Something has infected the internet explorer exe...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mr_flea, Oct 7, 2004.

  1. mr_flea

    mr_flea First Sergeant

    A while ago I kept finding ad shortcuts on my desktop that kept coming back. Ad-Aware and Spybot found nothing, and Norton didn't either. So I found a read/write monitoring program to see what was doing it. It turns out that iexplore.exe was writing them. I have no clue how whatever it is bound itself to the exe and has managed to not be found by any of my scanners. Plus, since it's Internet Explorer and I need that to get Windows updates, I can't just delete the exe. Does anyone have any ideas on how to fix this? Below are a few pieces of the logs from the program, and the full log can be found in the attached text file.

    11:33:00 PM iexplore.exe:2480 OPEN C:\DOCUMENTS AND SETTINGS\my username\DESKTOP\ SUCCESS Options: Open Directory Access: All
    11:33:00 PM iexplore.exe:2480 DIRECTORY C:\DOCUMENTS AND SETTINGS\my username\DESKTOP\ SUCCESS FileNamesInformation
    11:33:00 PM iexplore.exe:2480 DIRECTORY C:\DOCUMENTS AND SETTINGS\my username\DESKTOP\ NO MORE FILES FileNamesInformation
    11:33:00 PM iexplore.exe:2480 OPEN C:\DOCUMENTS AND SETTINGS\my username\DESKTOP\FREE IPOD.URL FILE NOT FOUND Options: Open Access: All
    11:33:06 PM iexplore.exe:2480 CREATE C:\Documents and Settings\my username\Desktop\ NAME COLLISION Options: Create Directory Access: All
    11:33:06 PM iexplore.exe:2480 CREATE C:\Documents and Settings\my username\Desktop\FREE IPOD.url SUCCESS Options: OverwriteIf Access: All
    11:33:06 PM iexplore.exe:2480 OPEN C:\Documents and Settings\my username\Desktop\FREE IPOD.url FILE NOT FOUND Options: Open Access: All
    11:33:06 PM iexplore.exe:2480 WRITE C:\Documents and Settings\my username\Desktop\FREE IPOD.url SUCCESS Offset: 0 Length: 18


    I haven't ever seen anything like this. It's like spyware and viruses combined into a horrible nightmare. Also, it queried for many more items on my desktop, but there were too many to paste; to see them, look in the attached log. And in the log, ignore the numbers on the far left side; they have no relevance at all unless the order of the processes gets messed up somehow, which it hasn't.

    http://www.deepblueice.com/file upload/monitor.txt
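
Added example (not part of the original thread): a small Python parser for the file-monitor lines quoted in the post above, reporting any process that successfully creates or writes a `.url`/`.lnk` shortcut in a Desktop folder. The line layout and result strings are inferred from that excerpt, and the `notepad.exe` line in the sample is constructed.

```python
import re
from collections import defaultdict

# Result strings seen in the excerpt; they mark where the path (which contains spaces) ends.
RESULTS = "SUCCESS|FILE NOT FOUND|NAME COLLISION|NO MORE FILES"
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<proc>[^\s:]+):(?P<pid>\d+) "
    r"(?P<op>[A-Z]+) "
    r"(?P<path>.+?) "
    rf"(?P<result>{RESULTS})"
    r"(?: (?P<detail>.*))?$"
)
# A shortcut file sitting directly in a Desktop directory.
SHORTCUT_RE = re.compile(r"\\desktop\\[^\\]+\.(url|lnk)$", re.IGNORECASE)
LENGTH_RE = re.compile(r"Length: (\d+)")

def parse_line(line):
    """Split one monitor line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def shortcut_drops(lines):
    """Map (process, pid, path) -> ops and bytes for successful shortcut CREATE/WRITE events."""
    hits = defaultdict(lambda: {"ops": [], "bytes": 0})
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["result"] != "SUCCESS" or ev["op"] not in ("CREATE", "WRITE"):
            continue
        if not SHORTCUT_RE.search(ev["path"]):
            continue
        key = (ev["proc"].lower(), int(ev["pid"]), ev["path"].lower())
        hits[key]["ops"].append(ev["op"])
        length = LENGTH_RE.search(ev["detail"] or "")
        if length:
            hits[key]["bytes"] += int(length.group(1))
    return dict(hits)

# Four lines from the excerpt above plus one constructed benign line (notepad.exe).
SAMPLE = r"""
11:33:00 PM iexplore.exe:2480 OPEN C:\DOCUMENTS AND SETTINGS\my username\DESKTOP\FREE IPOD.URL FILE NOT FOUND Options: Open Access: All
11:33:06 PM iexplore.exe:2480 CREATE C:\Documents and Settings\my username\Desktop\ NAME COLLISION Options: Create Directory Access: All
11:33:06 PM iexplore.exe:2480 CREATE C:\Documents and Settings\my username\Desktop\FREE IPOD.url SUCCESS Options: OverwriteIf Access: All
11:33:06 PM iexplore.exe:2480 WRITE C:\Documents and Settings\my username\Desktop\FREE IPOD.url SUCCESS Offset: 0 Length: 18
11:34:10 PM notepad.exe:1312 WRITE C:\Documents and Settings\my username\Desktop\notes.txt SUCCESS Offset: 0 Length: 42
"""

if __name__ == "__main__":
    for (proc, pid, path), info in shortcut_drops(SAMPLE.splitlines()).items():
        print(f"{proc}:{pid} {'+'.join(info['ops'])} {path} ({info['bytes']} bytes)")
```

The output names the writing process and PID only; identifying what is loaded inside that process (for example a browser add-on) needs a separate check.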
     
  2. mr_flea

    mr_flea First Sergeant

    argh... wrong forum.. any admins???
     
  3. jarcher

    jarcher I can't handle a title

    have you run HJT and checked your add/remove?

    no URLs in your favorites folder? just the desktop?
     
  4. Gottheit

    Gottheit General Logic

    Question... Does it only do all this when you're running iexplore.exe, or have you noticed it also do this when you don't execute it?

    Admittedly, I'm not sure what the problem is, but I know there are a number of free browsers out there that you can use. Which may solve your problem in a short term kind of way until you figure out what is really wrong...That is, if it only attempts to do this when you are running iexplore.
     
  5. mr_flea

    mr_flea First Sergeant

    I regularly use Mozilla Firefox. I just started IE to get some security updates, as Microsoft hasn't been kind enough to add support for 3rd party browsers (we'll see how long it takes before someone comes along and sues them).

    It's definitely Internet Explorer; it was caught in the act by the file monitor (as shown above).

    I can't find anything in add/remove programs that I don't know the identity of.

    There are a few things in my favorites that I know I didn't add, but those could have been added by something else, they look like they got installed with one of the games I installed recently. There's a netscape ad there, but that came from AIM.

    HJT didn't seem to find anything, but if you want the log, I can post it.
     
  6. jarcher

    jarcher I can't handle a title

    ha!
    can you remove those without them coming back?
    go ahead and attach it... couldn't hurt

    when running IE, is there anything in your task manager (even for a split second) that appears questionable?
    or in your startup folder, services.msc or msconfig?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll move this to the Spyware Forum for you but as we tell everyone there follow this:

    Please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Check out the Alternate Scans too.

    And if that does not resolve the problems you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    After moving this I have to get some sleep!!
     
  8. jarcher

    jarcher I can't handle a title

    sorry chaslang, I thought I had posted that link in my first reply... asking him if he had been there and to go there if not... I guess I didn't
    I had to log back in to post the reply
    I got up because my daughter woke up sicker than . . .
    anyway. . .sorry. . .
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! I just happened to make a rare stop by the lounge and noticed this. So I figured I'd hop in for a second before calling it a night.
     
  10. mr_flea

    mr_flea First Sergeant

    Sorry for not posting for so long, my computer went crazy. Apparently there were also about 5 viruses on it that Norton failed to find, and the IE executable kept spreading those too, so I just reinstalled.
     
