iexplore?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by moleman34, Sep 24, 2005.

  1. moleman34

    moleman34 Private E-2

    Admittedly, I am not the most computer-literate person in the world (which is probably why I ended up with so much spyware in the first place). I have done literally every tutorial offered on this site, and I think I have gotten rid of most of my problems, but there is still something wrong. Almost immediately on startup (I say almost because it is not listed as a startup program), IEXPLORE.exe opens and runs in the background, leading to popup ads and a huge drain on RAM. I have tried every anti-spyware program in the book (AdAware, Spybot, ewido, etc.), and still I have this problem. Can anyone help?
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. moleman34

    moleman34 Private E-2

    Thanks a lot. Here is my HJT log.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You do not have HijackThis installed as requested; it should be installed at C:\Program Files\HJT.

    Also, your system is seriously out of date; it appears you are using an unpatched original version of XP. You should update your system: install SP2 and get the updates after SP2.

    You can have HJT fix the following:
    Post a new HJT log.
     
  5. moleman34

    moleman34 Private E-2

    In response to your last post:

    When trying to install SP2, an error message appeared saying that the installation could not continue because system32.dll was already in use (all applications had been closed).

    After running another HJT scan, the items that you had identified (which I had fixed) appeared again. Attached is the log of my latest HJT scan.
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You still do not have HijackThis installed as requested, it should be installed at C:\Program Files\HJT.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments and a fresh HJT log. You will have to do 2 posts to post all 4 logs.
     
  7. moleman34

    moleman34 Private E-2

    Since I last posted I have been able to install SP2 and all the updates that AutomaticUpdate found for me. I also followed your last instructions. However, the Panda Online Scan got stuck while scanning one of my files and so I am unable to attach a log. Attached to this post are the logs from Qoologic and RKFiles.
     

    Attached Files:

    • file.txt (File size: 786 bytes, Views: 3)
    • log.txt (File size: 602 bytes, Views: 3)
  8. moleman34

    moleman34 Private E-2

    Attached is a fresh HJT log (still containing the items that I fixed earlier)
     


  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Look in Add or Remove Programs in the Control Panel and uninstall the following:
    Next have HijackThis fix the following:
    Do you have anything from McAfee installed on your system? Your HJT log indicates that at one time you did.

    Also, I want you to go back and run everything from start to finish in our Read Me First.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Post a new HijackThis log.
     
  10. moleman34

    moleman34 Private E-2

    Just went through everything in the tutorial again. All scans came up empty (although I did need to run the online scans in normal mode). I was unable to remove LimeShop.

    I have now noticed that the popup ads have stopped. However, iexplore.exe still runs in the background. When I terminate the process, it reopens and closes indefinitely. Also, after running a new HJT scan, the items which I have cleaned several times before have reappeared.

    I used to have McAfee AntiSpyware installed but I removed it.

    Attached is my newest HJT log.
     


  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - ExplorerXP
    - Process Explorer

    Install ExplorerXP and Process Explorer

    Now run Process Explorer and locate iexplore.exe, right-click and select kill process.

    Next using the Search in the Start menu, select All files and folders, in the first box type the following: ??xplore.exe, click-on search. Delete all instances of ??xplore.exe, where ?? can be any 2 random characters. CAREFUL DO NOT Delete iexplore.exe.

    Now reboot and post a fresh HJT log.
     
  12. moleman34

    moleman34 Private E-2

    Three instances of iexplore.exe were found, one in C:\Program Files\Internet Explorer and the other two in Windows folders (one in ServicePackFiles and the other in SoftwareDistribution). Should I be deleting any of these?

    Also, killing the process iexplorer.exe triggers the same cycle of reopening and closing.
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If the File is in C:\WINDOWS\system32 and not iexplore.exe then delete it.
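
The search-and-triage rule from the two replies above (mask `??xplore.exe`, never touch `iexplore.exe`, treat a non-`iexplore.exe` hit in C:\WINDOWS\system32 as the deletion candidate), written out as an added example that is not part of the original thread. The sample paths are constructed for illustration; the verdict labels are this example's own names.

```python
import fnmatch
import ntpath

MASK = "??xplore.exe"        # search mask from the post: two wildcard characters
GENUINE = "iexplore.exe"     # real Internet Explorer binary name: never a candidate
SYSTEM32 = r"c:\windows\system32"

def classify(path):
    """Classify one Windows path; returns None when the mask does not match."""
    folder, name = ntpath.split(path)
    name = name.lower()                      # Windows file names are case-insensitive
    if not fnmatch.fnmatchcase(name, MASK):
        return None
    if name == GENUINE:
        return "keep"
    if ntpath.normpath(folder).lower() == SYSTEM32:
        return "lookalike-in-system32"
    return "lookalike"

def triage(paths):
    """Group every path that matches the mask by its verdict."""
    report = {}
    for path in paths:
        verdict = classify(path)
        if verdict is not None:
            report.setdefault(verdict, []).append(path)
    return report

# Constructed sample input (not taken from the poster's machine).
SAMPLE_PATHS = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\iexplore.exe",
    r"C:\WINDOWS\system32\qzxplore.exe",
    r"C:\WINDOWS\Temp\ABXPLORE.EXE",
    r"C:\WINDOWS\explorer.exe",              # 'plorer.exe' tail: mask does not match
    r"C:\WINDOWS\system32\iexplorer.exe",    # 13 characters: mask does not match
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_PATHS).items():
        for hit in hits:
            print(f"{verdict:22} {hit}")
```

The mask only covers twelve-character names, so a file such as `iexplorer.exe` is outside what this search finds and needs a separate check.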
     
  14. moleman34

    moleman34 Private E-2

    None of the files are in C:\WINDOWS\system32 but there is one in a windows folder called software distribution. Should I be deleting that file or is it harmless?
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Leave it there.

    - Run CCleaner before doing the below.

    - Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    - Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    - Run HJT and save the log.

    Now Post all three logs.
     
  16. moleman34

    moleman34 Private E-2

    Did what you suggested. ewido came up blank. Attached are the ewido and WinPFind logs.
     


  17. moleman34

    moleman34 Private E-2

    And a fresh HJT log.
     


  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete this File: C:\WINDOWS\SYSTEM32\drivers\etc\1.hosts

    This Utility isn't necessary and can be uninstalled, your choice. TuneUp Utilities 2004

    Now disable or exit anything that may interfere with these fixes.

    Have HJT fix the following:
    Run Regedit and navigate to this key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad locate the value with IEFilter.dll and delete it. Before making any changes to your registry make a backup first.

    Reboot and post a fresh HJT log.
     
  19. moleman34

    moleman34 Private E-2

    Removing the registry value had no discernable effect. iexplore.exe is still running in the background and the objects you pointed out (which I have now cleaned 4 or 5 times with HJT) are still there.
     


  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there! Unzip the contents of the lptxxx.zip into the TSC folder.

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.
     
  21. moleman34

    moleman34 Private E-2

    Sysclean scan came up blank. I'm attaching the Sysclean log as well as my HJT log in case I missed something.
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot into Safe Mode and have HJT fix these lines:
    Now reboot and scan with HJT. Did the lines come back? If so, disconnect from the Internet: physically remove your Ethernet cable from the NIC. Reboot into normal mode and have HJT fix those lines again. Now reboot and scan with HJT. Are the lines gone?

    Reconnect to the internet and post a fresh HJT.
     
  23. moleman34

    moleman34 Private E-2

    After booting into safe mode, I was able to remove the IEFilter.dll line permanently (and iexplore.exe is no longer running in the background). However, I was still unable to get rid of the three BHOs. Attached is my newest HJT log.
     


  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Service ( ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Service

    Next, in HJT choose Open the Misc Tools Section, choose Process Manager, and highlight

    C:\WINDOWS\System32\Service.exe

    Choose Kill Process

    Now scan and have HJT Fix this line if it exists:

    O23 - Service: Service - Unknown owner - C:\WINDOWS\System32\Service.exe

    Reboot and post a new HJT log.
     
  25. moleman34

    moleman34 Private E-2

    I couldn't find the process C:\WINDOWS\System32\Service.exe in the HJT process manager (there is a services.exe and a runservice.exe). The O23 line was also not present when I scanned again with HJT. However, the three BHO objects are still present.
     


  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run regedit and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    Locate and delete the following:

    {0A75880A-5EF2-7811-1E21-D59EE3E51912}
    {1254DDB1-7BC6-C740-B877-8D2C60B2DC76}
    {F6A122FE-F71A-8708-2C8A-A0DA3B10FDC3}

    Reboot and post a new HJT log.
     
  27. moleman34

    moleman34 Private E-2

    Errors deleting all three keys.
     


  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  29. moleman34

    moleman34 Private E-2

    That seems to have done the trick. The lines no longer appear in my HJT scan. I'm attaching what I hope will be my last HJT log. Thanks for your help.
     


  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, your HJT log looks good. Any other issues?
     
  31. moleman34

    moleman34 Private E-2

    Nope. Everything appears to be clean.
     
