Iexplore.exe


This topic is locked
24 replies to this topic

#1 Black_ (Members, 11 posts)

Posted 06 July 2010 - 07:38 PM

Alright, so let's begin with my PC:
Windows XP Home Edition
GeForce 260 video card
X58 3X SLI motherboard
4 GB of RAM

Story:

So recently I had my computer fixed by a place called Infotech near Sea-Tac, Washington. My mobo fried so I had it replaced.
Got it back and didn't notice anything was out of whack (was happy it just worked, to be honest, lol).
So a day or so after I got it back, I noticed my sound would cut off randomly and I would get random audio clips, short; about 3-8 seconds. I have AVG so I ran that and came up with nothing.
Checked my Windows Firewall and it was set to "OFF" (I figured that's one of the things that Infotech place does to run their programs to diagnose an issue). So I set my firewall to "ON" and rebooted my PC.
I checked the firewall again right after startup and noticed it was "OFF" again. It did it 4-5 times. I even just checked now and it was off. Every time I boot up my computer it seems to be set to "OFF".

After that I soon discovered IEXPLORE.EXE in my Task Manager, and every time I ended the process it would rear its ugly head again a few seconds later. I have googled "random advertisements" and "Iexplore.exe", and detailed guides of what to do have led me to this website. I have looked into multiple topics about the same exact problem and have tried many things, and the iexplore.exe will not go away. Here's what I've done so far.

I had my roommate install Malwarebytes when I was at work. It first found 2 random spywares and I just deleted 'em. I have run MBAM 8 more times to no avail; it found nothing.
Just about 10 minutes ago I uninstalled it, re-installed it and renamed the .exe file.
It found 2 trojans: [LOG BELOW]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4285

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/6/2010 5:09:16 PM
mbam-log-2010-07-06 (17-09-16).txt

Scan type: Quick scan
Objects scanned: 143770
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\admin\Local Settings\Temp\loader.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temp\smss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.



Trojan Remover installed, run, and found absolutely nothing 3 times.
I dl'd a free trial of ZoneAlarm (which I found out to be a firewall) lol.
Ending the process iexplore.exe and it will pop up within 5 seconds again.
Tried going into Search and deleting the iexplore.exe file, which is NOT under "C:/Windows/etc"; it will go into the Recycle Bin, but if I search again it will just make a copy.
Installed SuperAntiSpyware, updated preferences. Rebooted into Safe Mode and did a scan. I clicked "Administrator" and it did delete a trojan. I rebooted into normal mode and the file was still there.
NOTE: There are 2 users on my PC (I am the only one that uses it, by the way): 1: Administrator, 2: Admin. I currently use the "Admin" one, not "Administrator".
I went into Safe Mode in "Admin" and SAS did not find a trojan on a complete full scan.

This file will not go away no matter what I do.

I am running out of options and am very annoyed at this trojan/virus/malware. I made an account today (even introduced myself :thumbsup:) just because I believe you guys here know how to finally deal with this problem.

I will be near my PC as much as I can to assist you guys ASAP to get this fixed. I do realize you guys go on a first come, first served basis and I have no problem waiting a short amount of time. Thank you and I look forward to hearing back!




I forgot to mention: I found a trojan when I was in Safe Mode in the main Administrator user, quarantined it and deleted it, then searched for "iexplore.exe" and it did find the fake one. I deleted it and it DID stay deleted. It does not show up in the Task Manager in Safe Mode under the Administrator user. But the moment I reboot into Safe Mode under "Admin" or reboot normally, it is there.

Thanks

Edited by Black_, 06 July 2010 - 10:11 PM.



#2 Black_ (Topic Starter, Members, 11 posts)

Posted 06 July 2010 - 10:37 PM

Numerous times as well I have deleted the file under C:Windows/Prefetch/iexplore.exe/27122324.pf
It came back every time, so I'm assuming there's a hidden file 'somewhere'. I've tried scanning for rootkits with AVG and came up with nothing multiple times.
I've scanned the file instantly with AVG, SAS, MBAM, TR (TrojanRemover) and Ad-Aware; all came up with nothing.

I can't play games, watch game videos/previews, or any anime.

I realize you guys are busy and I am not intentionally bumping my topic just to get answered, I am still trying as much as I can to get this fixed and am trying different things and posting on here.

Thank you.

#3 Black_ (Topic Starter, Members, 11 posts)

Posted 07 July 2010 - 09:09 PM

I realize that others are getting help before I have received any assistance. I also realize that someone "may" be working on my problem, but I have yet to receive any such response.

now...Update:

I ran Safe Mode in my regular user "Admin" last night and SAS found "Trojan.Agent Gen Nullo[Micro]", and I quarantined it and deleted it. So I rebooted to make sure it's removed fully and, to my amazement, the Iexplore.exe is not on my list in Task Manager. YAY... but my happiness was short-lived.
About 30 minutes after I found/quarantined/removed the trojan, I exited from my full-screen game and my mouse pointer kept redirecting itself to the top left of my screen. Then I decided to look in Task Manager, and YUP, iexplore.exe is right back on the damn list. Then a few seconds later I get more random audio clips and sometimes my windows get un-selected.

Please assist, I've done all that I can and cannot figure out what this issue is. I've been patient in waiting for a response and from the looks of it, it seems to be a problem you guys have dealt with before. I've done everything from those old topics and I still have this issue.

#4 IndoSlim (Members, 18 posts)

Posted 07 July 2010 - 10:46 PM

I'm having the exact same problem! I've posted it here also, but, like you, have yet to receive an answer. If you find a solution please post it, and if I find one, I will do the same. Thanks.

#5 MistaFake (Members, 5 posts)

Posted 09 July 2010 - 07:25 PM

Same exact thing, dude.
I thought I got rid of it, started to play some Counter-Strike: Source, and what do you know, iexplore.exe is up and running again...

Not to advertise, but they found a solution. http://forums.majorgeeks.com/showthread.php?t=217807
I tried it but there was no extra smss or services.exe.... so yeah, I'm sad right now.

Edited by MistaFake, 09 July 2010 - 07:28 PM.


#6 boopme, To Insanity and Beyond (Global Moderator, 72,759 posts, Gender: Male, Location: NJ USA)

Posted 09 July 2010 - 08:43 PM

Hello, unfortunately what happened here is all the posts. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 or more replies. A team member looking for a new topic to work on may assume another team member is already assisting you and not open the thread to respond.


That said, you need to update and rerun MBAM... The others need a new topic, as all the help may not be the same.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Now an online scan... ESET
Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX control that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (Please be patient, as the scan could take some time to complete.)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


Finally, a rootkit scan with GMER
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 Black_ (Topic Starter, Members, 11 posts)

Posted 09 July 2010 - 09:14 PM

Did MBAM again:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4298

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/9/2010 7:11:27 PM
mbam-log-2010-07-09 (19-11-27).txt

Scan type: Quick scan
Objects scanned: 148349
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Gonna reboot into normal mode again and do ESET.


ESET:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fbf2ec7fbe58bf43a8a6ea2f39c38e8c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-08 03:38:49
# local_time=2010-07-07 08:38:49 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=16510
# found=3
# cleaned=3
# scan_time=564
C:\Documents and Settings\admin\Application Data\Sun\Java\Deployment\cache\6.0\10\39bd360a-703f9e48 a variant of Win32/TrojanDownloader.Unruy.BZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\admin\Local Settings\Temp\42720656.exe a variant of Win32/TrojanDownloader.Unruy.BZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\admin\Local Settings\Temp\42870062.exe a variant of Win32/TrojanDownloader.Unruy.BZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fbf2ec7fbe58bf43a8a6ea2f39c38e8c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-10 02:57:53
# local_time=2010-07-09 07:57:53 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=5891 16776869 100 100 0 8228838 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=100057
# found=0
# cleaned=0
# scan_time=2415

Edited by Black_, 09 July 2010 - 10:02 PM.


#8 boopme, To Insanity and Beyond (Global Moderator, 72,759 posts, Gender: Male, Location: NJ USA)

Posted 09 July 2010 - 09:27 PM

OK, we need that ESET log to be sure.

#9 FPSFan (Members, 26 posts)

Posted 09 July 2010 - 09:30 PM

Sorry to be throwing this in here, but you may be infected by the Whistler Bootkit. It evades GMER scans.

Edit: Link removed. Thank you, but we do not feel that is a safe way to remove a rootkit like that anymore. We prefer they are removed in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

Edited by boopme, 14 July 2010 - 07:10 PM.


#10 boopme, To Insanity and Beyond (Global Moderator, 72,759 posts, Gender: Male, Location: NJ USA)

Posted 09 July 2010 - 09:39 PM

I'm waiting on ESET to see... Thank you.

Edited by boopme, 10 July 2010 - 04:44 PM.


#11 Black_ (Topic Starter, Members, 11 posts)

Posted 10 July 2010 - 12:11 AM

I posted the ESET by editing my last post.

I unplugged my internet connection to my PC and ran GMER; it didn't find anything other than normal. (Cannot post log as GMER decided to go "Not responding" when I tried to save the log to my desktop.)

Sidenote: When I was offline doing the GMER scan I noticed the windows would be unselected as if I had clicked the background; the different tabs would be grayed out. Also I opened up Task Manager and iexplore.exe kept bumping itself to the top and random places. I noticed I had services.exe, which I don't recall having at an earlier time. It seemed as if the trojan/malware/whatever was trying to boot itself up in cycles somehow, but couldn't because I wasn't connected to the internet. My CPU usage was 35-50% the whole time as I was running GMER while I had Task Manager up. (Not sure if that's normal.)

And all of a sudden, since your response (boopme) to run MBAM and ESET, I've had constant "Not responding" windows/tabs. Could not select anything; had to shut down the PC from the power switch on the back of the tower.

#12 boopme, To Insanity and Beyond (Global Moderator, 72,759 posts, Gender: Male, Location: NJ USA)

Posted 10 July 2010 - 04:47 PM

This is a piece of malware that alters the Master Boot Record of your hard disk. Once that is done, it can facilitate all kinds of malware, as in your case the two processes running from the System Restore directory.

To confirm this, do the following:

In case you don't have an archive extractor installed already:
Please download 7zip and install the program on your computer (we need this program in order to be able to unzip the tool that can delete Bootkit Whistler).

When 7zip is successfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right-click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double-click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next reply.

#13 Black_ (Topic Starter, Members, 11 posts)

Posted 10 July 2010 - 05:39 PM

I downloaded 7zip and the bootkit remover, here is the log from the process:

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 8cedfa5de235f2c6eceb00dafafd92fd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
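Bootkit Remover's "Unknown boot code" verdict comes from looking at the first sector of the disk. As an added example (not code from this thread or from eSage Lab's tool), the script below shows how a defender can inspect a 512-byte MBR dump such as the output of `remover.exe dump`: verify the 0x55AA boot signature, decode the four partition entries, and hash the boot code against a baseline taken from a machine known to be clean. The baseline hash, the sample sectors and the helper names are all constructed for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code precedes the 4-byte disk signature
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = 0xAA55        # bytes 55 AA at offset 510, read little-endian
# Placeholder baseline (assumption): put the MD5 of your own clean boot code here.
KNOWN_GOOD_BOOT_CODE_MD5 = {"<md5-of-clean-boot-code-placeholder>"}

def baseline_from(clean_mbr: bytes) -> set:
    """Baseline set from a sector you trust, e.g. a dump taken from a clean disk."""
    return {hashlib.md5(clean_mbr[:BOOT_CODE_LEN]).hexdigest()}

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte primary partition entries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def inspect_mbr(mbr: bytes, known_good: set = None) -> dict:
    """Report a status like the tool's 'MBR Status' column plus sanity findings."""
    if known_good is None:
        known_good = KNOWN_GOOD_BOOT_CODE_MD5
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte master boot sector")
    findings = []
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition {p['index']} type {p['type']:#04x} starts at LBA 0")
    boot_md5 = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()
    status = "Known boot code" if boot_md5 in known_good else "Unknown boot code"
    return {"status": status, "boot_code_md5": boot_md5,
            "partitions": parts, "findings": findings}

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): given boot code, one
    active NTFS partition starting at LBA 63, valid boot signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"      # disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312000000)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + disk_sig + table + struct.pack("<H", BOOT_SIGNATURE)

# Constructed samples: a "clean" sector and one whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed clean loader")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c" + b"constructed replaced boot code")
NO_SIG_MBR = CLEAN_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    base = baseline_from(CLEAN_MBR)
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = inspect_mbr(sector, base)
        print(f"{name}: {r['status']} md5={r['boot_code_md5']} findings={r['findings']}")
```

A matching boot-code hash only says the sector equals your baseline; an unknown hash is a reason to dump and read the sector, not proof of infection on its own.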

#14 boopme, To Insanity and Beyond (Global Moderator, 72,759 posts, Gender: Male, Location: NJ USA)

Posted 10 July 2010 - 05:45 PM

Click Start, Run, then copy and paste the below into the Run box and click OK.
"%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0
Now reboot your PC and after the reboot continue with the below instructions.
Disable System Restore on all drives.
Look for the below folder and, if it still exists, delete it.
C:\System Volume Information\Microsoft


Disabling System Restore

#15 Black_ (Topic Starter, Members, 11 posts)

Posted 10 July 2010 - 06:24 PM

Ran the command and rebooted my computer.
After I rebooted and disabled system restore on all drives, I looked for the C:\System Volume Information\Microsoft folder but it was nowhere to be found on my computer.

(Thank you for your help by the way, I really appreciate it)
