plastic

iexplore.exe virus help

44 posts in this topic

OK, let's get the "IE is the virus" shit out of the way.

situation:

barbie's system.

iexplore.exe is located as it should be in c:\program files\internet explorer. however it is all lowercase now.

There is also an iexplorer entry in c:\windows\system32; it is associated as a jpeg file (odd).

it is protected so I can't delete it, only rename it, or force a move.

I have run adawareSE 1.06

I had installed at the time of infection Norton AV2005.

I have run McAfee Stinger.

no hits from any of them.

I have tried to replace the iexplore.exe in c:\program files\internet explorer, only to watch it mysteriously be overwritten 30 seconds later.

Any time that her system boots, two instances of iexplore.exe are loaded into the process tree even before IE is launched. I have to kill the process tree for it to go away.

Now I do have DEP enabled, and have the process trapped in the firewall.

I also cleaned the lmhost file it traded out, which forced Norton LiveUpdate to default to 120.0.0.1.

So her data is safe, with no one being able to access it, but the system gets a bit wobbly after a time.

So, anyone run across this one before? I am finding virtually no help on Google or Norton's site.

Reformat Harddrive.

After reformat, double click on Internet Explorer.

Go to mozilla.com

download firefox.exe v1.06

install firefox.exe

right click on Internet explorer

click delete

all set

You sure you are reading things right?

There is a process named explorer too, essentially your desktop.

iexplore is supposed to be in lower case.

The iexplore jpeg is the icon.

Additionally, if you close explorer, it will reopen itself.

Deleting the iexplore.exe file causes Firefox to not work.

And I use Firefox exclusively.

She does not (till now). Less snobby nerd talk, and more snobby nerd action.

You know your crap? Help me fix it.

I had a virus and explorer.exe was infected. Go into DOS and delete that file and replace it with the one on the CD. Don't need to format.

Make sure all other viruses are kaput first as well.

> You sure you are reading things right?
>
> There is a process named explorer too, essentially your desktop.
>
> iexplore is supposed to be in lower case.
>
> The iexplore jpeg is the icon.
>
> Additionally, if you close explorer, it will reopen itself.

I'm reading it right: explorer and 2 iexplorer on boot with no IE open.

When I open an IE window, a third process opens up. I delete the first two, and the IE window still stays open, so those initial processes are not IE windows.

I verified everything on my system.

There is NO iexplore.exe with a jpg association in MY c:\windows\system32.

The iexplore.exe in MY c:\program files... is all uppercase.

When my system first boots there are no iexplore.exe processes running unless I actually open up an IE window, and then there is only the ONE.

Windows Firewall is trapping on the first iexplore.exe process the second it fires up during boot on her system. Nothing of the sort on mine.

> I had a virus and explorer.exe was infected. Go into DOS and delete that file and replace it with the one on the CD. Don't need to format.
>
> Make sure all other viruses are kaput first as well.

It has reassociated some .DLLs, I think. Too many other programs are needing to access the iexplore.exe in c:\windows\system32 that should not need to, for example Firefox.

And I can't really just replace the one in system32, as there should not be one there.

Just cleaned about 12 references out of the registry. Hopefully I killed it. There were 2 questionable ones that I left for fear they may cause problems with their DLLs.

Rebooting her system now.

::crosses fingers::

Share this post


Link to post
Share on other sites

For posterity's sake:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
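An added example, not from anyone in this thread: a PowerShell script that lists what is registered under the three Run keys named above (plus the per-user Run key, which is an assumption on my part) and flags any entry or running process that points at an iexplore.exe outside the normal c:\program files\internet explorer location, which is the symptom described earlier in the thread.

```powershell
# Added example (not from the thread): enumerate autorun entries under the Run
# keys listed in the post and flag any that reference iexplore.exe outside its
# normal home in Program Files. Run from an elevated PowerShell on the affected box.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: per-user key is also worth a look
)

# Where a legitimate iexplore.exe lives (as stated in the thread); anything else is suspect.
$expectedDir = Join-Path $env:ProgramFiles 'Internet Explorer'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata (PSPath etc.)
        $value = [string]$p.Value
        $flag = ''
        if ($value -match '(?i)iexplore\.exe' -and $value -notlike "$expectedDir*") {
            $flag = '  <-- iexplore.exe referenced outside Program Files'
        }
        '{0}\{1} = {2}{3}' -f $key, $p.Name, $value, $flag
    }
}

# Running iexplore.exe processes with their on-disk paths; the thread describes
# two instances appearing at boot before any IE window has been opened.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    ForEach-Object {
        $where = if ($_.Path -like "$expectedDir*") { 'expected location' } else { 'UNEXPECTED location' }
        'PID {0}: {1} ({2})' -f $_.Id, $_.Path, $where
    }
```

Any flagged line gives you the exact registry value name and image path to compare against a known-clean machine before removing it, rather than scrubbing every reference and breaking the file associations.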

Well, first reboot it was half done: IE was loading off the proper DLL call, but the bad iexplorer was still running too.

I scrubbed the rest of the registry and now nothing will launch as the file associations are all fuxored. This is a nasty little bug. Gonna have to repair the associations.

So do I have to DL the anti-spyware stuff from MS, or was it in an update and I can find it hidden somewhere?

Do you know how long the system has been in this condition?

If so, try simply rolling back the system with System Restore.

Well, first try to run this:

http://www.microsoft.com/security/malwareremove/default.mspx

Maybe HijackThis could help to analyze the startup list? Spybot also has somewhat similar functionality. Ad-aware programs are better the more of them you use; it seems none of them detect everything, so cross-using a couple is a rather good idea.

http://www.majorgeeks.com/download3155.html (hijackthis)

http://www.safer-networking.org/en/index.html (spybot)

To me, the problem sounds like some rootkit, or just some virus that NAV doesn't detect. Maybe the BlackLight beta could also help:

http://www.f-secure.com/blacklight/

If available, I would recommend restoring from backups prior to the hack. Make a system restore point before starting to remove the entries that you detect with HijackThis. If unsure, please post the HijackThis log file here, and we'll see what we can do.

OK, a couple of good suggestions. I will try them when I get home.

HouseCall found nothing.

The MS spyware beta requires validation to download now, and I am still trying to verify with corp IT that I have a good key, or if I need them to get me a new one.

This virus or malware, whatever it is, has done a few nasty things.

It disables Windows Firewall on start up, and also creates an exception for itself in case you enable it. (I fixed that by starting the service manually, and then blocking all exceptions.)

It won't allow me to install the Nvidia firewall.

It has created a mutex instead of a semaphore object, so until I can find the mutex host thread, I can't kill the object, as only the host object can unlock the thread, so deleting the nasty bastard causes the mutex to kick in and reinstall it.

I cleaned the registry of all references to the bad exe, but after doing so I can not launch any programs, as rundll32 is associated to the bad exe and anything that requires that runtime environment (almost EVERYTHING) won't launch as it can't find an association to run it.

So I have to restore my reg backups, thus restoring this damn thing.

Restore points won't work, as I did a major upgrade right before this happened (changed mobo and chipset, CPU, video et al.) and the restore points are disabled. It is very possible that the restore points that would do me some good were killed by this nasty bug as well.

Unfortunately years and years worth of data and expensive applications are stored on this system. A reinstall/format would be devastating to Barbie, and until I confirm my key status, that is not an option.

Any other thoughts?

Hmm, won't give up without a fight ..

for the windows authentication paste line to loc and before check:

javascript:void(window.g_sDisableWGACheck='all')

Or alternatively if not working, just go in IE to

tools -> internet options->programs tab->manage add-ons

look for 'Windows Genuine Advantage, publisher Microsoft', and disable it. Should get H4x0r3d and you can continue.

If you're going for a repair install, check http://www.webtree.ca/windowsxp/repair_xp.htm, which has some guidelines. (Take the network cable off for the repair install, because it undoes service packs and makes Windoze security even cheesier.)

Some more things you could try:

UnHackMe:

http://www.greatis.com/unhackme/

F-Secure online scan:

http://support.f-secure.com/enu/home/ols.shtml

ProcessGuard:

http://diamondcs.com.au/processguard/index.php?page=download

RootkitRevealer:

http://www.sysinternals.com/Files/RootkitRevealer.zip

Plastic, I had this same virus on my computer. I tried to clean the registry and was unable to completely wipe it out.

Ended up having to reformat. It seems to be able to hide itself in the registry, as even when I ran a registry search for iexplore.exe it would not turn up, yet it was still showing up in my startup tree.

Here is some info on it from Google.

Note: iexplore.exe is also registered as the Trojan.KillAV.B virus, which systematically attempts to disable your AntiVirus solutions and also affects some Windows system tools. This is a registered security risk and should be terminated and removed from the Windows registry.
