IEXPLORER running randomly in background

By surfersaiyan
Dec 10, 2008
  1. hey guys,

    i got a dodgy file on my system the other day.. "a.exe" (downloaded to C:/program files/firefox).

    zonealarm picked it up and i immediately prevented it from running, located it and shredded it. no recurrence.

    but it seems since then that IEXPLORER.exe seems to run randomly in the background when i check windows task manager. is it possibly related?

    i dont use IE and would be more than happy to disable the shister completely.

    any tips?
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    One or more files with the name A.EXE creates or modifies the following registry keys and values:

    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main DisableScriptDebuggerIE yes
    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Error Dlg Displayed On Every Error no

    And no you should not use IE7 - Internet explorer is the most used browser out there, and therefore the most targeted browser by malware writers.

    That's a nasty infection if it penetrated your security see ->

    With that being said I would encourage you to read Is your system infected? Read this before Cleaning or Formatting - prior to deciding if you would like clean your system.

    ***If you decide to clean your system please do the following in addition to following the 8 step preliminary instructions***

    [​IMG]Prevx CSI
    • Download from
    • Launch Prevx CSI
    • Select Check for updates
    • Select Scan Now
    • Select Tools and Settings
    • Select Save Scan results
    • Attach the log it saves back here
  4. surfersaiyan

    surfersaiyan TS Enthusiast Topic Starter Posts: 100

    thanx for the advice and the slight sarcasm regarding IE was thoroughly appreciated kim!

    i have to say the slightly smug feeling of an apparently 'clean' system vanished without trace upon running mbam then sas and then hjt. bugger.

    i thought it was just a single dodgy file but those scans showed up heaps.

    @blind dragon.

    when attempting to download that Prevx CSI the file name was just a bunch of numbers and it weirded me out. so at this stage i havent done anything with that.

    but if you guys'd take a look at my logs and let me know what you think, i would be very humbly appreciative.

    cheers, the saiyan.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Even someone with 80 posts has this issue, obviously it's not a new member issue
    I wonder if the guide should really emphasize to actually REMOVE the found entries :confused:


    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    And I humbly disagree with BD that you should not use IE7
    When noticing users using IE (through the HJT logs) I never say use Firefox instead, nor would I say anyone should say such a poor advice to a user. Not that is the case in this thread though. Thankfully most of the world still use IE without issue, me being one. IE is not the problem As I mentioned once in a thread I argued that IE is actually ok to use. Get on the phone, don't you realize that our kids use IE in all public schools. Pure madness ! :p
  6. surfersaiyan

    surfersaiyan TS Enthusiast Topic Starter Posts: 100

    c'mon kim, you know me, i'm no 5 post monkey! :monkey: hehe.. but seriously, did the mbam log show that i hadnt deleted the selected items?:suspiciou

    because i was sure i did, and having re-run mbam, sas and hjt it seems i did everything right, :)p) because all that nastiness the came up before seems to have gone.

    does this mean i can go on another prno rampage? KIDDING.. i'm gonna try and behave myself a bit more now, be a bit more careful..

    humble pie eaten graciously as usual with a side serve of embarassment.

    the saiyan
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Well still infected anyhow, sadly :(

    [​IMG] Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

    Afterwards attach rapport.txt and a fresh Hijackthis log
  8. surfersaiyan

    surfersaiyan TS Enthusiast Topic Starter Posts: 100

    cheers kim. i'm a bit baffled where these little sneakers keep popping up from, but you're the man here.

    smitfraudfix done (in safe mode) and logs attached as requested.

    come on come on come on this time!!

    fingers crossed!! (cause they dont seem to do much finging).
  9. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hmm I'm not quite sure why all these runonce entries are there :confused:

    Obviously you are using nLite ?
  10. surfersaiyan

    surfersaiyan TS Enthusiast Topic Starter Posts: 100

    if you dont get it, then i dont either!!

    am i clean yet? and what is nLite?


    i just looked up nLite, on techspot of course. i do run a version of xp pro called 'performance version' which has heaps of stuff stripped out. i wonder if the creator of this version used nLite to do that.. hmm
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    it's not that IE is the worst browser, but it is still by far the most used browser and therefore attackers will try to find these vulnerabilities. Whatever browser is the most popular will always receive the most attacks

    "Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.

    Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified. "
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes I've since learnt about this, it may have been approx a week ago when I did :blush:
    There is already a workaround for this issue at MS, but I don't believe it has been fully rectified as yet. As a good measure I have completed all the IE recommendations, that were enabling Dep; manual registry editing\removing; security on high etc

    But one last recommendation was to use another browser! (That doesn't help my original argument!)
    So I'm presently on Firefox. !
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...