IEXPLORE.EXE on startup. Am I infected?


7 replies to this topic

#1 loboloco51290

Posted 04 March 2016 - 12:48 AM

Hello BC community!

 

I recently updated my HP ENVY m6 Notebook with Intel Core i7-3632QM to Windows 10 Home 64 bit and went through pretty much every step in your Slow Computer/browser? Check Here First , including running Autoruns. I found this under Image Hijacks:

 

C:\Program Files\Internet Explorer\IEXPLORE.EXE - Internet Explorer - Microsoft Corporation - c:\program files\internet explorer\iexplore.exe

 

...which in your startup database is listed as an UP added by the RBOT-EY worm. I hesitate to remove it before consulting with you all...

 

I also:

 

Ran a Malwarebytes custom scan to include rootkits, and cleaned the PUP it found, but IEXPLORE.EXE wasn't on the list.

 

Ran Panda Cloud Cleaner, which found 2 "suspicious policies":

 

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

 

When I tried to remove/clean them, Panda Cleaner crashed. I unfortunately don't have access to the dialog box's exact text anymore, but essentially it said "Panda Cloud Cleaner encountered an error and had to close".

 

My computer is not particularly slow, and does not display any particularly strange behavior.

 

Keep in mind I know very little about all of this... in fact it's worse; I don't know how much I know or don't know about all this. So, thank you all for your help in advance :)



#2 garioch7

Malware Response Instructor
Posted 04 March 2016 - 06:14 AM

Bee24:

:welcome: to the Bleeping Computer Am I Infected? What Do I Do? Forum. My name is Phil, and if you would permit, since we will be working together, I would like to address you by your first name, if that is alright with you.

I have done some research on the issue of iexplore.exe appearing in the "Image Hijack" tab of Autoruns. I have the same entry on my computer, but iexplore.exe is in lower case, not upper case. From what I have read, just because an entry appears in the Autoruns "Image Hijack" tab doesn't necessarily mean that it is malware-related.

Let's run a couple of preliminary scans to see if there is anything nefarious lurking about on your computer.



:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; how to do so can be found here.

  • Click this link to open ESET OnlineScan.
  • Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
  • When prompted, allow the Add-On/ActiveX to install.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Then click the Start button and ESET will download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!



:step2: Download and install Malwarebytes Anti-Malware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.2.*.****.exe and follow the prompts to install the program ( * = program version numbers may vary - always get the latest version).
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your next reply.

 

 

I would like you to paste the logs from both scans into your next reply. I will examine those and determine what our next step should be. If there is evidence of serious infection, you might have to open a new thread in the Virus, Trojan, Spyware and Malware Removal Logs Forum, but let's not get ahead of ourselves yet.

If I haven't responded to your reply in 24 hours, please send me a personal message.

Have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
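The point Phil makes above, that an entry in the Autoruns "Image Hijacks" tab is not by itself evidence of malware, can be checked directly rather than by eye. The script below is an added example and is not from the thread, from Autoruns or from any of the tools named here. It walks the registry locations Autoruns groups under Image Hijacks (Image File Execution Options "Debugger" values, and the shell\open\command handlers for .exe and HTML files), pulls the executable out of each command line, and verifies that the file exists and carries a valid Authenticode signature. Which of these keys produced Oscar's entry is not shown in the post, so the script checks all of them; the regex that extracts the executable path is an assumption for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): enumerate the registry locations
# that Autoruns groups under "Image Hijacks" and verify the executable each one
# points at. Run from an elevated PowerShell prompt.

$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# shell\open\command handlers: whatever is named here runs instead of, or in
# front of, the file the user double-clicked.
$handlerKeys = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\htmlfile\shell\open\command',
    'HKCU:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\SOFTWARE\Classes\htmlfile\shell\open\command'
)

function Get-ExePathFromCommand([string]$Command) {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1
    # (regex is an assumption for illustration; -match is case-insensitive)
    if ($Command -match '^\s*"?([^"]+?\.exe)"?') { return $Matches[1] }
    return $null
}

function Test-HijackTarget([string]$Location, [string]$Command) {
    $exe = Get-ExePathFromCommand $Command
    if (-not $exe) {
        # e.g. exefile's stock value is "%1" %* : it names no executable at all
        return [pscustomobject]@{ Location = $Location; Command = $Command; Exists = $null; Signature = 'n/a'; Signer = '' }
    }
    $exe    = [Environment]::ExpandEnvironmentVariables($exe)
    $exists = Test-Path -LiteralPath $exe
    $status = 'missing'
    $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Location = $Location; Command = $Command; Exists = $exists; Signature = $status; Signer = $signer }
}

$results = @()

# 1. IFEO: a "Debugger" value under <image name> makes Windows launch that
#    program instead, with the original command line appended to it.
foreach ($root in $ifeoKeys) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $results += Test-HijackTarget "IFEO\$($sub.PSChildName)" $dbg }
    }
}

# 2. File-type open handlers.
foreach ($key in $handlerKeys) {
    if (-not (Test-Path $key)) { continue }
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd) { $results += Test-HijackTarget $key $cmd }
}

$results | Format-Table -AutoSize -Wrap
```

A benign result looks like the entry in the post: the htmlfile handler pointing at iexplore.exe under Program Files, Exists True, Signature Valid, Signer beginning "CN=Microsoft Corporation". The case of the path (IEXPLORE.EXE versus iexplore.exe) is not a signal either way, since Windows file paths and registry data are compared case-insensitively. What does deserve a closer look is any IFEO Debugger value at all, or a handler whose executable is missing, unsigned, or lives outside Windows and Program Files. Autoruns can show the same signature information if "Verify code signatures" is enabled under Options.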


#3 loboloco51290

Posted 05 March 2016 - 12:13 PM

Hello Phil, thank you for your response. First names work for me, I'm Oscar.

(What/who's "bee24"?)

 

Here are the logs you asked for:

 

 

ESET found one:

 

C:\Users\Oscar\AppData\Roaming\uTorrent\updates\3.3.1_30003.exe - a variant of Win32/AdkDLLWrapper. A potentially unwanted application - cleaned by deleting

 

 

Malwarebytes found 17:

 

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 2016-03-03
Scan Time: 04:49
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.03.02
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Oscar
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 843769
Time Elapsed: 7 hr, 5 min, 59 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 11
 
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [f06e4a391386d6606f51c3f139c93ec2], 
 
PUP.Optional.Wajam, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [f06e4a391386d6606f51c3f139c93ec2], 
 
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}, Quarantined, [f06e4a391386d6606f51c3f139c93ec2], 
 
PUP.Optional.Wajam, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}, Quarantined, [fc62b7cceeab4fe74a753a7a21e155ab], 
 
PUP.Optional.TopArcadeHits, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{CF190686-9E72-403C-B99D-682ABDB63C5B}, Quarantined, [b5a9f3906732a591e674a014d52d8e72], 
 
PUP.Optional.Amonetize, HKLM\SOFTWARE\CLASSES\Updater.AmiUpd, Quarantined, [ef6fbbc84d4cc670d782a93d06fd7e82], 
 
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\CLASSES\Updater.AmiUpd, Quarantined, [cb9393f055443cfafa5f4b9b45be47b9], 
 
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\LCGNMDIPGAJOFMPANHPDINHKGMEIFMDO, Quarantined, [9fbf2c571e7b82b46a7234ded52ebc44], 
 
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\LCGNMDIPGAJOFMPANHPDINHKGMEIFMDO, Quarantined, [6af4f98ac1d88da979642ee4a06354ac], 
 
PUP.Optional.Conduit, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{87D2D8FE-3975-40EB-A39D-A58203EEB5DC}, Quarantined, [9bc3c6bd0c8d88ae9dc95699b35039c7], 
 
PUP.Optional.Spigot, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{97837963-3134-4928-86DD-0F379C452FB4}, Quarantined, [bf9f1e65c7d21d193d20a7730df76799], 
 
Registry Values: 6
 
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\lcgnmdipgajofmpanhpdinhkgmeifmdo|path, C:\Users\Oscar\AppData\Local\CRE\lcgnmdipgajofmpanhpdinhkgmeifmdo.crx, Quarantined, [9fbf2c571e7b82b46a7234ded52ebc44]
 
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\lcgnmdipgajofmpanhpdinhkgmeifmdo|path, C:\Users\Oscar\AppData\Local\CRE\lcgnmdipgajofmpanhpdinhkgmeifmdo.crx, Quarantined, [6af4f98ac1d88da979642ee4a06354ac]
 
PUP.Optional.Conduit, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{87D2D8FE-3975-40EB-A39D-A58203EEB5DC}|URL, http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3300196&CUI=UN31371625011347016&UM=2, Quarantined, [9bc3c6bd0c8d88ae9dc95699b35039c7]
 
PUP.Optional.Conduit, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{87D2D8FE-3975-40EB-A39D-A58203EEB5DC}|SuggestionsURL_JSON, http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}, Quarantined, [1a4487fcaced62d488de01eea06331cf]
 
PUP.Optional.Conduit, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{87D2D8FE-3975-40EB-A39D-A58203EEB5DC}|FaviconURL, http://search.conduit.com/favicon.ico, Quarantined, [4618067d7722f046174f757acd362ad6]
 
PUP.Optional.Spigot, HKU\S-1-5-21-1409198672-455828296-2446602818-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{97837963-3134-4928-86DD-0F379C452FB4}|URL, http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=512435&p={searchTerms}, Quarantined, [bf9f1e65c7d21d193d20a7730df76799]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
----------------------------------------

 

I've also run a scan with AdwCleaner, but did not take any actions. I'm usually extremely reluctant when it comes to messing with the registry, and quarantining the Malwarebytes results was kind of a rash decision from my usual perspective. I trust you'll let me know what's best, in any case.

 

I'll be waiting to hear back from you, and thank you again for your assistance!

 

Have a good one :)



#4 garioch7

Malware Response Instructor
Posted 05 March 2016 - 12:58 PM

Oscar:

 

Thank you for your ESET and MBAM logs.  Thank you also for your permission to address you by your first name.

 

The logs don't show any serious infection, just some Potentially Unwanted Applications (PUPs).

 

 

"I've also run a scan with AdwCleaner, but did not take any actions."

 

 

I would like to see your AdwCleaner log.  That was the next tool I was going to suggest running.

 

So far, I don't see anything that would cause me concern.  I have worked on computers for folks that had over 400 PUPs on their computers.  They complained their computers were slow.  No kidding! :)

 

So let's have a look at the AdwCleaner log and see if it reveals any reason for concern.

 

Have a great day, Oscar.

 

Regards,

-Phil




#5 loboloco51290

Posted 05 March 2016 - 02:39 PM

All right, sounds great!

 

 

Here are the adwcleaner logs:

 

# AdwCleaner v5.037 - Logfile created 05/03/2016 at 09:44:20
# Updated 28/02/2016 by Xplode
# Database : 2016-03-02.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Oscar - OSCAR
# Running from : C:\Users\Oscar\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
Folder Found : C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Found : HKCU\Software\Myfree Codec
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
 
***** [ Web browsers ] *****
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[S1].txt - [1340 bytes] - [05/03/2016 09:44:20]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1413 bytes] ##########
 
 
Hope this continues in the same direction (no concerns!), hehe :)
 
Thanks again Phil, and just to let you know, I might reply only by Monday.
 
Have a good weekend!
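The Malwarebytes log earlier in the thread quarantined Conduit and Spigot entries under Internet Explorer's SearchScopes, and the AdwCleaner log above found another scope ({2fa28606-de77-4029-af96-b231e3b8f827}) in both HKCU and HKLM. The script below is an added example, not part of the thread or of any of the tools used in it. It lists every SearchScopes entry in both hives, shows which GUID the address bar actually uses (the DefaultScope value), resolves each scope's search URL to its host, and flags hosts that are not in an expected list. The $expectedHosts list is an assumption for illustration; set it to the providers you actually chose.

```powershell
# Added example (not from the original thread): enumerate Internet Explorer
# SearchScopes in both hives, show the active default, and flag scopes whose
# search host is not one the user chose. $expectedHosts is an assumption for
# illustration; set it to the providers you expect to find on the machine.

$expectedHosts = @('www.bing.com', 'www.google.com')

$scopeRoots = @(
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes'
)

function Get-UrlHost([string]$Url) {
    # Host part of a search URL, or $null when the value is absent or malformed
    if (-not $Url) { return $null }
    try { return ([uri]$Url).Host } catch { return $null }
}

function Get-IESearchScope {
    foreach ($root in $scopeRoots) {
        if (-not (Test-Path $root)) { continue }
        # DefaultScope holds the GUID of the provider the address bar searches with.
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p       = Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue
            $urlHost = Get-UrlHost $p.URL
            [pscustomobject]@{
                Root    = $root
                Scope   = $scope.PSChildName
                Default = ($scope.PSChildName -eq $default)
                Name    = $p.DisplayName
                Host    = $urlHost
                Suspect = [bool]($urlHost -and ($expectedHosts -notcontains $urlHost))
                URL     = $p.URL
            }
        }
    }
}

Get-IESearchScope |
    Sort-Object Suspect -Descending |
    Format-Table Root, Scope, Default, Name, Host, Suspect -AutoSize
```

On the Malwarebytes log above, the Conduit scope (host search.conduit.com) would be flagged, but the Spigot scope would not: its URL points at search.yahoo.com with an affiliate `type=` parameter, and a host allowlist alone cannot tell that apart from a provider the user added. So read the full URL and DisplayName for anything you do not remember setting up, and after a cleanup confirm that DefaultScope in each hive names a scope you recognize rather than a GUID that no longer exists.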


#6 garioch7

Malware Response Instructor
Posted 07 March 2016 - 01:01 PM

Oscar:

 

Sorry to be so tardy with my response.  I had a heck of a busy day yesterday and I just did not get around to responding.  Please accept my sincere apologies.   :bowdown:

 

Again, nothing serious there.  I would create a system restore point and then run AdwCleaner in "Clean" mode, just in case something goes funny.  Always a good idea.

 

You could also run the Junk Removal Tool (JRT) if you would like, but it just removes what it doesn't like, mostly adware, PUPs, and PUMs, without giving the user the opportunity to know what it is going to remove beforehand.  If you have made any elaborate customizations, JRT might detect those as Potentially Unwanted Modifications (PUMs) and remove them.  Personally, I think your computer is in good shape.  I am not seeing signs of any active or serious infections.

 

How is your computer running now?  If it is fine, then I think we can probably conclude that you are good to go.

 

Let me know if you want to proceed further.

 

Thank you and have a great day ... and once again, sorry for my late response.

 

Regards,

-Phil




#7 loboloco51290

Posted 09 March 2016 - 04:00 PM

Hello Phil, thank you for your response, and sorry about my own tardiness...

 

My computer is running pretty fine actually, so I guess I've been taking good care of it. I'll leave things as they are for now; I don't think JRT is necessary, as you said, plus I don't like that kind of aggressively proactive tool anyway.

 

Thank you again for all your assistance Phil  :thumbup2:

 

Have a good one  :grinner:



#8 garioch7

Malware Response Instructor
Posted 10 March 2016 - 08:35 AM

Oscar:

Great news that your computer is running just fine. :thumbsup:

Yes, like you, I tend to avoid running JRT unless I consider it would be of net benefit to the user, just because it is somewhat "indiscriminate" and the user doesn't have the option to select what will, or will not, be deleted.

You are most welcome for my assistance. It was my pleasure, on behalf of Bleeping Computer, to work with you to allay your security concerns.

Have a great day.

Regards,
-Phil





