
Ieplore.exe Running Continuously As A Process


14 replies to this topic

#1 upallnite (Members, 12 posts)

Posted 06 July 2006 - 05:22 PM

Hi to all. I'm new to this forum, but in my past 3 days of searching for an answer, this is the only one I've joined, because it seemed to have the best layout and information.

Problem:
Hit a website with IE, and was immediately infected (with something or many things).
Ran HijackThis, Ad-Aware, ewido, BitDefender Pro, Spybot S&D, and WinTasks Pro 5. All this found lots of stuff, and fixed said stuff.
However, iexplore.exe is running continuously as a process. Now, I cannot connect to the Internet by any means. If I delete/stop the process with the Task Manager or WinTasks Pro, it immediately comes back. If I boot to SAFE MODE, I cannot delete/stop the process at all. In SAFE MODE, the iexplore.exe process starts and stops (appears and disappears) on its own (in Task Manager), ~ every 1/2 second. This causes the CPU to be used 100%.
My search found topic57109 here that appears to be the same issue. Other searches also lead me to believe that the answer is with Prevx1. However, Prevx1 requires an active connection to the Internet by the infected computer, which I do NOT have.
I've put about 20 hours into this mess, and would GREATLY appreciate any help I can get.
Thanx.
upallnite
Yust call me Sven.
Remember, no matter where you go, there you are.


#2 boopme (Global Moderator, 73,490 posts, NJ USA)

Posted 06 July 2006 - 08:56 PM

hi upallnite, Welcome to the forum :thumbsup:

Possible solution

If you are running the Yahoo! Toolbar, a fix has been released to help prevent this problem. Go to the Yahoo! Toolbar website and click Download the Yahoo! Toolbar.

Yahoo Toolbar
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 upallnite (Topic Starter)

Posted 06 July 2006 - 09:31 PM

Hi boopme,

Thanx for the response. Unfortunately, it's not gonna be that easy. No, I do not have Yahoo or Google toolbars added. I'm pretty sure this is malicious stuff, since the multitude of scans I have done did find and clean several viruses.
Now, all scans that I can do turn up nothing. But, iexplore.exe is still banging away as a process that is immediately returned if stopped (Normal boot mode), and cannot be stopped in Safe Mode.
Unfortunately, I can't run Prevx1 because I cannot connect to the Internet.
Again, any help will be GREATLY appreciated.
Thanx, in advance.
upallnite

#4 boopme (Global Moderator)

Posted 06 July 2006 - 10:10 PM

Sorry it was a no go, but we tried. I assume you have XP. I was also reading some things on removing unnecessary browser add-ons, but you cannot get there, can you?

There is also an IE repair tutorial here.

If all else fails I suggest you copy your 1st post and submit a HiJack log to one of the BC experts. Those instructions are HERE

Sometimes self-repairing an HJT log only stops things from happening and doesn't cure the problem.
Note once you submit the log MAKE NO MORE CHANGES to your PC until told what to do by the team member.

#5 Gyro (Members, 289 posts)

Posted 07 July 2006 - 03:39 AM

Alrighty, you can try a few things at this point. First and foremost, you can go to zdnetdownloads.com and download something called Unlocker, install it on the computer, boot it up in safe mode and try deleting the file that way. However, most viruses like this have backups, so really you need to isolate it. You can do this a few ways: go to your start bar and run msconfig, then go to your boot and see if you can stop it from booting up. However, some registry files don't show up here; if this is the case, follow this guide http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/

If all else fails, if you're running XP you can do a System Restore to where this wasn't happening; ME supports this feature as well. Keep in mind that the registry is delicate, and don't go unchecking everything; back up your registry if at all possible. And remember, I can't be held too accountable if ya mess up :thumbsup:

#6 upallnite (Topic Starter)

Posted 07 July 2006 - 06:02 AM

Thanx, all. I'll try a few of these items after I get back from work (yuck!). Then, if necessary, I'll post an HJT log. BTW, yes, I'm running XP Pro SP1.

#7 quietman7 (Global Moderator, 51,768 posts, Virginia USA)

Posted 07 July 2006 - 08:08 AM

iexplore.exe or ieplore.exe? Check your spelling. ieplore.exe is related to Trojan/Backdoor.Powerspider.B which adds a startup entry to your registry. See here. iexplore.exe is the main executable for Microsoft Internet Explorer but it can also be bad depending on its location.

Download and scan with Ewido Anti-Spyware v4.0 in "SAFE MODE".
Print out the Ewido Install and Scan Instructions.

Download and scan with Sysclean Package also in safe mode after scanning with ewido.
1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
2. Place the sysclean.com inside that folder.
3. Then download the latest Virus Pattern Files (lptXXX.zip).
4. Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
5. Close all open applications and DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first.
6. Open the Sysclean folder and double-click on sysclean.com to run.
7. It will take some time to complete. Be patient and let it clean whatever it finds.
8. Exit when done and re-enable your anti-virus program.

Then perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan
a-squared Web Malware Scanner
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
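The two checks quietman7 makes above (is the name really iexplore.exe, and is a genuine name running from the directory it belongs in) can be scripted against a process snapshot. The following is an added example, not code from this thread or any BleepingComputer tool: it takes (process name, image path) pairs as you would copy them from Task Manager or `tasklist`, flags a well-known name running from an unexpected directory, and flags any name within two edits of a well-known one (ieplore.exe is one edit from iexplore.exe). The EXPECTED_DIRS table is an assumption for a default Windows XP install on C:, and SAMPLE_PROCESSES is a constructed snapshot.

```python
"""Triage a Task Manager / tasklist snapshot for lookalike and misplaced binaries.

Added example for this thread, not code from the page. The process list is
constructed in-line; the EXPECTED_DIRS table assumes a default Windows XP
install on C:.
"""
import ntpath

# Well-known Windows binaries that malware imitates, mapped to the directory
# each legitimately runs from (assumption: default XP install on C:).
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Maximum edit distance at which a process name counts as a lookalike:
# ieplore.exe is 1 from iexplore.exe, scvhost.exe is 2 from svchost.exe.
LOOKALIKE_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes):
    """Return (name, path, reason) for every process worth a second look.

    A genuine name running from an unexpected directory is flagged, and so is
    any other name within LOOKALIKE_DISTANCE edits of a well-known one.
    """
    findings = []
    for name, path in processes:
        name_l = name.lower()
        dir_l = ntpath.dirname(path).lower()   # ntpath handles Windows paths on any OS
        if name_l in EXPECTED_DIRS:
            if dir_l not in EXPECTED_DIRS[name_l]:
                findings.append((name, path, "genuine name, unexpected location"))
            continue
        for known in EXPECTED_DIRS:
            d = edit_distance(name_l, known)
            if d <= LOOKALIKE_DISTANCE:
                findings.append((name, path, "lookalike of %s (edit distance %d)" % (known, d)))
                break
    return findings


# Constructed snapshot: the thread's two spellings side by side, a genuine
# iexplore.exe in the wrong directory, a genuine svchost.exe and a transposed one.
SAMPLE_PROCESSES = [
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplore.exe", r"C:\WINDOWS\system32\iexplore.exe"),
    ("ieplore.exe", r"C:\WINDOWS\ieplore.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("scvhost.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\scvhost.exe"),
]

if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_PROCESSES):
        print("%-14s %-50s %s" % (name, path, reason))
```

The first entry in the sample is left alone, which is the point: a name on its own proves nothing, and the location check is what separates the real browser from a copy dropped into system32. A copy in the right directory with the right name is beyond this check and needs a hash or signature comparison, as upallnite does by hand in post #8 against a clean machine.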

#8 upallnite (Topic Starter)

Posted 07 July 2006 - 11:31 PM

Hi quietman7,

Oops - my bad. It's a spelling error (I just checked, again, to be sure). The continuous process is indeed iexplore.exe. The file itself (iexplore.exe) seems to be the good one. I checked it against the one on the uninfected computer I'm using now. A search of the entire C: drive shows this file in C:\Program Files\Internet Explorer, C:\Windows\$NtServicePackUninstall$, C:\Windows\ServicePackFiles\i386. There is, however, a similar file, IEXPLORE.EXE-27122324.pf in C:\Windows\Prefetch. I don't know about this one.
The real killer is the fact that iexplore.exe is forced into running as a process that can be stopped, but immediately comes back, in NORMAL MODE. It's also running as a process that's stopped and restarted ~ every 1/2 second in SAFE MODE, so you can't kill it.
Unfortunately, I've been unable to find what's doing that up to now.
I've downloaded the latest ewido stuff, and printed your instructions. I'm about to embark on this new quest. This scan will take forever, because the behaviour of this beast causes 100% CPU usage in SAFE MODE. I'll post the results when it's finally done.
Again, thanx SO MUCH for your help!
upallnite

#9 quietman7 (Global Moderator)

Posted 08 July 2006 - 06:28 AM

You're welcome. Post back if you need further assistance.

#10 upallnite (Topic Starter)

Posted 09 July 2006 - 05:16 PM

Hi again quietman7,

Well, it looks like I still need some help.

Downloaded & updated (via files from other PC) the ewido stuff & ran scan.
(Thanx again, for the directions on how to do that without an Internet connection.)
It found artm_new.dll and identified it as Trojan.Agent.oh, but it couldn't quarantine it.
I tried to delete it from C:\Documents and Settings\All users\Documents\Settings, but it couldn't be deleted.
In all my research, I remembered seeing KillBox. Got that from other PC & used it to delete the file on reboot.
VOILA! It was gone & iexplore.exe was no longer being launched as a process from hell! Yeeeeehaaaaaw!
I then did the sysclean thing, which took FOREVER, since I have thousands of my digital pix files on the PC.
All came up okay, nothing found.
But, ...
Now, one problem still exists.
When I login as me (an administrator), I cannot launch the TaskManager.
I get a message that it has been disabled by the administrator. When I login as Administrator, I can use the TaskManager.

Thanx, in advance, for your help.

upallnight

#11 quietman7 (Global Moderator)

Posted 10 July 2006 - 04:06 AM

It's possible you have some other malware on your system that the previous scans did not find. It's time to have a deeper look at what's going on with your system by creating a HijackThis log.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log".
When you have done that, post a log in the HijackThis Logs and Analysis Forum, not here, for assistance by the HJT Team Experts.

Start a new topic, give it a relevant title and post the log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

#12 upallnite (Topic Starter)

Posted 10 July 2006 - 05:25 AM

Thanx again, quietman7,

I'll work on the HJT log posting later tonight (after work)

upallnite

#13 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 10 July 2006 - 05:59 AM

Hi,

When I login as me (an administrator), I cannot launch the TaskManager.
I get a message that it has been disabled by the administrator. When I login as Administrator, I can use the TaskManager.


Perform this:

Open Notepad and copy and paste the text in the box below into it (don't forget to copy and paste the REGEDIT4 line):

REGEDIT4

; "=-" removes the value (the policy that disables Task Manager) from this key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

Save this as fix.reg, choose to save as "All files", and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
In case you still are unsure how to create a reg file, take a look here with screenshots.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 upallnite (Topic Starter)

Posted 11 July 2006 - 05:51 AM

Hi miekiemoes,

Thanx, that worked great!

Does this mean I'm probably not further infected, and I don't have to do the HJT stuff (Prevx1 & ewido are not finding anything else)?

One more item, please.
I also noticed (simultaneously) that the desktop seems to have the background wallpaper locked somehow. I can't change it. When I click the Display Properties Desktop tab, the Browse, Position, and Color boxes are grayed out, and the Background selection box has the scroller locked all the way at the bottom, showing the Internet Explorer icon. The screen background is solid blue, but I notice that when I log out, for an instant before returning to the login screen, my previously selected Azur wallpaper displays, then disappears.

Thanx, in advance for your help.

upallnite

#15 miekiemoes (Malware Response Team)

Posted 11 July 2006 - 06:36 AM

Hello,

Perform next:

Open Notepad and copy and paste the following into it:

rem export the per-user policy tree and the Active Desktop components to text files
regedit /e peek1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
rem join both exports into look.txt, remove the temporary files and open the result
type peek1.txt >> look.txt
type peek2.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat, choose to save as "All files", and place it on your desktop.
Double-click look.bat.
Notepad will open with some txt in it. Copy and paste the contents in your next reply.
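The look.txt that look.bat writes is a regedit export, and reading it by eye is how the responder spots the lockdown values. The following added example (not miekiemoes's tool and not from this thread) parses that format and reports the policy values behind both symptoms in this thread: the DisableTaskMgr value that fix.reg in post #13 removes, the NoChangingWallPaper / NoDispBackgroundPage values that produce a grayed-out Desktop tab like the one in post #14, and any Active Desktop component whose Source points at a local file. SAMPLE_EXPORT is a constructed export; the value names in LOCKDOWN_VALUES are the documented Windows policy names, while the explanations and the function names are ours. A Version 5.00 export written straight by regedit is UTF-16, so open it with that encoding if you feed the file in directly instead of pasting the text.

```python
"""Parse a regedit /e export (the look.txt that look.bat writes) and flag
user-lockdown policies and Active Desktop components.

Added example for this thread, not the forum's own tool. SAMPLE_EXPORT is a
constructed export; the policy value names in LOCKDOWN_VALUES are the
documented Windows policy names, the explanations are ours.
"""
import re

# (tail of the key path, value name) -> what the value locks, all lower-case.
LOCKDOWN_VALUES = {
    ("policies\\system", "disabletaskmgr"): "Task Manager disabled",
    ("policies\\system", "disableregistrytools"): "Registry Editor disabled",
    ("policies\\system", "nodispbackgroundpage"): "Display Properties: Desktop tab hidden",
    ("policies\\system", "nodispcpl"): "Display Properties hidden entirely",
    ("policies\\activedesktop", "nochangingwallpaper"): "wallpaper change blocked",
    ("policies\\explorer", "norun"): "Start > Run removed",
    ("policies\\explorer", "nofolderoptions"): "Folder Options removed",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4 / 5.00 export.

    Hex data split over lines with trailing backslashes is re-joined; the
    default value is stored under the name "@"; raw_data keeps the export's
    own encoding (dword:..., "string", hex:...).
    """
    keys = {}
    current = None
    pending = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # data continues on the next line
            pending = line[:-1]
            continue
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2)
    return keys


def is_set(data):
    """True when the raw data enables a policy: a non-zero dword, or any
    non-empty non-dword data. The "=-" delete marker does not count."""
    d = data.strip()
    if d.lower().startswith("dword:"):
        return int(d[6:], 16) != 0
    return d not in ("", '""', "-")


def reg_string(data):
    """Unquote a REG_SZ literal: strip the quotes and undo the \\\\ and \\" escapes."""
    d = data.strip()
    if len(d) >= 2 and d[0] == d[-1] == '"':
        d = d[1:-1]
    return re.sub(r"\\(.)", r"\1", d)


def find_lockdowns(keys):
    """Return (key, value_name, raw_data, explanation) for each enabled lockdown."""
    findings = []
    for key, values in keys.items():
        key_l = key.lower()
        for name, data in values.items():
            for (key_tail, value_l), why in LOCKDOWN_VALUES.items():
                if key_l.endswith("\\" + key_tail) and name.lower() == value_l and is_set(data):
                    findings.append((key, name, data, why))
    return findings


def active_desktop_components(keys):
    """Return (key, source) for each Active Desktop component in the export;
    a component whose Source is a local HTML file replaces the wallpaper."""
    out = []
    for key, values in keys.items():
        if "\\internet explorer\\desktop\\components\\" in key.lower() and "Source" in values:
            out.append((key, reg_string(values["Source"])))
    return out


# Constructed export in the shape look.bat produces (both trees concatenated).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\desktop.html"
"SubscribedURL"="C:\\WINDOWS\\desktop.html"
"FriendlyName"=""
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,00,00,\
  00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,01,00,00,00,00,00,00,00
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for key, name, data, why in find_lockdowns(parsed):
        print("%s\n    %s=%s  -> %s" % (key, name, data, why))
    for key, source in active_desktop_components(parsed):
        print("%s\n    Source -> %s" % (key, source))
```

Every value find_lockdowns reports can be removed the same way fix.reg in post #13 removes DisableTaskMgr: a "Name"=- line under the same key. A component reported by active_desktop_components is the first place to look when the Background list is stuck on an Internet Explorer icon, and its Source file is worth keeping for the HJT team rather than simply deleting.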



