unknown iexplorer.exe running in task bar

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pawankr_recd, Dec 23, 2004.

  1. pawankr_recd

    pawankr_recd Private E-2

    Hi,

    Thanks a lot for the article..

    http://forums.majorgeeks.com/showthread.php?t=35407

    It was excellent and it helped me to clean my computer. I have exactly followed it.

    Now, coming to the point

    When I open my Task Manager I can see a process iexplore.exe running. Before cleaning up my system I had two processes and the name was in capital letters: IEXPLORE.EXE.

    Now if I end this, it starts automatically after a few seconds.

    Can you please help? What is this?

    And when I searched for iexplore.exe I found these entries:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf
    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

    One strange file
    -------------------
    IEXPLORE.EXE-2D97EBE6.pf - Now it says in the folder Prefetch (Only, does not start with C:). I cannot rename it.



    This is my setting with my computer
    -----------------------------------------------
    Windows XP Home Edition SP1

    When I start my computer I have default services running and a few applications like:

    Windows Update,
    Zone Alarm Pro,
    Mcafee,
    Broadband Medic.



    Thanks a lot....

    Pawan
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Pawan,

    I hate to ask the obvious, but are you sure it's not your legitimate Internet Explorer? Is a browser window open when you are checking this?

    Prefetch is new for XP and allows programs with heavy use to load more quickly. You should probably flush items from the prefetch folder every couple of months.

    C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989 --> This one, I believe, is associated with Windows Updates.


    I doubt that you have anything to worry about with these, but if, to be safe, you would like to submit a HijackThis Log for one of us to check, Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best :)
    PP
     
  3. pawankr_recd

    pawankr_recd Private E-2

    Thanks PhilliePhan

    Please find my attached log file for HijackThis1.99.




    Thanks

    Pawan
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi Pawan,

    Please move HijackThis to a Safer location such as C:\Program Files\HijackThis. Here's how to do that:
    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To extract HijackThis to that folder:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Once HJT is properly situated, please rescan and attach a fresh HJT Log.

    Also, please download the following tool and keep it handy in case we need to use it: LSP - Fix

    Do you know what this is? Do you recognize it as needed?
    C:\Documents and Settings\All Users\Application Data\griddeafwmaenc\Find inside.exe

    Please address the above and I will try to check back as time permits. I'm quite busy these days, so please be patient!

    PP :)
     
  5. pawankr_recd

    pawankr_recd Private E-2

    Thank you very much PhilliePhan

    First of all, Merry Christmas and Happy New Year.

    I have kept it now in Program Files. And I do not recognize Find inside.exe.

    Please find my attached log.

    One more thing: is there any help available on the net to read the log file generated by HijackThis? Just curious...


    Thanks & Regards
    Pawan
     

  6. PhilliePhan

    PhilliePhan Guest

    Hi Pawan,

    Thank you for the Holiday wishes - I hope the coming year brings you happiness as well :)

    There are a few Online resources that will analyze HJT Logs, but I prefer the eyes of an actual human being! An online analyzer is only as good as its database and malware changes all the time.

    Anyhoo, off we go with your fix:

    There are a few items in your HijackThis log with which I am unfamiliar. If you do not recognize them as needed, then you should probably remove them.

    Also: IF you should lose the ability to connect to the Internet after removing New.net, then run LSP-Fix and just Click Finish. I do not expect you to need to do this.

    NOW:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    HyperBar
    New.Net


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it if possible:

    Find inside.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/

    R3 - URLSearchHook: HyperSearchHook - {13500A71-6CA4-4D5E-B042-69F5687F8C65} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll

    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: (no name) - {DCB3E225-337D-FAFE-F702-E18CE8D24DDB} - C:\DOCUME~1\Kumar\APPLIC~1\IdleOpen\typespam.exe ---> If you do not recognize this, then it should be removed.

    O4 - HKLM\..\Run: [Wma Enc Wave Ante] C:\Documents and Settings\All Users\Application Data\griddeafwmaenc\Find inside.exe ---> If you do not recognize this, then it should be removed.
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKCU\..\Run: [wave copy] C:\DOCUME~1\Kumar\APPLIC~1\DUMBEN~1\Seek 32.exe ---> If you do not recognize this, then it should be removed.

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net ---> These may now be gone
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 - Unknown - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\DOCUMENTS AND SETTINGS\Kumar\APPLICATION DATA\DUMBEN~1 ---> The Folder ( If you don’t recognize it, remove it – There may be more letters in the folder name)
    C:\Program Files\Common Files\Hyperbar ---> The Folder
    C:\Program Files\NewDotNet ---> The Folder
    C:\DOCUMENTS AND SETTINGS\Kumar\APPLICATION DATA\IdleOpen ---> The Folder (If you don’t recognize it, remove it)
    C:\Documents and Settings\All Users\Application Data\griddeafwmaenc ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
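
An added example, not part of the original thread or of HijackThis itself: a small Python triage pass over entry lines quoted in the reply above, grouping them by HijackThis section code and marking the ones a reviewer would look at first. The three flagging rules and all function names are assumptions of this example and are a reading aid, not a verdict on any file.

```python
import re

# What each HijackThis section code seen in this thread lists.
SECTIONS = {
    "R0": "IE start/search page setting",
    "R1": "IE start/search page setting",
    "R3": "IE URL search hook",
    "O2": "Browser Helper Object (BHO)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O10": "Winsock LSP change",
    "O23": "Windows service",
}
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Assumed heuristic: Application Data folders are not a normal install location.
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log entry, or None if the line is not an entry."""
    line = line.split("--->")[0].strip()  # drop a helper's inline annotation
    m = LINE_RE.match(line)
    if not m:
        return None
    code, detail = m.groups()
    flags = []
    if code in ("O2", "O4") and APPDATA_RE.search(detail):
        flags.append("loads from Application Data")
    if "(file missing)" in detail:
        flags.append("file missing")
    if code == "O2" and "(no name)" in detail:
        flags.append("unnamed BHO")
    return {"code": code, "section": SECTIONS.get(code, "other"),
            "detail": detail, "flags": flags}

def triage(log_text):
    """Parse every entry line in log_text, keeping log order."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]

# Entry lines copied from the reply above (a subset, not a full log).
SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R3 - URLSearchHook: HyperSearchHook - {13500A71-6CA4-4D5E-B042-69F5687F8C65} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {DCB3E225-337D-FAFE-F702-E18CE8D24DDB} - C:\DOCUME~1\Kumar\APPLIC~1\IdleOpen\typespam.exe ---> If you do not recognize this, then it should be removed.
O4 - HKLM\..\Run: [Wma Enc Wave Ante] C:\Documents and Settings\All Users\Application Data\griddeafwmaenc\Find inside.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O23 - Service: WebSphere Embedded Messaging Publish And SubscribeWAS_localhost_server1 - Unknown - c:/Program Files/IBM/WebSphere MQ/WEMPS/bin/bipservice.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        mark = "REVIEW" if e["flags"] else "      "
        print(f'{mark} {e["code"]:<4}{e["section"]}: {", ".join(e["flags"]) or "-"}')
```

Entries that come back unflagged are simply not caught by these three rules; they still need the same human review the thread describes.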
     
