full system scan. Remove any detected threats.
Symantec AntiVirus           Update definitions and run a full system scan. Remove threats if detected.
Spybot Search & Destroy      Update and immunize your system, then run a scan. Remove any identified threats.
Windows Defender             Update and run a full system scan. Remove detected malware.
Combofix                     If Combofix crashed your system previously, consider using it in safe mode with networking or seek expert assistance.

After each scan, restart your computer to ensure the removal of any active malware components.

4. Repair or Reinstall Browsers

Since your browsers may have been affected, it’s a good idea to either repair or reinstall them:

  • Internet Explorer: Open the Control Panel, go to “Programs and Features,” select “Turn Windows features on or off,” and uncheck “Internet Explorer.” Click “OK” to apply the change, then restart your computer. Afterward, re-enable Internet Explorer using the same process.
  • Firefox: Reinstall Firefox to ensure a clean version without any extensions or settings that the malware may have altered.

5. Check Browser Extensions/Add-ons

Review and remove any suspicious or unknown browser extensions, add-ons, or plugins that could be contributing to the issues.

6. Monitor for Suspicious Activity

Keep an eye on your computer for any unusual or suspicious activity. If you notice hidden IE windows or Google hijacking reoccurring, it might indicate that the malware is not fully removed.

7. Check Hosts File

Inspect your computer’s hosts file for any unauthorized or suspicious entries. Malware often manipulates this file to redirect web traffic.

8. Verify Windows Updates

Make sure your operating system and all software are up to date with the latest security patches and updates. Malware can exploit vulnerabilities in outdated software.

9. Seek Expert Help

If the issues persist or if you are unable to completely remove the malware on your own, it’s advisable to seek assistance from a professional malware removal service or community. Experts can perform advanced diagnostics and removal procedures.

10. Prevent Future Infections

To prevent future infections, maintain good computing practices:

  • Regularly update your operating system and software.
  • Use strong, unique passwords.
  • Be cautious when downloading files or clicking on links, especially from untrusted sources.
  • Invest in reputable anti-malware software and keep it up to date.
  • Consider using a reliable firewall and intrusion detection system.
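
Step 7 says to inspect the hosts file but not what to look for. The script below is an added example written for this page, not part of the original answer: it parses hosts-file text, ignores the expected localhost mapping, and reports every other entry by what it does (pins a name to loopback, which silently blocks it, or to a private or public address, which redirects it). The hosts content is constructed for the example, the file path assumes a default Windows XP install, and the hidden/read-only check only does anything on Windows.

```python
"""Audit a Windows hosts file for entries that block or redirect name resolution.

Added example; the sample hosts text below is constructed, not from the post.
"""
import ipaddress
import os
import sys

# Default location on Windows XP (assumption: %SystemRoot% is C:\WINDOWS).
WINDOWS_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"
# Names a clean hosts file is expected to map to loopback.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# --- constructed entries of the kind a hijacker adds ---
127.0.0.1       www.google.com google.com
127.0.0.1       liveupdate.symantec.com   # blocks AV updates
93.184.216.34   www.malwarebytes.org      # sends the name to some other host
10.1.2.5        wiki.corp                 # internal; may be legitimate
"""


def classify(ip, name):
    """None for an expected entry, otherwise a short label for why it matters."""
    if name.lower() in EXPECTED_LOCAL and (ip.is_loopback or ip.is_unspecified):
        return None
    if ip.is_loopback or ip.is_unspecified:
        return "pinned to loopback (name effectively blocked)"
    if ip.is_private:
        return "pinned to a private address"
    return "pinned to a public address"


def audit_hosts(text):
    """Parse hosts-file text; return [(lineno, ip, name, label)] for entries to review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, fields[0], " ".join(fields[1:]), "unparseable address field"))
            continue
        for name in fields[1:]:
            label = classify(ip, name)
            if label:
                findings.append((lineno, str(ip), name, label))
    return findings


def file_attributes(path):
    """Hidden/read-only bits (Windows only); malware commonly sets both on a rewritten hosts file."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # attribute 0 on non-Windows
    flags = []
    if attrs & 0x2:
        flags.append("hidden")
    if attrs & 0x1:
        flags.append("read-only")
    return flags


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    if path:
        print("attributes:", ", ".join(file_attributes(path)) or "none")
    for lineno, ip, name, label in audit_hosts(text):
        print(f"line {lineno}: {ip:<16} {name:<28} {label}")
```

On the affected machine run it as `python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts`; a hosts file that has become hidden or read-only is itself worth noting, given the mass +hidden change described in the question. A clean hosts file does not clear the machine: the search-result redirect can equally come from the per-interface DNS servers (the O17 line in the log) or from a browser add-on (the O2/O3 lines, step 5 above).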