Internet Explorer problem after virus

Guest

I am working on a computer for a friend and have removed numerous trojans and
spyware from it. The machine is currently running XP Pro SP1a. When I first
got it, the desktop would not come up and no explorer windows or Internet
Explorer would work. The only way I could do anything was through task
manager.
After removal of the trojans and spyware, explorer.exe windows work just
fine. However, IE will still not work, even though it is present. If I
double click the icon for it or try to run it from the run command line, XP
reports it cannot find c:\program files\internet explorer\iexplore.exe . I
have reinstalled IE several times now with the same result.
If I rename iexplore.exe to iexplore.exe.exe, it will then work. If I click
Help-About in IE after starting it this way, it reports the version as "side
by side mode." Can anyone suggest how I might get IE working correctly
again? My friends would probably allow me to save their personal stuff and
reformat, but I'd like to save that as a last resort. Thanks for any
suggestions!
KP
 
Guest

I used AVG, Housecall, Trendmicro Internet Security for the viruses and
Ad-aware, Spybot, MS Anti Spyware for the spyware.
KP
 
Guest

Thanks for your help! Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 11:13:48 PM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114712068768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service - Unknown - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thanks again!
KP
 
Guest

Thanks everyone. Well, after running yet another virus scanner, I have
discovered another trojan and another virus that the other virus scanners did
not find. I suspect this is the problem. I'm leaning towards recommending a
format to the owner of this machine.
KP
 
pcbutts1

Your log looks fine. Try this first: download IE6 from here and save it to
your desktop:
http://www.microsoft.com/downloads/...cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en
Move the iexplore.exe file out of the Internet Explorer folder or just
rename it. Cut everything between these lines and paste it into Notepad.
Save the file to your desktop and name it installie.reg; make sure you
change the "Save as..." drop-down box to All Files. Once saved, double click on
the file to merge it into the registry; this will allow you to re-install
IE. Double click the IE6 setup file you saved earlier to re-install IE. Once
done, go to Windows Update and install all the patches.

====================================================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"IsInstalled"=dword:00000000


====================================================================================

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
Guest

To: PCButts
I missed your post above at first. I followed your instructions, but the
problem is as soon as I delete or rename iexplore, a new copy of it is
automatically placed in the folder to replace it.
Thanks!
KP
 
RJ

Try Webroot Spy Sweeper. Look for nail.exe in the Windows folder. I
suspect the nail virus. While the following applies to explorer, it
sounds like it could be your problem:

The way to tell if you have Aurora/nail is two-fold:

First, check for Nail.exe in the C:\Windows directory. If it's there,
delete it. If it reappears, Aurora is at work on your system. The
other place to check is in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon. The Shell key will have the value
"Explorer.exe c:\windows\nail.exe". If you try to modify this setting
back to c:\windows\explorer.exe, the aurora software automatically
renames it back to include the reference to nail.exe.

The latest Symantec definition identifies this virus as "BetterInternet"
and provides a remover that doesn't stop the behavior noted above. To
stop the behavior noted above, I took the following steps:

(1) From a command prompt, go to the Windows/System directory and type
dir>nail.exe (this changes the contents of nail.exe and their
software doesn't try to remedy this situation)

(2) Reboot. Upon startup you'll get an error message, but ignore it.
You can now delete Nail.exe and it will not reappear.

(3) Finally, using RegEdit, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and change the shell key to
"c:\windows\explorer.exe"

Reboot and your system is now clean.
 
pcbutts1

Another thing I noticed is that the version of HijackThis you used is not
current, and it looks as if you may have run it in safe mode. Download the
current version from here and run it while booted in normal mode. Post the
results.
HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip

 
Guest

Sorry I haven't checked back in until now. My ISP has been down. I'm at work
right now, but will check on all mentioned above tonight, hopefully, and will
advise. Thanks very much for the help.
KP
 
Guest

You guys are awesome! It seems to be fixed, thanks to all of your advice. I
truly appreciate your help. Just for the sake of being careful, here is the
new HijackThis log, and I would appreciate it if you would give it the once-over
and see how it looks to you.

Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Michelle\Application Data\Mozilla\Profiles\default\xt341en2.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F556A6EE-5601-493D-9829-965DFF511307} - (no file) (HKCU)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114712068768
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: F-Secure product (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe

Thanks again!
KP
 
RJ

I finally fixed this problem. I was running AUTORUNS from SYSINTERNALS
(you guys are awesome). There was this entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

+ explorer.exe File not found: C:\WINDOWS\System32\grpmnt.exe

I deleted it, then fixed the registry entry that I previously changed, and
it now works.
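The two registry hijack points this thread turns on, the Winlogon Shell value RJ describes for Aurora/nail and the Image File Execution Options entry that Autoruns exposed for explorer.exe, can be audited without a third-party tool. The PowerShell script below is an added example; it is not code from the thread, from HijackThis, or from Autoruns. It assumes a Windows host with PowerShell available and an elevated prompt (the XP machine in the thread would need PowerShell installed first). It also reads back the Active Setup IsInstalled flag for the component GUID in pcbutts1's installie.reg, so the effect of that merge can be confirmed. It only reads and reports and changes nothing; the value names Shell, Debugger and IsInstalled are the real ones Windows uses.

```powershell
# Added example (not from the thread, HijackThis or Autoruns): read-only audit of the
# registry locations discussed in this thread. Run from an elevated PowerShell prompt.

$winlogon       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Component GUID taken from pcbutts1's installie.reg above.
$activeSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'

# 1. Winlogon Shell: on a default install this is exactly "explorer.exe".
#    Aurora/nail appended "c:\windows\nail.exe" so its loader is relaunched at every logon.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ([string]::IsNullOrWhiteSpace($shell)) {
    Write-Output 'Winlogon Shell: value absent (default explorer.exe applies)'
} elseif ($shell.Trim() -ieq 'explorer.exe') {
    Write-Output "Winlogon Shell: OK ($shell)"
} else {
    Write-Warning "Winlogon Shell is non-default: '$shell' (inspect every path listed after explorer.exe)"
}

# 2. IFEO: a "Debugger" value under <program>.exe makes Windows start the debugger instead,
#    with the program as its argument. If the debugger file is gone (the grpmnt.exe case
#    Autoruns showed), launching the program fails with "Windows cannot find ...", which is
#    consistent with the iexplore.exe symptom in the first post. Renaming the program
#    sidesteps the entry because IFEO keys are matched on the exact file name.
$findings = foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ([string]::IsNullOrWhiteSpace($dbg)) { continue }

    # The value may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $exists = Test-Path -LiteralPath $exe -PathType Leaf

    [pscustomobject]@{
        Target   = $key.PSChildName      # the program whose launch is redirected, e.g. explorer.exe
        Debugger = $dbg
        Exists   = $exists
        # A valid Authenticode signature does not prove legitimacy, but an unsigned
        # debugger attached to a system binary deserves a close look.
        Signed   = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' } else { $false }
    }
}

if (-not $findings) {
    Write-Output 'IFEO: no Debugger values present'
} else {
    # Missing or unsigned debuggers sort to the top. This is a triage list, not a verdict:
    # developers legitimately use IFEO to attach a debugger to their own programs.
    $findings | Sort-Object Exists, Signed | Format-Table -AutoSize
    $findings | Where-Object { -not $_.Exists } | ForEach-Object {
        Write-Warning "IFEO entry for $($_.Target) points at a missing file: $($_.Debugger)"
    }
}

# 3. Active Setup: installie.reg sets IsInstalled to 0 for this component so the IE6 setup
#    will run again. Report the current value so the merge can be confirmed.
$isInstalled = (Get-ItemProperty -Path $activeSetupKey -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
if ($null -eq $isInstalled) {
    Write-Output 'Active Setup component: IsInstalled value absent'
} else {
    Write-Output "Active Setup component: IsInstalled = $isInstalled (0 means setup will run again)"
}
```

The script is deliberately read-only: the thread shows why. Deleting nail.exe or renaming iexplore.exe while the persistence entry is still in place just gets the file recreated, so the registry entries are the thing to find first, and a person should decide what to remove after seeing the full list rather than a script guessing.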
 
