2 Replies Latest reply on Jun 26, 2011 5:14 AM by Peacekeeper

    virus infects internet explorer

      i got a certain file from bittorrent (which i think was the source of the problem) on a win2k machine, shortly thereafter i experienced the payload, which caused the computer to continually open new iexplorer windows. i use Firefox mainly, but use internet explorer only for hotmail, as MSN opens it.  the problem occurs after closing a internet explorer window (usually quickly after it appears) and explorer uses max CPU opening new windows. shortly afterwards i found the exact problem on my XP based EEE although i have not run the suspect program there. i use this computer the most, keeping it on there was "bearable". i had installed process explorer and process monitor though i intend on reinstalling the OS as it has made System restore non functional. iexplore once run does not close and remains in background and when shutting down it tells me that its still not closing and must be done manually. one day it ran MMC to disable the keyboard and touchpad,i got control again by plugging in a usb mouse and run process monitor - the command (according to process monitor) was C:\windows\system32\mmc.exe C:\windows\system32\devmgmt.msc /s   (See image.) later i standby and the disabled items worked again.

       

      the poping up IE windows only contain the webpage that MSN messenger opens (hotmail inbox page), no ads or anything funny, just appears the intention is to make the computer unusable. i would also like to say that all the windows opened by virus are "clones" (in my opinion), although they independently load the web page, the difference between the clones and a page opened by MSN messenger, is that the MSN opened pages bring up the message "you are about to leave a secure internet connection. it will be possible for others to view the information you send" however the clones do not display this message (this is because the MSN windows start with https, then go to http).  during this increased CPU usage, i do see additional files being loaded (appearing green in the file area of process explorer) durig the recreation, the last being Netmsg.dll. during closing of IE once,  i noticed in task manager it has used 0.5GB of ram, but obviously i have not been doing that much browsing.

       

      at one stage it might have interfered with firefox preventing it from seeing the mouse well (i would right click, menu would open but hovering mouse over items would not highlight them)

       

       

      im reporting this so you can catch it with your AV.

      i also have a vista laptop it comes with McAfee (it wants me to buy more), the virus has found a way on this machine even though the program is running all the time,  i forget to do a scan and instead i do system restore (successfully) and it appears to be fine. the installed products are: securitycenter, virusscan, personal firewall, anti-spam, privacy service. if i never used MSN i wouldnt have known about this infection.

       

      so if anyone wants an infection, i can send the file

        • 1. Re: virus infects internet explorer

          i did find an additional problem, i searched for *.* between two dates and after i chose something (dbl click). info in screenshot (dates are 1-jun-2010 and 1-dec-10.)

           

          i am able to freeze the process using process explorer. also i wrote "shortly afterwards" when describing the migration to the XP, this was days, where as when describing the time to see it after running the program on the 2k machine, the time was minutes.

           

          SHbrowseUI.GIF

           

          (edit reason: i forgot why i did this screenshot) on 25/06/11 19:34:08 CDT
          • 2. Re: virus infects internet explorer
            Peacekeeper

            Ok not a virus expert but I suggest trying the following

             

            If you think you have a virus infection on your PC do one or both of the following :

            - Run the free Mcafee Stinger program from http://vil.nai.com/vil/stinger/ -

             

            Download here latest version of getsusp https://community.mcafee.com/thread/32269

            It will see if files on your PC as suspect or known malware and please add your email addy to thye preferences so Mcafee knows who is sending the files to them (this sending is automatic and helps improving Mcafee dats)

            Before you use Getsusp, you should go to this document

            https://community.mcafee.com/docs/DOC-1323

            and download the PDF file explaining what Getsusp is and how it works, and this document

            https://community.mcafee.com/docs/DOC-1761

            which downloads the installation guide PDF document.

             

            If you want a second opinion, or to be on the safe side, then you can do a scan with the free versions of these tools :

            Malwarebytes and SuperAntiSpyware

             

            If you already have Malwarebytes installed, the virus could be protecting itself against it. In that case, in order to get Malwarebytes running you'll need to rename the executable. Open theC:\Program Files\Malwarebytes Antimalware folder, then rename the "mbam.exe" file and double-click directly on the file to open the program. After updating the program, run a full system scan usingMalwarebytes.

             

            Make sure both programs are updated to the latest versions before running them and let them clean anything they find. If they quarantine a file or fail to remove a file try to get a copy of it and send it to Mcafee using the virus submission path described here :

             

            Send the file to mcafee labs at http://vil.nai.com/vil/submit-sample.aspx