[Resolved] iiiexplore.exe

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

danb110

Thread Starter
Joined
Jan 27, 2003
Messages
6
Running Windows 2000 with Tiny Personal Firewall. I'm unable to load Internet Explorer 5.5 without continuously permitting the firewall to use the file iiiexplore.exe to contact 63.219.178.183. The file iiiexplore.exe is located in the Windows system directory and was just created. I have made no recent software changes. If I create a filter rule and accept usage of iiiexplore.exe, the modem is inundated and continuously transmits. I can't find any documentation concerning a file named iiiexplore.exe, virus or otherwise. Any guidance is greatly appreciated.
 
Joined
May 26, 1999
Messages
994
I would cancel connection privileges till you find out. View arrange Icons by date and see if there are other files created at that same moment.

jm100dm
 

danb110

Thread Starter
Joined
Jan 27, 2003
Messages
6
Apache was previously installed, but I uninstalled it several months ago. Since the IP address 63.219.178.183 points to an Apache server, do you think it's software related and not a virus? Thanks for the help..
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Is the file really named iiiexplore.exe ??

As there's no Windows file by that name, it's bound to be a worm or trojan.

Would you please do this:

Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.
 
Joined
May 26, 1999
Messages
994
Just to know for sure I would follow Tony's advice. He's a pro at this.

Jm100dm
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
It's bound to be a baddie, and it will have to be removed.

The Startuplist log will help us pinpoint its startup location, as it has to launch from somewhere.
 

danb110

Thread Starter
Joined
Jan 27, 2003
Messages
6
This is the generated report:

StartupList report, 1/27/2003, 10:49:15 PM
StartupList version: 1.51
Started from : A:\StartupList.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\ati2plab.exe
C:\CFUSION\cfam\program\ccmgr.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\cfam\Program\dfp.exe
C:\CFUSION\cfam\Program\wsm.exe
C:\CFUSION\cfam\Program\wsprobe.exe
C:\CFUSION\JRun\bin\JRun.exe
C:\CFUSION\jrun\bin\jrun.exe
C:\WINNT\System32\svchost.exe
C:\CFUSION\jre\bin\ntConsoleJava.exe
C:\CFUSION\jre\bin\ntConsoleJava.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\CFUSION\bin\Service_AuthSrvr.exe
C:\CFUSION\bin\smservauth.exe
C:\CFUSION\bin\Service_AzSrvr.exe
C:\CFUSION\bin\smservaz.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\CFUSION\cfam\bin\CANamingAdapter.exe
C:\WINNT\Explorer.Exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\IIIEexplore.exe
A:\StartupList.exe
A:\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AtiPTA = Atiptaxx.exe
Synchronization Manager = mobsync.exe /logon
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
POINTER = point32.exe
Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
PrinTray = C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config Loadator = IIIEexplore.exe

--------------------------------------------------


Enumerating Download Program Files:

[CFForm Runtime]
InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
CODEBASE = http://127.0.0.1/CFIDE/classes/CFJava.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37647.8285648148

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 4,744 bytes
Report generated in 1.572 seconds
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Wow, this thing has not one startup entry, but five of them.

It's best to do this:

Copy the bold text to Notepad, and save as Remove.reg.
Double-click Remove.reg, and answer Yes to the prompt to add its contents to the Registry.

Subsequently reboot, go to C:\WINNT\System32 and delete IIIEexplore.exe.




REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loadator"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config Loadator"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loadator"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loadator"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config Loadator"=-



Good luck,
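
Added example, not part of the original thread: a short Python script that parses the autorun sections of a StartupList report, flags value names registered under more than one autorun key (the pattern pointed out in the post above), and builds the matching REGEDIT4 removal text. The function names are hypothetical and the sample input is an excerpt trimmed from the report posted in this thread.

```python
import re
from collections import defaultdict

# Excerpt trimmed from the StartupList report posted in this thread.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AtiPTA = Atiptaxx.exe
Config Loadator = IIIEexplore.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Config Loadator = IIIEexplore.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Config Loadator = IIIEexplore.exe
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def parse_autoruns(report):
    """Return {registry key: {value name: command}} from a StartupList report."""
    autoruns, key = defaultdict(dict), None
    for line in report.splitlines():
        line = line.strip()
        if re.match(r"^(HKLM|HKCU)\\", line):
            key = line                      # bare key path opens an autorun section
        elif line.startswith("-----"):
            key = None                      # dashed separator closes the section
        elif key and " = " in line:
            name, command = line.split(" = ", 1)
            autoruns[key][name.strip()] = command.strip()
    return dict(autoruns)

def repeated_values(autoruns, min_keys=2):
    """Value names registered under at least min_keys different autorun keys."""
    seen = defaultdict(list)
    for key, values in autoruns.items():
        for name in values:
            seen[name].append(key)
    return {n: k for n, k in seen.items() if len(k) >= min_keys}

def build_remove_reg(name, keys):
    """REGEDIT4 text that deletes one value name from each listed key."""
    out = ["REGEDIT4", ""]
    for key in keys:
        hive, rest = key.split("\\", 1)
        out += [f"[{HIVES[hive]}\\{rest}]", f'"{name}"=-', ""]
    return "\n".join(out)
```

A value name that appears under several Run-type keys is only a lead for review; check the target file before generating or importing any removal text.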
 

danb110

Thread Starter
Joined
Jan 27, 2003
Messages
6
Tony,
I replaced the registry entries and deleted iiieexplore as you instructed and the computer is running great now. Was that a trojan or worm that got onto my machine? I temporarily disabled my firewall to run some DSL speed tests and I'm thinking that's when I received it. Your help is much appreciated.

Dan
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
It was most certainly a worm, or more likely a trojan.

Hard to say which one, as these can have random or arbitrary file names.

Anyway, you're clean now, which is what counts!

Happy surfing! :)
 