
A Nasty Little Virus

Level 16 | Joined Mar 27, 2011 | Messages 1,349
A Nasty Little Virus?

My older brother complained to me the other day (yes, my brother, mum, etc. ask me to fix their computers all the time) about his web page being set to something like "startpage". I didn't think anything of it and told him to change it back to Google. He noticed that at random times his computer would work really hard.

After taking a look, I found a process called "iexplorer" in the task manager (which I'm pretty sure is the process for the internet) which was cranked up, using 99% of the CPU. This caused the fan to become really loud too! I ended the process, but it randomly pops up by itself sometimes. Or maybe it pops up after the internet is opened; I'm not sure. I also noticed that, upon restarting the computer, the default page for the internet would revert to "startpage". You would have to change the default page to Google every time the computer started up.

My brother said he read something that "startpage" is a virus, but I couldn't find any information regarding it being a virus. I ran a scan with Malwarebytes and found a PUP virus. Problem not fixed. Ran a scan with Malwarebytes in Safe Mode. No virus, problem still there. Ran a Boot Time scan with Avast! (a special feature in Avast! which scans the computer before the operating system loads), found 2 viruses. Problem not fixed.

The only thing I did a day earlier, before all of this, was install an updated version of a Radeon graphics driver, which I sourced from the HP website itself. The problems did not occur after that event, but the next day. I tend to think that's just a coincidence though.

Any ideas, people? If it's a virus, I can't seem to detect it. Is this "Startpage" thing legit, or a virus?

Edit: This has been solved. Thanks to everyone who helped.
 
Level 8 | Joined Aug 13, 2009 | Messages 466
This is a stretch, but could the "startpage" website actually contain a virus, which you keep re-infecting yourselves with since you don't change the start page?

Also, the standard process name isn't necessarily iexplorer.exe. On this Win7 box I have explorer.exe, and I think it was iexplore.exe in some other versions.

Something that hijacks your start page doesn't seem very good-willed to me.
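Two questions raised so far, the home page that reverts after every restart (first post) and which process name is actually legitimate (the reply above), can be answered without a scanner by reading where Internet Explorer stores its start page, the autostart locations a hijacker would have to use to re-apply it, and the on-disk location of any process calling itself explorer, iexplore or iexplorer. The following read-only triage script is an added example written for this page, not code from the thread or from any of the tools mentioned in it. It assumes Windows PowerShell (2.0 or later, hence Get-WmiObject rather than Get-CimInstance) run from an elevated prompt so that every process's executable path is readable.

```powershell
# Added example for this page; not from the thread. Read-only: nothing below
# changes the registry or kills a process.
# Assumes Windows PowerShell (Get-WmiObject) in an elevated session.

# 1. Start page values. A hijacker that rewrites these at every logon is the
#    usual reason a home page "comes back" after the user sets it. Values under
#    the Policies keys show up in IE as settings managed by an administrator.
$mainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
)
foreach ($key in $mainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Secondary Start Pages') {
        $value = $props.$name
        if ($value) { 'HOME {0} [{1}] = {2}' -f $key, $name, ($value -join ' | ') }
    }
}

# 2. Autostart entries and Browser Helper Objects. Whatever re-applies the
#    start page has to run at logon or inside the browser, so these are the
#    first two places to look.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { 'RUN  {0} : {1} -> {2}' -f $key, $_.Name, $_.Value }
}

$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '(no InprocServer32)' }
        'BHO  {0} -> {1}' -f $clsid, $dll
    }
}

# 3. Processes with an explorer-like name. The genuine binaries live in
#    %SystemRoot% (explorer.exe) and under Program Files (iexplore.exe);
#    "iexplorer.exe" is not a standard Windows process name, and any of these
#    names running from a user-writable directory such as AppData or Temp
#    should be reviewed before it is trusted.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
Get-WmiObject -Class Win32_Process |
    Where-Object { $_.Name -match '^i?explorer?\.exe$' } |
    ForEach-Object {
        $path    = $_.ExecutablePath
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        $verdict = if ($trusted) { 'expected location' } else { 'REVIEW' }
        'PROC {0,-14} PID {1,-6} {2,-17} {3}' -f $_.Name, $_.ProcessId, $verdict, $path
    }
```

What to do with the output: if a HOME line shows a start page the owner never set, the RUN or BHO line that points at a file under AppData, Temp or another user-writable path is the thing that keeps putting it back; that file (not the home page setting) is what needs to be removed and submitted to the scanners. A PROC line marked REVIEW, or a PROC line with an empty path in a non-elevated session, is the process worth inspecting rather than just ending. On 64-bit Windows the 32-bit IE keeps its BHO list under the Wow6432Node mirror of the same key, which this script does not walk.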
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> website actually contain a virus, which you keep re-infecting yourselves with since you don't change the start page?

After I deleted the 3 viruses (which I'm not sure are the ones causing the problems), the default browser page is still being changed to "Startpage". So that leads me to think that there is still a virus on the computer, automatically changing the default home page for the internet.

I am still not certain it's a virus. But it's odd that the homepage is being changed automatically, and that the CPU jumps to 99% usage after visiting the website. Maybe I'll run a scan (to delete the virus), then change the homepage while disconnected from the internet. This will prevent me receiving another virus before I change the homepage. If I still have problems, I'll conclude that there is either an undetectable virus or there may be some faulty drivers installed or something (which I doubt).

Edit: I disabled the network adapter to prevent the computer from accessing the internet. I ran a scan and found another virus (yes, after I already scanned and deleted 2). This leads me to believe the website was giving me a virus, like Zamutt said. The computer is free from CPU overloads now. However, the home page is still automatically reverting to "startpage" when I open the explorer.

Edit 2: After a fair bit of research, I've concluded it must be some kind of malware. Tried a program called "SpyBot" which someone recommended on a forum. Despite bad reviews due to the program being very outdated, I used it anyway. It detected lots of registry issues, but the problem still remains...! Just about to give up, if anyone can make any suggestions...
 
Level 5 | Joined Jul 31, 2005 | Messages 105
Now I know this probably isn't the answer you want, but why don't you simply reinstall Windows 7? These days it is pretty quick to reinstall an OS. If the fix takes longer than reinstalling the OS, why not simply back up the files and reinstall the OS? That is my line of thinking these days.

I guess if you don't want to do that, my suggestion would be to boot into safe mode with no networking and start a scan while you manually remove anything from the Local and Temp folders that seems suspicious. Simply delete anything that doesn't have a logical file name; most of the time temp files follow a logical naming scheme. Or just delete everything in the Local folder that isn't profile related. If it isn't there, he may have installed a malicious program, but I would think that would be a pretty easy one to notice.
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> If everything fails, you can try ComboFix. But it's a last resort weapon and you should read about it first.

I'll look into this.

> Now I know this probably isn't the answer you want, but why don't you simply reinstall Windows 7? These days it is pretty quick to reinstall an OS. If the fix takes longer than reinstalling the OS, why not simply back up the files and reinstall the OS? That is my line of thinking these days.

It is a laptop. Most laptops don't come with a Windows 7 CD. I cannot reinstall Windows 7, unfortunately. Also, I have looked into downloading Windows 7 (legitimately) with no success.

> Simply delete anything that doesn't have a logical file name; most of the time temp files follow a logical naming scheme. Or just delete everything in the Local folder that isn't profile related.

I have deleted all browsing history. I ticked all the boxes (cookies, history, temp files, etc.) and even unticked "preserve favourites". No luck. I even reset the whole browser in advanced settings and still no luck.

> He might have a toolbar or add-on installed that causes this. I had similar problems with the startpage too once.

Everything is disabled apart from Avast! (the antivirus).

> I recommend using Malwarebytes and doing a scan.

Yes, I have used that program in safe mode as well as normal mode. No luck.
 
Level 5 | Joined Jul 31, 2005 | Messages 105
> I'll look into this.
>
> It is a laptop. Most laptops don't come with a Windows 7 CD. I cannot reinstall Windows 7, unfortunately. Also, I have looked into downloading Windows 7 (legitimately) with no success.
>
> I have deleted all browsing history. I ticked all the boxes (cookies, history, temp files, etc.) and even unticked "preserve favourites". No luck. I even reset the whole browser in advanced settings and still no luck.
>
> Everything is disabled apart from Avast! (the antivirus).
>
> Yes, I have used that program in safe mode as well as normal mode. No luck.

I wasn't referring to the stuff you can do from your browser or Disk Cleanup; I was telling you to go to the hidden folder in the User folder called AppData (the full path being C:\Users\<InsertUserNameHere>\AppData). Inside that folder you will find 3 folders: Local, LocalLow, and Roaming. Generally viruses will be in Local or in the Temp folder within Local. Just delete any file that doesn't follow a logical naming scheme or seems suspicious. You won't break anything if you screw up and accidentally delete a file that isn't related to the virus.

You can find a Windows 7 ISO pretty easily; just search for Windows 7 ISO. I made a comp a year ago that didn't have an ODD (I already had a copy of Windows 7 Home Premium I had bought; I just needed a way to install it). So I went to Windows' site to see if they had any tools for making a bootable flash drive to install Windows 7 from, and they did. The only problem is they had nowhere to download the ISO, if I remember. So I searched Windows 7 ISO and immediately found what I was looking for. It wasn't modified or anything, just the Windows 7 Home Premium ISO from the install DVD. So just search and you should find it. Now, the program I used to make the bootable flash drive was Unetbootin; it's made for making Linux bootable flash drives, but it should work for this as well. If this seems too much like piracy, please remove this part of my post.
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> What browser are you using? If you are using Internet Explorer 9, upgrade to the 10 beta, since the changes in how it functions might kill any malware. If you use Firefox or Chrome, you need to make sure the latest version is installed (those usually fix security holes).

Yes, I'm using Internet Explorer 9. I don't usually download betas and whatnot, but I might this time. Usually IE asks if I want an update. How do I manually update?

> I wasn't referring to the stuff you can do from your browser or Disk Cleanup; I was telling you to go to the hidden folder in the User folder called AppData (the full path being C:\Users\<InsertUserNameHere>\AppData). Inside that folder you will find 3 folders: Local, LocalLow, and Roaming. Generally viruses will be in Local or in the Temp folder within Local. Just delete any file that doesn't follow a logical naming scheme or seems suspicious. You won't break anything if you screw up and accidentally delete a file that isn't related to the virus.

Inside the 3 different folders I find many sub folders with long names (silly things like 00xxQBDH-67336) as well as some files. I am also seeing some files with the names of some old junk toolbars which were accidentally installed a long time ago and uninstalled. You're saying I can delete everything in these 3 folders without harming the computer? If so I'll just do that. There are so many oddly named files to try and differentiate "weird" and "normal" file/folder names.
 

Dr Super Good (Spell Reviewer) | Level 64 | Joined Jan 18, 2005 | Messages 27,259
> Yes, I'm using Internet Explorer 9. I don't usually download betas and whatnot, but I might this time. Usually IE asks if I want an update. How do I manually update?

From Microsoft.

It is the release preview. Hopefully it is enough to kill the virus due to the differences. It will be coming out soon for Windows 7 as a mandatory update anyway, so do not worry about it being "untested".

If that fails, you might want to try different competitor browsers like Firefox or Chrome. Be aware that Firefox may be less secure and is considerably slower due to its open source nature (you get what you pay for). Chrome is more secure and very fast but is developed by Google (so uses a lot of their advertisement technology to help them), so it might not be something you want to use for ethical reasons. Both have very good browser standard compatibility and may even render pages better than Internet Explorer 9 is doing.
 
Level 5 | Joined Jul 31, 2005 | Messages 105
> Inside the 3 different folders I find many sub folders with long names (silly things like 00xxQBDH-67336) as well as some files. I am also seeing some files with the names of some old junk toolbars which were accidentally installed a long time ago and uninstalled. You're saying I can delete everything in these 3 folders without harming the computer? If so I'll just do that. There are so many oddly named files to try and differentiate "weird" and "normal" file/folder names.

I honestly suggest following DSG's advice, because this is a bit more advanced, honestly, but if updating does not kill it you may try what I am explaining further.

Just the Local folder, really. Most of the stuff in those folders, if deleted, will just be downloaded again by the program if it requires it to function. As for the LocalLow and Roaming folders, it is very rare to have one in LocalLow as far as I know, and I have never encountered one in Roaming. Roaming holds actual application data. To give an example, it's where games like Minecraft reside, so I wouldn't bother deleting anything from that (it has a lot of profile and other application data; in short, don't fuck with it if you don't know what you are doing). The Local folder is generally the one it will be in, and I think I've maybe once seen a part in LocalLow in the Sun/Java folder. So in other words you can mess with Local and LocalLow and probably not notice anything, but do not touch anything in Roaming.

As for browsers, I am currently using a derivative of Firefox called Pale Moon and I rather like it.
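Deleting whatever in AppData "doesn't have a logical file name" is how data gets lost (plenty of legitimate programs keep randomly named cache and update folders there), and it does nothing about a payload whose name looks perfectly normal. A safer first step, before removing anything, is to inventory what is actually in those three folders: which executable files were written recently, where they sit, whether they carry a valid Authenticode signature, and their hash so they can be looked up or submitted to a scanner. The script below is an added example written for this page, not code from the thread. It assumes Windows PowerShell on Windows 7 or later; the seven-day window is an arbitrary choice, and the hash is computed with .NET's SHA256 class so the script also runs on the PowerShell 2.0 that shipped with Windows 7 (Get-FileHash arrived in a later version).

```powershell
# Added example for this page; not from the thread. Read-only inventory of
# recently modified executable files under the current user's AppData tree.
# Assumptions: Windows PowerShell 2.0 or later; the 7-day window is arbitrary.

$days   = 7
$cutoff = (Get-Date).AddDays(-$days)
$roots  = @(
    (Join-Path $env:USERPROFILE 'AppData\Local'),
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),
    (Join-Path $env:USERPROFILE 'AppData\Roaming')
)
# File types that execute or load code; a hijacker's payload is one of these
# whatever the folder around it is called.
$patterns = @('*.exe', '*.dll', '*.scr', '*.com', '*.bat', '*.cmd', '*.vbs', '*.js')

$sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$path) {
    # Hex SHA-256 of a file; '(unreadable)' if another process holds it locked.
    try {
        $stream = [System.IO.File]::OpenRead($path)
        try     { ([System.BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    } catch { '(unreadable)' }
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include $patterns -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            New-Object PSObject -Property @{
                LastWrite = $_.LastWriteTime
                Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
                SHA256    = Get-Sha256Hex $_.FullName
                Path      = $_.FullName
            }
        }
}

# Unsigned or tampered files, newest first, go to the top. A Valid signature
# from a vendor the user recognises is a reason to leave a file alone, not a
# reason to delete it because its folder name looks random.
$report |
    Sort-Object -Property @{Expression = { $_.Status -eq 'Valid' }}, @{Expression = 'LastWrite'; Descending = $true} |
    Format-Table -Property LastWrite, Status, Signer, SHA256, Path -AutoSize
```

Read the table from the top: a NotSigned or HashMismatch entry written in the window when the symptoms began, sitting in Local\Temp or in a freshly created folder, is the candidate; look its SHA256 up or hand it to the scanners before deleting it, and check whether any autostart entry or browser add-on points at it, since removing the file without the entry that launches it is what leaves the home page reverting after the next restart.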
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> I honestly suggest following DSG's advice, because this is a bit more advanced, honestly, but if updating does not kill it you may try what I am explaining further.

I did try your method; however, it did not fix the problem. I deleted everything in the Local and LocalLow folders, with the exception of the "Microsoft" folder. I also scanned using "Microsoft Safety Scanner". It found another 2 viruses, but I had to go away for the weekend so I didn't see the results or check if it fixed the problem.

If it doesn't, I will try the Doctor's method. If that doesn't work, I think the next step is to violently obliterate the computer. Thanks very much for your help everyone :)

Edit: After the scan with the Microsoft Safety Scanner, the problem appears to be gone. Looks like the scanner found the virus causing the problems. Funny Avast! or Malwarebytes couldn't find it. Thanks for the help everyone.
 
Level 8 | Joined Apr 4, 2005 | Messages 499
Boot and nuke that s**t, install the OS, install Chrome instead of IE, install the NotScripts plugin for Chrome, install an AV, scan your backup data, transfer the backup back to the PC.

In my experience you should use your time fixing the thing causing the problem, rather than the problem itself, in order to prevent it from recurring.
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> Boot and nuke that s**t, install the OS, install Chrome instead of IE, install the NotScripts plugin for Chrome, install an AV, scan your backup data, transfer the backup back to the PC.
>
> In my experience you should use your time fixing the thing causing the problem, rather than the problem itself, in order to prevent it from recurring.

Thanks for the help. I'll rep you too, but I have already fixed it. I downloaded a third virus scanning program which finally managed to detect the virus and remove it. The problem disappeared immediately afterwards. Btw, I already have an antivirus and I don't have backups :)

> The person may also prefer to use IE over Chrome.

Yeah, I prefer Internet Explorer. Never got used to using Chrome or Firefox.
 
Level 8 | Joined Aug 13, 2009 | Messages 466
Getting people that don't care about security to use NoScript (note: the actual NoScript is for Firefox and similar only, but there seems to be something called NotScripts for Chrome) will probably be a tall order.

As of IE9, IE got a lot better, but now that I've gotten used to the Firefox setup there is no way in hell I'm switching (also, I personally hate the IE9 design with a passion).

Good thing you managed to get rid of the virus; kind of strange that they would be this evasive. I guess it's theoretically possible they were engineered to resist certain scanners, but really...
 
Level 16 | Joined Mar 27, 2011 | Messages 1,349
> Good thing you managed to get rid of the virus; kind of strange that they would be this evasive. I guess it's theoretically possible they were engineered to resist certain scanners, but really...

It makes you wonder. How many viruses are sitting on your computer right now that your AV has no idea about... lol. I used Microsoft Safety Scanner on my computer too after it managed to clean my brother's computer. It found 2 viruses! My Avast! or Malwarebytes didn't find those...

Actually, I'll stop thinking about it before I get paranoid and start downloading more and more scanning programs, lol.
 