Explorer restarting IE6 --> virus?? bug??


intrepid_dw

All:

I've been perusing a bizarre little laptop with a clean install of Win
XP Pro with SP2. Only apparent additional installs are the Google
Toolbar for IE and MS Office 2K3.

Problem is that, after a few minutes of uptime, Explorer will start
firing instances of Internet Explorer at seemingly random intervals;
sometimes as often as once every one or two seconds, then slow down,
then fire several more, etc, then go dormant for several minutes. I've
run the checks in safe mode and stopped all stoppable services, all to
no avail. All I've been able to conclude is that something is making
Explorer start IE over and over again, and I can't seem to find a
reason why.

My first thought was an outbound zombie-type virus, but there are no
outbound network connections showing up via netstat, and there is no
homepage hijack. AdAware comes away clean and HiJack shows nothing
suspicious; all entries in the Run\RunOnce registry entries are traced
back to legitimate executables. I performed a safe-mode scan with
Symantec's online scanner and Microsoft's online scanner, and neither
found anything. I'm on the order of stumped.

Any ideas?? Any chance I'm coming up with some really obscure, perhaps
new, virus or malware?? I'm grasping at straws at this point...so I'd
appreciate any suggestions or theories.

Thanks,
intrepid
 

1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab clear your History, Internet Files and Cookies.
Click on the Programs tab, click on Manage Add-Ons and disable non-verified
add-ons (you can/must re-enable them later one by one to find the culprit and
disable it or remove it).
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box (it
will disable Google toolbar, do it for now please).
Then click OK to close the IE properties.

While the fireworks were going on, did you try to see which process is taking
the CPU usage by pressing ALT + DEL + CTRL?
HTH.
Let us know.
nass
 
Hi nass,

Thanks for trying to help.

Everything was cleaned out - cookies, cache, the whole schmear, etc.
Recall, too, that this was a clean install (within the last week) of
WinXP Pro, so there really wasn't much in history or TIF/cache/etc -
but what was there was cleaned out. I looked in the registry for
specific Explorer and Internet Explorer BHO's, and there was only one
for Adobe, and I was able to verify that it was legitimate. I had
already completely uninstalled the Google Toolbar.

No process is capturing a significant slice of CPU time, and all of
the processes listed in Task Manager mapped back to legitimate Windows
processes (verified with the help of Process Explorer and HiJack
This). The only blip of CPU that would appear was related to the
Explorer process, but once a new IE session would start, the Idle
process would go back to its normal 99%. I was able to confirm that
the instances are being fired by Explorer as described below.

I suspected that a virus had installed itself as a service, but was
able to eliminate that as a practical matter during a restart into
Safe mode. In the midst of all the "fireworks" of new IE instances
coming up, I went to the IEXPLORE.EXE process and took away all
execute privileges from Everyone, then enabled object auditing. That
then started hitting the event log with "Failure" notices for startup
attempts of IE being spawned from Explorer under the user account
under which I was logged in. That, combined with the fact that just
about every other service I could stop was, in fact, stopped, (and
those that weren't were SYSTEM processes which, in turn, were verified
to map back to legitimate versions of legitimate executables) led me
to conclude with a pretty high degree of confidence that the problem
was not some trojan service.

That's what now leads me to suspect something has insinuated itself
into the Explorer process, but I'm not exactly sure what. I've not been
able to find anything such as files or registry entries associated
with Explorer (HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
and the same branch under HKCU) that aren't legitimate.

The curious part about this is the variability of the new IE
instances. At its worst, new instances would pop up just as an
existing instance would be closed. At other times, if you were trying
to use an open instance, it would "refresh" itself back to the home
page as if the "Home" button had been pressed or programmatically
invoked. Other times, it would sit quietly, and a new instance of IE
would pop up only every several minutes. I've even looked to see if a
scheduled process is being secretly invoked, but none are present.
Part of me began to wonder if there was a keyboard hardware
malfunction (eg shorting/bouncing browser hotkey) that just happened
to manifest itself as IE instances popping up at varying intervals/
frequencies.

I appreciate the help. More ideas still welcome...

-intrepid
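
The attribution step described in the post above (deny execute on IEXPLORE.EXE, audit the file, then read which process the "Failure" entries name) can be turned into a small analysis, shown here as an added example that is not part of the original thread. The record layout, field names and sample lines are constructed for illustration and are not the Windows Security log format.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Each line is a simplified stand-in for one audit
# entry: time|outcome|requesting image|target image|account. The layout is an
# assumption made for this example, not the Windows Security log format.
SAMPLE_AUDIT = r"""
2007-01-06 14:02:11|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:02:12|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:02:14|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:02:15|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:02:40|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:02:41|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:03:00|Success|C:\WINDOWS\system32\services.exe|C:\WINDOWS\system32\svchost.exe|NT AUTHORITY\SYSTEM
this line is damaged and must be skipped
2007-01-06 14:05:00|Failure|C:\WINDOWS\system32\taskmgr.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
2007-01-06 14:09:30|Failure|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\IEXPLORE.EXE|LAPTOP\owner
"""


def parse_records(text):
    """Parse the constructed pipe-separated layout, skipping damaged lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # blank or malformed line
        stamp, outcome, parent, target, account = parts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        records.append({"time": when, "outcome": outcome, "parent": parent,
                        "target": target, "account": account})
    return records


def launches_by_parent(records, target_name="iexplore.exe"):
    """Map each requesting image (full path, lower-cased) to its launch times.

    The full path is kept as the key so that an explorer.exe running from an
    unexpected directory would not be merged with the real shell.
    """
    by_parent = defaultdict(list)
    for rec in records:
        # ntpath handles backslash paths regardless of the analysis host's OS.
        if ntpath.basename(rec["target"]).lower() == target_name:
            by_parent[rec["parent"].lower()].append(rec["time"])
    return {parent: sorted(times) for parent, times in by_parent.items()}


def split_bursts(times, max_gap=timedelta(seconds=5)):
    """Group sorted timestamps into bursts separated by more than max_gap."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= max_gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def summarize(text, max_gap=timedelta(seconds=5)):
    """Per requesting image: attempts, burst count, largest burst, longest lull."""
    report = {}
    for parent, times in launches_by_parent(parse_records(text)).items():
        bursts = split_bursts(times, max_gap)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        report[parent] = {
            "attempts": len(times),
            "bursts": len(bursts),
            "largest_burst": max(len(b) for b in bursts),
            "longest_quiet": max(gaps, default=timedelta(0)),
        }
    return report


if __name__ == "__main__":
    for parent, stats in summarize(SAMPLE_AUDIT).items():
        print(parent, stats)
```

Grouping by the requesting image separates a single manual start from the automated bursts, and the burst and lull figures give a baseline to compare against after each change made to the machine.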




 
Download Autoruns and see the real running processes in the background:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

Download this ShellExView and see the
running application in the background:
http://windowsxp.mvps.org/slowrightclick.htm

Do you have MS Messenger running? I will try to block or see the open ports
and block them on the firewall (not the fireworks this time <grin>) and see
if the behaviour will still persist.
P.S. Did you get the security updates from the MS site?
HTH.
nass

 
I will most certainly grab Autoruns, and hope that reveals something
I'm not seeing. I know the BHO's and all the Run\RunOnce\RunOnceEx
entries are empty, so anything else that can find something buried
even deeper would be great.

Thanks.

-intrepid


 
Good luck, and it will be much appreciated if you send feedback with your
findings.
Regards,
nass

 
Anti-virus application is...?

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
PABear (and nass)

Ongoing thanks for the assistance.

Here's the Saturday PM update :)

* Performed "preliminary check" at aumha.org, and nothing was found.
* I have performed a *third* full virus scan on this system, this time
with a fresh install of McAfee Enterprise 8.0i including latest
updates. Nothing adverse detected. Previous scanners included Symantec
and Microsoft's online scanners; neither discovered anything.
* Downloaded, installed, and updated latest version of SpyBot Search
and Destroy. Full scan; nothing found.
* Downloaded and installed RootkitRevealer. No rootkits detected.
* Had already performed download/install/update of latest AdAware -
full scan, nothing found.
* Downloaded and ran CWShredder from aumha.org. No CWS found.
* Hosts file has no entries other than loopback (127.0.0.1)
* Downloaded and ran Sysinternals Autoruns; have found nothing out of
the ordinary yet, still reviewing its results, however.

Right now, there's still nothing pointing to any adware/malware/
viruses, but IE still popping up with what I've come to call the
"Redenbacher Effect" (multiple IE windows popping up, but not
hijacked) every few minutes. No untoward outbound network activity
detected through firewall.

Continuing to investigate; will update as I find new info.

BTW, debug/investigate steps are not at all intimidating; been working
on Windows PC's for waaaay too long. Trying to fix this box as a favor
for a friend, also a personal challenge :-) Really expected quick ID
problem, but potentially deep, dark, ugly fix; expected to see
something buried in startup (run\runonce\runonceex), hacked service,
BHO, something, but not so far. Almost started to think it's a weird
keyboard or touchpad problem that's causing IE to fire errantly...but
still looking.

Can still inhibit all IE activity by rebooting to safe mode and
stripping all Execute privs to everyone on IEXPLORE.EXE, machine then
works, but that hardly seems a practical solution :)

Machine rebuild under consideration....but not just yet :)

Will rerun HiJack and make sure I haven't overlooked anything there.

Thanks for your ongoing help,
-intrepid
 
Ok, here's some fractionally more detailed discovery info:

* I can terminate the multi-pop IE behavior if I terminate the
Explorer process. This obviously leaves me without a taskbar, systray,
etc, but for now I can start other processes via TaskManager.

* If I manually start IE from TaskManager, the started instance will,
at seemingly random intervals, refresh itself back to the defined home
page.

This would seem to divide the observed behaviors into two distinct
classes; the perpetual reinstancing of IE, and the perpetual
"rehoming" of an existing instance...

-intrepid
 
What about the Java version installed on that machine, is it all up to date
(the latest version)?
Try to Repair/Reinstall IE or try registering these DLLs:
Open the Run command and type in:
regsvr32 urlmon.dll
regsvr32 initpki.dll
regsvr32 shell32.dll
regsvr32 dssenh.dll
regsvr32 Cryptsvc.dll
regsvr32 Sccbase.dll
regsvr32 softpub.dll
regsvr32 mshtml.dll
regsvr32 wintrust.dll
regsvr32 rasenh.dll
regsvr32 shdocvw.dll
regsvr32 Cryptdlg.dll
regsvr32 Jscript.dll
regsvr32 Browseui.dll
netsh winsock reset

Also run the sfc /scannow
HTH.
Let us know.
Regs,
nass
 
Have you posted your HijackThis log to an appropriate forum for review by an
expert on this stuff?
 
All,

I have been out of pocket most of today and will again most of the day
on Monday, so I don't have a great deal of new information to relay
here.

PABear, in response to your question, I did not post the HJT log
because it was so short, and I was able to trace the bulk of the
information therein to legitimate sources. Also, it has so little
information compared to most of those logs I see posted, frankly
didn't feel like wasting someone's time by starting a separate forum
thread on it alone. I'm sure the relative "shortness" of the log goes
back to the fact that it's a fairly recent machine rebuild.

I will be working on this machine a bit more tonight, and some again
late tomorrow night after some church obligations. I will be sure to
post whatever I find.

Again, continued thanks for everyone's assistance. I will be delighted
to figure this one out!!

-intrepid
 
Hello, all. I hope I haven't lost everyone's interest...some things
came up and I have not been able to work on this as much as I'd hoped.

I am almost ready to conclude that this is some type of unusual driver
behavior in conjunction with the mouse driver. My most recent notion
had me plug in an external (USB) mouse and try disabling the Synaptics
touchpad driver (which is no small feat in itself). While I cannot
categorically state the popups were eliminated when navigating with
the external mouse, I can state that they were dramatically
reduced..from as many as dozens per quarter-hour to only two or three.
In the best-case state, I was actually able to plug in a DVD movie and
watch the whole thing (appx two hours) with *zero* popups.

This is the closest I have been able to come to even allowing myself
to infer a cause-and-effect relationship between *anything* and the
popups, and while it still may prove to be a red herring, this is the
path I'm opting to pursue at the moment.

-intrepid_dw
 
To keep track of things, it helps immensely if you include all of previous
message(s) in your replies to the newsgroup. We have no idea what you're
talking about.
 
Sorry, Bear, considering the threaded nature of the newsgroup and that
I've seen more than a few people flamed over the years for
perpetuating repeated text in subsequent messages, I opted not to
include the balance of the thread.

-intrepid
 