TechSpot

Iexplorer.exe

By austin-tech
May 21, 2008
  1. Computer Specs:
    Dell Optiplex GX745 Intel(R)
    Pentium(R) D CPU 3.00 GHz
    2.99 GHz, 1.99 GB of RAM
    Intel(R) Q965/Q963 Exoress Chipset Family
    Hitachi HDS721616PLA380
    Windows Service Pack 2 installed, and running Windows XP Professional Version 2002
    A touch screen monitor (along with an optical mouse and average Dell keyboard).

    (Would another other specifications be helpful?)

    Issue:
    This computer has three Iexplorer.exe processes running. One takes up aprox: 16,792 k, another takes up 41,052 k, and the last takes up 34,108 k. Norton Anti-Virus 2008 is blocking outgoing emails that the computer is trying to send - not emails that any of the users or I have tried to send, just the emails from whatever process, virus or malware that is trying to send them. If I use 'control' + 'alt' + 'delete' and select 'end process' for those IEXPLORE.EXE they will close, but just reopen later on anyway.

    Important:

    This is a lab computer were students and staff come down on a regular basis to work and use the internet, so I want to get this computer functional and keep it protected in the future. It would be wonderful to make sure this problem doesn't spread to more pc's on the network here, and I already have one other potential computer with this error happening so any advice on how to keep this issue contained would be great! Thanks!

    History:
    When I first began working on this computer it would freeze after a few minutes of start up, or after closing a window which said something about a 'program has encountered an error and needs to close' (I should have written this down!).
    The computer would also try to up-date and scan with AVG, and AVG would show warning notifications that there were viruses on the computer.

    If I tried to use AVG to scan or quarantine the items it found, it might work for the first few items or scan for a short while (5 or 10 min - I usually left the pc to do a scan while I worked on other computers) but then the computer would freeze.

    If I tried to go into Safe-mode the computer would blue screen with a message 'IRL_NOT_LESS_OR_EQUAL'.

    Eventually, through luck or by removing AVG anti-virus, I was able to get the computer to stay on without freezing or blue screening when entering safe mode. I installed Norton Anti-virus 2008 and spybot shortly after. My guess is that the infected file that AVG was blocking was an essential file for the computer to run, and having removed AVG I was able to let that process run free - for better or for worse. Again, another thing I should have written down. Retrospect is killer! But, lesson learned.

    Now, the Norton Help and Support pop up window comes up and lists anywhere from 60 - 300 notifications which are listed in the same window but as a # out of total #. If I close one of the windows it just cycles through all of the pop-up warnings about an email not getting through. Besides being slightly annoying to have these pop ups from Norton, something must be wrong with the computer. I could just avoid the pop-ups from Norton by turning off the outgoing email scanner, but that doesn't really fix the problem.

    I can now get into safe-mode just fine. There are no more blue-screens, and I haven't installed any new hardware ever while working on this computer.

    I have turned off system restore in the hopes that I could scan with anti-virus programs and keep the virus from coming back and although I have already removed some trojans from this pc, this IEXPLORE.EXE problem still remains.

    When I use 'control' + 'alt' + 'delete' I see that several IEXPLORE.EXE processes are running. Currently there are three running.

    From what I have read on the web it, and on this forum (I cannot add links yet because my forum posts are too low currently) it sounds like this is a virus or malware of some sort.

    What I Have Done so far:
    Un-installed AVG
    Installed Norton Anti-virus 2008
    Ran scans with Norton Anti-virus 2008 - removed Trojans - I can upload a list if you wish.
    Installed Spybot
    Ran scans with Spybot and removed items - I can upload a list if that is helpful.
    Installed and run SUPERAntispyware - removed the items it found.
    Downloaded, installed and ran VundoFix v7.0.5 - nothing was found.
    Downloaded, installed and ran Malwarebytes' Anti-Malware. Items found. Log to be included.
    I also downloaded and installed HJT, but instead of renaming it 'Crusty' I added an 'e' to the end - in the case that malware has re-modified again to find the new name this site suggests.

    I have read the links about virus and malware and am working through the rest of steps now, so please bear with me.

    During the process of these scans I have closed and shut down Norton Anti-virus because the notification window for Help and Support keeps popping up about the blocked outgoing emails. That windows a real nuisance because you have to close it for each individual email that is being blocked, and at 150 it gets pointless to bother trying to close it anymore. I also read that while running these scans listed above that it's a good idea to close anti-virus programs as well. Do I have that correct?

    Further Questions:
    I read somewhere that I should install spybot but un-check the option for teatimer. Can someone help me understand why?

    Update:
    5/21/2008
    I have run the programs listed above in the 'What I have Done So Far' section, and after a reboot it seems that the IEXPLORE.EXE is not running when I check with the Task Manager. I don't come back to work for a couple of days so I will see how it works in the meantime. Please feel free to give me any feedback about what I have done so far, or any suggestions you may have. Thanks!

    This is a post in process as I work through these steps. Thanks for your patience!

    I have read the page you linked (as I stated above), and listed the areas which I have done. I would like to show the hijackthis logs, but I am not sure what the best way to post the logs on this forum would be. These logs are quite long so is there some way to post them via a link? What would you suggest?

    Also, I have installed Norton 2008 - is this considered a poor choice of anti-virus protection? If so what anti-virus programs would you suggest for a non-profit organization (less expensive package deals and or free anti-virus software - we purchased the Norton 2008 software from the website techsoup.org at a great price.)

    Thank you for your advice so far!

    Update:
    6/3/2008
    HijackThis logfile included. I was unable to turn off Norton before the scan, I hope this doesn't interfere too badly. View attachment 33068
    First scan with Malwarebytes View attachment 33069
    Fist scan results with Superantispyware View attachment 33070

    Update:
    6/5/2008
    I have noticed that the teachers here at the school use USB drives to backup their documents, and this may very well be a trouble-spot for spreading viruses. Any suggestions that I could do to keep viruses to a minimum when these USB keys come in from home, then get used on the computers at the school? I have considered using a Mac to scan all of the USB's first (this is assuming that the viruses that may be on the USB are pc viruses only), then to let the teachers use the USB on the pc's.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    iexplorer is a Trojan which masquerades as IE. It includes is a process belonging to the AdClicker advertising program. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups.

    Your first mistake was removing AVG, the second was resorting to Norton. while you post was very thorough, you're going to need to run the HijackThis program and post you log so the good people here can help you find and fix the malware entries

    Please follow the malware cleaning instructions set up on the following:
    http://www.techspot.com/vb/topic58138.html
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I would just like to add that depends on the directory location it executes or runs from

    There are many different things it could be.

    Without seeing any logs my guess would be rapidblaster infection but it there are a bunch of other trojans/ rootkits that can cause this

    The current variants of RapidBlaster are usually around 72 kb in size, but that can easily change.
     
  4. austin-tech

    austin-tech TS Rookie Topic Starter

    Post updated. Thanks again for your help. (Also a post-count + so I can post a link in the above original post - you need at least 5 posts to post a link here)
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    post the hjt log as an attachment by clicking the paperclip icon above your reply
     
  6. austin-tech

    austin-tech TS Rookie Topic Starter

    Is there anything I should know about in these posted logs?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No log yet.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Have Hijackthis fix the following entry

    O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\

    Then let's run a kaspersky scan and attach the log In your reply

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  9. austin-tech

    austin-tech TS Rookie Topic Starter

  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Looks good, just need to get rid of those temp files and clear cache - use ATF cleaner.

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    After post a fresh Hijackthis since it's been a few days
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...