IEXPLORER running randomly in background


surfersaiyan

Hey guys,

I got a dodgy file on my system the other day.. "a.exe" (downloaded to C:/program files/firefox).

ZoneAlarm picked it up and I immediately prevented it from running, located it and shredded it. No recurrence.

But it seems that since then IEXPLORER.exe runs randomly in the background when I check Windows Task Manager. Is it possibly related?

I don't use IE and would be more than happy to disable the shyster completely.

Any tips?
 
One or more files with the name A.EXE creates or modifies the following registry keys and values:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main : DisableScriptDebuggerIE = yes
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main : "Error Dlg Displayed On Every Error" = no


And no, you should not use IE7. Internet Explorer is the most used browser out there, and therefore the most targeted browser by malware writers.

That's a nasty infection if it penetrated your security; see -> http://www.prevx.com/filenames/X8510371679546213-X1/A.EXE.html

With that being said, I would encourage you to read "Is your system infected? Read this before Cleaning or Formatting" prior to deciding if you would like to clean your system.


***If you decide to clean your system please do the following in addition to following the 8 step preliminary instructions***

Prevx CSI
  • Download from http://www.prevx.com/freescan.asp
  • Launch Prevx CSI
  • Select Check for updates
  • Select Scan Now
  • Select Tools and Settings
  • Select Save Scan results
  • Attach the log it saves back here
 
Thanx for the advice, and the slight sarcasm regarding IE was thoroughly appreciated, Kim!

I have to say the slightly smug feeling of an apparently 'clean' system vanished without trace upon running MBAM, then SAS and then HJT. Bugger.

I thought it was just a single dodgy file, but those scans showed up heaps.

@Blind Dragon.

When attempting to download that Prevx CSI the file name was just a bunch of numbers and it weirded me out. So at this stage I haven't done anything with that.

But if you guys'd take a look at my logs and let me know what you think, I would be very humbly appreciative.

Cheers, the Saiyan.
 
Even someone with 80 posts has this issue; obviously it's not a new-member issue.
I wonder if the guide should really emphasize actually REMOVING the found entries :confused:

Anyway...

-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes.
Confirm it is updated (third tab).
Then do the above quoted message, but this time "Remove all found issues".

Edit:
And I humbly disagree with BD that you should not use IE7.
When noticing users using IE (through the HJT logs) I never say to use Firefox instead, nor would I say anyone should give such poor advice to a user. Not that that is the case in this thread though. Thankfully most of the world still uses IE without issue, me being one. IE is not the problem. As I mentioned once in a thread, I argued that IE is actually OK to use. Get on the phone, don't you realize that our kids use IE in all public schools? Pure madness! :p
 
C'mon Kim, you know me, I'm no 5-post monkey! :monkey: hehe.. But seriously, did the MBAM log show that I hadn't deleted the selected items?

Because I was sure I did, and having re-run MBAM, SAS and HJT it seems I did everything right, :)p) because all that nastiness that came up before seems to have gone.

Does this mean I can go on another prno rampage? KIDDING.. I'm gonna try and behave myself a bit more now, be a bit more careful..

Humble pie eaten graciously as usual, with a side serve of embarrassment.

The Saiyan
 
Well, still infected anyhow, sadly :(

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Afterwards, attach rapport.txt and a fresh HijackThis log.
 
Cheers Kim. I'm a bit baffled where these little sneakers keep popping up from, but you're the man here.

SmitfraudFix done (in Safe Mode) and logs attached as requested.

Come on, come on, come on this time!!

Fingers crossed!! (cause they don't seem to do much finging).
 
Hmm, I'm not quite sure why all these RunOnce entries are there :confused:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
Obviously you are using nLite?
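The RunOnce lines above are the kind of thing a log reviewer checks by hand. As an added example (written for this page, not code from the thread, from HijackThis or from nLite), the Python below parses HijackThis O4 lines, groups identical RunOnce commands across the per-user hives, and pulls the .inf name out of "rundll32 advpack.dll,LaunchINFSectionEx" commands. The point it makes is that one installer setting written into SYSTEM, LOCAL SERVICE, NETWORK SERVICE and .DEFAULT shows up once with four hives, rather than as four separate findings, while a RunOnce entry that names no INF is left for manual review. The sample input is constructed from the six lines quoted from the poster's log.

```python
"""Triage helper for HijackThis 'O4' autostart lines (added example, not part
of the thread, HijackThis or nLite)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the six O4 lines quoted from the poster's log.
SAMPLE_O4_LINES = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
"""

# HijackThis writes "O4 - <hive>\..\<Run key>: [value name] command (User 'name')",
# where "\..\" stands for Software\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>[A-Za-z]+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# "rundll32 advpack.dll,LaunchINFSectionEx <file>.inf,<section>,..." is the
# standard way an INF-driven install registers its own follow-up step.
INF_RE = re.compile(r"advpack\.dll,LaunchINFSectionEx\s+([^,\s]+\.inf)", re.IGNORECASE)


@dataclass(frozen=True)
class O4Entry:
    hive: str      # e.g. HKCU or HKUS\S-1-5-18
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line stored in the value
    user: str      # account HijackThis resolved for an HKUS hive ('' otherwise)


def parse_o4(line: str):
    """Parse one log line; return an O4Entry, or None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["key"], m["name"], m["command"], m["user"] or "")


def parse_log(text: str):
    """Return every O4 entry found in a block of HijackThis log text."""
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e is not None]


def group_runonce(entries):
    """Map (value name, command) -> sorted list of hives, RunOnce entries only.

    The same command replicated into every loaded hive is one setting written
    once by an installer, so it is reported once together with its hives.
    """
    groups = defaultdict(set)
    for e in entries:
        if e.key.lower() == "runonce":
            groups[(e.name, e.command)].add(e.hive)
    return {k: sorted(v) for k, v in groups.items()}


def inf_source(command: str):
    """Return the .inf file named in a LaunchINFSectionEx command, else None."""
    m = INF_RE.search(command)
    return m.group(1) if m else None


def triage(text: str):
    """One summary row per distinct RunOnce command found in the log text."""
    rows = []
    for (name, command), hives in group_runonce(parse_log(text)).items():
        rows.append({"name": name, "command": command, "hives": hives,
                     "hive_count": len(hives), "inf": inf_source(command)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_O4_LINES):
        verdict = (f"INF install step ({row['inf']})" if row["inf"]
                   else "no INF named; review manually")
        print(f"[{row['name']}] in {row['hive_count']} hive(s): {verdict}")
```

Run on the sample, it reports nltide_3 once, present in four hives and naming nLite.inf, and ShowDeskFix once in a single hive with no INF named; the second is the one worth a closer look, the first points straight at the tool that wrote it.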
 
If you don't get it, then I don't either!!

Am I clean yet? And what is nLite?

Edit:

I just looked up nLite, on TechSpot of course. I do run a version of XP Pro called 'performance version' which has heaps of stuff stripped out. I wonder if the creator of this version used nLite to do that.. hmm
 
And I humbly disagree with BD that you should not use IE7.
When noticing users using IE (through the HJT logs) I never say to use Firefox instead, nor would I say anyone should give such poor advice to a user. Not that that is the case in this thread though. Thankfully most of the world still uses IE without issue, me being one. IE is not the problem. As I mentioned once in a thread, I argued that IE is actually OK to use. Get on the phone, don't you realize that our kids use IE in all public schools? Pure madness! :p

It's not that IE is the worst browser, but it is still by far the most used browser and therefore attackers will try to find these vulnerabilities. Whatever browser is the most popular will always receive the most attacks.

http://news.bbc.co.uk/1/hi/technology/7784908.stm

"Microsoft says it has detected attacks against IE 7.0 but said the 'underlying vulnerability' was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified."
 
Yes, I've since learnt about this; it may have been approx a week ago when I did :blush:
There is already a workaround for this issue at MS, but I don't believe it has been fully rectified as yet. As a good measure I have completed all the IE recommendations, which were enabling DEP; manual registry editing\removing; security on high etc.

But one last recommendation was to use another browser! (That doesn't help my original argument!)
So I'm presently on Firefox!
 