
Author Topic: how do I get rid of iexplore.exe  (Read 135 times)


dreadlocklover (Topic starter)
« on: January 01, 2012, 03:30:47 pm »
Malwarebytes keeps popping up and telling me it has successfully blocked access to a malicious website:  60.150.14.111, and 112 and 113.
This happens every 60 seconds or so.
I have obviously got some kind of worm but Spybot and Avast can't seem to identify it so that I can zap it.
Can anyone help me?
Roxy

Homina8or
« Reply #1 on: January 01, 2012, 05:24:01 pm »
"iexplore.exe" is the process that runs for Internet Explorer.  If you are using this browser, then iexplore.exe should be running when you have the browser open.  How long since you first noticed this problem?  Did you receive an e-mail with an attachment or install any new software recently?  Also, click on this thread as a starting point:
Malware Advice

Glitch
« Reply #2 on: January 01, 2012, 06:12:37 pm »
Welcome aboard, dreadlocklover...

Let's start here:

Download and rename HijackThis.msi (HJT)
  • Double-click on the HijackThis.msi to begin.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open HijackThis.
  • If using Windows Vista, Right-click and Run As Administrator.
  • Click on the Do a system scan and save a log file button
  • HijackThis will scan and then a log will open in Notepad.
  • Copy and Paste the entire contents of the log in your next post.
  • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.
Please...Do not PM (Private Message) Staff or other members for your support question(s).  Use the forums, or chat, instead.  Thank you.

dreadlocklover (Topic starter)
« Reply #3 on: January 02, 2012, 06:39:54 pm »
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:03:32, on 02/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ShortKeys2\shklite.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: SearchCore for Browsers - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\SEARCH~1\SEARCH~1\BROWSE~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [FormAutoFiller] C:\Program Files\FormAutoFiller\faf.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: ShortKeys Lite.lnk = C:\Program Files\ShortKeys2\shklite.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~1\SEARCH~1\SEARCH~1\IEBHO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8508 bytes
As requested.  I have no idea at all what I am doing, so hope this is what you require.  BTW, I use Firefox all the time, not Internet Explorer; I believe this is a malware wormy kinda thing.

Homina8or
« Reply #4 on: January 02, 2012, 07:35:29 pm »
A quick cursory look at what you posted and the following stood out:

O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: SearchCore for Browsers - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\SEARCH~1\SEARCH~1\BROWSE~1.DLL


Searchqu toolbar has been installed on your PC and it cannot be uninstalled the conventional way through your control panel.  Below is a link to a site that has detailed instructions on how to remove searchqu toolbar from your browser:

http://deletemalware.blogspot.com/2011/05/how-to-remove-searchqu-uninstall-guide.html

The interesting thing about the searchqu toolbar is that it is written by Bandoo Media, who claim that their freeware has no malicious software.  What makes me wonder about that claim is: why is it so difficult to uninstall their toolbar, then?  If anyone else on our board would take a look at the log and see if there is anything else I missed, it might be helpful.  Another note: searchqu is usually installed as an add-on to software you download and install on your PC.  Therefore, whatever program you installed with searchqu may be suspect as well.
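Added example (not part of the original thread, and not any poster's or Trend Micro's code): one way to check a HijackThis log for entries related to the two flagged BHOs is to pivot from the flagged names to their install directories and list every other log line that loads code from the same place. The function names, the keyword list and the "first two folders identify the product" rule are assumptions of this sketch; the sample lines are copied from the log in Reply #3.

```python
import re

# Subset of lines copied from the HijackThis log posted in Reply #3.
SAMPLE_LOG = r"""
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O2 - BHO: SearchCore for Browsers - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\SEARCH~1\SEARCH~1\BROWSE~1.DLL
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~1\SEARCH~1\SEARCH~1\IEBHO.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")           # e.g. "O2 - BHO: ..."
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)


def parse(log):
    """Yield (section, text); bare paths are the 'Running processes' list."""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            yield m.group(1), m.group(2)
        elif PATH_RE.match(line):
            yield "PROC", line


def product_dir(path):
    """Drive plus at most the first two folders, lower-cased (assumed product root).
    8.3 short names (PROGRA~1) are compared as written; they cannot be
    expanded to long names without access to the machine itself."""
    folders = path.lower().split("\\")[:-1]                # drop the file name
    return "\\".join(folders[:3])


def pivot(log, keywords):
    """Return (seed directories, {section: [other lines using those directories]})."""
    entries = list(parse(log))
    kws = [k.lower() for k in keywords]
    seeds = [e for e in entries if any(k in e[1].lower() for k in kws)]
    dirs = {product_dir(p) for _, text in seeds for p in PATH_RE.findall(text)}
    related = {}
    for section, text in entries:
        if (section, text) in seeds:
            continue                                       # already flagged by name
        if any(product_dir(p) in dirs for p in PATH_RE.findall(text)):
            related.setdefault(section, []).append(text)
    return dirs, related


if __name__ == "__main__":
    dirs, related = pivot(SAMPLE_LOG, ["searchqu", "searchcore"])
    for section, lines in related.items():
        for text in lines:
            print(section, "|", text)
```

On the sample lines this lists the running DATAMN~1.EXE process, the DATAMNGR Run entry and the AppInit_DLLs line, none of which contain the flagged names; the Avast and Yahoo! entries are not listed.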

Glitch
« Reply #5 on: January 03, 2012, 02:00:41 am »
dreadlocklover...

Please perform the following:
  • Make sure Malwarebytes is currently updated.  If you are having problems retrieving the updates, you can manually download them from here. You can double-click mbam-rules.exe to install.
  • After the update, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.
  • The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.
  • Copy and Paste the contents of the report in your next reply.
  • Exit MBAM.

Note:  If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK on both and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let's also give SUPERAntiSpyware a shot:
Download SuperAntispyware Free Edition (SAS)
  • Double-click the icon on your desktop to run the installer.
  • When asked to Update the program definitions, click Yes
  • Note:  If you encounter any problems while downloading the updates, manually download and unzip them from here. Just double-click the SASDEFINITIONS.EXE file to perform the update.
  • Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
  • Click the Scanning Control tab.

Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  • Please leave the others unchecked

Continuing...
  • Click the Close button to leave the control center screen.
  • On the main screen click Scan your computer
  • On the left check the box for the drive you are scanning.
  • On the right choose Perform Complete Scan
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK
  • Make sure everything in the white box has a check next to it, then click Next
  • It will quarantine what it found and if it asks if you want to reboot, click Yes

To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.  It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click close and close again to exit the program.
  • Copy and Paste the log in your next post.

NOTE: Don't use both programs at the same time.  Scan with one, save the log, close the program, and then scan with the next one.  If either of these programs takes an unreasonably long time (more than 2-3 hours), you are welcome to abort the scan if you wish.  If that is the case, let me know and I will have you try something else instead.

Post Merge: January 03, 2012, 03:11:37 am
Hopefully, one of our Malware Specialists will take a look at your logs to provide more insight and remedy your current situation...

Please be patient...and hopefully, they will reply soon.
« Last Edit: January 12, 2012, 01:20:17 pm by Glitch »

dreadlocklover (Topic starter)
« Reply #6 on: January 03, 2012, 08:40:14 am »
Thank you for all that help.
Malware is installed on my PC and I am fairly sure I have the updates.
However it did not recognise this worm.
I shall attempt to remove it as you suggest.
I do hope that someone can look at that report in detail as I am sure there is a lot wrong with my PC, but I already paid £180 to 2 different "pc technicians" and nothing has changed except the first one said my hard drive had crashed while he was "restoring it" and so he replaced it with this awful cream thing from before the war called a Viglen Genie and it groans and wheezes all the time.
I have Firefox and have to give instructions 3-9 times before a screen changes.  It's terribly slow and I have absolutely no idea why.
I have run out of ideas!!

Glitch
« Reply #7 on: January 03, 2012, 12:01:35 pm »
You're welcome...

However, please...follow the directions in my last post.  In order to assist you, we will need the logs from Malwarebytes, as well as SuperAntiSpyware.

You already have Malwarebytes installed.  So, update it...run the Quick Scan and submit the log.  Close Malwarebytes...then download/install/update SuperAntiSpyware and run that, as well...following the directions in my last post.

We do not charge for our services...and nothing we ask you to download and install is invasive on your computer.  We help, because we want to...it's what we do.

Once we get this malware removed...we'll be more than happy to assist you regarding the performance of your PC.
« Last Edit: January 03, 2012, 12:18:58 pm by Glitch »

dreadlocklover (Topic starter)
« Reply #8 on: January 07, 2012, 12:36:41 pm »
Well, I finally rid myself of the Malware problem by uninstalling Malwarebytes.
I will reinstall it now and let you have a log.
Thanks for your help.
Roxy

CBMatt (Malware Team Leader)
« Reply #9 on: January 07, 2012, 05:25:02 pm »
It is indeed important to closely follow instructions given by our staff here, but it is still good to see that you made a little bit of progress.  Now, once you've got your log, go ahead and post it and we can provide further instructions.
Actually, the name is Chris...

Glitch
« Reply #10 on: January 21, 2012, 02:44:58 pm »
It appears this topic has been abandoned by the original poster.  This topic will now be locked.  If you're the original poster and need this topic re-opened...please, contact a Staff member.

 

