2 rogue instances of IEXPLORE.EXE running

D3v1an7 ([H]ard|Gawd, joined Oct 22, 2003, 1,256 messages)
I'm not sure that this is the correct place for this so if it isn't, mods please move it.

I have a customer's PC at home that is giving me grey hairs. After cleaning everything else off of it, I still have two rogue instances of IEXPLORE.EXE running in the task manager. When I try to end them, they close and then immediately start up again.

I have already removed quite a few malicious pieces of software as well as viruses but the solution to this is eluding me.

What I have already tried/done:
Updated Adaware 6.0 SE
Updated Spybot S&D
Newest version of CWShredder
Newest version of Stinger
Fully Updated Norton Anti-Virus scan
Unknown version of Webroot SpySweeper scan

I apologize for not being able to post a hijack this log. The computer I am working on is at home and I am now at work.

There are no suspicious processes running in the task manager that could be regenerating IEXPLORE.EXE unless something is running under svchost.

I can't find any suspicious folders on the computer that could point me in a direction to research this further.

Unfortunately I have a couple of handicaps on this repair.
1. There is no NIC in this computer so I can't get it online to run an internet virus scan.
2. I am between houses right now so I don't have unrestricted access to broadband internet.

If anyone knows of any other tools I could use to locate the cause of this I would be very appreciative.

Thanks
 
Buy a copy of XP Lite, and completely remove IE. Turn System Restore off first, so it doesn't put both instances back on the machine. Then, if the owner insists on using IE, put it back. I know, I know... It's a radical idea, but it is all that comes to mind at the moment.
 
This lady doesn't know much about computers. If I try to tell her to use something else, I will only be creating more work for myself.

I have researched this pretty thoroughly and have come up with exactly squat. My only other alternative is a Nuke and Pave.
 
Download a fresh copy of AVAST with the AVAST UPDATE and run it, see if that finds anything.

Also check the registry for any more instances of the viruses or adware (can be tedious).
 
Is that better than a fully updated version of Norton 2002 combined with Stinger?

Is that stand alone? If not, will I have the option of running a boot scan prior to installing the software?


I was thinking, what if this isn't spyware. What if this is DOS or Spam software that has been installed by a hacker through a backdoor trojan that I have already removed?

How could I detect that?

Also, does anyone know of any DLL files that can be used to regenerate processes in the event that they are ended? If I can find this file, I should be able to get the upper hand on this infection.

Thanks
 
blackrino9 said:
Is that better than a fully updated version of Norton 2002 combined with Stinger?

Is that stand alone? If not, will I have the option of running a boot scan prior to installing the software?


I was thinking, what if this isn't spyware. What if this is DOS or Spam software that has been installed by a hacker through a backdoor trojan that I have already removed?

How could I detect that?

Also, does anyone know of any DLL files that can be used to regenerate processes in the event that they are ended? If I can find this file, I should be able to get the upper hand on this infection.

Thanks

Personally I've lost total faith in all forms of Norton AV; I've seen it compromised too many times. AVAST not once.

It is stand alone and does run a very thorough boot scan.

I'm not too sure about your DLL question, but if I were to guess, I would say yes.

If you've installed spyware & Ad-Aware I'd like to say that you're spyware free, but you may still have a virus. Turn off your System Restore, then re-run Norton or AVAST; if the virus/trojan is in there while SR is on, then it will not be detected.

Let us know your results, post some more symptoms and if you now can, maybe a screen shot or two.
 
The reason that I made the curious suggestion that I did is because if you can completely uninstall IE, except the shell integration features, then maybe you can find and delete any references that are not legitimate. XP Lite can remove IE from XP, but I think the program costs around $30, or so. Still, it may be worth it to the lady, if she has a lot of information on the machine that isn't easily backed up. You don't want to Ghost the problem, either. Anyway, once the machine has been cleaned to your satisfaction, you can put IE back. There are places on the net that will tell you how to remove IE without a special program, but the procedure is tedious and tricky. You could kill the install completely. I can't think of a way to clean up the problem without getting IE off the machine, however... at least for a while. What we don't know at this point is whether there is something going on that came in from outside, or if the problem is some bizarre Internet Explorer fault. In any event, it probably needs a wipe, either IE or (shudder the thought) the whole drive. I don't take reformatting lightly, by the way, and try not to do it. I have machines that have been running since 1997 on the original install, so I would jump through hoops before I resorted to that...


...and we're jumpin' already. ;)


Maybe if you can get us that HijackThis log, we can avoid all the hassle.

Regardless, get back to us because I would like to know how this one plays out.
 
I found the answer to my problem with a little bit of Reg hunting. Check out what I found.

-------------------------------------------------------------------------------------------
HKLM/SOFTWARE/MICROSOFT/SHARED TOOLS/MSCONFIG/SARTREG/grim face nurb bits

C:\DOCUMENTS AND SETTINGS\APPLICATION DATA\mail web grim face\
close dumb.exe and
globalrulebyte (system file)

--------------------------------------------------------------------------------------------
HKLM/SOFTWARE/MICROSOFT/SHARED TOOLS/MSCONFIG/SARTREG/deaf road

C:\PROGRAM FILES\tick base cake\
data online bind.exe
bpmvdhov.exe
find.exe
fork vc cash.exe
messalowuser.exe
ba74d174 (system file)

----------------------------------------------------------------------------------------------
I'm not sure which one was the cause or what they are, but after I removed them I didn't have the problem any longer. A quick check on Google shows 0 results for everything that I removed, so I doubt that any of this stuff is legitimate.

The registry entries were hidden from HijackThis and MSCONFIG. The only way to see those entries was to view them in the registry.


I saved all the files to my thumb drive and exported the reg entries and I plan on submitting them to Ad-Aware to examine and include in their defs.
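The entries above were found by walking the registry by hand. Since the poster exported them to a .reg file, the same check can be done offline against that export: parse the `MSConfig\startupreg` subkeys, pull the executable out of each `command` value, and flag the ones that run from a profile folder or carry the random-word names seen in this thread. This is an added example, not code from anyone in the thread; the sample export is constructed to mirror the two entries the poster listed plus one ordinary Windows item, and the value names under startupreg (`key`, `item`, `hkey`, `command`, `inimapping`) are assumed to match what MSCONFIG writes when it disables a startup item. The "suspicious" rules are heuristics for triage, not a verdict.

```python
"""
Parse a regedit .reg export and triage the MSConfig "startupreg" entries in it.
Added example for this thread, not the posters' code. The sample export below is
CONSTRUCTED; the startupreg value names are assumed from MSCONFIG's layout.
"""
import re

STARTUPREG_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

# Constructed sample export (regedit writes UTF-16 with this header; held here as str).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\grim face nurb bits]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="grim face nurb bits"
"hkey"="HKLM"
"command"="\"C:\\Documents and Settings\\Application Data\\mail web grim face\\close dumb.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\deaf road]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="deaf road"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\tick base cake\\data online bind.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon.exe"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
WORDY_RE = re.compile(r"[a-z]+( [a-z]+)+")              # e.g. "grim face nurb bits"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\temp\\")


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ
                keys[current][name] = _unescape(data[1:-1])
            else:                                              # dword:/hex: kept raw
                keys[current][name] = data
    return keys


def exe_path(command):
    """Pull the executable out of a Run-style command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def startup_entries(keys):
    """List startupreg entries as dicts: name, hkey, key, command, exe."""
    prefix = STARTUPREG_PREFIX.lower() + "\\"
    out = []
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "command" in values:
            out.append({"name": path[len(prefix):], "hkey": values.get("hkey", "?"),
                        "key": values.get("key", "?"), "command": values["command"],
                        "exe": exe_path(values["command"])})
    return out


def suspicious(entry):
    """Heuristic triage: reasons an entry deserves a closer look ([] means nothing fired)."""
    low = entry["exe"].lower()
    parts = low.split("\\")
    stem = re.sub(r"\.exe$", "", parts[-1])
    parent = parts[-2] if len(parts) > 1 else ""
    reasons = []
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("runs from a profile or temp folder")
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("outside Windows and Program Files")
    if WORDY_RE.fullmatch(stem) or WORDY_RE.fullmatch(parent):
        reasons.append("name is a run of random lowercase words")
    return reasons


def audit(reg_text):
    """Return [(entry name, exe path, reasons)] for every startupreg entry in the export."""
    return [(e["name"], e["exe"], suspicious(e)) for e in startup_entries(parse_reg(reg_text))]


if __name__ == "__main__":
    for name, exe, reasons in audit(SAMPLE_REG):
        print(("SUSPECT" if reasons else "ok     "), repr(name), "->", exe)
        for r in reasons:
            print("          -", r)
```

Point `audit()` at the text of a real export (`open(path, encoding="utf-16").read()` for a file regedit wrote) and every disabled-startup entry is listed with the reasons, if any, it tripped; the two random-word entries from this thread are flagged, `ctfmon.exe` under `C:\WINDOWS\system32` is not. Anything flagged still needs confirming by hand, as the poster did, before it is removed.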
 
Thanks for all the help. I appreciate the different points of view and suggestions for alternative paths for tracking down the problem.

I'm definitely going to look into getting AVAST for a stand alone virus scanner. If it is everything you say it is and can be run from a thumb drive or CD I will probably become a faithful user.

[H]ardForums ROCK!
 