IEXPLORER.EXE process always starts at logon

CougTek

I'm finalizing the cleanup of an infested computer. I had to disable everything with msconfig and do a chkdsk /r before being able to install anything. I passed MalwareBytes, Superantispyware, Spysweeper, Spybot S&D, Adaware 2008 and Avira Antivir. I removed every temporary file I could find and passed CCleaner too. The Windows XP license the customer installed is unfortunately not genuine and the system refuses to boot in safe mode, although it boots OK in normal mode. I removed all old Java installations and installed the last available version (6 update 10).

All the above steps are the usual routine I perform on infected systems. This one, though, still has two IEXPLORER.EXE processes starting at logon for one of the user accounts (the remaining two are OK). One of the processes uses a lot of RAM (often more than 120MB) and the other uses less than 10MB. All the anti-malware tools I use show no remaining spyware, but a rogue IEXPLORER.EXE process at startup is a clear sign that at least one crap is still hidden somewhere.

The only thing I still haven't used is Smithfraudfix, but I doubt it will do the trick (and it is a lot more effective in safe mode anyway). I do not want to reinstall Windows because I almost always refuse to re-install a pirated copy of Windows for legal reasons.

Google didn't help much.

I'm out of ideas.
 

time

You haven't mentioned HijackThis, ProcessExplorer or SecurityTaskManager. What do any of these programs show running?

I'm guessing you've already checked the user run entries in your registry? Not to mention the obvious (auto) Startup menu?
 

Fushigi

You've run 5 anti-spyware apps but only one AV app. You might want to run another one in case the issue is one that Avira missed.
 

P5-133XL

> You haven't mentioned HijackThis, ProcessExplorer or SecurityTaskManager. What do any of these programs show running?
>
> I'm guessing you've already checked the user run entries in your registry? Not to mention the obvious (auto) Startup menu?

If he's disabled everything via MSConfig, then the startup folder, and run entries in the registry have already been disabled.
 

Mercutio

There *are* other places that can start a program. Services, for example. Or putting things in win.ini. Hijack This should be run at the very least, and Process Explorer.
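
The autostart locations raised in this thread (registry Run entries, services, win.ini) can be listed offline from a registry export and a copy of win.ini. The following is an added example, not part of any post above; the function names and sample data are constructed, and it assumes a "Windows Registry Editor Version 5.00" text export that has already been decoded to a string.

```python
import configparser
import re

# Standard Windows autostart locations, matching those named in the thread.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
SERVICES = "\\system\\currentcontrolset\\services\\"
SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXPAND_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex\(2\):([0-9a-fA-F,]*)$')

def win_ini_entries(text):
    """Return (source, name, command) for load=/run= under [windows]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    cmds = ((opt, cp.get("windows", opt, fallback="").strip()) for opt in ("load", "run"))
    return [("win.ini", opt, cmd) for opt, cmd in cmds if cmd]

def reg_entries(text):
    """Return Run values and service ImagePath values from a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    found, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m, x = SZ.match(line), EXPAND_SZ.match(line)
        if m:  # REG_SZ: undo the backslash escaping of \ and "
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        elif x:  # REG_EXPAND_SZ: comma-separated UTF-16LE bytes
            name, raw = x.group(1), bytes.fromhex(x.group(2).replace(",", ""))
            value = raw.decode("utf-16-le").rstrip("\x00")
        else:
            continue
        low = key.lower()
        if low.endswith(RUN_KEY) or (SERVICES in low and name.lower() == "imagepath"):
            found.append((key, name, value))
    return found

# Constructed sample input, not taken from the machine in the thread.
SAMPLE_INI = "[windows]\nload=\nrun=C:\\temp\\example.exe\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Example"="\"C:\\Program Files\\Example\\ex.exe\" -s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,\
  73,00,76,00,63,00,00,00
"DisplayName"="Example Service"
'''
```

Because only one of the three accounts was affected, the per-user `HKEY_CURRENT_USER` Run key of that account is the export worth comparing against the two clean accounts.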
 

CougTek

I didn't have faith in it, but SmithFraudFix did fix the problem. No more IEXPLORER process popping out of nowhere. I know I should have used HijackThis, but I was hoping not to have to (yes, that is laziness).

Thanks all for your suggestions.
 