# Multiple Internet explorer openings



## Cowboy622

I recently had an issue with Outlook not opening and I took the CPU into a computer shop. This resulted in an entire reformatting, (I use Win XP) Everything has been fine and then one day I hear music coming from the computer and the only program running is Outlook. I opened the task manager and while it only said Outlook under the applications tab, under the processes tab there was 47 "iexplorer.exe" running. I had to end task each one and as I was doing this a few more popped in. Now almost everytime I use internet explorer, there will be multiple entries under the processes tab and I have to end task each one. When I go to open internet explorer, I get a prompt to choose, return to my last session or go to home page. Once I chose return to my last session, and it took me to an asthma sufferer's website, (which I've never been on.)

I have run Spybot S & D, Ad Aware, and CCleaner to try to rid myself of spyware. I have the free AVG antivirus installed. Any suggestions??? (Other than to use Mozilla Firefox, which I do use sometimes with no problems). 

Thanks in advance for any suggestions.


----------



## Cowboy622

Just an FYI, below is the response which I received elsewhere and seems to have worked. Thought I'd post it here just in case someone else has the problem:

Spybot, adaware are past their prime and Ccleaner will do nothing to get rid of an infection other than mop up a bit once something else has gotten rid of it.

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner4.exe

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under *General and Startup" tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies can be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

4. Download, install, and run HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything yet with Hijackthis!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!*


----------



## Cowboy622

Below are the results of these scans. Any suggestions???

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2010 at 05:59 PM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 2353

Scan type : Complete Scan
Total Scan Time : 00:41:33

Memory items scanned : 398
Memory threats detected : 0
Registry items scanned : 5752
Registry threats detected : 12
File items scanned : 6194
File threats detected : 14

Adware.XML Parser-AIE/Crypt
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{099A69F9-76B4-3063-BD47-2B5BB9935036}
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}\InprocServer32
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}\InprocServer32#ThreadingModel
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}\ProgID
HKCR\CLSID\{099A69F9-76B4-3063-BD47-2B5BB9935036}\VersionIndependentProgID
HKCR\D.1
HKCR\D.1\CLSID
HKCR\D
HKCR\D\CLSID
C:\WINDOWS\SYSTEM32\RT89986.DLL
HKU\S-1-5-21-2000478354-1708537768-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{099A69F9-76B4-3063-BD47-2B5BB9935036}

Adware.Tracking Cookie
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][1].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][3].txt
C:\Documents and Settings\Valued Customer\Cookies\[email protected][2].txt

mbam-log-2010-01-31 (08-34-10).txt
Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/31/2010 8:34:10 AM
mbam-log-2010-01-31 (08-34-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 219442
Time elapsed: 1 hour(s), 56 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Valued Customer\Desktop\Mark Lindberg\ComboFix\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Valued Customer\Desktop\Mark Lindberg\ComboFix\PV.cfxxe (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Valued Customer\Desktop\Mark Lindberg\ComboFix\pv.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A672E036-E17B-4280-94CE-6DB871F5A513}\RP123\A0018621.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A672E036-E17B-4280-94CE-6DB871F5A513}\RP67\A0013052.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmon_ct.exe (Trojan.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-31 16:02:49
Windows 5.1.2600 Service Pack 3
Running: dzqyctfh.exe; Driver: C:\DOCUME~1\VALUED~1\LOCALS~1\Temp\fgecaaod.sys

---- Kernel code sections - GMER 1.0.15 ----

? jaddtskm.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\PxHelper.sys entry point in "init" section [0xBA5713D8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:25 PM, on 1/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4512 bytes


----------

