IE is trying to access IP 127.0.0.1 through various ports

From: 15/10/2007 13:25:42
To: Al Doman, M3 Enterprises Inc., North Vancouver, British Columbia, Canada (14/10/2007 16:10:25)
Forum: Windows
Category: Virus scan, Miscellaneous
Thread ID: 01260749
Message ID: 01261075
>>>>Since opening a file (forwarded by a friend) ZoneAlarm has been telling me the Internet Explorer is trying to access IP 127.0.0.1:Port xxxx, where port xxxx varies almost each time. Symantec antivirus finds nothing. Does anybody have any idea what this may be? If I tell ZoneAlarm to block the access the IE process freezes, but it is possible to cancel IE by pressing the X button in the top right.
>>>
>>>It's viral-like activity, for sure. Most Windows servers are running IIS, and some users' workstations probably are as well. So, if that file is opened on such a machine, and IIS is unpatched, it could be exploited by the malware.
>>>
>>>It looks as though something has hooked itself either into IE as a "browser helper object" (easiest to fix) or directly into your TCP/IP stack. You should run an AV scan by at least one other product - you can temporarily install the free AVG product, or try online AV scans by Trend Micro etc.
>>
>>Hi Al. I tried uninstalling IE7 and the problem went away with IE 6.
>
>Actually, the symptoms went away after uninstalling IE7 - this does not necessarily mean the problem is also gone. With modern malware, absence of symptoms does not mean absence of malware.
>
>> After reinstalling IE7 the problem reappears. That points to your idea of a "browser helper object" (which I don't think exist in IE6?) rather than directly into the TCP/IP stack. Now, how to detect which of the IE7 add-ons is the one that creates the problem? Do you know of any way to figure that out other than trial and error, which I think could be disastrous?
>
>IE6 also supports BHOs. With IE6 or above on XP or above, you can go to Tools...Internet Options...Programs and click on the "Manage add-ons" button to list and manage BHOs. You can start by disabling all add-ons that have no Publisher, or where the Publisher is not verified. If that works, you can turn half of them back on to see if the problem recurs. Using this binary-tree approach you can quickly determine which is the problem. Of course, you can also Google any add-on you don't recognize, or that looks suspicious.
>
>Jos's suggestions for third-party tools are good as well.
>
>Of course, a rogue BHO may not be the problem at all. Some other type of process may be getting IE to do its bidding; that process may be IE7-specific, but may actually be using some Windows component or DLL that gets installed with IE7, or with a future Windows service pack, patch, or update.
>
>As with all such problems/infestations there are 2 possible outcomes:
>
>1. Successful Identification and Repair
>
>- You (or a service professional) clearly identify the problem (perhaps from careful analysis of the file that originally caused the problem, often by scanning it, and/or your computer, with multiple AV scanners)
>
>- You confirm that your computer has the modifications known to be caused by this malware.
>
>- You run the prescribed steps to cleanse your computer.
>
>- You confirm that, after these steps, your computer no longer has the modifications caused by the malware and that it no longer exhibits its symptoms.
>
>At this point you can now "trust" your computer again, and use it normally.
>
>2. Unable to Identify and Repair
>
>- e.g. symptoms continue, or are intermittent, or "go away by themselves"
>
>This means you have a computer you can no longer trust. You cannot keep important or confidential information on it, you cannot allow it to exist on an internal LAN with other computers that it may attack without warning, you cannot do online banking with it (or anything involving valuable or important user names or passwords) etc. etc. - the list goes on and on. You have to assume a criminal has full access to the computer and can monitor all your activities.
>
>At this point you have 2 further sub-options:
>
>2a. Do nothing, and hope that a future antivirus/antimalware update will identify and repair the problem. While waiting, don't trust the computer or use it for anything important.
>
>2b. Back up your user files (and AV scan the backup afterwards), then wipe your computer clean and do a bare-metal reinstallation of everything (i.e. including hard drive reformat).
>
>2b is a drastic step, but when it's done you will have a trustworthy computer. Yes, it will take some time, but you need to weigh that against the time it will take to research and repair the problem (with no guarantee of success).
>
>Reinstalling from scratch can be made much less painful if you regularly do image backups of your entire system. Just restore from your most recent known good (i.e. uninfected) image, and you're right back where you were then. Another option with modern hardware is to use a virtual machine manager such as VMWare or Microsoft Virtual Server; you can then backup or restore virtual machine images as needed. However, doing either of the above requires some advance planning and discipline.
>
>Of course, you know what is said regarding backup, that there are only 2 kinds of people:
>
>- True Believers, and
>- Those who will one day become True Believers ;)


Al, I am taking your advice to heart and will probably go the start-from-scratch route, ugh!

Thanks for the encouragement.

Alex
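The add-on triage Al describes (disable BHOs with no publisher or an unverified publisher first) can be done read-only from an elevated PowerShell prompt. The script below is an added example and not part of the original thread: it walks the standard Browser Helper Objects registry keys, resolves each CLSID to its DLL, and checks the DLL's Authenticode signature, so the unsigned or non-verifying entries stand out before anything is disabled in Manage add-ons.

```powershell
# Added example (not from the thread): list registered BHOs and flag those whose
# DLL is unsigned or fails signature verification. Read-only; changes nothing.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $clsid = $entry.PSChildName            # e.g. {xxxxxxxx-xxxx-...}
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    # The default value of InprocServer32 is the DLL path; expand %SystemRoot% etc.
                    $raw = (Get-ItemProperty $srv).'(default)'
                    if ($raw) {
                        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                        break
                    }
                }
            }
            $status = 'DllMissing'
            $signer = ''
            if ($dll -and (Test-Path $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()    # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID    = $clsid
                Dll      = $dll
                SigState = $status
                Signer   = $signer
                # Anything other than a valid signature is a candidate to disable first
                Suspect  = ($status -ne 'Valid')
            }
        }
    }
}

Get-BhoReport | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A valid signature only says who published the DLL, not that it is benign, so the "Suspect" column orders the binary-search Al describes rather than replacing it.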