TechSpot

2 iexplore.exe processes in Task Manager since healing trojans

By wsbarnhill
Mar 14, 2009
  1. Hello,

    I'm new to TechSpot. Although I've read the site guidelines, rules, etc., please excuse any ignorance on my part.

    History
    On Friday, 3/07/09 my PC was infected with a threat while running AVG Free Edition 8.0. While using the internet, my Internet Explorer 8.0 sessions began to be replicated as if I were repeatedly pressing Ctrl+N. I knew something had made its way to my PC. I had to end internet sessions via Task Manager. After rebooting, I noticed the threat kept resetting my Tools/Internet Options/Privacy level from Medium to Accept All Cookies. At this point the PC's response time ranged from really dragging to no response (such as when checking my Yahoo mail). I performed a complete system scan using AVG Free Edition and it found one trojan named FakeAlert.HJ in addition to tracking cookies. I also found a file had been placed into my temporary internet files folder named E.exe, which I manually deleted. The PC issues described above still persisted.

    I then downloaded and installed a trial (full working copy) of AVG's new Internet Security 8.5 version which is supposed to detect and quarantine any threat whatsoever including malware & root-kits. Discovered AVG Free Edition does not check for malware. After rebooting from the AVG Internet Security install, AVG reported it found a threat - File: A2SRCHAS.DLL Threat: IAC. Performed another full system scan using the new AVG I.S. 8.5 just installed but no new threats were found. On Monday, 3/10/09 AVG updates were available and more trojans were found.

    I have attached an AVG Internet Security Ver. 8.5.276 Virus Vault.log which includes all the threats found and quarantined by the new AVG I.S. 8.5 which was installed on 3/07/09. The log is sorted by date & time for your convenience.


    Existing Problem
    With AVG I.S. 8.5 running I still have one issue. First of all, there are two iexplore.exe processes showing in Windows Task Manager which, as I understand, is not kosher. Also, after visiting certain web sites (ie: officedepot), one of the iexplore.exe processes spikes up to 100% of CPU usage and Internet Explorer freezes, which I finally have to cancel in Task Manager.

    In addition to the AVG Internet Security Ver. 8.5.276 Virus Vault.log (mentioned above), I have also attached my Gateway Laptop System Info.txt and a HijackThis.log.

    I would like to thank you all for this site and for caring enough in taking time to help others.

    Scott
     

    Attached Files:

  2. touch

    touch TS Rookie Posts: 978

    Hello wsbarnhill

    Please run the steps in this guide:
    8-step Viruses/Spyware/Malware Preliminary Removal Instructions ->
    http://www.techspot.com/vb/topic58138.html

    Please attach logs from:
    Malwarebytes
    Superantispyware
    Hijackthis


    In your next reply
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you Touch- nicely done!

    This is not correct. AVG v8 has both an antivirus program AND a spyware program. It is more likely that AVG "missed" the malware, which is why many of us suggest changing to Avast or Avira.

    Reset Cookies: I
    This will prevent the Tracking Cookies. You should NOT make any change to 'allow all Cookies' UNLESS you also UNCHECK 'allow third party Cookies'.

    When you post the three logs (update and rescan with HijackThis AFTER running the other two programs) we'll deal with the entries that need removal.
     
  4. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    Completed 8-Step Removal Instructions

    First of all I would like to say 'Thanks for responding' and thanks for the tip on overriding the cookie settings in Internet Explorer. It's really weird that Touch recommended running the 8-step removal processes prior to posting. I had only performed a couple of steps based on the research I had performed on this forum.

    Prior to my initial post, I was completely blind to the recommendation, which displays at the top of the Virus & Malware removal forum, to run the 8-step removal process before posting. Wondering why I was receiving no responses, I checked TechSpot again last night hoping I missed something when I noticed I had not performed the 8-step removal process. Then Touch confirms my suspicion today. Sorry.

    Anyway, attached you will find the requested logs. TechSpot would not allow me to upload the AVG Internet Security Ver. 8.5.276 Virus Vault.log or the Gateway Laptop System Info.txt which lists the system info. of my PC. Please refer to my initial thread for these attachments.

    Thanks in advance for your help & suggestions.

    Scott
     

    Attached Files:

  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Run the Norton Removal tool

    Restart

    Install Avira free AntiVirus

    Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
    You need to run this multiple times, until all hidden Malwares are uncovered and removed
    (Note: Leave Avira enabled by default during the scan, and remove any Viruses if detected)

    Reply back with a clean Malwarebytes log, and fresh HijackThis log
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kimsland, please take note:

    wsbarnhill, it appears that you have the AVG Internet Security Suite installed and that you have added the Identity Protection, per these processes:
    Since this is a program that you have paid $55.00 for, you will likely want to keep it.

    You do have an entry left over from the Norton/Symantec protection though and should run the Norton Removal Tool as kimsland suggested.
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    The main source of your problem is caused by the installed Weatherbug program. This program brings and adds a lot of trash and I strongly advise you to uninstall it. The basic removal is as follows:

    1. Make sure the program is not running before uninstalling it. If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen) you'll need to right-click on it and choose "Exit WeatherBug" or "Terminate Weatherbug".

    2. Once the program is closed, you can remove it easily from the Add/Remove Programs section of the Control Panel by following these steps:
    * Click START (lower, left of computer screen)
    * Select SETTINGS and CONTROL PANEL
    * Double click ADD/REMOVE PROGRAMS
    * Select "WeatherBug" (or other programs) from the list of applications
    * Click ADD/REMOVE and follow the instructions

    To delete the AWS directory
    Extra removal instructions for Windows XP
    Finally, there is an extra icon in the Internet Explorer bar that is left even after uninstalling Weatherbug, to remove this extra content button, use HijackThis and remove the following line
    NOTE: update and rescan with Malwarebytes AFTER doing the above, then do a 'System Scan Only' with HijackThis. We'll need to see if other entries need to be removed.
     
  7. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    Hello Kimsland & Bobbye,

    Yes I do have the AVG Internet Security Suite installed (includes the Identity Protection) but it is only the 30-day trial version. So I have not paid a penny. The only reason I installed this in the first place is because the AVG free edition, which I was initially using, did nothing to catch the initial trojans. After reading Kimsland's recommendation to replace it with Avira, I had already planned to do so tonight after work.

    I'll also do what you recommended concerning removing the Weatherbug. I'll make sure I post a fresh copy of Malwarebytes & HijackThis logs.

    Thanks again.
     
  8. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    New Malwarebytes & HijackThis logs

    Kimsland
    I completed all the steps from your last post including uninstalling the trial version of AVG Internet Security 8.5 (including running the removal tool avgremover.exe), running the Norton Removal tool, and installing Avira free AntiVirus.

    I also updated and ran Malwarebytes two times which was needed to arrive at a clean scan.

    Bobbye
    WeatherBug was not in the list of available programs to remove. Did a search (via Windows Explorer) against the C: drive and only one directory was named WeatherBug. There were no files in the folder. FYI, the complete path found was: C:\Program Files\Common Files\Real\WeatherBug. The last mbam-log-2009-03-19 (21-02-30).txt log I posted revealed that file MiniBugTransporter.dll was quarantined & deleted from the WeatherBug folder along with the associated registry key.

    No AWS directory was found after searching the C: drive.

    Found no extra icon in the Internet Explorer bar referring to WeatherBug. Also, HijackThis showed no reference to 09 – Extra button: WeatherBug - ……………….

    I’ve attached fresh logs from Malwarebytes and HijackThis.

    Thanks again.
    Scott
     

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Scott, I gave you the full uninstall for Weatherbug. Apparently the cleaning programs sufficiently removed it.

    If you checked the HijackThis log, you would have seen that we're going backwards! You now have three IEXPLORE.EXE, so we are missing something.

    Please download VundoFix.exe HERE and Save to your desktop.
    Download SDFix HERE and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    Update and rescan with HijackThis and attach new log.
     
  10. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    Here are the VundoFix, SDFix & HijackThis logs

    Hi Bobbye,

    I ran VundoFix v7.0.6 as you instructed. Once it finished scanning I was alerted there were no infected files found. At this point I was expecting to see a ‘Remove Vundo’ button, which you advised to click, but there wasn’t one. Instead, v7.0.6 has replaced the ‘Remove Vundo’ button with a ‘Fix Vundo’ button. Once I clicked the ‘Fix Vundo’ button the software confirmed I had no infected files with a small window which displayed ‘No files were found, VundoFix V7.0.6 will now close.’, with the only option of an OK button, which I clicked.

    Also ran SDFix per your instructions and it finished with no problems.

    I’ve attached the following logs:
    VundoFix.txt
    Report.txt (from SDFix)
    New HijackThis.log (ran when no internet sessions were running)

    Just FYI, since initially running the 8-step virus & malware removal process I have experienced only one occurrence (that I could prove) while on the Internet where the CPU usage spikes to 99% - 100% for iexplore.exe. During the time I was constantly having this iexplore.exe CPU usage issue, visiting Office Depot’s web site (not allowed to post their URL here) would always instigate the problem. Now I can visit the same site without any CPU usage issues. In fact, the 98% - 99% is now attributed toward the System Idle process.

    But as I just mentioned above it has happened once that I'm sure of and it was today - iexplore.exe spiked to 99% while checking Yahoo mail but this time it finally timed out without having to end the process via Task Manager. This happened after running VundoFix & SDFix and initially writing this post today. The Internet also seemed slow last night (before running VundoFix & SDFix) but I didn't check the CPU usage in the Task Manager. Something does seem to still be amiss.

    Also, I’m still experiencing multiple iexplore.exe processes when viewing Windows Task Manager while on the Internet. For instance, after opening the first Internet Explorer browser session I can see two iexplore.exe processes. While still on the Internet, if I open a new tab (Ctrl+T) on the same browser session, the Task Manager will then show three iexplore.exe processes. But I don’t always get another iexplore.exe to show for each new tab opened. For example, if I have a total of five tabs open (including the original tab) on a given browser session, Task Manager shows four iexplore.exe processes. The version of my Internet Explorer is 8.0.6001.18372. Is it normal to have multiple iexplore.exe processes showing when using this version?

    Also, if I run HijackThis while on the Internet with the multiple tabs open, the HijackThis.log will reveal the same number of iexplore.exe processes that are shown in Task Manager. I would say this must have been the case when I posted the HijackThis.log on my last post which showed three iexplore.exe processes, but I can't be sure. I've been careful not to have anything running (including the Internet) when running any of the fix software you guys recommend. If I run HijackThis without being on the Internet, the HijackThis.log will reveal no iexplore.exe entries, as is the case with the log I’ve attached with this post.

    Thanks again for all your help.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for telling me about the change in the Vundo button.

    You should know that IE8 separates each tab into its own process. This way, a tab can crash without crashing the whole browser window. Each browser window is using memory, which is slowing the computer as a whole. And my apology for not being up on this- the 'student' teaches the 'teacher'!

    However, when running the scans, it would be best to have the browser closed and in that state, you wouldn't show multiple iexplore.exe unless malware is running in the background, hiding using the iexplore name.

    The CPU usage you asked about can be best understood if you examine the processes being used: if you prepare a system for Shutdown, closing all Windows and Email, then look at the Processes tab you should see use in 3 processes: System Idle, System and taskmgr. The three add up to 100%. At this point, if there is any other process using more than 1-2 in the CPU column, that's the one that will be suspect.

    You might want to take a look at my post "IE8- What are they thinking"? HERE:
    It might get you thinking about trying another browser. It answers some of the questions you asked about CPU usage, memory leak and the bottom line that IE8 is bloated to the point of being "fat"!
    So when you say this:
    it makes perfect sense because launching the browser IS the connection.

    1271 MB installed RAM should be sufficient for Windows XP, unless you are multi-tasking and/or using labor intensive programs.

    Update Adobe: Most current version: Adobe Reader 9.1
    You have unnecessary processes loading at startup and running in the background. If 'speed' is an issue, we can stop them. Are you having any other problems? After reading the description of IE8, do you understand what you're seeing re: the multiple processes? If not, we can remove the cleaning tools and old restore points.
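Bobbye's point above is that extra iexplore.exe entries only matter when the browser is closed, or when a process carries that name from somewhere other than IE's own folder. That can be checked mechanically against the HijackThis logs exchanged in this thread. The Python below is an added example written for this page, not a tool from the thread: the log text is constructed, and the "expected" Internet Explorer directory is an assumption based on a default Windows XP install.

```python
"""Triage the 'Running processes:' section of a HijackThis log.

Counts how many entries carry a given image name (iexplore.exe by default)
and flags any whose directory is not where Internet Explorer is installed,
which is what a process hiding behind the iexplore name would look like.
Also lists O23 service lines left behind by an uninstalled vendor.
"""

# Constructed sample log, loosely modelled on HijackThis' layout.
# Three legitimate IE8 tab processes, one impostor in system32, and a
# leftover Symantec service like the one Bobbye pointed out.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
C:\\Program Files\\Internet Explorer\\iexplore.exe
C:\\WINDOWS\\system32\\iexplore.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
"""

# Assumption: where the real IE8 binary lives on a default 32-bit XP install.
EXPECTED_IE_DIRS = (r"c:\program files\internet explorer",)


def running_processes(log_text):
    """Return the process paths listed under 'Running processes:'."""
    procs = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # the section ends at the first blank line
            procs.append(line.strip())
    return procs


def process_report(log_text, name="iexplore.exe"):
    """Count processes with the given image name and split them into those
    under a known IE directory and those anywhere else (suspicious)."""
    matches = [p for p in running_processes(log_text)
               if p.lower().endswith("\\" + name.lower())]
    expected, suspicious = [], []
    for path in matches:
        directory = path.lower().rsplit("\\", 1)[0]
        (expected if directory in EXPECTED_IE_DIRS else suspicious).append(path)
    return {"count": len(matches), "expected": expected, "suspicious": suspicious}


def leftover_services(log_text, vendor):
    """O23 service lines mentioning a vendor whose product was uninstalled."""
    return [ln for ln in log_text.splitlines()
            if ln.startswith("O23 - ") and vendor.lower() in ln.lower()]


if __name__ == "__main__":
    report = process_report(SAMPLE_LOG)
    print(f"iexplore.exe entries: {report['count']}")
    for path in report["suspicious"]:
        print("SUSPICIOUS (outside IE directory):", path)
    for line in leftover_services(SAMPLE_LOG, "Symantec"):
        print("LEFTOVER SERVICE:", line)
```

Run it against a log captured with the browser closed, as Bobbye advises: any iexplore.exe entry at all in that state, and any entry outside the IE folder in either state, is the one to look at.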
     
  12. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    Follow-up on multiple iexplore.exe processes in Task Manager

    Hi Bobbye,

    Thanks so much for tuning me in to FoxIt & the recommendation for using another web browser. I downloaded & installed the latest FoxIt reader and the latest Firefox. I must say I love the speed of Firefox. And what's up with the time it took to download the .exe and install Firefox? It was a non-issue. The entire process couldn't have taken more than 2-3 minutes. I never knew IE 8 was such a memory hog. And yes, I do understand the write-up on IE 8.

    I've been developing software professionally since '84 with a focus on mainframe & midrange systems. I remember the days of pre-Windows PCs (DOS based) when the only things you had to worry about were config.sys, autoexec.bat and those aggravating IRQ conflicts. Since the advent of Windows for Workgroups 3.1 I've never had enough time to research what those hundreds of Windows files actually do behind the scenes, much less try to remove viruses & trojans myself.

    As far as I'm aware I don't have any symptoms of trojans, etc. Just FYI, on 3/20/09 Avira's AntiVir Personal edition did catch & quarantine a trojan named TR/Crypt. ULPM.Gen. (c:\windows\system32\wuyedawa.dll).

    I wanted to ask:

    • Is it okay at this point to uninstall IE 8 since Firefox is fully operational?

    • As I mentioned above I'm now running Avira's AntiVir Personal edition. I also now have SuperAntiSpyware but the free version doesn't offer real time protection - I'm thinking about upgrading so I will not have to run it manually every day. Between using AntiVir and SuperAntiSpyware should I be pretty much covered against threats?

    • Should I still need to run Malwarebytes' Anti-Malware from time to time?

    • What about a firewall instead of Windows firewall? If you recommend another firewall product would your preference be Comodo or Zonealarm?

    And, I'd like to send a very big Thank You your way for helping me out. I sure do appreciate it.

    Thanks in advance for answering my questions above.

    Scott
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Scott, your decisions were good and your questions are coming from a good place- here's the followup. I will need just one more updated HijackThis log from you.

    1. Did you uninstall all the Adobe Reader entries in Add/Remove Programs in the Control Panel? If not, do that. You will be amazed how bloated it is compared to FoxIt!
    2.
    Yes.
    3.
    4.
    No. (#3) The minimum security programs are one antivirus program, one firewall and at least two spyware/adware programs. Here are some suggestions:
    I strongly suggest that SpywareBlaster be one of the programs, no matter what else you decide on.

    The Windows firewall only listens at incoming ports. A bi-directional firewall is better as it listens to both incoming and outgoing.

    Yes, good idea. But you can take it off of Startup-it doesn't need to load every time you boot.

    I am pleased that you were able to take kimsland's suggestion of removing AVG in favor of Avira. At this point, we don't know if the Trojan is actually new or if AVG missed it. I am concerned, though, that Avira found a new Trojan that did not appear in any of the other cleaning programs. We need to make sure there are no other files for it: TR/Crypt. ULPM.Gen

    Let's use an online scan and follow with update and new logs for HijackThis:
    Kaspersky's online scan
    Open Kaspersky Online Scanner in Internet Explorer HERE. (Don't use IE8 for this)

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    If the logs are clean, we will remove the cleaning programs and old restore points-I'll know after seeing them.
    Of course, you're so right about having to deal with so much more as Windows advances and more hackers and crackers are born!
     
  14. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    Kaspersky & HijackThis logs attached

    Hi Bobbye,

    Yes, I uninstalled the Adobe Reader - there was only one entry for the actual Reader. However, the following Adobe entries still remain in Add/Remove programs:
    • Adobe AIR
    • Adobe Flash Player 10 ActiveX
    • Adobe Media Player
    • Adobe Shockwave Player

    Just to confirm, Avira encountered Trojan TR/Crypt. ULPM.Gen after running the cleaning programs. But I’m pretty sure Avira had already scanned the entire system at least once. It may be the Trojan was not already present on the PC but was trying to make its way in.

    I ran Kaspersky's online scan and have attached the associated log in addition to a new HijackThis log.

    Should I wait until the cleaning tools and old restore points are removed before installing long-term spyware/adware programs and a Comodo or ZoneAlarm firewall?

    Also, concerning cookie handling in Firefox browser. When running IE 8 I was instructed to:

    What is the equivalent in Firefox? The Privacy options I’m seeing in Firefox are:

    • Accept cookies from sites (check box)
    • Accept third-party cookies (check box)
    • Keep until: (drop down)
      • They expire
      • I close Firefox
      • Ask me every time

    I’m assuming I’ll need to uncheck “Accept third-party cookies” but am not sure how to handle the “allow per session Cookies” (found in IE 8) or what to choose in the Firefox “Keep until:” drop down.

    Thanks again for your help.

    Scott
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for the delay Scott.

    Cookie settings for Firefox:
    These are not related to the Adobe Reader:
    You can investigate each to see if you want to keep, especially the Adobe Media Player.

    You need to UPDATE and run Malwarebytes again. We are still dealing with a PUP.
    After running the program, do a search in your system for waynet.dll. Delete any and all entries for this file if found.

    Please run Avira again. Hopefully Trojan TR/Crypt. ULPM.Gen was quarantined and if so, go ahead and delete it.

    Follow with new scan of HijackThis and attach results.
    You can remove IE8. You should still have IE7 on the system.
     
  16. wsbarnhill

    wsbarnhill TS Rookie Topic Starter

    New Malwarebytes, Avira & HijackThis logs

    Hi Bobbye,

    Thanks for the confirmation on the Firefox cookie settings.

    Per your suggestion, I installed AdBlock Plus along with Easy List.

    I removed Adobe Media Player since I don’t use it.

    I updated and ran Malwarebytes and have attached a new log.

    Waynet.dll was not to be found on my entire system. So I searched the registry and did find references to waynet.dll & weatherbug. From a previous post you gave me complete removal instructions for weatherbug but it must have already been removed because none of the references you had me look for were found.

    I ran Avira again and have attached the log. Then I deleted the Trojan TR/Crypt. ULPM.Gen from the quarantine.

    Ran HijackThis again and have attached a new log.

    Before I remove IE 8, I wanted to ask you a question. Tonight I tried to connect remotely to the midrange computer (aliases: AS/400, iSeries, Systemi – all represent the same computer) at work on which I develop software. On the remote access screen that I always receive, I select the default server name and have a Connect button which, in the past, I've always been able to click. However, now it’s not recognizing that I’m clicking the Connect button and does nothing. I noticed on the remote access web page there are instructions which read:

    "Connect" button not working?

    Try this:
    On the top menu of Internet Explorer, click "Tools"
    Click "Manage Add-ons"
    Click "Enable or Disable Add-ons"
    Click "Microsoft Terminal Services Client Control (redist)"
    Click the "Enable" radio button at the bottom-left of the screen
    Click the "OK" button - exit Internet Explorer and reconnect.

    Since I'm no longer running IE 8, I tried to mimic the same instructions in Firefox. However, in Firefox, Microsoft Terminal Services Client Control (redist) was not shown in Tools/Add-ons/Get Add-ons (nor could I find it via the search or Browse All Add-ons found within Get Add-ons) nor was it shown in Tools/Add-ons/Extensions. I’m at a loss what to do in Firefox to allow the “Connect” button to work again when trying to log in to work. I searched the internet but couldn’t find any direct answers pertaining to Firefox.

    I welcome any suggestions you might have to solve this problem. The reason I even attempted to log on to work was for testing to make sure I wouldn’t have any problem when I go on-call soon. Just FYI, when installing Firefox a few days ago I did choose to import the IE 8 settings into Firefox to prevent any custom settings from being lost.

    As always, a big thank you for your continued help.

    Scott
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Scott, I am not familiar with what IE8 requires, but it sounds like the Service for Terminal Service might not be running:
    Start> Run> services.msc> right click on Terminal Services> Properties> set Startup Type to Manual> Start the Service.
    NOTE: Fast User Switch is dependent on this Service to Run.

    Here is the description of what this Service is needed for:
    http://www.blackviper.com/WinXP/Services/Terminal_Services.htm

    I am not aware of an Active X object add-on for this. The Services are found in the Administrative Tools in the Control Panel. While there may be particular Services, in general, they are a part of computer management for Windows- not IE or Firefox, although their settings will influence how the browsers work.

    See if setting the Terminal Service handles your problem. Your logs are all clean. We can remove the cleaning programs and old restore points if you're ready:

    http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
    Let me know if you need more help. It's been a pleasure helping you.
     
Topic Status:
Not open for further replies.
