TechSpot

Multiple instances of iexplore.exe running in task manager

By edcox12314
Jun 17, 2009
  1. I am not very tech savvy but I have several instances of iexplore.exe running in my task manager. In addition, I will get random audio coming from what I can only assume are pop-up ads running in Internet Explorer. I downloaded HijackThis and have attached the log. I ran this log through an automated analyzer and tried to fix the issues identified but I am still having the issues and the items that I fix keep coming back when I run another HJT scan.

    HELP
     

    Attached Files:

  2. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    I guess everyone is laughing at the newbie. Oh well, I'm in the process of trying the 8 steps. Maybe that will bear some fruit.
     
  3. mflynn

    mflynn TS Rookie Posts: 2,793

    No one is laughing!

    2 Iexplorers is normal for IE8.

    Get us the 8 Steps!

    Mike
     
  4. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    I guess my initial post was a bit incomplete. The 2 instances run when I am not browsing. When I end the process, they come back and if I leave them running for any length of time I end up hearing streaming video in the background and then eventually the computer crashes. Sorry for the smart aleck remark, but I am a bit frustrated at this point.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,793

    OK that clarified it so get us the 8 Step logs.

    Mike
     
  6. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    I'm having issues getting the Malwarebytes and Super AntiSpyware to load on my computer. I need to download the Malware software twice to get it to complete the install but once complete the software won't run. The Anti Spyware just won't install.
     
  7. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    The Malware program gets hung up once it gets to the finishing installation. The Antispyware installs ok but when I try to run it, it encounters an error and shuts down.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Boot to Safe Mode with networking and try again!

    Mike
     
  9. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    OK that worked. Here are the logs. Thanks in advance for having a look see.
     

    Attached Files:

  10. mflynn

    mflynn TS Rookie Posts: 2,793

    Oh Geeze! That's what Jed Clampett meant by "Wheee Doggie!"

    Update and run both MBAM and SAS again as both had and removed much malware. We now need to confirm they find no more. Post the logs if they find anything. We are looking for clean logs. Try in normal mode but if you have problems go Safe mode.

    Only when you have clean logs above do the below.....

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Last a new HJT log!

    Mike
     
  11. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    OK here are the logs. The Combofix did not give me the option to install Recovery Console.
     
     
  12. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    Any response? What else can I do to get the computer back to normal?
     
  13. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    Once I have completed this process, will it be safe to back up my data and application files (Word, Excel, etc.) to an external drive for transfer to a new system if necessary?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'll try to finish you up. There are a lot of users with malware and fewer volunteers to help them!

    Please run the Norton Removal Tool for the left over Norton Internet Security Suite Service:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    After you have run that tool, check this and make sure the entry is either gone or disabled:
    Open IE> Tools> Manage add-ons> there are 2 sections 1. add-ons currently used and 2. add-ons previously used> look in both sections for the Symantec Download Manager which may show as symdlmgr> highlight the entry> Disable.

    Only if all the malware has been removed.

    It appears that your router may not be installed or configured correctly due to this incomplete entry:
    There should also be an entry in 'running processes' but there is not. Please recheck the router installation.

    I recommend you remove the Ask Bar. If it is listed as the default search engine, change that:
    Internet Options> General tab> See 2/3 of the way down the section "change search defaults"? That's what you want. Click on the button "Settings" right next to that and you'll see:
    Click on the small text link "find more providers" on the lower left corner> Choose Google.

    (Note: AskBar might not be set as the default)

    Reopen HijackThis to 'do system scan only' and check the following entries if present:
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
    O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

    Close all Windows except hijackThis and click on Fix Checked

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Start> Run> msconfig> enter> Selective Startup> Startup tab> Uncheck the following if present:
    All Ask entries
    All Symantec/Norton entries
    Apply> OK

    Control Panel> Add/Remove Programs> highlight any Ask entries> Uninstall
    Then right click on Start> Explore> Programs> right click on any Ask folder> Delete.

    Reboot the computer. Ignore and close the nag message you will get after checking 'don't show this message again.'

    Please run a full system scan with AVG. Save the log and attach to your next reply.
    Follow with new scan from HijackThis. Attach new logs.

    Do any of the original problems still exist? Which?
    Are there any new problems? What?

    EDIT: You'll see this when you come back with the logs. We are glad to help and appreciate it when what we suggest is followed. And it can be a team effort if one member is more experienced in a particular system area.
     
  15. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    Thank you, I will run these processes this evening and post the requisite logs. The assistance I am receiving from the forum is greatly appreciated, thanks again.
     
  16. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    Here are the logs requested. The AVG log was an issue finding and removing two threats but it would only let me save it in a csv file. I have copied the results below. I did not have HijackThis fix the "O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?" because I am running a little unorthodox since the router is not connected to my PC. I am connected to the router wireless via a plug-in receiver. The multiple instances of iexplore.exe are gone and I think all Symantec and Ask entries seem to be gone. The restart of the computer takes forever with all the new items (Adware, Comodo, etc) and my wireless connection is a little unstable. Any other suggestions?

    "C:\Program Files\Trend Micro\HijackThis\backups\backup-20090617-065451-107.dll";"Virus found Dropper.Rozena";"Moved to Virus Vault"
    "C:\WINDOWS\system32\corpo.dll";"Virus found Dropper.Rozena";"Deleted"
     
  17. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    Computer is still a little unstable, especially the wireless connection and internet explorer is very slow to load.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I have already addressed the wireless connection. Did you follow my suggestion?
    I am going to speed up the load time, the surf time and the shutdown time by stopping all unnecessary processes from starting up and running in the background. NOTE: This does not mean you can't use these programs- you can start each of them manually if and when needed:

    Please reopen HijackThis to 'do system scan only'. Put a check by each of the following. Do not click on Fix Checked until you have finished checking all of the entries here:
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
    C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart
    O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    Please close all Windows except for HijackThis and click on Fix Checked.


    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Go to Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK each of the following if present:
    ALL Adobe entries
    ALL Java entries
    realsched.exe
    iTunesHelper.exe
    LWS.exe
    ProcessQuickLink2.exe
    \bin\iPodService.exe
    Logishrd (web cam)
    QCVFX\COCIManager.exe
    Google Toolbar Notifier
    ALL HP\Digital Imaging entries
    realsched.exe
    AppleSyncNotifier.exe
    QTTask.exe
    iTunesHelper.exe
    Reader_sl.exe
    LWS.exe and any other Web Cam entries
    jusched.exe
    MSCONFIG.EXE
    VS7DEBUG (MDM.EXE)
    ProcessQuickLink2.exe
    ALL Kodak Gallery entries
    Google updater
    Intuit Updater
    iPod

    Then: Start> Run> type in services.msc> find each of the following Services and change Startup type as given:
    Google Updater Service (gusvc)> Disable
    Intuit Update Service (IntuitUpdateService)> Manual
    iPod Service> Manual
    Java Quick Starter (jqs)> Disable
    Process Monitor (LVPrcSrv)> Manual
    Pml Driver HPZ12 > Manual

    Handling individual programs (still in Safe Mode):
    JAVA:
    • Open IE> Tools> Manage add-ons> right click on 'Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll)> Click on and Disable Java Plugin2 and Java Quick Start.
    • Stop auto update: Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK
    • Make sure only the current version of Java v6u14 is in Add/Remove Programs in the Control Panel. Uninstall any other versions.

      ADOBE READER:
    • Change the Adobe LM Service to Manual Startup.
    • Only the most current version (now v9) should be listed in Add/Remove Programs.

      REAL PLAYER:
    • If you use Real Player disable the auto-update feature in your Tools- Preferences- Automatic Services- AutoUpdate (In RealPlayer).
      Right click on Start> Explore> Programs> Common> Real Update> right click> delete the file "realsched.exe"

      QUICK TIME
    • Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
    • Rename the qttask.exe file:
      Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

      ITUNES Big resource user!
      (iTunesHelper.exe)
      Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
    • UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.

    Reboot into Normal Mode: NOTE: ignore the nag message and close after checking 'don't show this message again.' Stay in Selective startup.

    Let me know how the system runs after this.
     
  19. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    The computer boots up much faster and seems to be running a bit more efficiently, until I run Internet Explorer. I tried to reply to this post using IE and was unable to send the reply. In Firefox there are no problems. Maybe my system is a little underpowered to run IE 8. Anyway, IE is not my browser of choice so as long as it causes no issues while it's not running I really don't care. I am still running Comodo, Super AntiSpyware and AVG at startup. Is that necessary? Do I have enough security now to avoid "infections" in the future? Any tips on "safer computing"? Thank you very much for all your help, this is our only computer until we get our new laptop (HP G60) so this has been quite inconvenient and your help has been invaluable and again very much appreciated.
     
  20. aqua

    aqua TS Rookie Posts: 64

    Maybe your IE8 is corrupted; try uninstalling.
    On the Microsoft site there is a guide on how to remove it, then update again to IE8.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    IE8 is supposed to be a big memory user and bloated. Try uninstalling IE8 and dropping back to IE7- see how much difference it makes.

    The basic security should be:
    One antivirus program: AVG
    One firewall: Comodo
    2 or more spyware/adware programs: Superantispyware..

    Of the above, consider changing the antivirus to Avira or Avast. We notice that AVG misses some malware that other AV programs find. Suggest you take SAS off of Startup. That will slow you down. Add SpywareBlaster:

    Recommended Free Anti Virus:
    Avast Free: http://www.avast.com/eng/download-avast-home.html
    Avira Free: http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html

    Spyware/Adware Programs:
    Spybot Search & Destroy: http://www.techspot.com/downloads/149-spybot-search-and-destroy-detection-update.html

    SpywareBlaster: http://www.techspot.com/downloads/568-spywareblaster.html

    You can apply all the "pruning" I did to your current system to the new one- some, maybe not all will be on that one also.

    The following is one of the best written for how you got infected and what to do to prevent malware in the future:
    I'd like to make sure all the malware was found and removed:

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please rescan with HijackThis and post fresh log in next reply. We'll go from there.
    Report any current system problems.
     
  22. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    OK, I've uninstalled IE8 and rolled back to IE7 with all current security updates. I'm running AVIRA instead of AVG and downloaded Spyware Blaster (Spybot download did not work). I disabled the AVIRA and tried several times to run the Eset Scanner, but it kept hanging up at around 14%. IE7 seems to work better than IE8 but I have made Firefox my default browser. I've attached an updated Hijackthis log.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No problem. But I'd like you to run a full system scan with Avira> save the log> attach to next reply.

    No malware in HijackThis>

    Open HJT> 'do system scan only'> check the entries below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276}
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab


    Close all but HJT> click on Fix Checked

    Open IE> Tools> Manage Add-ons> locate the following two entries> highlight> Disable:
    Eset online scanner
    yucsetreg or yucconfig.dll.

    Empty the Recycle Bin.

    IF you are not having the original problems and the AV scan is clean, I'll have you remove cleaning tools.

    This was for >> (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
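Added example, not code from the thread or from HijackThis itself: a small Python parser for the log-line formats quoted in posts 14, 18 and 23. It turns O2/O3/O4/O16/O23 lines and R0 settings into records and flags what a helper checks first: CLSIDs on a watch list (here the two AskBar CLSIDs from post 14) and entries whose target HijackThis could not resolve (`= ?` or an empty value, as in the O4, O16 and R0 lines above). The sample input is constructed from the thread's own lines.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines quoted in this thread (posts 14, 18 and 23).
SAMPLE_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276}
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# One pattern per section type used in this thread; other sections fall back to key/value.
PATTERNS = {
    "O2": re.compile(rf"(?P<kind>BHO): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)"),
    "O3": re.compile(rf"(?P<kind>Toolbar): (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)"),
    "O4": re.compile(r"(?P<kind>HK(?:LM|CU)\\\.\.\\Run|Global Startup|Startup): "
                     r"(?:\[(?P<name>[^\]]+)\] )?(?P<target>.*)"),
    "O16": re.compile(rf"(?P<kind>DPF): (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))?(?: - (?P<target>.*))?"),
    "O23": re.compile(r"(?P<kind>Service): (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)"),
}

@dataclass
class Entry:
    section: str  # HJT section code, e.g. "O2"
    kind: str     # BHO, Toolbar, HKLM\..\Run, Global Startup, DPF, Service, other
    name: str
    clsid: str    # "" when the line carries no CLSID
    target: str   # file path, command line or URL; "" or "?" when HJT could not resolve it

def parse_hjt(text):
    # Turn HijackThis log lines into Entry records; lines that are not entries are skipped.
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pat = PATTERNS.get(sec)
        pm = pat.match(body) if pat else None
        if pm is None:
            key, _, val = body.partition(" =")  # R0/R1 settings and unmodelled sections
            entries.append(Entry(sec, "other", key.strip(), "", val.strip()))
            continue
        g = pm.groupdict()
        name, target = g.get("name") or "", (g.get("target") or "").strip()
        if g["kind"].endswith("Startup") and " = " in target:
            name, target = target.split(" = ", 1)  # "Foo.lnk = ?" -> ("Foo.lnk", "?")
        entries.append(Entry(sec, g["kind"], name, g.get("clsid") or "", target))
    return entries

def triage(entries, watch_clsids=()):
    # Entries a helper would look at first: watch-listed CLSIDs and unresolved targets.
    watch = {c.lower() for c in watch_clsids}
    hits = []
    for e in entries:
        if e.clsid and e.clsid.lower() in watch:
            hits.append((e, "CLSID on watch list"))
        elif e.target in ("", "?"):
            hits.append((e, "target could not be resolved"))
    return hits

if __name__ == "__main__":
    ask_bar = {"{201f27d4-3704-41d6-89c1-aa35e39143ed}", "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"}
    for entry, why in triage(parse_hjt(SAMPLE_LOG), ask_bar):
        print(f"{entry.section:<4}{why:<30}{entry.name or entry.clsid}")
```

Point `parse_hjt` at a saved HijackThis log instead of `SAMPLE_LOG` to get the same records for a real scan; an unresolved target is a reason to look, not proof of malware, as the wireless-adapter shortcut in this thread shows.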
     
  24. edcox12314

    edcox12314 TS Rookie Topic Starter Posts: 20

    OK the AV scan found a few items that I had it "repair" and have attached the log. Could not find Eset online scanner and yucsetreg or yucconfig.dll in IE Add-ons. While scanning with AV, Comodo picked up something. I have attached a Comodo log as well. IE is working far better (I used it to reply here) and the system is fairly stable in most respects. The Comodo find was a little troubling but no ill effects yet.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    AV found and quarantined many Trojans. Some remain in the restore points. Do NOT use System Restore or you will reinfect the system.

    Please delete the quarantined items, then Empty the Recycle Bin.

    One of the Trojans is a backdoor password stealer. I advise you to change all your passwords, check internet banking carefully.

    I might have missed this, but it appears that you are using the Comodo Internet Security program that contains both a firewall AND an antivirus program, thus the log. Basically the 2 AV found the same thing, but you need to remove one of the AV programs. You should only run one AV. Please delete anything left in quarantine by the Comodo AV.

    I want you to remove the infected restore points:

    The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
    Do a Disc Cleanup, either with one of the cleaner programs like CCleaner or through the OS disc cleanup.
    Empty the Recycle Bin.

    After you do this, run the antivirus scan again and attach log.

    Are you deleting what the AV programs find and quarantine, then emptying the Recycle Bin? If you are not, please do that, then run another scan with Avira.
     