TechSpot

Invisible "iexplore.exe" which makes me lose focus

By Tompieee
Jan 2, 2010
  1. Hello there.

    In my 'task manager' I got an "iexplore.exe" process running.
    It appears each 30sec-1min even after ending it manually.
    When it appears, it takes away the focus of the screen which I'm using.
    Though the explorer itself remains invisible.

    I've been searching some information around this problem.
    It's been solved on these boards before, but I wouldn't have a clue how to solve the problem for my case.
    Since non of the programs themselves seemed to solve it and it had to be done manually somehow.

    <It can be found here>

    So far I have run AVG (free), Ad-Aware (latest version), Spyware Doctor and Ccleaner without any result.
    Java updated, real time done.

    I'm hoping to have a fast and useful answer.
    Thanks already!

    Tom

    <Working on the 8 steps>
     
  2. Tompieee

    Tompieee TS Rookie Topic Starter

    Can't install programs

    I tried following the 8 steps mechanism,
    but seems like I can't install the programs which are needed.

    I got the process running in Task Manager,
    but the setup doesn't appear,
    which makes it impossible to install these:
    • Mbam-steup
    • SUPERAntiSpyware
    • HJTInstall

    I hope it's still fix-able!

    Greetings
    Tom
     
  3. Tompieee

    Tompieee TS Rookie Topic Starter

    I got it fixed

    If other people have the same problem as I do
    I know how to solve it!

    To start with:
    If you can install the programs as I did,
    try to change the name of the .exe file!

    i.e.: mbam-setup.exe ---> mmmbam-setup.exe

    I did this with all 3 the install files and I was able to run them afterwards.
    Don't forget to change the .exe file in the Program Folder aswell!

    How did it got solved?
    In the end Malwarebytes' Anti-Malware has solved the problem.
    I installed the program and updated it.
    Then I checked at the settings tab --> Terminate Internet Explorer during removal.

    After the scan it found 2 items in C:\Windows\System32
    • H8SRTbaisltbuht.dll
    • H8SRT
    Those were deleted and the problem was solved.

    Thanks anyhow for the nice forum.

    Tompieee
     
  4. Tompieee

    Tompieee TS Rookie Topic Starter

    It's not fixed

    Yesterday seems to be an illusion.

    I restarted the computer again,
    and noticed something went wrong.
    The speed was abnormal and so was the wireless connection.
    I checked task manager and found the iexplore.exe active again.

    Here are the 3 files you asked for in the 8 steps.

    Thanks
    Tom
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job Tom! I was just going to stop by and ask you to continue.

    Please tell me what your status is with an antivirus program. I only see this one entry:
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

    There is a lot to do and it's important you do it in the order I have given. I encourage you to print it all out so you can easily follow alone.

    H8SRT is the Trojan (Rootkit.TDSS). Unfortunately it isn't as easy as deleting one file. In addition to this the DNS changer was found, so let's work on that first:

    DNS Changer: Please print this out and follow it exactly:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.-

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5].With the router unplugged, start your computer. Run MBAM again.
      [6].Connect to the router again. The turn the router back on.
      [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    __________________________
    New Directions
    You also have the Rootkit TDSServ so now we work on that:NOTE: I have edited the instructions for th TDSSServ Rootkit. If you have NOT done the other, please do this instead:
    • Download TDSSKiller.
    • Extract the zipped file to your desktop.
    • Go to Start ->Run. Type/Copy and Paste the following text into the prompt:

      Code:
      "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
      The screen will resemble this black screen:
      [​IMG]
    • This will have the program write a detailed log
    • When its work is over, upon detection of malicious services and files the utility prompts for a reboot to complete the disinfection.
    • Click OK.
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
      [​IMG]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).Follow the prompts and attach the report to your next reply.
    End new directions

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please include all reports and logs in your next reply. Hopefully this will remove most if not all of the malware entries. And we can go from there. By the way, I'll have you remove all the cleaning tools and old restore points when the system is clean.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    NOTE: I have changed the directions and programs for the TDSServ Rootkit. in Reply #5. If you have not started on the original, please use the new instead. If you did start on the original complete the process and attach all appropriate reports and logs.

    This is only for the TDSSserv infection- all other remains the same.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...