2 iexplore.exe running - Tried many solutions

Status
Not open for further replies.

Emre

Posts: 31   +0
Hi, i'm new to this site so i hope i won't do anything wrong. Now, i've got a big problem; i downloaded a software which i thought was trustable, got tricked, now i am pretty much in trouble. When the malware-spyware-virus-whatever first got installed, i had windows defender, mcafee and malwarebytes up and running, none of them were able to see or stop the process. Of course, when the malware started replicating itself and spreading, i googled every single malicious software trace my pc found and searched 2 long days for a solution. I downloaded PC Tools Spyware Doctor, SpyHunter, SuperAntiSpyware and scanned my pc with all 6 of the tools many times. They found and removed many threats, i deleted many cookies and some registry files, although i wasn't able to stop the 2 iexplore.exe's from opening. They are running at the same time, while there is no explorer open and when i try to close them, they reopen themselves. I looked at the other threads and a few people had similar problems but before using them i knew i had to post a hijackthis log (which is something i am new to, again.) and let you examine it. I really need your help; i can't find anywhere else on the whole web to help me.


edit : i looked around in your forum more, found you suggested another person to delete
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
i took that advice and deleted it.
I also deleted a "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)" too.

The only change in my hijack log is that for now.


edit nr. 2 : my newest superantispyware scan found only cookies (well, 75 of them) most of them were not harmful although i chose to delete them. Not attaching the scan log as i could see nothing other than cookies. Hope someone will be interested in this problem of mine - haven't been replied for 15 hours now. (oh and now i can stop iexplore.exe processes via task manager if i close both of them very fast and do it a few times. They reopen themselves 5-6 times and then won't open again.) At the same time, now i seem to have something related to my connection too; don't know if it's my internet provider or not but the connection stops working for like ten minutes every day. I will post another hijackthis log to this thread
 
alright just because nobody answered your question i thought too help ou a bit i too was facing this problem but that appeared one day and disappeared suddenly the next day.but your seem to be different
do one thing click on the process and click on go to the file location and check if both of them are pointing to the same file or not.

Hope some expert may look into your problem ,No offense.
 
Hi Emre :wave:

I'm not one of the malware experts but can mention a couple things.

First, remember this is a weekend and everyone who helps on here does so on a voluntary basis... so the weekends can be a bit quieter. So it can sometimes take awhile for someone to respond (and take an even longer time on the weekend!) so certainly don't take anything personally (i don't think you did)

With that said, on to your topic. Since you had an infection you should read this post, follow the steps indicated, and post the logs as indicated.

As for your HJT, i'd note
1. Do you know what these are? suspicioius to me (unless u know them)
O4 - HKLM\..\Run: [Internet Ooze] "C:\ProgramData\Greyreadmereadme.5m6fw"
O4 - HKLM\..\Run: [Balm Inter First Four] "C:\ProgramData\grid corn plan.mbjssrk"
2. You can upgrade your java to version 6 update 10

Also, just fyi, i did see the iexplore.exe in previous log. I'm not saying it wasn't marewalre related BUT
- The full path for both were: C:\Program Files\Internet Explorer\iexplore.exe which is correct (malware often puts itself into different directories, using same file name)
- Next time check the user for both instances. Normally you see one. Because you're the only user running ie. If a second user is running ie you will see two. So you also want to look at the users for those types of cases
 
I didn't even think it was weekend and that people wouldn't be here :) Thanks for pointing it out. I will do scans with malwarebytes and sas - attach their logs in my next post. As for the ie, i'm not using internet explorer in any way, they open by themselves and won't just close easily. It obviously is the job of something harmful. Now updating my java too btw. Thanks a lot for the response (i would really not realise it is weekend, seemingly midterms really do pack a big fat punch in my face.)
 
Hi Emre

Reboot clean run no other Apps.

As LookinAround suggested go there and do all 8 Steps carefully and completely!

Attach all the logs.

Then Reboot to Safe Mode only (not with networking) and run MalwareBytes and SAS Full Scans again until they either come up clean or find something they can not clean.

Then reboot back to normal and attach yet another HJT log.

Mike
 
Newest form. I really can't believe how i got tricked into poisoning my own computer after all these years :)
 
Hi Emre

You did an absolutely fabulous job. If with the others I have been dealing with would follow instructions.

I want your opinion of look and feel how is the computer running now?

Meanwhile I am composing another post! So standby a few!

Mike
 
Emre you logged off hopefully for other reasons don't stop till the Fat Lady sings!!!!!!!!!!!!!!!!!!!!!!!!!!

Basically due to the fact that you have so many svchosts running (I see nothing in the logs except some useless startups) I still have suspicions. Hence this hopefully last 2 procedures.

These 2 will either fix or expose the final problems.

Reboot clean run no Apps!

Download SDFix to Desktop among other things it runs GMER and Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into regular Safe Mode (not with networking)

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click to execute RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished, hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.

Attach the Report.txt file to your next post.

=========================================
Immediately without executing other Apps do the following

Download OTScanIt:

http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe

Close all Apps and Browsers

Download and save to Desktop and Dbl Click to extract the files to an OTScanIt Folder.

If Firewall or other Security or Malware protections pop you should allow them to let OTScanit to run.

Enter the OTScanit folder and run OTScanit.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

Top Left click Run Scan.

The scan can take some time so allow it time.

Then finished a log will open, save log, post back as an Attachment.

=========================================

Then reboot and post yet another hopefully final HJT log.

Mike
 
Thanks for the help, although i wasn't able to access both of the sites :) it's because of the links i think, they lead me to good old "404 not found"s; can you repost them or edit your post to show the whole names? The computer is better but i still know something is not right. I experience abnormal things when closing, rebooting, a few graphic card errors and stuff i don't get normally. When i do what your last post states i think they will be gone.



edit : (It's really late in my country right now, that's why i'm logging off now, will see your new post tomorrow i guess. You've been most helpful, Mike, if we are able to get this thing up and running flawlessly again, i guess i owe you a drink some day!)


Ok, i was able to find both of the programs later when i wisened up and googled. No need to repost anything.
 
Thanks Emre perhaps my links changed and i did not know it!

Good night
Mike

EDIT: I repasted the same links from the same source and they now work?????
 
I couldn't get SDFix to work, i guess because of something related to vista but i got the OTScanIt log right here. Took a look, it's so long... :) 654 kb, i tried to upload in rar format but i know you wouldn't open it, it didn't let me do so. I had to maximise my creativity ( :p ) and break the scan log into 4 pieces, that way the site would let me upload it. Please copy txt 1,2,3 and 4 files and paste it to each others end, that is our otscanit log. When i come home i will look here again. Thanks.
 
Spyware doctor caught something trying to access it's server, it is named "Trojan.Storm_Infection_Server". Although on web it says Spyware Doctor can remove this, it can't find the file (SDoctor is updated and i did a full sys scan.)


Windows Defender won't update itself, Error code : 0x80070422
 
OK Emre

I think Spyware Doctor is finding traces which we will handle shortly.

I forgot both that you are running Vista and that SDFix will not run in Vista. Sorry it is easy to do a lot to keep up with.

D/L Xclean_Micro

http://www.xblock.com/download/xclean_micro.exe

No install needed, run it delete all it finds decline to reboot on each item found, until the program finishes then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Then boot to safe mode only and run first SAS then MWBAM. Both of these sometimes need to be run twice or more.

But configure SAS as below.

In SAS Under Configuration and Preferences, click the Preferences button.
Then Scanning Control.
In Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Leave the others as they are.

Click Close button to exit control center.
On main screen, Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

It will take while as it scans your computer.

After the scan, a summary box will popup. Click OK.
Make sure all in the white box has a check next to it, click Next.
It will quarantine what it found, and pop up a log file. Attach log file back to Thread.

If asked to reboot, click no and

run MWBAM once more and even again until clean.

If you missed the log file or cannot post perhaps in Safe Mode then....

To retrieve the log do the following:

After reboot, double-click the SUPERAntispyware icon on desktop.
Click Preferences-Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. It will open..
In notepad, then save as sas.log.
Close SAS.

Attach saslog back to thread with a new HijackThis log.

Mike
 
Thanks for your help, will start doing all of these now; you'll have all you wanted asap.

Edit: Here you go

Ok, now i seem to have no adware at all, no 2 iexplore.exes or nothing like that, but something freaked me out just now. I had 2 explorer.exe's this time, both coming from the same sys32 directory (the normal one that they should run from, i know the drill.) i looked at the folder options from my computer, the choice you would tell me to uncheck is not checked (the one that makes several copies of explorer.exe appear.) i stopped both two explorers and from "run" i opened normal explorer. No other explorer.exe's have popped; but i still think i may have been hacked in some way. Is this the case? Or is more than one explorer.exe possible to just pop up for any reason that may not point a hacker nerd extremely interested in my bank accounts that i wouldn't ever manage on internet?
 
Hi Emre

This is possible without issues

There are settings for running Explorer Folders and IE and others to run in a seperate process.

Open some folders and IE then run taskmgr and watch them as you close.

I think they will all be gone after you close everything.

Let me know!

Later my friend,
Mike
 
Status
Not open for further replies.
Back