Multiple instances of iexplore.exe in background

Status
Not open for further replies.

newbie77

Posts: 9   +0
It sounds like I also have the common problem of multiple iexplore.exe running in the background. I can kill them off, but they keep starting back up. I don't know if it's related (it seems like it), but my audio driver keeps getting corrupted and no sound comes out of the speakers when the processes start. I can re-install the driver, but within minutes or less, the sound goes away again.

I've attached the log files per the instructions.

Your help is very much appreciated.
 

Attachments

  • mbam-log-2010-07-18 (22-41-48).txt
    896 bytes · Views: 2
  • gmer.log
    4.7 KB · Views: 1
  • DDS.txt
    29.1 KB · Views: 1
  • Attach.txt
    30.2 KB · Views: 2
It looks like you have had a lot of problems configuring the Sigmatel Audio. Have you checked to see if there is an update on their home site?

Multiple antivirus programs:
You have also installed and removed AVG several times. Now you are running both AVG and McAfee. There are numerous errors because McShield is trying to start and fails. It appears that your antivirus program is actually Avira. Having multiple AV programs makes the system more vulnerable and slows it down.
The logs show the following:

1) You installed Avira: 2010-07-17
2) 2 copies of AVG9, updated on 2010-07-16
3) McAfee was already running. Current update on 2010-07-15 20:38:38
Please decide which you want to keep and remove the other. Here are tools to help; only download the tool for the programs you are removing:
McAfee Removal
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.
Please reboot the computer when finished.

Multiple iexplore.exe processes are normal for IE8. But malware can also 'hide' in the entry. One of them on your system is:
Name: IEudinit
Filename: ieudinit.exe
Command: C:\Windows\ieudinit.exe /waitservice
Description: Added by the Troj/Ezio-I Trojan.
File Location: %WinDir%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
========================================
There are some other entries that need to be moved. After you get the antivirus program down to one and rebooted:


Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
==========================================
Choose v2.0.4:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
================================
Please uninstall all the old versions of Java. You have several, and these are vulnerabilities. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Paste the logs into your next reply.
 
Thanks for the quick reply.

I've removed McAfee virus software and kept Avira. When I ran Combofix it kept saying that Avira was actively scanning, although I turned off everything I could find within the Avira console. If I'm missing something and Combofix was not able to run properly, please let me know.

Log files are attached. I tried pasting them, but ran over the limit for number of characters. Sorry.

One other question, I've updated Java, but I also have a "J2SE Runtime Environment 5.0 Update 6" Is this a different program than Java (TM) 6 Update 21 or is it an older name? Should I remove the J2SE Runtime Environment?
 

Attachments

  • Combofixlog.txt
    36.2 KB · Views: 2
  • hijackthis.log
    9 KB · Views: 1
Most unusual! Did you see all those Avira entries in the Combofix log? It looks like you actually have 2 separate processes:
1) AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
This is an antimalware scanner from Antivir. Image and description here: http://www.2-spyware.com/remove-antivir.html

2) AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
This is the free Avira antivirus program. Description and image here: http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html

Surely this naming was meant to confuse the average person! Additionally, you had the AntiVir Desktop Service running. I have moved it and stopped the Service. If you decide to use it in the future, you can download it again. But because of the confusion it causes and the fact that the spyware scanning part is not well reviewed, you can do better.
==================================
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\31937.dat
c:\program files\28312.dat
c:\windows\system32\gcwqipbn.zct
c:\windows\system32\5368E566E1.sys
c:\windows\system32\E166E56853.sys
c:\program files\Avira\AntiVir Desktop\sched.exe

Folder::
c:\documents and settings\All Users\Application Data\avg9(2)
c:\program files\Common Files\McAfee
c:\program files\McAfee
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\Norton
c:\program files\Norton Security Scan
c:\documents and settings\All Users\Application Data\Norton

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GCWQIPBN]
"ImagePath"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-2365357053-2355510586-3484095229-1007\Software\Microsoft\Windows\CurrentVersion\Shell 
[HKEY_USERS\S-1-5-21-2365357053-2355510586-3484095229-1007\Software\Microsoft\Windows\CurrentVersion\Shell 

Driver::
GCWQIPBN
AntiVirSchedulerService
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into your next reply.
====================
See next post when finished.
 
Since you have multiple antivirus processes running, I removed what should be the 'left-overs'. But to make sure, I'd like you to run this security check.

Be sure you have rebooted after finishing the above programs. Don't do a Restart; shut down, then start up again, then run this:

Security Check

Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
 
Bobbye, thanks for your continued help. I really appreciate it. Once again, the Combofix log is too large to paste. I've tried to delete some of the redundancies, but it's way too big.


I don't know what is going on with Avira/AntiVir. It is my intention to keep only Avira, and I can't find any evidence of AntiVir in my system. I'd get rid of it if I knew how.

The Security Check log is:


Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.0.42.34
Adobe Reader 9.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 

Attachments

  • Combofixlog.2.txt
    54.5 KB · Views: 1
Your system should be flying now with all the 'left over' redundant AV programs! I don't know why Combofix is reporting all those Avira entries. I've never seen them put out like that!

About Avira: as far as I can tell, you have an old version installed:
Avira AntiVir PersonalEdition Classic 7.06.00.268

Current Free AV:
Avira AntiVir Personal - Free Antivirus 10.0.0.567

-or-
You have downloaded the newer version but it did not overwrite the older version. Check Add/Remove Programs and look for the Avira entries there. Then check the program folders using Windows Explorer: Windows Key + E > click on My Computer > double click on Local Drive (C) > Programs > find the Avira folder(s) and do a right click > Properties to check the version.

If you have both versions, remove the older one and be sure the new one is updated.

I need to check 2 Registry keys:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\popcinfo.dat
Folder::
c:\documents and settings\Wright\Application Data\McAfee
Registry::
RegNull::
[HKEY_USERS\S-1-5-21-2365357053-2355510586-3484095229-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3B90BD17-40C3-8093-1E54-43F8BD842568}*]
[HKEY_USERS\S-1-5-21-2365357053-2355510586-3484095229-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7D1A2018-1948-A0F2-7D57-8F391EC51C95

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Are you still getting games from this site? If not, it should be removed as it usually brings adware with the games and occasionally spyware: hxxp://www.popcap.com/webgames/popcaploader_v10.cab

NOTE: the above has been changed as to not have it as a hyperlink. If you want to check the site, change the hxxp to http.

Tell me please what problems out of the original remain- if any.
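The two CFScripts above use ComboFix's section format (File::, Folder::, Registry::, RegLock::, RegNull::, Driver::). Added example, not ComboFix code: a small parser and lint pass that catches the kind of slip visible in the thread, a registry key line that lost its closing bracket, an empty section, or an entry before any header, before the script is dragged onto ComboFix.exe. SAMPLE is constructed to mirror the thread's entries; the SID is a placeholder.

```python
import re

# A section header is a bare word followed by '::' (File::, RegLock::, ...).
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# A registry key entry: [HIVE\path...] with an optional trailing '*' wildcard.
KEY_RE = re.compile(r"^\[(HK[A-Z_]+)\\.*\]\*?$")
KNOWN_SECTIONS = {"File", "Folder", "Registry", "RegLock", "RegNull", "Driver"}

# Constructed sample; the second RegLock key is deliberately truncated,
# like the lines in the thread that end at '...CurrentVersion\Shell'.
SAMPLE = r"""File::
c:\windows\system32\gcwqipbn.zct
c:\program files\Avira\AntiVir Desktop\sched.exe

Folder::
c:\program files\McAfee

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GCWQIPBN]
"ImagePath"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-EXAMPLE-1007\Software\Microsoft\Windows\CurrentVersion\Shell

Driver::
GCWQIPBN
"""

def parse_cfscript(text):
    """Return {section: [entries]} in the order entries appear."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()            # drop the stray tabs/spaces forum pastes add
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections

def lint_cfscript(sections):
    """Flag unknown/empty sections and registry keys that are not bracketed."""
    problems = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            problems.append("unknown section %s::" % name)
        if not entries:
            problems.append("empty section %s::" % name)
        if name in ("RegLock", "RegNull"):
            problems.extend("malformed registry key in %s:: %s" % (name, e)
                            for e in entries if not KEY_RE.match(e))
        if name == "Registry":
            problems.extend("unexpected Registry:: line: %s" % e
                            for e in entries if not e.startswith(("[", '"')))
    return problems

def cfscript_problems(text):
    return lint_cfscript(parse_cfscript(text))
```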
 
Thanks a bunch Bobbye,

I don't know what to think about the Avira issue. I completely uninstalled it, searched for any file named Avira (nothing), looked in msconfig under both Services and Startup and there was nothing. Yet Combofix still came up with the error message. I've since gone back and re-installed the latest version of Avira.

I've learned a little more about the symptoms today. First, as I said before there are multiple iexplore.exe running in the background. I never use Internet Explorer. Occasionally audio advertisements start up and if I quickly go into taskmanager and delete the iexplore.exe processes, the advertisements stop instantly. I've also found out that they don't corrupt the audio drivers, they simply screw up the Wave volume. I installed a volume control and as soon as I change the wave volume, the sound comes back. I saw the same complaint on another thread.

Don't know if it's related, but the Internet Options in my Control Panel is also messed up. When I double click it, a window appears for a brief moment then goes away. If I try to open Internet Explorer 8, all of the menu and toolbars are missing. I don't care about IE8, but would like to know if it's a virus issue or something else.

I've tried to paste the log file, but again it's too big, even if I delete the redundant Avira error messages.

Thanks for taking a look.
Steve
 

Attachments

  • Combofixlog.3.txt
    41.6 KB · Views: 1
Steve, I should have had you run this sooner. We are seeing the multiple iexplore.exe problem with malware frequently:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
 
OK, here's the report from Remover. I have no idea what it means, but I'm assuming an unknown boot code isn't a good thing!

Thanks Bobbye.


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
Boot sector MD5 is: b19ee33a0168d5f0bb9afbe12e2bc035

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As> Choose Save as type ALL FILES
  • Type fix.bat in the FILE NAME box
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to Run
    (You may see a black box appear- this is normal)
  • When done, run remover.exe again and post its output.

Do NOT reboot computer!
 
Thanks a bunch for the help.

I ran the fix.bat and two windows appeared. One seemed to run successfully and the other didn't seem to do anything. Don't know if this is a problem.

Here is the remover.exe output


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
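The two Bootkit Remover reports above show what the tool is checking: it hashes the 512-byte master boot record, reports the volume's byte offset on the physical drive, and calls the boot code "Unknown" when it does not match code it recognises. Added example, not eSage Lab code: a Python routine that does the same inspection on a constructed MBR. build_sample_mbr, KNOWN_GOOD and the partition layout are assumptions; the hashes in the thread are not reproduced.

```python
import hashlib
import struct

SECTOR = 512
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    """Constructed MBR: dummy boot code plus one active NTFS partition whose
    first sector is 80325, i.e. byte offset 0x02738a00 as in the thread."""
    code = b"\xEB\x3C\x90" + b"\x90" * 437                  # 440 bytes of boot code
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # signature + 2 reserved
    part0 = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 80325, 155_000_000)  # ~74 GB
    return code + disk_sig + part0 + b"\x00" * 48 + b"\x55\xAA"

def parse_mbr(mbr):
    """Validate the sector and return hashes plus the decoded partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, mbr, 446 + 16 * i)
        if ptype:                                   # type 0 = empty slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "offset": lba * SECTOR, "bytes": count * SECTOR})
    return {"code_md5": hashlib.md5(mbr[:440]).hexdigest(),   # boot code only
            "sector_md5": hashlib.md5(mbr).hexdigest(),       # whole sector, as the tool prints
            "partitions": parts}

def mbr_status(info, known_good):
    """OK when the boot-code hash is in a baseline taken from a clean system,
    otherwise the remover's 'Unknown boot code' verdict."""
    return "OK" if info["code_md5"] in known_good else "Unknown boot code"

def report(mbr, known_good):
    """One-line summary in the style of the remover's table."""
    info = parse_mbr(mbr)
    size_gb = sum(p["bytes"] for p in info["partitions"]) // 10**9
    return "%d GB \\\\.\\PhysicalDrive0 %s" % (size_gb, mbr_status(info, known_good))

if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = {parse_mbr(clean)["code_md5"]}       # KNOWN_GOOD recorded while clean
    print(report(clean, baseline))
    for p in parse_mbr(clean)["partitions"]:
        print("volume at offset 0x%016x" % p["offset"])
```

A bootkit only needs to change the 440 code bytes; the partition table and signature stay valid so the machine still boots, which is why the baseline compares the code hash rather than just checking that the sector is well-formed.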
 
I'm still having the issue of pop-up audio ads running spontaneously and then they appear to set the wave volume to zero and, thus, the sound goes away. When I look at the volume control, the wave volume setting doesn't show zero, but if I click on the sliding volume bar the sound comes right back on.

The pop-ups appear to somehow hijack iexplore.exe because when the ads come on, I can go to task manager and kill the iexplore.exe processes and they immediately stop.

The sound issue is an annoyance for sure, but my bigger concern is that I still have something on my computer that shouldn't be there and I'm reluctant to use the computer for any banking or business purposes until I can get rid of it.

Thanks.
 
Found something a little different today. Still getting the pop-ups, but no iexplore.exe running at all. I don't know what has changed, I haven't done anything to the system since we last conversed.

Stupid primescratchcards.com!
 
The intermittent pop-up audio ads are about it. They occasionally seem to reset my wave volume to zero so my sound goes away. Other than that, I haven't seen any more issues.

Thanks,
Steve
 
Well, you did do something- you cleaned the MBR! Post #10.

This problem seems to be all over- it's a trio of pop-up IE Windows, audio in the background and WAVE sets to zero. Running the fix.bat helps as you've seen. I am still trying to nail down the audio/WAVE problem. Stick with us. I would guess that all of us who assist with cleaning are trying to grab this one!

Which browser is your default? If it's Firefox, see if using these add-ons will help with the audio:

AdBlock Plus
Easy List
 