Sign in with
Sign up | Sign in
Your question

Internet Explorer problem after virus

Last response: in Windows XP
Share
Anonymous
July 27, 2005 12:00:01 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I am working on a computer for a friend and have removed numerous trojans and
spyware from it. The machine is currently running XP Pro SP1a. When I first
got it, the desktop would not come up and no explorer windows or Internet
Explorer would work. The only way I could do anything was through task
manager.
After removal of the trojans and spyware, explorer.exe windows work just
fine. However, IE will still not work, even though it is present. If I
double click the icon for it or try to run it from the run command line, XP
reports it cannot find c:\program files\internet explorer\iexplore.exe . I
have reinstalled IE several times now with the same result.
If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I click
Help-About in IE after starting it this way, it reports the version as "side
by side mode." Can anyone suggest how I might get IE working correctly
again. My friends would probably allow me to save their personal stuff and
reformat, but I'd like to save that as a last resort. Thanks for any
suggestions!
KP
Anonymous
July 27, 2005 7:05:16 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Sounds like you system is still infected. What did you use to clean it.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Ken Pryor" <Ken Pryor@discussions.microsoft.com> wrote in message
news:F44902D7-D92F-4668-844E-C04EB7C97DC6@microsoft.com...
>I am working on a computer for a friend and have removed numerous trojans
>and
> spyware from it. The machine is currently running XP Pro SP1a. When I
> first
> got it, the desktop would not come up and no explorer windows or Internet
> Explorer would work. The only way I could do anything was through task
> manager.
> After removal of the trojans and spyware, explorer.exe windows work just
> fine. However, IE will still not work, even though it is present. If I
> double click the icon for it or try to run it from the run command line,
> XP
> reports it cannot find c:\program files\internet explorer\iexplore.exe .
> I
> have reinstalled IE several times now with the same result.
> If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I
> click
> Help-About in IE after starting it this way, it reports the version as
> "side
> by side mode." Can anyone suggest how I might get IE working correctly
> again. My friends would probably allow me to save their personal stuff
> and
> reformat, but I'd like to save that as a last resort. Thanks for any
> suggestions!
> KP
Anonymous
July 27, 2005 7:05:17 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I used AVG, Housecall, Trendmicro Internet Security for the viruses and
Ad-aware, Spybot, MS Anti Spyware for the spyware.
KP

"pcbutts1" wrote:

> Sounds like you system is still infected. What did you use to clean it.
>
> --
>
>
> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> NEW Embedded system W/Linux. We now sell DVR cards.
> See it all at http://www.seedsv.com/products.htm
> Sharpvision simply the best http://www.seedsv.com
>
>
>
> "Ken Pryor" <Ken Pryor@discussions.microsoft.com> wrote in message
> news:F44902D7-D92F-4668-844E-C04EB7C97DC6@microsoft.com...
> >I am working on a computer for a friend and have removed numerous trojans
> >and
> > spyware from it. The machine is currently running XP Pro SP1a. When I
> > first
> > got it, the desktop would not come up and no explorer windows or Internet
> > Explorer would work. The only way I could do anything was through task
> > manager.
> > After removal of the trojans and spyware, explorer.exe windows work just
> > fine. However, IE will still not work, even though it is present. If I
> > double click the icon for it or try to run it from the run command line,
> > XP
> > reports it cannot find c:\program files\internet explorer\iexplore.exe .
> > I
> > have reinstalled IE several times now with the same result.
> > If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I
> > click
> > Help-About in IE after starting it this way, it reports the version as
> > "side
> > by side mode." Can anyone suggest how I might get IE working correctly
> > again. My friends would probably allow me to save their personal stuff
> > and
> > reformat, but I'd like to save that as a last resort. Thanks for any
> > suggestions!
> > KP
>
>
>
Related resources
Anonymous
July 27, 2005 7:58:33 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Download Hijack this, run it, save a copy of the log file and cut and paste
it back here to the group so that I can analyze it.
You also said you reinstalled IE how did you do that.

HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
news:1E392395-75C0-478D-B9B5-3EBA4FB9E976@microsoft.com...
>I used AVG, Housecall, Trendmicro Internet Security for the viruses and
> Ad-aware, Spybot, MS Anti Spyware for the spyware.
> KP
>
> "pcbutts1" wrote:
>
>> Sounds like you system is still infected. What did you use to clean it.
>>
>> --
>>
>>
>> The best live web video on the internet http://www.seedsv.com/webdemo.htm
>> NEW Embedded system W/Linux. We now sell DVR cards.
>> See it all at http://www.seedsv.com/products.htm
>> Sharpvision simply the best http://www.seedsv.com
>>
>>
>>
>> "Ken Pryor" <Ken Pryor@discussions.microsoft.com> wrote in message
>> news:F44902D7-D92F-4668-844E-C04EB7C97DC6@microsoft.com...
>> >I am working on a computer for a friend and have removed numerous
>> >trojans
>> >and
>> > spyware from it. The machine is currently running XP Pro SP1a. When I
>> > first
>> > got it, the desktop would not come up and no explorer windows or
>> > Internet
>> > Explorer would work. The only way I could do anything was through task
>> > manager.
>> > After removal of the trojans and spyware, explorer.exe windows work
>> > just
>> > fine. However, IE will still not work, even though it is present. If
>> > I
>> > double click the icon for it or try to run it from the run command
>> > line,
>> > XP
>> > reports it cannot find c:\program files\internet explorer\iexplore.exe
>> > .
>> > I
>> > have reinstalled IE several times now with the same result.
>> > If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I
>> > click
>> > Help-About in IE after starting it this way, it reports the version as
>> > "side
>> > by side mode." Can anyone suggest how I might get IE working correctly
>> > again. My friends would probably allow me to save their personal stuff
>> > and
>> > reformat, but I'd like to save that as a last resort. Thanks for any
>> > suggestions!
>> > KP
>>
>>
>>
Anonymous
July 27, 2005 7:58:34 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Thanks for your help! Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 11:13:48 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/"); (C:\Documents and Settings\Michelle\Application
Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"http://www.google.com/"); (C:\Documents and Settings\Michelle\Application
Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall...
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service - Unknown - C:\Program
Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe

Thanks again!
KP

"pcbutts1" wrote:

> Download Hijack this, run it, save a copy of the log file and cut and paste
> it back here to the group so that I can analyze it.
> You also said you reinstalled IE how did you do that.
>
> HijackThis
> http://www.pcbutts1.com/downloads/HijackThis.zip
>
> --
>
>
> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> NEW Embedded system W/Linux. We now sell DVR cards.
> See it all at http://www.seedsv.com/products.htm
> Sharpvision simply the best http://www.seedsv.com
>
>
>
> "Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
> news:1E392395-75C0-478D-B9B5-3EBA4FB9E976@microsoft.com...
> >I used AVG, Housecall, Trendmicro Internet Security for the viruses and
> > Ad-aware, Spybot, MS Anti Spyware for the spyware.
> > KP
> >
> > "pcbutts1" wrote:
> >
> >> Sounds like you system is still infected. What did you use to clean it.
> >>
> >> --
> >>
> >>
> >> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> >> NEW Embedded system W/Linux. We now sell DVR cards.
> >> See it all at http://www.seedsv.com/products.htm
> >> Sharpvision simply the best http://www.seedsv.com
> >>
> >>
> >>
> >> "Ken Pryor" <Ken Pryor@discussions.microsoft.com> wrote in message
> >> news:F44902D7-D92F-4668-844E-C04EB7C97DC6@microsoft.com...
> >> >I am working on a computer for a friend and have removed numerous
> >> >trojans
> >> >and
> >> > spyware from it. The machine is currently running XP Pro SP1a. When I
> >> > first
> >> > got it, the desktop would not come up and no explorer windows or
> >> > Internet
> >> > Explorer would work. The only way I could do anything was through task
> >> > manager.
> >> > After removal of the trojans and spyware, explorer.exe windows work
> >> > just
> >> > fine. However, IE will still not work, even though it is present. If
> >> > I
> >> > double click the icon for it or try to run it from the run command
> >> > line,
> >> > XP
> >> > reports it cannot find c:\program files\internet explorer\iexplore.exe
> >> > .
> >> > I
> >> > have reinstalled IE several times now with the same result.
> >> > If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I
> >> > click
> >> > Help-About in IE after starting it this way, it reports the version as
> >> > "side
> >> > by side mode." Can anyone suggest how I might get IE working correctly
> >> > again. My friends would probably allow me to save their personal stuff
> >> > and
> >> > reformat, but I'd like to save that as a last resort. Thanks for any
> >> > suggestions!
> >> > KP
> >>
> >>
> >>
>
>
>
Anonymous
July 27, 2005 8:29:52 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I think the reason is that the virus relate your iexplore.exe.When you
run your IE,the virus is running again.You need repair your IE,Securety
Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm to
kone more.
July 27, 2005 11:41:54 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

cs_satan@cnns.net wrote:
> I think the reason is that the virus relate your iexplore.exe.When you
> run your IE,the virus is running again.You need repair your IE,Securety
> Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm to
> kone more.

Can you run explorer.exe via the task manager?
July 27, 2005 11:46:04 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

cs_satan@cnns.net wrote:
> I think the reason is that the virus relate your iexplore.exe.When you
> run your IE,the virus is running again.You need repair your IE,Securety
> Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm to
> kone more.

Can you run explorer.exe via the task manager?
Anonymous
July 27, 2005 12:22:02 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Thanks everyone. Well, after running yet another virus scanner, I have
discovered another trojan and another virus that the other virus scanners did
not find. I suspect this is the problem. I'm leaning towards recommending a
format to the owner of this machine.
KP

"RJ" wrote:

>
>
> cs_satan@cnns.net wrote:
> > I think the reason is that the virus relate your iexplore.exe.When you
> > run your IE,the virus is running again.You need repair your IE,Securety
> > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm to
> > kone more.
>
> Can you run explorer.exe via the task manager?
>
>
Anonymous
July 27, 2005 1:17:04 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

To: PCButts
I missed your post above at first. I followed your instructions, but the
problem is as soon as I delete or rename iexplore, a new copy of it is
automatically placed in the folder to replace it.
Thanks!
KP

"Ken Pryor" wrote:

> Thanks everyone. Well, after running yet another virus scanner, I have
> discovered another trojan and another virus that the other virus scanners did
> not find. I suspect this is the problem. I'm leaning towards recommending a
> format to the owner of this machine.
> KP
>
> "RJ" wrote:
>
> >
> >
> > cs_satan@cnns.net wrote:
> > > I think the reason is that the virus relate your iexplore.exe.When you
> > > run your IE,the virus is running again.You need repair your IE,Securety
> > > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm to
> > > kone more.
> >
> > Can you run explorer.exe via the task manager?
> >
> >
July 27, 2005 2:13:21 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Try Webroot spysweeper. Look for nail.exe in Windows folder. I
suspect the nail virus. While the following applies to explorer it
sound like it could be your problem:

The way to tell if you have Aurora/nail is two-fold:

First, check for Nail.exe in the C:\Windows directory. If it's there,
delete it. If it reappears, Aurora is at work on your system. The
other place to check is in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon. The Shell key will have the value
"Explorer.exe c:\windows\nail.exe". If you try to modify this setting
back to c:\windows\explorer.exe, the aurora software automatically
renames it back to include the reference to nail.exe.

The latest Symatec definition identifies this virus as "BetterInternet"
and provides a remover that doesn't stop the behavior noted above. To
stop the behavior noted above, I took the following steps:

(1) From a command prompt, go to the Windows/System directory and type
dir>nail.exe (this changes the contents of nail.exe and their
software doesn't try to remedy this situation)

(2) Reboot. Upon startup you'll get an error message, but ignore it.
You can now delete Nail.exe and it will not reappear.

(3) Finally, using RegEdit, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and change the shell key to
"c:\windows\explorer.exe"

Reboot and your system is now clean.
Anonymous
July 27, 2005 7:24:28 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Your log looks fine. Try this first download IE6 from here and save it to
your desktop
http://www.microsoft.com/downloads/details.aspx?FamilyI...
Move the iexplore.exe file out of the internet explorer folder or just
rename it. Cut everything between these lines and paste it into notepad.
Save the file to your desktop and name it installie.reg, make sure you
change the save as....drop down box to all files. Once saved double click on
the file to merge it into the registry, this will allow you to re-install
IE. Double click the IE6 setup file you saved earlier to re-install IE. Once
done go to windows update and install all the patches.

====================================================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"IsInstalled"=dword: 00000000


====================================================================================

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
news:32CA53C2-C315-4A33-9A86-2407C0CB2146@microsoft.com...
> Thanks for your help! Here it is:
>
Anonymous
July 27, 2005 9:52:24 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Follow RJ's advice first then you can still do mine even if it will not let
you rename the file you will still be able to re-install IE. The main thing
is to get rid of the virus. I have a nail remover tool on my site at
http://www.pcbutts1.com/downloads/nailfix.exe

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
news:5666F40F-BB66-493E-88E4-6EC9B8A1B6A8@microsoft.com...
> To: PCButts
> I missed your post above at first. I followed your instructions, but the
> problem is as soon as I delete or rename iexplore, a new copy of it is
> automatically placed in the folder to replace it.
> Thanks!
> KP
>
> "Ken Pryor" wrote:
>
>> Thanks everyone. Well, after running yet another virus scanner, I have
>> discovered another trojan and another virus that the other virus scanners
>> did
>> not find. I suspect this is the problem. I'm leaning towards
>> recommending a
>> format to the owner of this machine.
>> KP
>>
>> "RJ" wrote:
>>
>> >
>> >
>> > cs_satan@cnns.net wrote:
>> > > I think the reason is that the virus relate your iexplore.exe.When
>> > > you
>> > > run your IE,the virus is running again.You need repair your
>> > > IE,Securety
>> > > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm
>> > > to
>> > > kone more.
>> >
>> > Can you run explorer.exe via the task manager?
>> >
>> >
Anonymous
July 27, 2005 10:03:03 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Another thing I noticed is that the version of Hijackthis you used is not
current and it looks as if you may have ran it in safe mode. Download the
current version from here and run it while booted in normal mode. Posts the
results.
HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
news:5666F40F-BB66-493E-88E4-6EC9B8A1B6A8@microsoft.com...
> To: PCButts
> I missed your post above at first. I followed your instructions, but the
> problem is as soon as I delete or rename iexplore, a new copy of it is
> automatically placed in the folder to replace it.
> Thanks!
> KP
>
> "Ken Pryor" wrote:
>
>> Thanks everyone. Well, after running yet another virus scanner, I have
>> discovered another trojan and another virus that the other virus scanners
>> did
>> not find. I suspect this is the problem. I'm leaning towards
>> recommending a
>> format to the owner of this machine.
>> KP
>>
>> "RJ" wrote:
>>
>> >
>> >
>> > cs_satan@cnns.net wrote:
>> > > I think the reason is that the virus relate your iexplore.exe.When
>> > > you
>> > > run your IE,the virus is running again.You need repair your
>> > > IE,Securety
>> > > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm
>> > > to
>> > > kone more.
>> >
>> > Can you run explorer.exe via the task manager?
>> >
>> >
Anonymous
July 28, 2005 4:35:07 PM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Sorry I haven't checked back in till now. My ISP has been down. I'm at work
right now, but will check on all mentioned above tonight hopefully and will
advise. Thanks very much for the help.
KP

"pcbutts1" wrote:

> Another thing I noticed is that the version of Hijackthis you used is not
> current and it looks as if you may have ran it in safe mode. Download the
> current version from here and run it while booted in normal mode. Posts the
> results.
> HijackThis
> http://www.pcbutts1.com/downloads/HijackThis.zip
>
> --
>
>
> The best live web video on the internet http://www.seedsv.com/webdemo.htm
> NEW Embedded system W/Linux. We now sell DVR cards.
> See it all at http://www.seedsv.com/products.htm
> Sharpvision simply the best http://www.seedsv.com
>
>
>
> "Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
> news:5666F40F-BB66-493E-88E4-6EC9B8A1B6A8@microsoft.com...
> > To: PCButts
> > I missed your post above at first. I followed your instructions, but the
> > problem is as soon as I delete or rename iexplore, a new copy of it is
> > automatically placed in the folder to replace it.
> > Thanks!
> > KP
> >
> > "Ken Pryor" wrote:
> >
> >> Thanks everyone. Well, after running yet another virus scanner, I have
> >> discovered another trojan and another virus that the other virus scanners
> >> did
> >> not find. I suspect this is the problem. I'm leaning towards
> >> recommending a
> >> format to the owner of this machine.
> >> KP
> >>
> >> "RJ" wrote:
> >>
> >> >
> >> >
> >> > cs_satan@cnns.net wrote:
> >> > > I think the reason is that the virus relate your iexplore.exe.When
> >> > > you
> >> > > run your IE,the virus is running again.You need repair your
> >> > > IE,Securety
> >> > > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm
> >> > > to
> >> > > kone more.
> >> >
> >> > Can you run explorer.exe via the task manager?
> >> >
> >> >
>
>
>
Anonymous
July 29, 2005 2:32:01 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

You guys are awesome! It seems to be fixed, thanks to all of your advice. I
truly appreciate your help. Just for the sake of being careful, here is the
new Hijack log and I would appreciate it if you would give it the once over
and see how it looks to you.

Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet
Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/"); (C:\Documents and Settings\Michelle\Application
Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"http://www.google.com/"); (C:\Documents and Settings\Michelle\Application
Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet
Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet
Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure
Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall...
O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner
- C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. -
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet
Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure
Corporation - C:\Program Files\F-Secure Internet
Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure
Internet Security\Common\FSMA32.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner -
C:\Program Files\Ahead\InCD\InCDsrv.exe

Thanks again!
KP

"Ken Pryor" wrote:

> Sorry I haven't checked back in till now. My ISP has been down. I'm at work
> right now, but will check on all mentioned above tonight hopefully and will
> advise. Thanks very much for the help.
> KP
>
> "pcbutts1" wrote:
>
> > Another thing I noticed is that the version of Hijackthis you used is not
> > current and it looks as if you may have ran it in safe mode. Download the
> > current version from here and run it while booted in normal mode. Posts the
> > results.
> > HijackThis
> > http://www.pcbutts1.com/downloads/HijackThis.zip
> >
> > --
> >
> >
> > The best live web video on the internet http://www.seedsv.com/webdemo.htm
> > NEW Embedded system W/Linux. We now sell DVR cards.
> > See it all at http://www.seedsv.com/products.htm
> > Sharpvision simply the best http://www.seedsv.com
> >
> >
> >
> > "Ken Pryor" <KenPryor@discussions.microsoft.com> wrote in message
> > news:5666F40F-BB66-493E-88E4-6EC9B8A1B6A8@microsoft.com...
> > > To: PCButts
> > > I missed your post above at first. I followed your instructions, but the
> > > problem is as soon as I delete or rename iexplore, a new copy of it is
> > > automatically placed in the folder to replace it.
> > > Thanks!
> > > KP
> > >
> > > "Ken Pryor" wrote:
> > >
> > >> Thanks everyone. Well, after running yet another virus scanner, I have
> > >> discovered another trojan and another virus that the other virus scanners
> > >> did
> > >> not find. I suspect this is the problem. I'm leaning towards
> > >> recommending a
> > >> format to the owner of this machine.
> > >> KP
> > >>
> > >> "RJ" wrote:
> > >>
> > >> >
> > >> >
> > >> > cs_satan@cnns.net wrote:
> > >> > > I think the reason is that the virus relate your iexplore.exe.When
> > >> > > you
> > >> > > run your IE,the virus is running again.You need repair your
> > >> > > IE,Securety
> > >> > > Expert can help you.Goto http://securityexpert.cnns.net/IErepair.htm
> > >> > > to
> > >> > > kone more.
> > >> >
> > >> > Can you run explorer.exe via the task manager?
> > >> >
> > >> >
> >
> >
> >
August 6, 2005 11:28:19 AM

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I finally fixed this problem. I was running AUTORUNS from SYSINTERNALS
(you guys are awesome). There was this entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options

+ explorer.exe File not found: C:\WINDOWS\System32\grpmnt.exe

I deleted then fixed the registry entry that I previously changed and
it now works.
!