Multiple Iexplore.exe, can't reinstall AVG - Virus?


9 replies to this topic

#1 Grantyy


Posted 16 September 2009 - 09:39 PM

Hi - My computer has been slow for some time now, mainly accessing Internet pages, but over the last week it got even worse. I searched using various anti-virus progs, mainly AVG 8.5 Free and Malwarebytes; they would find threats and seemingly remove them but they would just find them again.
I noticed I was getting multiple instances of Iexplore.exe; sometimes there would be two Rundll32.exe's and about 6 svchost.exe's. Also in startup there were two Tintsetp that I could not remember seeing before, maybe one but not two. I uninstalled AVG as I thought it may be corrupted, but when I tried to reinstall it came up with a failed message. I had used Revo Uninstaller to remove it, so I tried going through the registry myself and deleted every related file apart from the ones named legend avg or something similar as they would not be moved. Still AVG would not restore, yet throughout this process Windows Security Centre showed I was fully protected and under virus protection it listed AVG, yet I knew I had removed it completely.

I looked up multiple instances of Iexplore and found a lot of info but none was really consistent. I found one guy who had posted a few times and found the files he mentioned in the reg and deleted them as there was no other reference to them on the net; I think one file started czx or something and another had olf within it. I just looked for the post but I cannot find it. I then deleted Malwarebytes and downloaded one from your site, renaming it as advised. I went to safe mode and it found one infected file, only a temp file but it mentioned schost; Malwarebytes says no action taken, though I thought I had deleted it. Meant to add that it all started when my Firefox browser kept freezing and was difficult to use, which is the only reason I went back to IE, of course to realise Iexplore was creating usually about 6 copies and it was running slow, although much more useable than Firefox was at that point. It seemed more instances of Iexplore appeared the longer I was connected. Here's the Mbam log -

Malwarebytes' Anti-Malware 1.41
Database version: 2813
Windows 5.1.2600 Service Pack 3 (Safe Mode)

17/09/2009 02:15:56
mbam-log-2009-09-17 (02-15-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 219326
Time elapsed: 22 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Granty\Local Settings\Temp\svchost.exe (Trojan.Agent) -> No action taken.

after this process thankfully AVG installed and is now showing the system tray icon, I now have four svchost.exe running which seems right to me?, but I have not used IExplorer as my firefox is working and very fast too, I have reinstalled firefox numerous times in the past and it always starts off fast but a day later it is 50% slower, I wonder if this was down to the virus as it always seems to slow down even with all add ons disabled.

Sorry about the lack of the names of the files I deleted in the reg but I really have been involved with this for hours on end, my Computer seems brighter and pages in firefox are loading like a dream for the minute at least, I do expect it to slow, though this is different as I haven't actually reinstalled it this time, just deleted some bad files so hopefully it'll hold up.

I just want to be sure my computer is clean as I have been on similar sites once before complaining of a slow pc but the anti-virus progs were not finding much. This time they have, and with the corruption of both browsers, my inability to reinstall AVG, and the fake Security Centre reassurances, I get the impression something nasty has been on my system. Hope it was not a keylogger as I registered my new card online a few days ago and that is my main concern; should I call the bank to be safe? All advice from here on in is greatly appreciated - Thanks :thumbsup:

Edited by Grantyy, 16 September 2009 - 09:53 PM.




#2 quietman7


Posted 17 September 2009 - 06:55 AM

Malwarebytes says no action taken

This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile" or save the report before having MBAM remove the threats.

Your log indicates you ran MBAM in safe mode. Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally.

To confirm if everything was removed, rescan again in normal mode and check all items found for removal. Don't forget to update MBAM through the program's interface (preferable method) and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing a new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

I now have four svchost.exe running which seems right to me?,

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe running at the same time in Task Manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate and see what services a Svchost.exe process is controlling. Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Tools to investigate running processes and gather additional information to identify them and resolve problems: these tools will provide information about each process, CPU usage, file description and its path location. If you right-click on a file and select Properties, you will see more details.

I noticed I was getting multiple instances of Iexplore.exe

If you do a Google search for multiple instances of iexplore.exe running in Task Manager, you will find numerous complaints with various causes and possible solutions. This problem could be malware or non-malware related. There are worms like W32/Lovgate-AD that will cause the same problem you are experiencing. In addition to other files it drops iexplore.exe in C:\Windows\system32. One of the ways that malware tries to hide is to give itself the same name as a critical system file like iexplore.exe. However, it then places itself in a different location on your computer. The legitimate iexplore.exe is located in the C:\Program Files\Internet Explorer folder. Make sure of the spelling. If it is iexplor.exe or iexplorer.exe, then it's malware. Also check to make sure iexplore.exe is not loading at startup as that too can be malware.

NOTE: If you are using Internet Explorer 8, it is my understanding that it will run an extra instance of iexplorer.exe as part of the Automatic Crash Recovery feature. Internet Explorer 8 will open a new process for the main window and another process with any opened tab. This feature allows Internet Explorer to prevent itself from closing when a web site in one tab crashes. It has also been reported that this utilizes high memory resources.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
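The location and spelling checks in the reply above (legitimate svchost.exe only from its known folders, iexplore.exe only from C:\Program Files\Internet Explorer, misspellings like scvhost.exe flagged outright), applied to a process snapshot as an added example that is not from the thread; the comparison is case-insensitive for the reason given later in this thread, and the (PID, path) snapshot is constructed, with the Temp\svchost.exe and system32\iexplore.exe paths taken from this page.

```python
"""Added example (not from the thread): apply the location and spelling checks
from the reply above to a process snapshot. A critical system name such as
svchost.exe or iexplore.exe is trusted only when it runs from a known-good
folder; the misspellings the reply warns about are flagged outright; the
comparison is case-insensitive because Windows file names are."""
import ntpath

# Known-good folders for a *running* copy of each name, taken from the reply
# above (Windows XP). The Prefetch entry it lists is a .pf trace, not an
# executable, so it is intentionally not included here.
KNOWN_GOOD = {
    "svchost.exe": {
        r"C:\WINDOWS\system32",
        r"C:\I386",
        r"C:\WINDOWS\ServicePackFiles\i386",
        r"C:\WINDOWS\$NtServicePackUninstall$",
    },
    "iexplore.exe": {r"C:\Program Files\Internet Explorer"},
}

# Look-alike spellings the reply calls out, mapped to the name they imitate.
LOOKALIKES = {
    "scvhost.exe": "svchost.exe",
    "iexplor.exe": "iexplore.exe",
    "iexplorer.exe": "iexplore.exe",
}


def _norm_folder(folder):
    """Lower-case and strip a trailing separator so folder paths compare equal."""
    return folder.replace("/", "\\").rstrip("\\").lower()


def classify(image_path):
    """Verdict for one image path: 'ok', 'lookalike', 'wrong-location' or
    'unknown' (a name this check does not cover)."""
    folder, name = ntpath.split(image_path)   # ntpath parses Windows paths on any OS
    name = name.lower()
    if name in LOOKALIKES:
        return "lookalike"
    if name not in KNOWN_GOOD:
        return "unknown"
    good = {_norm_folder(g) for g in KNOWN_GOOD[name]}
    return "ok" if _norm_folder(folder) in good else "wrong-location"


def triage(processes):
    """Return [(pid, path, verdict)] for every process that is neither 'ok'
    nor 'unknown', i.e. the ones worth a second opinion from a scanner."""
    hits = []
    for pid, path in processes:
        verdict = classify(path)
        if verdict in ("lookalike", "wrong-location"):
            hits.append((pid, path, verdict))
    return hits


# Constructed snapshot in the shape of a (PID, image path) list. Two of the
# suspicious paths are the ones discussed on this page: the Temp\svchost.exe
# from the first MBAM log and the system32\iexplore.exe drop from the Lovgate
# description; the PIDs and the remaining entries are made up.
SAMPLE_PROCESSES = [
    (1012, r"C:\WINDOWS\system32\svchost.exe"),
    (1100, r"C:\WINDOWS\System32\SVCHOST.EXE"),   # case differs, still legitimate
    (2012, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    (2400, r"C:\Documents and Settings\Granty\Local Settings\Temp\svchost.exe"),
    (2520, r"C:\WINDOWS\system32\iexplore.exe"),
    (2600, r"C:\WINDOWS\system32\scvhost.exe"),
    (3000, r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path, verdict in triage(SAMPLE_PROCESSES):
        print(f"{pid:>5}  {verdict:<15} {path}")
```

On a live XP box the snapshot would come from Process Explorer's path column or `tasklist /m`-style tooling; the check itself is only as good as the known-good list, which is why the reply says to verify anything uncertain with the tools it names.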

#3 Grantyy


Posted 18 September 2009 - 12:13 AM

Thanks for taking the time and for going in depth to help people like me understand a bit more, I often run scans in safe mode after I have run a standard scan but for some reason I always thought of it the other way around, that if the virus is running it may stop the program from finding it, but of course that's exactly what they are designed to do, not just look for file names but also progs running in a suspect manner, I have just never thought of it like that before, I sometimes wonder how easily a program such as AVG or Mbam could become corrupted by a virus, I guess if the system is clean when you install them that they guard well against this happening right?

I will complete all of the above later when I get in from work, Thanks again :thumbsup:

#4 quietman7


Posted 18 September 2009 - 07:04 AM

I often run scans in safe mode after I have run a standard scan but for some reason I always thought of it the other way around, that if the virus is running it may stop the program from finding it

Some security tools are designed to work differently from others and you should always familiarize yourself with the vendor's recommendations. There are many tools that work well in safe mode, but MBAM was designed to work more effectively when run in normal mode. One reason is that some types of malware will disable safe mode so you cannot use it.

Edited by quietman7, 18 September 2009 - 07:12 AM.


#5 Grantyy


Posted 24 September 2009 - 07:49 PM

Oh no, false optimism on my part, guess I still need to do what is listed above, when I said above that my security centre was showing AVG as protecting my computer when I had completely removed it well I believe the Firewall is also showing as being in force when it really isn't, is that a possibility?
I believe I had removed the majority of the bug as I had regained full control of my PC but then all of the sudden a balloon popped up and said your firewall is disabled, I don't understand how one min it's working the next it isn't, now my computer is stuck in treacle again :thumbsup: , the net is extremely slow again. I'll set my virus programs to run again then review what you have said to do previously, I have been away most of last week so hadn't had chance, likely be away most of the weekend but I will do what ever you advise ASAP.

Just a couple of questions if you don't mind

my Java may not have been up to date, is that a possible cause of all of my problems despite having a firewall, does the same go for flash?

I have just researched the bugs Mbam found and read somewhere that once you have a backdoor.bot your computer has been compromised and may be very difficult to guarantee it will ever be clean again without a full re-install, is this true because if so I may just bite the bullet and do it.

If I do I need to get a few things backed up to disk, parts of these types of malware are unlikely to be in with my documents or photos right, last thing I want is to take it with me - Thanks again for your help


Malwarebytes' Anti-Malware 1.41
Database version: 2854
Windows 5.1.2600 Service Pack 3

24/09/2009 21:13:13
mbam-log-2009-09-24 (21-13-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 202614
Time elapsed: 1 hour(s), 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
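A small parser for the Malwarebytes 1.x log format posted in this thread, added here as an example that is not from the thread or from Malwarebytes. It pulls out the two things quietman7 tells the poster to watch for, entries still marked "No action taken" (Remove Selected was never clicked) and entries marked "Delete on reboot" (nothing is gone until the machine restarts), and lists any extra program wedged into the Winlogon\Userinit value. The sample excerpt is assembled from lines of the two logs above.

```python
"""Added example (not from the thread): parse a Malwarebytes 1.x log like the
ones posted in this thread and report the entries that still need attention."""
import re
from dataclasses import dataclass

# Constructed excerpt assembled from lines of the two logs in this thread.
SAMPLE_LOG = r"""
Files Infected:
C:\Documents and Settings\Granty\Local Settings\Temp\svchost.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# "Files Infected:" opens a section; "Files Infected: 1" is a summary count and is skipped.
SECTION_RE = re.compile(r"^([A-Z][A-Za-z ]+ Infected):$")
# <item> (<Threat.Name>) -> [details -> ]<action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)\.$")


@dataclass
class Finding:
    section: str
    item: str      # file, folder or registry path
    threat: str    # e.g. Hijack.Userinit
    details: str   # Bad:/Good: or Data: text when present, else ''
    action: str    # the final '-> ...' clause


def parse_mbam_log(text):
    """Return every detection line as a Finding, tagged with its section."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue   # summary counts, blank lines, "(No malicious items detected)"
        parts = m.group("rest").split(" -> ")   # last part is the action taken
        findings.append(Finding(section, m.group("item"), m.group("threat"),
                                " -> ".join(parts[:-1]), parts[-1]))
    return findings


def userinit_extras(finding):
    """For a Hijack.Userinit entry, return the programs in the 'Bad:' list
    other than the legitimate userinit.exe; otherwise an empty list."""
    if finding.threat != "Hijack.Userinit":
        return []
    m = re.search(r"Bad: \(([^)]*)\)", finding.details)
    if not m:
        return []
    return [p for p in m.group(1).split(",")
            if p and not p.lower().endswith("userinit.exe")]


def triage(findings):
    """Group what still needs the user's attention, as the reply in #2 explains."""
    report = {"no_action": [], "pending_reboot": [], "userinit_extras": []}
    for f in findings:
        if f.action == "No action taken":
            report["no_action"].append(f.item)
        elif f.action == "Delete on reboot":
            report["pending_reboot"].append(f.item)
        report["userinit_extras"].extend(userinit_extras(f))
    return report


if __name__ == "__main__":
    for key, items in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(key, items)
```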

#6 quietman7


Posted 24 September 2009 - 09:25 PM

my Java may not have been up to date, is that a possible cause of all of my problems despite having a firewall, does the same go for flash?

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

...your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software...a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them....

Hole in Patch Process
Ghosts of Java Haunt Users

...Either update Java, or remove it. Do not refuse the updates. That gives you the worst of all possible worlds: a buggy old version of Java that might be exploited by maliciously coded web pages...

FAQs: Should I update Java?

I have just researched the bugs Mbam found and read somewhere that once you have a backdoor.bot your computer has been compromised and may be very difficult to guarantee it will ever be clean again without a full re-install, is this true because if so I may just bite the bullet and do it.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. Read Danger: Remote Access Trojans.

Although the infection can be identified and removed, the PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

If I do I need to get a few things backed up to disk, parts of these types of malware are unlikely to be in with my documents or photos right, last thing I want is to take it with me

If you are considering reformatting or doing a factory restore with a Recovery Disk/Recovery Partition due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
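The backup rules above turned into a file-by-file check, added as an example that is not from the thread: anything with one of the listed extensions is skipped, and a data-looking name that hides a second extension (the "adding and hiding its extension" trick, e.g. holiday.jpg.exe) is set aside for review rather than silently copied. The set of "data" extensions and the drive listing are assumptions; the page names only documents, photos and video.

```python
"""Added example (not from the thread): decide, file by file, what may go onto
a backup disc under the rules in the reply above."""
import ntpath

# Extensions the reply says not to back up (may be infected or carry an .exe).
DO_NOT_BACKUP = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
                 ".xml", ".zip", ".rar", ".cab"}
# Plain data types the poster wants to keep (assumed; not from the page).
DATA_EXTS = {".doc", ".txt", ".pdf", ".jpg", ".jpeg", ".png", ".avi", ".mpg", ".mov"}


def check_backup_candidate(path):
    """Return (verdict, reason) with verdict 'copy', 'skip' or 'review'."""
    name = ntpath.basename(path).lower()     # Windows names are case-insensitive
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("review", "no extension")
    ext = "." + parts[-1]
    # Any data extension sitting *inside* the name, e.g. '.jpg' in photo.jpg.exe,
    # is the disguise the reply warns about: the real type is the last one.
    hidden = {"." + p for p in parts[1:-1]} & DATA_EXTS
    if ext in DO_NOT_BACKUP:
        if hidden:
            return ("review", f"{ext} hidden behind a {sorted(hidden)[0]} name")
        return ("skip", f"{ext} is on the do-not-backup list")
    if ext in DATA_EXTS:
        return ("copy", "data file")
    return ("review", f"unrecognised extension {ext}")


def plan_backup(paths):
    """Group paths by verdict so the 'review' bucket is inspected before copying."""
    plan = {"copy": [], "skip": [], "review": []}
    for p in paths:
        verdict, _ = check_backup_candidate(p)
        plan[verdict].append(p)
    return plan


# Constructed listing of a data drive; none of these paths come from the page.
SAMPLE_FILES = [
    r"D:\Pictures\holiday01.jpg",
    r"D:\Videos\beach.avi",
    r"D:\Documents\cv.doc",
    r"D:\Pictures\holiday02.jpg.exe",
    r"D:\Downloads\setup.exe",
    r"D:\Downloads\photos.zip",
    r"D:\Documents\notes.wps",
]

if __name__ == "__main__":
    for verdict, files in plan_backup(SAMPLE_FILES).items():
        print(verdict, files)
```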

#7 Grantyy


Posted 28 September 2009 - 09:44 AM

Hi Quietman, I have done a reinstall after some problems. When I first tried doing a standard installation it kept coming up with cannot find the SWP file, can't remember the exact file name. I then realised I had another system disk which allowed me to format drive C and reinstall Windows from scratch. However, I did not format my D drive as I had a lot of video and holiday pictures that would be difficult to transfer to disk; I manually deleted pretty much everything else, in fact I only ended up with a handful of vids, pics and documents, no .exe files.

Once the reinstall had finished I updated Windows and the system restarted, then I got AVG Free 8.5 and toolbar, but then the bit that confused me is that the yellow update shield came up again and started downloading pretty slowly. When I clicked on the shield nothing happened, except when mousing over it told me how far until 100%. After all of the probs I have had I was wary of this download as I had just updated and restarted using Windows Update. In Task Manager IEXPLORE.EXE appears, which is all in capitals, though before it was in lower case. I have researched and found conflicting info, some say it can legitimately be both upper and lower, yet some sites say it is malware? I just want to be sure I am free as I am pretty sure the virus I had before involved a keylogger. Once I even noticed the lights on my modem flicking briefly in perfect sync with every key stroke, though this did not happen after that particular time.

I guess it's easy to become paranoid and I feel that although I updated and got AVG installed as quickly as I possibly could, that if something is left over there was nothing stopping it from getting in before AVG, is the IEXPLORE.EXE normal as far as you are aware as I don't understand why it would now be in caps?

Edited by Grantyy, 28 September 2009 - 09:46 AM.


#8 quietman7


Posted 28 September 2009 - 11:04 AM

Doing a Google search you may have read this comment:

IEXPLORE.EXE (all caps) located in Windows\System32 folder is a virus

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. If a file with the name is running but Internet Explorer itself is not, then that is a clue something may be amiss.

The comment example shows the process as running from the system32 folder instead of its proper location in the C:\Program Files\Internet Explorer folder.

Upper or lower-case letters in the file or folder name do not matter as Windows considers them the same. If you were to rename iexplore.exe to IEXPLORE.EXE in the C:\Program Files\Internet Explorer folder and launch the browser, it will show in Task Manager with the name in all caps. Close the browser, rename it back with lower case letters, relaunch and open Task Manager again, you will see the file name in all caps.

Do not assume case sensitivity. For example, consider the names OSCAR, Oscar, and oscar to be the same, even though some file systems (such as a POSIX-compliant file system) may consider them as different...

File Names, Paths, and Namespaces
Filenames and limitations
Quick reference: Requirements for file names in Windows

#9 Grantyy


Posted 28 September 2009 - 12:09 PM

Is this file (below in bold) anything to worry about? Found it on my system and then in the post below but not much info anywhere else. Since my re-install IE has had to close 4 times, which makes my initial thought of something still not being quite right more likely. I renamed IEXPLORE to iexplore and once I closed it and reopened it is in lower case apart from the .EXE as it does not appear in the target folder. Also there are two instances of Iexplore, one in C\program files Internet explorer, the other is C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e; don't understand why there are two and I think the latter one was lowercase and the first one was uppercase until I changed it. I have run AVG and Mbam and both have come up clean; after the fresh reinstall I would expect IE to run problem free but as I say it keeps closing. Guess I'll have to download Firefox and keep an eye on my accounts. Is there any other progs you would recommend I run, as if I had a backdoor.bot before I want to be sure I am clean now?

Hard Drive Full? - Check for iexplore.exe.exp logfile
Filed under: XP — Tags: internet explorer — ryebread @ 11:05 pm
Did you wake up this morning to find out that your 120GB hard drive was full? Take a peek in the folder where Internet Explorer resides, and check for a rogue logfile…. Delete it from C:\Program Files\Internet Explorer\iexplore.exe.exp.log and you should be all set.


I have recently discovered and deleted this file, my ? is how in the hell did it get there and what was it. There is NO information about this file anywhere on the internet.
Thanks for your assistance. Gayle

*** Here is a small portion of that file


Sorry if it's nothing just the post above worried me and I didn't know what to make of it, surely these guys (hackers) don't get enjoyment out of causing the average person all this trouble, thank god people like you go out of their way to help

#10 quietman7


Posted 28 September 2009 - 12:24 PM

If you search your computer, you may find other legitimate copies of iexplore.exe in various Microsoft related folders such as:
C:\Program Files\Internet Explorer\en-US
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ie7updates\KB969897-IE7
C:\WINDOWS\$hf_mig$\KB969897-IE7\SP3QFE
C:\WINDOWS\SoftwareDistribution\Download\803badc49670f68514bc104c4297fe82\SP3GDR
C:\WINDOWS\SoftwareDistribution\Download\803badc49670f68514bc104c4297fe82\SP3QFE

Anytime you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.



