[Resolved] iiiexplore.exe

[danb110]

Running Windows 2000 with Tiny Personal Firewall. I'm unable to load Internet Explorer 5.5 without continuously permitting the firewall to use the file iiiexplore.exe to contact 63.219.178.183. The file iiiexplore.exe is located in the Window system directory and was just created. I have made no recent software changes. If I create a filter rule and accept usage of iiiexplore.exe, the modem is inundated and continuously transmits. I can't find any documentation concerning a file named iiiexplore.exe, virus or otherwise. Any guidance is greatly appreciated

 

[jm100dm]

I would cancel connection privileges till you find out. View arrange Icons by date and see if there are other files created at that same moment.

jm100dm

 

[jm100dm]

You can go to that site by pasting the numbers in your address bar. Make sure to exclude the period at the end of your sentence. Or hit this link.

http://63.219.178.183/manual/index.html

Did you install Apache?

jm100dm

 

[jm100dm]

There are several links, at link below, to tools that you can use to find out what this is. I would start by running spybot and a virus scan.

http://forums.techguy.org/t110854/s40a1149509b1012e058147b9c8f4633d.html

Keep us posted.

jm100dm

 

[danb110]

Apache was previously installed, but I uninstalled it several months ago. Since the IP address 63.219.178.183 points to an Apache server, do you think it's software related and not a virus? Thanks for the help..

 

[TonyKlein]

Is the file really named iiiexplore.exe ??

As there's no Windows file by that name, it's bound to be a worm or trojan.

Would you please do this:

Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.

 

[jm100dm]

Just to know for sure I would follow Tony's advice. He's a pro at this.

Jm100dm

 

[danb110]

I will go that link and I'll post the results I get from there,

Dan

 

[danb110]

The file name is spelled iiiexplore.exe, with three i's

 

[TonyKlein]

It's bound to be a baddie, and it will have to be removed.

The Startuplist log will help us pinpoint its startup location, as it has to launch from somewhere.

 

[danb110]

This is the generated report:

StartupList report, 1/27/2003, 10:49:15 PM
StartupList version: 1.51
Started from : A:\StartupList.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\ati2plab.exe
C:\CFUSION\cfam\program\ccmgr.exe
C:\CFUSION\bin\cfserver.exe
C:\CFUSION\cfam\Program\dfp.exe
C:\CFUSION\cfam\Program\wsm.exe
C:\CFUSION\cfam\Program\wsprobe.exe
C:\CFUSION\JRun\bin\JRun.exe
C:\CFUSION\jrun\bin\jrun.exe
C:\WINNT\System32\svchost.exe
C:\CFUSION\jre\bin\ntConsoleJava.exe
C:\CFUSION\jre\bin\ntConsoleJava.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\CFUSION\bin\Service_AuthSrvr.exe
C:\CFUSION\bin\smservauth.exe
C:\CFUSION\bin\Service_AzSrvr.exe
C:\CFUSION\bin\smservaz.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\CFUSION\cfam\bin\CANamingAdapter.exe
C:\WINNT\Explorer.Exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\IIIEexplore.exe
A:\StartupList.exe
A:\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AtiPTA = Atiptaxx.exe
Synchronization Manager = mobsync.exe /logon
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
POINTER = point32.exe
Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
PrinTray = C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Config Loadator = IIIEexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config Loadator = IIIEexplore.exe

--------------------------------------------------


Enumerating Download Program Files:

[CFForm Runtime]
InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
CODEBASE = http://127.0.0.1/CFIDE/classes/CFJava.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37647.8285648148

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 4,744 bytes
Report generated in 1.572 seconds

 

[TonyKlein]

Wow, this thing has not one startup entry, but five of them.

It's best to do this:

Copy the bold text to Notepad, and save as Remove.reg.
Doubleclick Remove.reg, and answer Yes to the prompt to add its contents to the Registry.

Subsequently reboot, go to C:\WINNT\System32 and delete IIIEexplore.exe




REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loadator" =-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config Loadator" =-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loadator" =-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loadator" =-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config Loadator" =-


Good luck,

 

[danb110]

Tony,
I replaced the registry entries and deleted iiieexplore as you instructed and the computer is running great now. Was that a trojan or worm that got onto my machine? I temporarily disabled my firewall to run some DSL speed tests and I'm thinking that's when I received it. Your help is much appreciated.

Dan

 

[TonyKlein]

It was most certainly a a worm, or more likely a trojan.

Hard to say which one, as these can have random or arbitrary file names.

Anyway, you're clean now, which is what counts!

Happy surfing!