IE keeps running in background, even in safe mode. (Includes hijackthis log)

Posted on 2009-04-15
Last Modified: 2013-11-22
Hi, I scanned with Ad-Aware, Trend Micro and Kaspersky. Trend Micro removed some trojans. Kaspersky removed some. But still Iexplorer.exe runs in the background after startup. When I end it, it will come back after a while. Same thing in safe mode! This is bugging me. Help.
Running processes:

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Program Files\4t Tray Minimizer\4t-min.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Java\jre6\bin\javaws.exe

C:\Program Files\Java\jre6\bin\javaw.exe

C:\Program Files\Internet Explorer\Iexplore.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe

O4 - Startup: UltraMon.lnk = ?

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll

O15 - Trusted IP range:

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll

O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: IPSEC Services PolicyAgentWMPNetworkSvc (PolicyAgentWMPNetworkSvc) - Unknown owner - C:\WINDOWS\system32\amcompata.exe


Question by: Michhoho
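
An added example, not part of the original thread: a small Python parser for the O23 (service) lines of the HijackThis log posted above. The sample lines are copied from that log; the `review_queue` heuristic is an assumption of this example and only surfaces entries for manual checking, since the thread itself does not say which entry was responsible.

```python
import re

# Constructed sample: a subset of lines copied from the log in the question.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" -r (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: IPSEC Services PolicyAgentWMPNetworkSvc (PolicyAgentWMPNetworkSvc) - Unknown owner - C:\WINDOWS\system32\amcompata.exe
'''

ENTRY = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')  # section code, then entry body
SERVICE = re.compile(
    r'^Service: (?P<display>.*) \((?P<name>[^()]+)\) - '
    r'(?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$')
MISSING = "(file missing)"

def parse_entries(log):
    """Yield (section_code, body) for every HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def parse_services(log):
    """Return one dict per O23 (service) entry; other sections are skipped."""
    services = []
    for code, body in parse_entries(log):
        m = SERVICE.match(body) if code == "O23" else None
        if not m:
            continue
        svc = m.groupdict()
        # HijackThis appends "(file missing)" when it could not find the binary.
        svc["missing"] = svc["path"].endswith(MISSING)
        if svc["missing"]:
            svc["path"] = svc["path"][:-len(MISSING)].rstrip()
        services.append(svc)
    return services

def review_queue(services):
    """Heuristic assumed for this example, not a verdict: a service with no
    reported owner whose binary is present on disk deserves a manual look."""
    return [s for s in services
            if s["owner"] == "Unknown owner" and not s["missing"]]

if __name__ == "__main__":
    for s in review_queue(parse_services(SAMPLE_LOG)):
        print(s["name"], "->", s["path"])
```
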
    LVL 1

    Author Comment

    Here's what prev.exe detected (attached image).

    Some are "cloaked".

    When I do dir/a ua*.dll in system32, it says "file not found".

    I can't run Spybot S&D. TeaTimer will run, but Spybot cannot load at all, even in safe mode.
    LVL 47

    Accepted Solution

    Use MalwareBytes or Combofix... or just Combofix and attach the log here

    Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.

    If you can't access the above link then use this link and rename the file before saving to your desktop.

    Please download ComboFix by sUBs: (if it won't run, redownload but rename before saving to your desktop.)

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    LVL 1

    Author Closing Comment

    Thanks! ComboFix was able to fix the problem, but I had to rename the ComboFix file to something else. I renamed the Malwarebytes setup file, and only then could I install it. Everything is fine now. Thanks.
    LVL 47

    Expert Comment

    Glad to know the problem is solved.
    Keep an eye on it for a day or 2 before uninstalling Combofix, as its uninstallation will delete its backup and reset System Restore. That's why we needed the log to make sure it's clean.

    To uninstall Combofix:
    Go to Start > Run and 'copy and paste' the next command in the field:

    ComboFix /u

    The above process will remove Combofix and its files, delete the created backup and reset System Restore.

