IE disappears from taskbar on reboot

[Sxcd1]

I recently go some malware on my computer which was removed with Malware Bytes. After that was fixed I noticed that my IE and Windows Explorer icons don't stay on the taskbar. They are there at boot up but disappear as everything load. I've tried to pin them to the taskbar but they still disappear after reboot. Does anyone know how to fix this? Thanks.

 

[ThrashZone]

Hi,
Did you use the Threat scan or the Custom scan in mbam ?
Use the custom scan and scan all connected drives,
Post the scan results

Review Jacee’s instructions to run Adwcleaner here post #7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
On the BleepingComputer site use the button that looks like this,

SAS is safe to remove anything it finds
http://www.superantispyware.com/?tag=SUPERANTISPYWARE
This one is the longest up to 4 hours, the others are only about 45 minutes,
http://www.microsoft.com/security/scanner/en-us/default.aspx

 

[Sxcd1]

Here is the log from Mbam

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/07/09 22:03:07 -0400</date>
<logfile>mbam-log-2015-07-09 (22-03-07).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.01.6.1022</version>
<malware-database>v2015.03.09.05</malware-database>
<rootkit-database>v2015.02.25.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>Warren</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>425583</objects>
<time>830</time>
<processes>8</processes>
<modules>0</modules>
<keys>210</keys>
<values>4</values>
<datas>0</datas>
<folders>153</folders>
<files>594</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>warn</pup>
<pum>enabled</pum>
</options>
<items>
<process><path>C:\Program Files (x86)\HQCinema Pro  2.1V09.07\65cd391c-8991-4061-9130-e6cdb77e5f59-10.exe</path><vendor>PUP.Optional.CrossRider.A</vendor><action>delete-on-reboot</action><pid>7420</pid><hash>e792d46f434704328d53ca4b34d2639d</hash></process>
<process><path>C:\Program Files (x86)\HQCinema Pro  2.1V09.07\65cd391c-8991-4061-9130-e6cdb77e5f59-6.exe</path><vendor>PUP.Optional.CrossRider.A</vendor><action>delete-on-reboot</action><pid>28472</pid><hash>6d0c5be8454575c138a8d14433d3a957</hash></process>
<process><path>C:\Program Files (x86)\HQCinema Pro  2.1V09.07\65cd391c-8991-4061-9130-e6cdb77e5f59-1-6.exe</path><vendor>PUP.Optional.CrossRider.A</vendor><action>delete-on-reboot</action><pid>28212</pid><hash>d8a1e95a5a3038fee5fb1ff6ba4c43bd</hash></process>
<process><path>C:\Program Files  (x86)\StormWatch\StormWatchApp.exe</path><vendor>PUP.Optional.StormWatch.A</vendor><action>delete-on-reboot</action><pid>27884</pid><hash>f287e063becc1422bb12b99c827ef10f</hash></process>
<process><path>C:\Program Files  (x86)\StormWatch\SWUpdaterSvc.exe</path><vendor>PUP.Optional.StormWatch.A</vendor><action>delete-on-reboot</action><pid>28228</pid><hash>3f3a7bc8127834021e6c31cfe71bdb25</hash></process>
<process><path>C:\Program Files  (x86)\StormWatch\StormWatchSrv.exe</path><vendor>PUP.Optional.StormWatch.A</vendor><action>delete-on-reboot</action><pid>10412</pid><hash>b9c0ae954a40b284235dd2e33ac91ee2</hash></process>
<process><path>C:\Program Files  (x86)\RadPlayer\myradioplayer.exe</path><vendor>PUP.Optional.MyRadioPlayer.A</vendor><action>delete-on-reboot</action><pid>25744</pid><hash>760347fcd8b2fb3b9dd50a2745c009f7</hash></process>
<process><path>C:\Program Files (x86)\Consumer  Input\Monitoring\dca-monitoring.exe</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>delete-on-reboot</action><pid>24876</pid><hash>b2c75ce7424894a2928eb4b7a0632bd5</hash></process>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SWUpdater</path><vendor>PUP.Optional.StormWatch.A</vendor><action>success</action><hash>3f3a7bc8127834021e6c31cfe71bdb25</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\consumerinput_update</path><vendor>PUP.Optional.ConsumerInput.A</vendor><action>success</action><hash>aecbb192e2a877bf771e2768f30e28d8</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\consumerinput_updatem</path><vendor>PUP.Optional.ConsumerInput.A</vendor><action>success</action><hash>aecbb192e2a877bf771e2768f30e28d8</hash></key>
<key><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS  NT\CURRENTVERSION\IMAGE FILE EXECUTION  OPTIONS\CONSUMERINPUTUPDATE.EXE</path><vendor>PUP.Optional.ConsumerInput.A</vendor><action>success</action><hash>aecbb192e2a877bf771e2768f30e28d8</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS  NT\CURRENTVERSION\IMAGE FILE EXECUTION  OPTIONS\CONSUMERINPUTUPDATE.EXE</path><vendor>PUP.Optional.ConsumerInput.A</vendor><action>success</action><hash>aecbb192e2a877bf771e2768f30e28d8</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\TYPELIB\{7BAB653D-88FB-4F60-AFC2-8E6FD59FAFF3}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\INTERFACE\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{7BAB653D-88FB-4F60-AFC2-8E6FD59FAFF3}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{7BAB653D-88FB-4F60-AFC2-8E6FD59FAFF3}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\CLSID\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}\INPROCSERVER32</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\dcabho.Dca.1</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\dcabho.Dca</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\CLASSES\dcabho.Dca</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\CLASSES\WOW6432NODE\dcabho.Dca</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER  HELPER  OBJECTS\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
<key><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER  HELPER  OBJECTS\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}</path><vendor>PUP.Optional.Consumer.Input.A</vendor><action>success</action><hash>3c3d52f17b0f0531137cdf42aa59b14f</hash></key>
rest deleted as too long and got an error after posting.

I've ran all 4 programs till they report not malware but after reboot the windows explorer and internet explorer icons on the taskbar disappear during the boot process.

 

[ThrashZone]

Hi thanks you can upload as a text attachment instead of using code especially long ones
What did adwcleaner find ?
Remove PUP.Optional.CrossRider virus (Removal Guide)

 

[Sxcd1]

Have run all 4 programs multiple time and still can't get IE and Windows explorer on taskbar.

 

[UsernameIssues]

.... icons don't stay on the taskbar. They are there at boot up but disappear as everything load....

Perhaps you can find the offending app by not letting everything load:
http://www.sevenforums.com/tutorial...ation-conflicts-performing-clean-startup.html

It those steps fail to find the issue, then try using Process Monitor.
Filter the events by Path > Contains > Quick Launch\User Pinned\TaskBar
Enable boot logging using this info.
Create the pinned items.
Reboot and follow the steps to save the results.

No need to upload the saved log file unless you cannot figure out what app got rid of your taskbar items.

 

[GokAy]

If your Windows is 32bit - Try browsing to IE folder in prog files x86 and right click send to:desktop, try pinning this new shortcut.

If it is 64 bit - pin a shortcut you make from IE folder in program files.

And regarding MBAM scan, did you enable rootkit scanning in settings - detections?

 

[Sxcd1]

I've ran Malwarebytes, super antispyware and adware cleaner multiple time, as well as edit the startup in MSCONFIG to prevent the malware from loading. I've reset IE and tried to do the same to Firefox. I'm getting no malware found with all programs and IE works fine but firefox goes to Search
and get the error server not found.
Saving Google as the default page in firefox doesn't fix it. I think I'm very close to getting rid of this malware. Thanks for the help.

 

[GokAy]

Check the shortcut of Firefox, I have seen a similar thing with IE on a friend's machine. I even thought MBAM was useless for it for a while, then figured the unwanted page was loading due to being included in the shortcut which was pinned. I unpinned/deleted and re-made a new shortcut from the exe. You can still just modify the shortcut too.

See if this is the case.

 

[Sxcd1]

Duh I can't beleive I didn't think of that. Thanks so much. Windows Explorer, Firefox and IE are all back on my taskbar. Is there anything I should do to confirm I removed all the malware other that getting a clean report from malware bytes and Superantispyware?

 

[GokAy]

No problem at all, glad it got fixed If all MSE, MBAM and SAS gave a green light I wouldn't worry.

 

[UsernameIssues]

Try browsing to IE folder in prog files x86 and right click send to:desktop, try pinning this new shortcut.

And regarding MBAM scan, did you enable rootkit scanning in settings - detections?

...Windows Explorer, Firefox and IE are all back on my taskbar....

If you are using IE10 or above on a 64bit OS, then the pinned shortcut should be pointing to the 64bit version of IE... not the 32bit version.

The first instance of IE I'll call the parent process. The parent process does not have a visible window. It launches 32bit children (which show you websites). You can tell IE's parent process to launch 64bit children. See this post.

If you pin the 32bit version of IE10 or above to the task bar, you will be telling Windows to use the 32bit version of IE as the parent process on a 64bit Operating System. Microsoft will not let that happen on a 64bit Operating System. The 32bit version of IE will load and then it will start the 64bit version of IE as the parent process instead - then the 32bit version exits RAM.

 

[GokAy]

UsernameIssues: thanks for pointing this out. I did read your similar comment in the other thread but either it was after my last post here or I failed to remember

I will be more careful next time

 

[Sxcd1]

It appears as if I spoke to soon. Malwarebytes found 4 items and removed them. I rebooted and I'm running it again. Something also set my DNS server to an ip address for IPv4. I reset it to obtain DNS automatically.

 

[GokAy]

Did you take note of the DNS address?
OpenCandy is not serious, it is a PUP, Potentially Unwanted Program.

 

[Sxcd1]

Unfortunately I didn't take note of the DNS address. Should I just delete the directory /program files/AdaptiveController ?

 

[GokAy]

Check in Control Panel - Programs and Features, see if it is listed there. Note publisher etc info if you see it.

 

[Sxcd1]

I don't notice any programs in the list that don't belong and nothing from adaptive controller.

 

[UsernameIssues]

Sxcd1,
Please tell us if you did this:

Try browsing to IE folder in prog files x86 and right click send to:desktop, try pinning this new shortcut.

And regarding MBAM scan, did you enable rootkit scanning in settings - detections?

If you have not, then please scan again with that option enabled.

It appears as if I spoke to soon. Malwarebytes found 4 items and removed them. I rebooted and I'm running it again. Something also set my DNS server to an ip address for IPv4. I reset it to obtain DNS automatically.

That DNS change is scary. Even if you scanned for rootkits with Malwarebytes, please get a second opinion via WDO.

Unfortunately I didn't take note of the DNS address. Should I just delete the directory /program files/AdaptiveController ?

I'll let GokAy answer that.http://www.sevenforums.com/members/gokay.html


If I might be so nosy:
1) What level is your UAC set to?
2) What version of Windows 7 is installed on this computer?
(Ultimate, Pro, .....)
You might want to update your specs:
http://www.sevenforums.com/profile.php?do=extra

 

[GokAy]

** I have revised post #7 to make the correct shortcut matching the OS bit version as per UsernameIssues' reminder **

What is left in the folder? Can you take a screenshot please?

Alright, according to Malware scan of spoac.exe eba6871371dc65120662999b6baca6b485757685 - herdProtect it is PUP which runs as spoac.exe and has created a service "Adaptive Coordinator", do you see any of them in Task Manager or when you run "services.msc" respectively?