Strange MSIE Behavior

[Mark Buckles/Harlan Labs]

I keep getting a pop-up on my desktop that says:

"Microsoft Internet Explorer. This window is busy.
Closing this window may cause some probelms.
Do you want to close it anyway? OK/Cancel"

I don't even use MSIE. When I halt iexplore.exe in
the Process tab of Task Manager, it just restarts
again later.

In an effort to disenable it, I went into the MSIE
program file and renamed iexplore.exe to
Xiexplore.exe, but something regenerates it and
re-adds it to the folder as iexplore.exe.

I tried to rename the folder, but I get this error
message:

"Cannot rename Internet Explorer: it is being used
by another preson or program. Close any programs
that might be using it and try again."

If I leave the computer running, the screen fills
up with error pop-ups:

http://www.harlanlabs.com/misc/desktop.jpg

How can I find what is invoking MSIE and make it
stop?

Our system:
Compaq Presario SR1110NX
Win XP Home Edition v5.1
MSIEv6.0.2800

THANKS!

Best Regards,
Mark Buckles
Harlan Labs
San Diego
http://www.harlanlabs.com

 

[Guest]

Once xp starts-up IE also starts,even if youre not connected to the
internet.Try updateing IE,start with SP1 for IE-dated 2002.

 

[Wesley Vogel]

And where did you come up with this info??

IE shouldn't start when XP starts unless a user has knowingly added a
shortcut to the Start Menu/Starup or unless he/she has some sort of a virus
or scumware that is doing this.

 

[Wesley Vogel]

Windows File Protection will prevent you from renaming or deleting
iexplore.exe (IE).

You either have a virus or scumware that is starting IE. Just removing the
shortcut from wherever IE is starting from will probably not fix the
problem. The virus or scumware will probably replace the shortcut. So, you
have to get rid of the virus or scumware. Since you stated that you can
kill IE with Taskmanager and IE restarts itself later, it is probably *not*
in one of the following folders.... might not hurt to check anyway.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
and
C:\Documents and Settings\Your Name Here\Start Menu\Programs\Startup
are two places to look. There are about a dozen places in the registry
where this can be happening.

Update your anti virus software and run a full system scan.

Free online virus scans:

Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Panda ActiveScan - Free online scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php

Get Your AVG for free!
http://www.grisoft.com/us/us_dwnl_free.php

=============
My standard "you may have scumware" post follows..............

First. Make sure of these settings and nothing will install without you
answering YES. (Except what may install as part of some other software.)
Don't click YES if you don't know/trust the source.

Start | Settings | Control Panel | Internet Options | Advanced tab |
Make sure both of these are NOT checked.

 Enable Install On Demand (Internet Explorer)
[[Specifies to automatically download and install Internet Explorer
components if a Web page needs them in order to display the page properly or
perform a particular task.]]

 Enable Install On Demand (Other)
[[Specifies to automatically download and install Web components if a Web
page needs them in order to display the page properly or perform a
particular task.]]

Apply | OK

 Enable Install On Demand (Other)
Is part of the driveby downloading of unwanted programs. i.e. Scumware or
whatever will install w/o you even being aware of it.
=====

Second. If you need a scan right now.

Follow the instructions!
THE PARASITE FIGHT QUICK FIX PROTOCOL
http://aumha.org/a/quickfix.php

=====

Third.
It is known as scumware. Visit these sites. 1, 2, 3 and 4 are really good.
Download, install, run, update and run again; one or all. They are all
good, FREE utilities. Make sure you update every program, even if you
just downloaded it. You must have the latest updates. Without updates,
you have a gun without ammo.

1) CWShredder direct download:
http://216.180.233.163/~merijn/files/CWShredder.exe

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (some other stuff that may be of interest also)
http://www.spywareinfo.com/~merijn/downloads.html

4a) HijackThis (direct download)
http://aumha.org/downloads/hijackthis.zip

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

=====

MVPS HOSTS file is a free download from:
http://www.mvps.org/winhelp2002/

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

=====

Problems uninstalling? Here's some advice.
http://www.kephyr.com/spywarescanner/uninstallproblems.phtml

Additional information & instructions.
A wealth of information here, boys and girls.

THE PARASITE FIGHT QUICK FIX PROTOCOL
http://aumha.org/a/quickfix.htm

THE PARASITE FIGHT
Finding, Removing & Protecting Yourself From Scumware
http://aumha.org/a/parasite.htm

Bugs, Glitches & Stuffups
http://www.mvps.org/inetexplorer/Darnit.htm

Dealing with Unwanted Spyware and Parasites
http://mvps.org/winhelp2002/unwanted.htm

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315

Spyware and Deceptive Software
http://www.microsoft.com/mscorp/twc/privacy/spyware.mspx?gssnb=1

What you should know about spyware
http://www.microsoft.com/security/articles/spyware.asp

Cleaning Up XP
http://www.kellys-korner-xp.com/xp_c.htm#cleanup

 

[Mark Buckles/Harlan Labs]

Windows File Protection will prevent you from renaming or deleting
iexplore.exe (IE).

You either have a virus or scumware that is starting IE. Just removing the
shortcut from wherever IE is starting from will probably not fix the
problem. The virus or scumware will probably replace the shortcut. So, you
have to get rid of the virus or scumware. Since you stated that you can
kill IE with Taskmanager and IE restarts itself later, it is probably *not*
in one of the following folders.... might not hurt to check anyway.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
and
C:\Documents and Settings\Your Name Here\Start Menu\Programs\Startup
are two places to look. There are about a dozen places in the registry
where this can be happening.

Update your anti virus software and run a full system scan.

<snippage>

Thank you for your help!

I took your advice and updated Norton (actually, I bought a fresh copy
of Norton Anti-Virus 2005 with the Internet Security option), ran a
full scan, and Norton said that it found the Socks.exe virus. I told
Norton to fix it, but when I restarted the computer, the Norton window
popped up to proclaim that:

High Risk
Norton AntiVirus has detected a virus on your computer.
Object name: Socks.exe
Virus Name: PWSteal.Ldpinch.B
Action Taken: Unable to repair this file

So the Norton scan did not knock my socks off...

How do I get rid of Socks? Also, there is a file in C:\windows named
system.exe that looks suspicious (but Norton didn't report it).

Best Regards,
Mark Buckles
Harlan Labs
San Diego
http://www.harlanlabs.com

 

[Wesley Vogel]

Socks.exe = Backdoor.Rsocks.12 [Kaspersky], BackDoor-ATC.cfg [McAfee],
BackDoor-ATC.svr [McAfee], RSocks, security risk or a "backdoor" program
[F-Prot]

I am not suggesting that you purchase PestPatrol. But they have info
here...
Socks.exe = RSocks 1.2
http://www.pestpatrol.com/pestinfo/r/rsocks_1_2.asp


PWSteal.Ldpinch.B
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.ldpinch.b.html

PWSteal.Ldpinch.B
http://www.google.com/search?hl=en&lr=&q=PWSteal.Ldpinch.B&btnG=Search

Did you get the latest updates after you installed Norton Anti-Virus 2005???
If you didn't, you need to.

How to run LiveUpdate
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1999121613163206

system.exe is *NOT* a Windows XP file. Nor does it look like something that
you want to keep.

Update Norton Anti-Virus 2005. If you can set it to automatically update,
do that. An un-updated AV tool is like an empty gun. Worthless! I don't
use Norton, so I know nothing about setting that up.

Every Anti Virus company seems to name the same virus/trojan with a
different name. These may all be the same thing.

system.exe = Trojan.Mitglieder.B
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.b.html

system.exe = Trojan.Mitglieder.D
http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.d.html

system.exe = Troj/Tofger-B
http://www.sophos.com/virusinfo/analyses/trojtofgerb.html

system.exe = W32/Colevo-A
http://www.sophos.com/virusinfo/analyses/w32colevoa.html

system.exe = WORM_COLEVO.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_COLEVO.A

system.exe = Glacier
http://www.pestpatrol.com/PestInfo/g/glacier.asp