iexplore.exe keeps starting up

Discussion in 'Malware Help (A Specialist Will Reply)' started by 6p4ck, May 16, 2008.

  1. 6p4ck

    6p4ck Private E-2

    For some days I have had issues with files starting up by themselves.
    It all started with firefox.exe: when I looked in Task Manager, I had 2 processes running for Firefox, although I only had 1 running. When I killed the process (the one using less memory) it didn't affect FF. The same thing was happening with explorer.exe (I could also kill the process, and it didn't affect Explorer).
    I did some system scans with Avast, NOD32 (online scanner), Ad-Aware, S&D, a² free edition and Spyware Terminator. But nothing came up.
    I also used PC Tools Registry Mechanic and RegScrub.
    As for now, the second process of firefox.exe and explorer.exe isn't starting up anymore (don't know what did the trick).
    But I can't get rid of iexplore.exe, which keeps starting up in Task Manager although I don't have IE open (I don't even use IE).
     


    Last edited by a moderator: May 21, 2008
  2. 6p4ck

    6p4ck Private E-2

    I was a little too fast: the second process of explorer.exe has come back :cry
     
  3. 6p4ck

    6p4ck Private E-2

    Very strange happening.
    Some hours ago, the Firefox icon changed to a DOS-box-like icon. When I wanted to change it, it said it couldn't find Ofirefox.exe (that's because yesterday I changed the name from firefox.exe to Ofirefox.exe, to prevent it from starting, but since that didn't help I changed it back to firefox.exe).
    So I changed the icon back to the Firefox one, but I noticed that when I clicked "Find Target" (in the shortcut properties) a second explorer.exe started. I tried this several times, and every time a second process of explorer.exe opened. Now I have changed the icon back to Firefox, and it's been about 3 hours, and none of the processes (firefox.exe/explorer.exe/iexplore.exe) are starting a second time.

    So for now everything looks fine.

    Could it be that, after using several scanners, none of them is able to find any worm/spyware/virus???
     
  4. abri

    abri MajorGeek

    Hi 6p4ck!
    Welcome to Major Geeks!


    When did you do the SP3 update?

    I need for you to move HijackThis from your data stick to the proper location. To do this, please create a folder under C:\Program Files called HijackThis. After you've made this folder, pull your copy of HijackThis over to that location. Then rename your copy from HijackThis.exe to HiJack.exe

    I would like for you to fix the following O6 item if you did not set it that way. Run HiJack.exe from that new location, and put a check next to the following item. Make sure all your browser windows are closed. Then click Fix.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Now you can just close the program and continue as follows:

    Go to the READ & RUN ME FIRST and follow all the instructions, being sure that Spybot's TeaTimer is disabled and that your computer is in normal startup mode. You'll see the instructions for each of these. When you've completed all of the instructions, please use the Manage Attachments button to attach your logs to your next two posts. (Please do not post logs directly into your posts.)

    Thanks.
    abri
     
  5. 6p4ck

    6p4ck Private E-2

    Hi abri, thanks for the help so far.

    I'll look into it tomorrow when I have some more time (to waste).

    BTW, I updated XP to SP3 this week, when the Dutch version became available.
     
  6. 6p4ck

    6p4ck Private E-2

    Today, explorer.exe started a second time just once. I killed the process. Afterwards, I let HijackThis fix the O6 entry as you mentioned.

    I've been reading through this guide: Basic computer maintenance everyone should do. Things I've done before; nevertheless, it couldn't hurt to read it.

    Then I went through this list to check whether I had programs containing spyware. I don't have any of them in my program list.

    Updated Java to the latest version.
    Set MSConfig to normal startup mode.
    Emptied the Recycle Bin and used CCleaner to clean my PC of all temp files.

    Tomorrow I'll go through this Procedure.

    Then I'll post the results as well.
     


  7. 6p4ck

    6p4ck Private E-2

    I have been running some programs:
    - SUPERAntiSpyware
    - Spybot S&D
    - Malwarebytes
    - Combofix
    - MGtools
     


  8. 6p4ck

    6p4ck Private E-2

    Logs of ComboFix and MGtools.

    After all these scans, the second explorer.exe keeps popping up in Task Manager :cry
     


  9. 6p4ck

    6p4ck Private E-2

    Could it be that simple?

    "4. Un-check [ ] Launch Folder Windows in a separate process"

    I'll certainly give it a try, we'll see.
     
  10. abri

    abri MajorGeek

    That simple? ... one can always hope ...
    Well?
     
  11. 6p4ck

    6p4ck Private E-2

    It's been some days, and the problem stays away; still very strange how this problem started (never had this before). Maybe an SP3 issue?
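The symptom in posts 1 and 3 (a second explorer.exe, firefox.exe or iexplore.exe that can be killed without any visible effect) and the "Launch folder windows in a separate process" setting from post 9 can both be checked from a single process snapshot. The script below is an added example and is not code from the thread or from any MajorGeeks tool; it assumes PowerShell 2.0 or later on Windows and an elevated prompt so WMI can read every process's image path and command line. The process names in the default list are the three from the thread.

```powershell
# Added example (not from the thread): triage process names that show up twice
# in Task Manager. For each copy it reports the image path, the parent process
# and the command line, and flags the cases that matter: a binary running from a
# Temp folder, an explorer.exe that is not %SystemRoot%\explorer.exe, and the
# benign case of an extra explorer.exe caused by the "separate process" setting.

function Get-DuplicateProcessReport {
    param([string[]]$Names = @('explorer.exe', 'firefox.exe', 'iexplore.exe'))

    # One WMI snapshot; build a PID -> process map so parents can be resolved.
    $all  = @(Get-WmiObject -Class Win32_Process)
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    # "Launch folder windows in a separate process" is stored as this DWORD.
    # When it is 1, a second explorer.exe whose parent is explorer.exe and whose
    # path is %SystemRoot%\explorer.exe is expected, not a sign of infection.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    $separateFolders  = ($adv -ne $null -and $adv.SeparateProcess -eq 1)
    $expectedExplorer = Join-Path $env:SystemRoot 'explorer.exe'

    foreach ($name in $Names) {
        $hits = @($all | Where-Object { $_.Name -ieq $name })
        foreach ($proc in $hits) {
            $parent = $byId[[int]$proc.ParentProcessId]
            $parentName = if ($parent) { $parent.Name } else { '(exited)' }
            $path  = $proc.ExecutablePath
            $flags = @()

            if (-not $path) {
                $flags += 'image path not readable (not elevated, or process exited)'
            } else {
                if ($path -match '\\Temp\\') { $flags += 'runs from a Temp folder' }
                if ($name -ieq 'explorer.exe' -and $path -ine $expectedExplorer) {
                    $flags += "explorer.exe outside $env:SystemRoot"
                }
            }
            if ($name -ieq 'explorer.exe' -and $hits.Count -gt 1 -and $separateFolders -and
                $parent -and $parent.Name -ieq 'explorer.exe' -and $path -ieq $expectedExplorer) {
                $flags += 'extra explorer.exe explained by SeparateProcess=1'
            }
            if ($hits.Count -gt 1 -and $flags.Count -eq 0) {
                $flags += 'duplicate name, path looks normal: check parent and command line'
            }

            New-Object PSObject -Property @{
                Name        = $proc.Name
                PID         = $proc.ProcessId
                Path        = $path
                Parent      = $parentName
                ParentPID   = $proc.ParentProcessId
                CommandLine = $proc.CommandLine
                Copies      = $hits.Count
                Note        = ($flags -join '; ')
            }
        }
    }
}

Get-DuplicateProcessReport | Format-List Name, PID, Path, Parent, ParentPID, CommandLine, Copies, Note
```

An iexplore.exe with no IE window whose parent is not explorer.exe, or any copy whose path points into a Temp folder, is the entry worth investigating; a second explorer.exe carrying the SeparateProcess note is the harmless case the thread ended up with.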
     
  12. abri

    abri MajorGeek

    well, your logs look pretty clean.

    Because of the 0 it tacked onto the name, 0Firefox.exe, it sounds like something Windows might do, but I would like to ask chaslang to glance over your thread and see if that kind of thing is something he's seen before.

    Hopefully it has fixed itself. XP has a great capacity for fixing itself. It's uncanny sometimes.

    It's recommended to remove C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe from your system. I don't know how long you've had it on there, but if you've had it on there for a long time, then it is probably unrelated to the problem you described, so it wouldn't change anything.

    Also, we recommend removing the following three HijackThis O4 entries, because you don't need them and it slows down your computer to have them loading at startup:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    And there's one file below I don't recognize. Do you know what it is? You can right-click it and check properties for more information.

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KOUS.exe

    I like your "Registersleutels geïnfecteerd:" (Dutch for "Registry keys infected:"). lol

    abri
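The items abri lists above map onto two registry checks and one file check: the O4 lines are values under the Run/RunOnce keys, the O6 line from post 4 is the Internet Explorer Control Panel policy key, and KOUS.exe is an unknown binary in the user's Temp folder. The script below is an added example, not code from the thread or from HijackThis; it assumes PowerShell 2.0 or later, run as the user whose HKCU hive is being checked, and that `$env:TEMP` resolves to the same Local Settings\Temp folder that the KOUS.exe path in the log refers to.

```powershell
# Added example (not from the thread): enumerate the autostart values that
# HijackThis reports as O4 lines, show the O6 policy key, and fingerprint an
# unknown file. Each Run value is split into its executable so it can be
# checked for existence and for a Temp-folder location.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell itself adds to the object returned by Get-ItemProperty.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-FirstToken([string]$CommandLine) {
    # The executable is either the first quoted string or the first bare word,
    # e.g. "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" in the O4 line above.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { $exe = $CommandLine }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $exe = Get-FirstToken ([string]$prop.Value)
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Exists  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                InTemp  = ($exe -match '\\Temp\\')
            }
        }
    }
}

function Get-IEControlPanelPolicy {
    # HijackThis O6: values under this key lock parts of Internet Options.
    # On a profile nobody has locked down the key does not exist at all.
    $key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    if (-not (Test-Path $key)) { return 'O6 key absent' }
    Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty $providerProps
}

function Get-FileReport([string]$Path) {
    # Size, timestamps, version resource, signature state and SHA-256: enough to
    # look the file up or to tell whether it is the same binary on a second machine.
    if (-not (Test-Path -LiteralPath $Path)) { return "not found: $Path" }
    $file   = Get-Item -LiteralPath $Path -Force
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = $file.OpenRead()
    try     { $digest = [BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
    New-Object PSObject -Property @{
        Path        = $file.FullName
        Bytes       = $file.Length
        Created     = $file.CreationTime
        Company     = $file.VersionInfo.CompanyName
        Description = $file.VersionInfo.FileDescription
        Signature   = (Get-AuthenticodeSignature -FilePath $file.FullName).Status  # 'NotSigned' for an unsigned file
        SHA256      = $digest
    }
}

Get-RunEntries | Format-Table Name, Exists, InTemp, Command -AutoSize
Get-IEControlPanelPolicy
# The file abri asked about; on the Administrator account in the thread
# $env:TEMP is C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp.
Get-FileReport (Join-Path $env:TEMP 'KOUS.exe')
```

A Run value whose executable no longer exists is just a leftover to delete; one whose executable lives under a Temp folder, has no version resource and is unsigned is the kind of entry that gets a HijackThis line posted for review.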
     
  13. 6p4ck

    6p4ck Private E-2

    Hi, thanks for the advice abri.

    Boonty.exe was something I needed to play games I could get for free from my ISP. Since I switched ISP I don't really need it anymore. It is registered as a service (which I disabled), but there is no way to uninstall it. So I've removed the entire folder.

    KOUS.exe: I've seen it too but I don't really know what it is or where it's coming from. I can't even find it in that folder (I even used the Windows search). So I guess it's only registered as a service, which I disabled too.

    Is there another way to remove services from the services list?

    I removed the O4 entries.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's take care of a few more things.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 2
    Java(TM) 6 Update 5


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now run CCleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  15. 6p4ck

    6p4ck Private E-2

    hi chaslang,

    When trying to uninstall any of the Java runtimes, I'm getting internal errors, so for the moment I'm not able to uninstall any of the Java installs.
    Errors when uninstalling:
    Internal Error 2329. 32,C:\Config.Msi\f0d4d.rbf
    Internal Error 2329. 32,C:\Config.Msi\f0d60.rbf
    Internal Error 2329. 32,C:\Config.Msi\f0d6f.rbf
    Internal Error 2329. 32,C:\Config.Msi\f0d8l.rbf
    (The filenames keep changing every time I try to uninstall the Java environment.)

    So first I've got to look into this one, how to uninstall these Javas.
     
  16. 6p4ck

    6p4ck Private E-2

  17. 6p4ck

    6p4ck Private E-2

    The new ComboFix and MGtools logs.

    It did remove the KOUS.exe and Boonty service.

    You guys are great. Thanks.
     


  18. abri

    abri MajorGeek

    Hi 6p4ck,

    1) Did you install the following?

    C:\Program Files\Arovax Shield
    C:\Documents and Settings\All Users\Application Data\Arovax
    C:\Program Files\Hazard Shield
    C:\Documents and Settings\Administrator\Local Settings\Application Data\GameSpy

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!), I would like you to run Disable/Remove Windows Messenger.

    3) Please delete the contents of the following folder. You may have to wait for the date to change in order to delete them, because Windows won't let you delete temp files from the current date.

    C:\Documents and Settings\Administrator\Local Settings\Temp\

    4) Then please delete this file:

    C:\WINDOWS\system32\tmp2F.tmp



    abri
     
  19. 6p4ck

    6p4ck Private E-2

    1/ Yes, I installed Arovax (just out of curiosity); in the meantime I have already uninstalled it.
    I also installed Hazard Shield (for testing purposes), some kind of new player on the anti-malware software market. I would like to see how it behaves at detecting stuff. So this program is still on the PC.
    I already uninstalled GameSpy (no need for it anymore).

    2/ Used the Messenger disabler.

    3/ Removed all of the temp files.

    4/ Deleted the file. What was so special about this one?

    You guys really know how to fine-tune an OS. ;)

    When looking into C:\Documents and Settings\Administrator\Local Settings\Application Data I find some more folders from programs that have been removed. May I manually delete those folders? I also find lots of folders of uninstalled programs in C:\Documents and Settings\Administrator\Application Data. Can I do the same over there?
     
  20. abri

    abri MajorGeek

    Hi 6p4ck,

    You can remove any folders of programs which have been uninstalled. If the computer complains about this, you should check the folder to see if there are any files which may be part of an active service. (This is often the case with Symantec.) Most programs won't protest at all, but if one is part of an active service, you will need to stop and disable the service. If it is just an exe file and you know it is not needed because the program no longer exists, just delete the file first and then the folder. Where you're unsure, you can rename a file and move it somewhere else and leave it for a while. If nothing bad happens, then you can remove it.

    .tmp files should be just that: temporary. If they have names which are not identifiable and they don't go away and they're in certain directories where .tmp files don't usually linger, there is reason to think they shouldn't be there. Also, some files come up in Google searches as those consistently removed as malware, others come up as complete blanks. Malware implies malicious intent, but badly written software can be just as damaging for your computer and we look for evidence of that as well.

    Please do the following and then I will post the final clean up instructions for you:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    3) Let me know if you get a success message with the REGEDIT4.

    4) Reboot your computer and work with it for a day to make sure all the symptoms you described are gone. If so, please continue with the following instructions in which we'll have you remove all the tools and logs you installed for the work here and set a clean restore point:
    abri
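abri's advice on leftover folders (stop and disable the service before removing the files) and 6p4ck's earlier question about taking a service out of the services list can be carried out as one procedure: list the services whose binary is gone or sits in a Temp folder, then stop, disable and delete the one you have confirmed is an orphan. The script below is an added example, not code from the thread; it assumes an elevated PowerShell 2.0 or later prompt, and `KOUS` in the commented-out last line is a placeholder service name, since the thread never shows the real one.

```powershell
# Added example (not from the thread): find services whose registered binary is
# missing (an orphan left by a removed program, as with the disabled KOUS.exe
# and Boonty entries in this thread) or lives in a Temp folder, then remove a
# service in the order that actually works: stop, disable, delete, verify.

function Get-ServiceBinary([string]$PathName) {
    # The ImagePath may be quoted, bare, or carry arguments such as "-k netsvcs".
    if ($PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($PathName -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { $exe = $PathName }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Some entries use the NT object form \??\C:\... ; strip it so Test-Path works.
    $exe -replace '^\\\?\?\\', ''
}

function Get-SuspectServices {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinary ([string]$_.PathName)
        New-Object PSObject -Property @{
            Name      = $_.Name
            Display   = $_.DisplayName
            State     = $_.State
            StartMode = $_.StartMode
            Binary    = $exe
            Missing   = ($exe -eq '' -or -not (Test-Path -LiteralPath $exe))
            InTemp    = ($exe -match '\\Temp\\')
        }
    } | Where-Object { $_.Missing -or $_.InTemp }
}

function Remove-ServiceByName([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return "no service named '$Name'" }
    # A running service holds its binary open, so stop it first; disable it so
    # nothing restarts it in between; only then remove the registration.
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    # sc.exe delete removes HKLM\SYSTEM\CurrentControlSet\Services\<Name>; if a
    # handle to the service is still open it is marked for deletion instead.
    & sc.exe delete $Name | Out-Null
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $key) { "deletion of '$Name' is pending until reboot" }
    else { "service '$Name' removed" }
}

Get-SuspectServices | Format-Table Name, State, StartMode, Missing, InTemp, Binary -AutoSize
# Remove-ServiceByName -Name 'KOUS'   # placeholder name; run only after confirming the entry is the orphan
```

Services hosted by svchost.exe resolve to an existing binary and are therefore not flagged by the Missing test; the list is meant to surface entries like a disabled service whose executable was already deleted from Temp, which is exactly the state 6p4ck described for KOUS.exe.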
     
  21. 6p4ck

    6p4ck Private E-2

    1/ Installed ERUNT and took a registry backup.
    2/ Created fixME.reg.
    3/ Adding it to the registry was successful.
    4/ Uninstalled all the programs and logs that were installed to clean up this mess.
    5/ Created a system restore point.
    6/ Been reading through How to Protect yourself from malware!
    According to this guide I'm using the following programs for protection:

    1/ Updated to SP3
    2/ Virus scanner: Avast (been using it for years) + NOD32 online scan
    3/ Firewall: not using any, I'm on a router with an internal firewall.
    4/ Using CCleaner
    5/ Anti-spyware tools: SpywareBlaster / Spybot Search & Destroy (TeaTimer not activated) / Hazard Shield (with real-time protection) (now in the testing phase); if I don't like it I'll switch back to Spyware Terminator.
    6/ No IE over here, but 7/ using FF 3 RC1
    8/ Installed Java (latest version)

    So I guess I have enough protection, or should I get more paranoid and install some more/other programs?

    For now my PC is running like a train, sorry, TGV.

    Once again, thanks for all your help. Keep up the good job.
     
  22. abri

    abri MajorGeek

    Hi 6p4ck!

    I'll haggle with you only over this one: 3/ Firewall: not using any, I'm on a router with an internal firewall.

    The advantage of a two-way software firewall is that it allows you to monitor programs trying to get both in and out of your computer. The easy ones like Zone Alarm take very little resources and they've made themselves very easy to install with a new program recognition scan that picks up all the major known software from the start so you don't have to configure very much.

    Other than that, all the best to you and your computer!
    Enjoy it!
    abri
     
