
[Resolved] iiiexplore.exe

Discussion in 'Virus & Other Malware Removal' started by danb110, Jan 27, 2003.

Thread Status:
Not open for further replies.
  1. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    Running Windows 2000 with Tiny Personal Firewall. I'm unable to load Internet Explorer 5.5 without continuously permitting the firewall to use the file iiiexplore.exe to contact 63.219.178.183. The file iiiexplore.exe is located in the Windows system directory and was just created. I have made no recent software changes. If I create a filter rule and accept usage of iiiexplore.exe, the modem is inundated and continuously transmits. I can't find any documentation concerning a file named iiiexplore.exe, virus or otherwise. Any guidance is greatly appreciated.
     
  2. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    I would cancel connection privileges till you find out. Use View > Arrange Icons > by Date and see if there are other files created at that same moment.

    jm100dm
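The "arrange icons by date" check suggested above, done programmatically: list the files whose creation time falls within a short window of the suspect file's, since a dropper that writes several files does so within seconds. This is an added example and not code from the thread; SAMPLE_LISTING is a constructed directory listing, and the companion file name in it is hypothetical.

```python
"""Find files created at about the same moment as a suspect file.
Added example, not from the thread; SAMPLE_LISTING is constructed and
the companion file name in it is hypothetical."""
import os
from datetime import datetime, timedelta


def cluster_near(records, suspect, window_seconds=60):
    """records: (name, created) pairs. Return the names created within
    `window_seconds` of `suspect`, not counting the suspect itself."""
    created = dict(records)
    pivot, window = created[suspect], timedelta(seconds=window_seconds)
    return sorted(name for name, ts in created.items()
                  if name != suspect and abs(ts - pivot) <= window)


def nearby_files(directory, suspect, window_seconds=60):
    """Same check against a real directory. st_ctime is the creation time
    on Windows but the last metadata change on Unix, so only read it as
    a creation time on Windows."""
    records = [(entry.name, datetime.fromtimestamp(entry.stat().st_ctime))
               for entry in os.scandir(directory) if entry.is_file()]
    return cluster_near(records, suspect, window_seconds)


# Constructed listing modelled on the Windows 2000 System32 directory above.
SAMPLE_LISTING = [
    ("userinit.exe",   datetime(2001, 7, 20, 12, 0, 0)),
    ("svchost.exe",    datetime(2001, 7, 20, 12, 0, 5)),
    ("iiiexplore.exe", datetime(2003, 1, 27, 20, 14, 2)),
    ("cfgldr.dll",     datetime(2003, 1, 27, 20, 14, 3)),   # hypothetical companion file
    ("sample.log",     datetime(2003, 1, 26, 9, 30, 0)),    # constructed, unrelated file
]

if __name__ == "__main__":
    # Files dropped within a minute of the suspect: ['cfgldr.dll']
    print(cluster_near(SAMPLE_LISTING, "iiiexplore.exe"))
```

Creation timestamps are a lead, not proof: they can be altered, and a file copied rather than written fresh carries a different time. Anything this turns up still needs to be checked against the startup locations and the running process list.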
     
  3. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    You can go to that site by pasting the numbers in your address bar. Make sure to exclude the period at the end of your sentence. Or hit this link.

    http://63.219.178.183/manual/index.html

    Did you install Apache?

    jm100dm
     
  4. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
  5. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    Apache was previously installed, but I uninstalled it several months ago. Since the IP address 63.219.178.183 points to an Apache server, do you think it's software related and not a virus? Thanks for the help.
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Is the file really named iiiexplore.exe?

    As there's no Windows file by that name, it's bound to be a worm or trojan.

    Would you please do this:

    Go to http://www.spywareinfo.com/downloads.php#startup, and download 'Startuplist'.

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.
     
  7. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    Just to know for sure I would follow Tony's advice. He's a pro at this.

    Jm100dm
     
  8. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    I will go to that link and I'll post the results I get from there.

    Dan
     
  9. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    The file name is spelled iiiexplore.exe, with three i's.
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    It's bound to be a baddie, and it will have to be removed.

    The Startuplist log will help us pinpoint its startup location, as it has to launch from somewhere.
     
  11. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    This is the generated report:

    StartupList report, 1/27/2003, 10:49:15 PM
    StartupList version: 1.51
    Started from : A:\StartupList.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\ati2plab.exe
    C:\CFUSION\cfam\program\ccmgr.exe
    C:\CFUSION\bin\cfserver.exe
    C:\CFUSION\cfam\Program\dfp.exe
    C:\CFUSION\cfam\Program\wsm.exe
    C:\CFUSION\cfam\Program\wsprobe.exe
    C:\CFUSION\JRun\bin\JRun.exe
    C:\CFUSION\jrun\bin\jrun.exe
    C:\WINNT\System32\svchost.exe
    C:\CFUSION\jre\bin\ntConsoleJava.exe
    C:\CFUSION\jre\bin\ntConsoleJava.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\CFUSION\bin\Service_AuthSrvr.exe
    C:\CFUSION\bin\smservauth.exe
    C:\CFUSION\bin\Service_AzSrvr.exe
    C:\CFUSION\bin\smservaz.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\CFUSION\cfam\bin\CANamingAdapter.exe
    C:\WINNT\Explorer.Exe
    C:\WINNT\System32\Atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    C:\WINNT\System32\IIIEexplore.exe
    A:\StartupList.exe
    A:\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AtiPTA = Atiptaxx.exe
    Synchronization Manager = mobsync.exe /logon
    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    POINTER = point32.exe
    Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    PrinTray = C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    Config Loadator = IIIEexplore.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Config Loadator = IIIEexplore.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Config Loadator = IIIEexplore.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Config Loadator = IIIEexplore.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Config Loadator = IIIEexplore.exe

    --------------------------------------------------


    Enumerating Download Program Files:

    [CFForm Runtime]
    InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
    CODEBASE = http://127.0.0.1/CFIDE/classes/CFJava.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37647.8285648148

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 4,744 bytes
    Report generated in 1.572 seconds
     
  12. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Wow, this thing has not one startup entry, but five of them.

    It's best to do this:

    Copy the text below to Notepad, and save it as Remove.reg.
    Double-click Remove.reg, and answer Yes to the prompt to add its contents to the Registry.

    Subsequently reboot, go to C:\WINNT\System32 and delete IIIEexplore.exe.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Config Loadator"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Config Loadator"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Config Loadator"=-

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Config Loadator"=-

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Config Loadator"=-

    Good luck,
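The two things worth automating from the last two posts are the observation that one value name is persisted under five autorun keys and the removal file built from those keys. The script below, an added example that is not part of the thread, parses the "Autorun entries from Registry" sections of a StartupList-style report, flags values that appear under more than one key or whose executable name resembles a Windows binary (iexplore.exe versus IIIEexplore.exe), and emits a REGEDIT4 file using the same "name"=- deletion syntax as the post above. SAMPLE_REPORT is a constructed excerpt in the report's format, KNOWN_BINARIES is a short illustrative list rather than a full inventory, and the 0.8 similarity threshold is an assumption.

```python
"""Triage autorun entries from a StartupList-style report and build a
REGEDIT4 removal file for the flagged values. Added example, not from the
thread; SAMPLE_REPORT is constructed in the report's format."""
from collections import defaultdict
from difflib import SequenceMatcher

SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AtiPTA = Atiptaxx.exe
Synchronization Manager = mobsync.exe /logon
Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Config Loadator = IIIEexplore.exe

--------------------------------------------------
"""

# Names worth impersonating; illustrative list, a real run would use a full inventory.
KNOWN_BINARIES = ["iexplore.exe", "explorer.exe", "svchost.exe", "services.exe",
                  "lsass.exe", "winlogon.exe", "userinit.exe"]
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_autoruns(report):
    """Return (registry_key, value_name, command) for every autorun entry."""
    entries, lines, i = [], report.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() == "Autorun entries from Registry:":
            key = lines[i + 1].strip()          # the key path follows the header
            i += 2
            while i < len(lines) and not lines[i].startswith("-----"):
                name, sep, cmd = lines[i].partition("=")
                if sep:                          # blank separator lines have no '='
                    entries.append((key, name.strip(), cmd.strip()))
                i += 1
        i += 1
    return entries


def executable_name(command):
    """Lower-cased basename of the program a Run command launches."""
    if command.startswith('"'):                  # quoted path, possibly with spaces
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0] if command.split() else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(exe, known=KNOWN_BINARIES, threshold=0.8):
    """The legitimate name `exe` most resembles, or None. An exact match is
    not a lookalike; where such a file lives is a separate check."""
    if exe in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, exe, k).ratio())
    return best if SequenceMatcher(None, exe, best).ratio() >= threshold else None


def triage(report):
    """Flag entries present under more than one key or mimicking a known binary."""
    entries = parse_autoruns(report)
    keys_per_name = defaultdict(set)
    for key, name, _ in entries:
        keys_per_name[name].add(key)
    findings = []
    for key, name, cmd in entries:
        reasons = []
        if len(keys_per_name[name]) > 1:
            reasons.append("present under %d autorun keys" % len(keys_per_name[name]))
        look = lookalike_of(executable_name(cmd))
        if look:
            reasons.append("executable name resembles %s" % look)
        if reasons:
            findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


def removal_reg(findings):
    """REGEDIT4 text deleting each flagged value; review it before importing."""
    out = ["REGEDIT4", ""]
    for f in findings:
        hive, _, path = f["key"].partition("\\")
        out.append("[%s\\%s]" % (HIVES.get(hive, hive), path))
        out.append('"%s"=-' % f["name"])
        out.append("")
    return "\n".join(out)
```

Both signals are heuristics: some legitimate installers register the same value under HKLM and HKCU, and a name that resembles a system binary is only a prompt to check the file's location, signer and what it connects to, as the firewall prompt did here. The generated .reg file should be read before it is imported, and the StartupList section headers vary between versions, so the parser should be checked against the report actually in hand.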
     
  13. danb110

    danb110 Thread Starter

    Joined:
    Jan 27, 2003
    Messages:
    6
    Tony,
    I replaced the registry entries and deleted iiieexplore as you instructed and the computer is running great now. Was that a trojan or worm that got onto my machine? I temporarily disabled my firewall to run some DSL speed tests and I'm thinking that's when I received it. Your help is much appreciated.

    Dan
     
  14. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    It was most certainly a worm, or more likely a trojan.

    Hard to say which one, as these can have random or arbitrary file names.

    Anyway, you're clean now, which is what counts!

    Happy surfing! :)
     
Short URL to this thread: https://techguy.org/115601