Iexplorer (X2) showing up in Task Manager, but I'm running Firefox!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MayaWaves, Nov 7, 2005.

  1. MayaWaves

    MayaWaves Private E-2

    I've tried many of the fixes that others have tried with this problem -- but to no avail. I've run Ad-Aware SE, SpyBot and Ccleaner (in safe mode with no internet connection); I've tried downloading and running Microsoft Spyware -- it won't install; I've run Trend Micro's Housecall -- no viruses, BitDefender found a couple of trojans and fixed them -- but the 2 instances of iexplorer are still running when I check the processes running in Task Manager - and they take up valuable memory! What can I do?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. MayaWaves

    MayaWaves Private E-2

    Okay, here's how the tutorial procedures went:

    I disabled system restore, enabled viewing of hidden/system files etc. and I'm only running AVG as my virus protection, although I have been using Spybot S&D, SpySweeper and Stinger and SpyWareBlaster on a regular basis (BUT I had them installed in 'Program Files' -- not in a folder all their own as suggested on your site - they've since been reinstalled in a spyware folder)

    I couldn't install Microsoft Anti-Spyware -- just kept disappearing/closing on me. I did install Ad-Aware, Ccleaner and Spybot with no problems.

    I ran Kaspersky Online Scanner -- found trojans, couldn't figure out how to get it to clean them, so.....
    I ran Bitdefender -- found the same trojans and some other suspicious cookies and fixed them.
    Also ran Trend Micro program -- found nothing.

    Then I disconnected from the internet and ran (in safe mode) Ccleaner,
    Ad-aware, and Spybot S&D -- found nothing.
    I didn't use CWshredder or Kill2Me, as they didn't seem to apply to me.

    Those damn Iexplore.exe processes were still there, so I downloaded, installed and/or ran the alternative scans:

    Ewido: found and cleaned 4 "high" threat bugs, and a bunch of suspicious cookies.
    Stinger: found nothing
    Avast: found nothing
    A-squared: identified Mirc as malware, and even tho' I use it, I let it clean it.

    In order to run HJT in normal mode I used run/msconfig and selected normal mode -- but when I tried to reboot, I was told that windows couldn't open, as a file was missing or corrupt: <windows root>system32\hal.dll. I rebooted using the F8 key and started Windows in normal mode that way. I checked run/msconfig again and normal mode was still selected, so I am assuming that it opened the way that you want it to before running HJT.

    HJT is attached.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.
     
  5. MayaWaves

    MayaWaves Private E-2

    wow, that was a long scan!! Took about 6 hours -- is that normal?? Scan resulted in no problems. While in safe mode, I noticed that the two Iexplorer processes aren't running -- so perhaps I should be running it in normal mode??

    The newest HJT log is attached.

    Thanks for helping, by the way!!

    Mary Lee
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F0 - system.ini: Shell=Explorer.exe C:\windows\system32\lsass64.exe
    F1 - win.ini: run=C:\windows\system32\lsass64.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O23 - Service: CAISafe - Unknown owner - C:\Program\ISafe.exe (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program\VetMsg.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\lsass64.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
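
As an added illustration (not part of the original thread and not a MajorGeeks or HijackThis tool), this Python sketch triages the kinds of log lines flagged in the post above: an extra program appended to Shell=, a win.ini run= autostart, and entries marked (file missing). The function names, the short list of system process names and the look-alike heuristic are assumptions made for this example.

```python
import re

# Core Windows process names that malware often imitates (short, illustrative list).
SYSTEM_NAMES = ("csrss", "lsass", "services", "svchost", "winlogon")
MISSING = "(file missing)"
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Four of the log lines quoted in the post above.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\windows\system32\lsass64.exe
F1 - win.ini: run=C:\windows\system32\lsass64.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: CAISafe - Unknown owner - C:\Program\ISafe.exe (file missing)
"""

def imitates(path):
    """Heuristic: return the system process name a file name extends, else None."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return next((n for n in SYSTEM_NAMES if stem != n and stem.startswith(n)), None)

def triage(log_text):
    """Return (code, reason, path, imitated_name) for each entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        path, reason = None, None
        if code == "F0" and "Shell=" in body:
            # Shell= normally names Explorer.exe alone; anything after it also runs at logon.
            parts = body.split("Shell=", 1)[1].split(None, 1)
            if len(parts) == 2:
                path, reason = parts[1], "extra program in Shell="
        elif code == "F1":
            # win.ini run=/load= values are started at logon.
            auto = re.search(r"\b(?:run|load)=(\S.*)$", body, re.I)
            if auto:
                path, reason = auto.group(1), "win.ini autostart"
        elif body.endswith(MISSING):
            # The entry points at a file that no longer exists (orphaned reference).
            path = body[: -len(MISSING)].rstrip().rsplit(" - ", 1)[-1]
            reason = "file missing"
        if path:
            findings.append((code, reason, path, imitates(path)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
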
     
  7. MayaWaves

    MayaWaves Private E-2

    Newest HJT attached -- Iexplore processes still running :confused:
     

  8. MayaWaves

    MayaWaves Private E-2

    another update -- a friend brought over XPlite, which I used to uninstall Internet Explorer, Shockwave VirtualMachine, and MSN Explorer. The two processes of Iexplorer disappeared from the list of processes running :D . I then re-installed Internet Explorer, (if for no other reason than I need it for Windows Updates and a few sites that still require it) and the virtual machine thing, with the result that one of the processes is now running again in the background (the one that uses up more of the resources, naturally :( ) Does this help with the diagnosis at all?? Do I maybe just have a bad install of Windows?? (My son-in-law just keeps whispering in my ear 'reformat, reformat' like a mantra!)

    ML
     
  9. MayaWaves

    MayaWaves Private E-2

    yet another bit of info -- both the unwanted iexplore.exe processes are still running -- I guess the other was just waitin' in the wings!

    ML
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log.
     
  11. MayaWaves

    MayaWaves Private E-2

    most recent HJT log
     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    PrcView.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\SpywareTools\PrcView.exe


    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
     
  13. MayaWaves

    MayaWaves Private E-2

    Done all that . . . but the damn things are still there!!! I think I may just have to uninstall Internet Explorer completely.

    HJT log attached again . . .
     

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just be patient and we will get it resolved! There still remain a few issues I need to confirm. I see something related to eTrust EZ Antivirus; do you have this installed? If so, you need to uninstall it.

    Are you familiar with SP2 Connection Patcher & C:\DOCUME~1\MAYAWA~1\APPLIC~1\ARMYST~1\Ping Creative Tray.exe ??
     
  15. MayaWaves

    MayaWaves Private E-2

    I don't have the eTrust thing installed - - at least I've never heard of it!!

    re:
    I've been wondering about this entry for a while now . . . it's actually referring to something called Armystopmeta -- whatever that is! I googled it, I checked out Symantec and McAfee sites to see if it is mentioned there, but nowhere is it mentioned -- except for a reference to the term Armystop on some foreign language sites (Czech or Russian perhaps?) Either way, I've never been able to get rid of it . . . and no virus/spyware program sees it as threatening. Not sure what to do with it -- could it be the source of my problem??
     
  16. MayaWaves

    MayaWaves Private E-2

    Forgot to refer to the Sp2 Patcher thing -- haven't a clue what that is -- thought it was somehow related to the Warez program that my daughter uses to download music :(
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The SP2 Connection Patcher changes the limit of concurrent TCP connections of Windows Service Pack 2; it's up to you whether you want to keep this or not.

    This doesn't seem to be legit, I would remove this and then delete the file and see if problem remains.
     
  18. MayaWaves

    MayaWaves Private E-2

    WooHoo!! :D They're gone!! At first, every time I tried to get rid of the Armystopmeta stuff, a message popped up saying that access was denied because the program was in use. I thought (or should I say HOPED) that it was somehow connected to my always-open-running-in-the-background Iexplorer.exe. I searched the registry for any other instances of this file or references to it. What I found (that none of the virus/trojan/adware/spyware scans found) was a reference to a file called "Boob User Locks Drive" (in C:\Documents and Settings\All Users.WINDOWS\Application Data\boob user locks drv). Inside were several oddly named files -- some I was able to delete, but one gave me the same "access denied, program in use " message. I guessed that these were the files that were keeping my internet explorer running. Only by combining the complete disconnection from the internet AND uninstalling Internet Explorer was I able to get rid of them. Doing just one of these two things didn't work.

    But THEY'RE GONE!! :) Woohoo!!!

    Thanks BJ!! You're my knight in shining armour!
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you having any further problems?
     
  20. MayaWaves

    MayaWaves Private E-2

    My computer hasn't run this fast and clean in a very loooooooong time!!! I guess this problem has been going on for quite a while (at least since my last reformat -- 7 months or so ago). I'd just gotten used to how slow my computer had gotten :(


    BTW - have you ever heard of this 'Armystopmeta' thing -- or is it just a random word created by whatever it was?? For that matter, what do you think I had? A trojan??

    Thanks again!!

    Mary Lee
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just a form of malware, there are thousands out there these days.
     
