Jump to content

iexplorer.exe in the background playing sound ads and sending links to other adware


Recommended Posts

I've been having a problem for at least a week. A dllhost.exe with the description COM surrogate appears then opens up iexplorer.exe in the background and playing really annoying sound ads and making malwarebytes and avast go crazy with their shields saying they're blocking threats and I have no idea how to get rid of this virus or whatever it is. I have to keep closing the iexplorer.exe to shut the damn ads up until I think it bugs out and stops playing ads and doing its other things until I restart the computer.

I have tried scanning with Malwarebytes, Avast, Adwarecleaner, Junkware Removal Tool, Tdsskiller, and Farbar Recovery Scan tool. They all seem to report nothing or just get rid of whatever the virus leaves behind but not the virus itself. 

I just wanted to find the right version of an old simant game that went freeware and downloaded the wrong thing.

Got these logs just incase 

FRST.txt

Addition.txt

HitmanPro_20160710_1931.log

Link to post
Share on other sites

1 hour ago, Mrdugong said:

I have tried scanning with Malwarebytes, Avast, Adwarecleaner, Junkware Removal Tool, Tdsskiller, and Farbar Recovery Scan tool. They all seem to report nothing or just get rid of whatever the virus leaves behind but not the virus itself. 

 

:welcome:

You report that all these tools "report nothing".

Link to post
Share on other sites

When this "rogue audio"  is in the foreground and in a web browser, there are many ways to get it off the screen.
I would suggest to do a few keyboard presses to get rid of the windows on-screen.
Press and hold *ALT*-key on keyboard and then tap the *F4* function key a to get the foreground windows closed and done away with.  ( repeat use of ALT + F4 sequence).

 

And, there is always the ability to end the web-browser program thru using Windows' *Task Manager* applet.
Click the Start button and type:
_taskmgr.exe_
and then press Enter.
In the processes tab, find the process for whichever browser you are running:
_iexplore.exe_ 

 

and then click _End Process_ or _Terminate_.

 

 

Link to post
Share on other sites

I am sending a Fix script which is going to be used by the FRST tool. They will both work together as a pair.

on the folder  D:\Downloads Data

Please RIGHT-click the FIXLIST and select SAVE AS   and save it directly ( as is) in the folder  D:\Downloads Data

 

*NOTE*: Both  FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Double click FRST64  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt in your reply.

 

Fixlist.txt

Edited by Maurice Naggar
Link to post
Share on other sites

Nothing happened. I tried running the fixlist with FRST and it said it did its fixes and restarted my computer but Task Manager still shows COM surrogate popping up and launching the iexplorer.exe before it disappears and I still have to keep ending the explorers before they play their ads and make my antivirus start blocking a lot of threats.

Link to post
Share on other sites

Hi.  

If you did run the FIX option with FRST, then do look for the report file named Fixlog.txt  and send ( attach ) in a reply.
Try not to visually judge what is running by just looking at Task Manager list.   Lets focus on using security software, like ours and the antivirus.

For a next step, and as just a one-time use, the following.
1 )   Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

  • Link 2
    Link 3
    Link 4
  • Double-click on the Rkill desktop icon to run the tool.

  • If using Vista or Windows 7,8, 8.1, 10,  right-click on it andRun As Administrator.

  • A black command-prompt  box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

  • If not, delete the file, then download and use the one provided in Link 2.

  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

  • If the tool does not run from any of the links provided, please let me know.

  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.

  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL


IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.


2)
Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.
Please look at the Dashboard screen. Would you please press the blue line marked *Update*  and let it update itself.
Click the *Settings* icon ( on the top bar) > then click **Detection and Protection** subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan icon ( up on the top row ), then click on Start Scan button >> .

A Threat Scan will begin.


With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart.    ( as needed )


Continue with the rest of these instructions.


When the scan is complete, be sure to press Review results and look at all of the listed items ( if any ).
It there are found items, be sure to have each line item check-box marked with a check-mark  in order to remove them.
click REMOVE Selected button.


Wait for the prompt to restart the computer to appear ( if any ), then click on Yes.
After the scan has completed, Click on the **History tab** > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click the EXPORT button at the bottom left.
Click *TEXT file*
Be very aware as to what folder and what NAME you give this report.  You have to make a note so you can send it.

Then attach that file with your next reply.

 

Edited by Maurice Naggar
edited for 2nd step ( new scan)
Link to post
Share on other sites

I tried running RKill and it said it stopped 3 processes but I did not know what they were then ran malwarebytes and it still didn't pick up a thing. Tried running the 64 version of RKill because I thought the other version didn't work right and it didn't do a thing but I accidently overwritten the first log so here's this and the fixlog.

If I can find the file that gave me the virus would it help in any way? Never thought adware stuff would be so hard to get rid of.

Rkill.txt

Fixlog.txt

Link to post
Share on other sites

RKILL is only for a one time only.  In retrospect, you should have not run it a second time;  but you could have stopped & posted for guidance.
Let us not run that any more.

As to adware, in general:  Our software is not a anti "adware".  It is a anti "malware"  ( to detect & remove malicious malware programs).
Adware can be a very real nuisance and very difficult to remove.
While we do identify and remove some adware variants, our main focus is on malware so there are many adware variants that we do not target (mostly for legal reasons as they do have a eula and an opt out feature in most cases)

The FRST fix run is good.  Just as designed.

I'd caution to not use the term "virus" unless and until a known security program reports that.

Question for you:  Did you run the Threat & Rootkit Scan   ( step 2 in my last response)?
If not, then do that.  Then send me the SCAN report from HISTORY in Malwarebytes Anti-Malware.

 

Link to post
Share on other sites

Sorry it's just when I usually have problems with a virus or something like it Malwarebytes is the one that gets rid of it and I don't know where to go for this kind of help

Though when the adware came back after restarting my computer to do a power outage RKill DID stop the iexplorers.exe from appearing but no scanners I have picked anything up and I did run the threat and rootkit scan.

I got more of the logs

Rkill.txt

malewarebytes log.txt

FRST.txt

Addition.txt

Fixlog.txt

Link to post
Share on other sites

You do not need to keep on sending FRST & Addition report files. I see the Threat scan report from Malwarebytes shows NO malware.  That is excellent.

This pc has Avast.  Run a scan with Avast and let me know if it reports any viruses or trojan.  Thanks.   and let me know detail if there is something else that needs attention as far as a infection is involved.

Link to post
Share on other sites

Avast didn't pick up a thing. Though now on some sites i had Ublock (an adblocker) disabled are making malwarebytes and avast's shields alert me about potential threats but I have no idea if its related. 
 

I am REALLY stumped on what to do with this other then just run Rkill on after restart to shut this adware crap up.

Are there any forums related to adware I can go to for help I think they might know more about this?

Link to post
Share on other sites

It is a good thing that Avast reports no viruses.
Now then, as to the RKILL, that was only intended by me for only just a one-time-only use.  Please do not keep using it.  You can now delete the RKILL.

Now then, as to adwares, I would suggest a number of good practices.
Go into the Options ( settings) of Internet Explorer  ( and any other web browser you have).
Make sure that the POPUP blocker is ON.
Set the option on for rejecting (decline) 3rd-party cookies.

And in addition to all that:
Use a good browser extension ( add on) ad blocker.  If your pc has no ad blocker add-on for your browser(s), I would suggest uBlock Origin.
For Mozilla Firefox, use the Mozilla page at this link
https://addons.mozilla.org/addon/ublock-origin/

For Google Chrome, see
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

For Internet Explorer browser:
https://adblockplus.org/en/internet-explorer

For Opera browser, see
https://addons.opera.com/en-gb/extensions/details/ublock/

ALSO this too
To help totally block these types of  "popups" I would recommend to *only use Firefox browser* that also has the addon for
NoScript Suite Lite.
and just only use that when surfing the web.

Link to post
Share on other sites

I still keep having iexplorers.exe appearing as background processes and playing loud music and trying to do other adware stuff and making my shields go crazy but adwcleaner DID report and remove something related to winessentials.exe which RKill did get in its logs awhile ago. Though it's not reporting anything else.

Link to post
Share on other sites

AS I think I already pointed out, Rkill was only intended as a one-time only run. STOP using it any more !!
If iexplore ( the real Internet Explorer) is popping out then something very odd is going on.
You may well need to reboot the system into SAFE mode with NETWORKING.    ( maybe later on)

I would urge you to stop completly from doing any web surfing of any sort.  No shopping.  No banking.  No web use via browsers !!   unless it is for the purpose of fixes I suggest here.

These steps are for Mrdugong only. If you are a casual viewer, do NOT try this on your system!
If you are not Mrdugong and have a similar problem, do NOT post here;  start your own topic

I am suggesting the use of a tool named ZOEK to do a mini-cleanup & to get a new diagnostic report.
I am sending a file that is a custom script.  It will go with ZOEK.
Please download ZOEK  and save it to your desktop (preferred version is the .exe one) from this link  
http://download.bleepingcomputer.com/smeenk/zoek.exe

Save (from this email)  the attached text file: zoekscript.txt to your desktop.

Disable your antivirus , so it doesn't interfere with the running of zoek.exe. You can find instructions how to disable your security applications
http://www.bleepingcomputer.com/forums/topic114351.html
 or
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html

Please do a run with  zoek.exe with the attached customized script as follows:   This involves a DRAG and drop on the DESKTOP.

So you need to have a clear view to the DESKTOP area.


Now drag zoekscript.txt with your mouse   onto Zoek.exe on your desktop  

Please approve any UAC prompt to allow this action to proceed.

Please answer "Yes" to the following prompt to allow the zoek script to run.



This will cause Zoek.exe to start automatically.  Please be very, very patient while zoek is scanning.

When zoek is finished running, a log will open (if a reboot is required it will open afterward).
Please let me know how it went.  And kindly attach the new log zoek-results.log

When all done, please be sure to turn back ON the antivirus program.   & do NOT do any web surefing of any sort.  There is much more to do here.

 

zoekscript.txt

Link to post
Share on other sites

I ran the zoek and script and It did its thing. Why shouldn't I run Rkill more than once? It's the only thing that stops the iexplorers from popping up otherwise I have to watch task manager for an hour or 2 to kill the iexplorers before the iexplorers stop playing music and sending adware.

They don't open up any windows they just stay in the background. Internet explorer itself never appears just the background processes. I can open up internet explorer and nothing seems to happen no adware no pop ups or anything. I normally browse with chrome by the way if that helps.

zoek-results.log

Link to post
Share on other sites

RKILL is just not something that is a permanent use solution.  Please understand that.  It is only intended as a one time only use !!

IF iexplorers   keeps appearing and re-appearing we need to "see" that either thru diagnostic reports.  Or a picture-snapshot from you for the screen where you "see" those.

Here is a how to   http://www.wikihow.com/Take-a-Screenshot-in-Microsoft-Windows

Link to post
Share on other sites

Weird, I ran a full scan last night with avast while I was sleeping because it takes a long time and when I woke up Malwarebytes had done ran a scan by itself and picked up some pups responsible for this adware crap which It then got rid of. Funny enough Avast still didn't pick it up.

When I restarted my computer the adware seems to have just stopped. No Iexplorer.exe, no binessentials.exe, no com surrogate, and sites i disabled ublock on never had my shields say it blocked a threat.

I think somehow it's FINALLY GONE! I hope. I thought adwcleaner got rid of it once but I was wrong just hope malwarebytes makes sure it's gone. Also got the log from the scan.

malewarebytes log2.txt

Link to post
Share on other sites

Thanks for the MBAM scan report.  That all was about PUP.Optional.BinEssentials.  Just one unwanted add-on that was found & removed.

Is the odd/ rogue audio all gone away ?   ( the thing that was at the start of this thread.)

Things should be good to go.

Here are my suggestions:
To make sure that Malwarebytes Anti-Malware has all the latest definitions, look for the blue-icon for MBAM on the Taskbar, right-click on it and select *Check for Updates*.

Go into the Options ( settings) of Internet Explorer  ( and any other web browser you have).
Make sure that the POPUP blocker is ON.
Set the option on for rejecting (decline) 3rd-party cookies.

And in addition to all that:
Use a good browser extension ( add on) ad blocker.  If your pc has no ad blocker add-on for your browser(s), I would suggest uBlock Origin.
For Internet Explorer browser:
https://adblockplus.org/en/internet-explorer

For Mozilla Firefox, use the Mozilla page at this link
https://addons.mozilla.org/addon/ublock-origin/

For Google Chrome, see
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm


*ALSO this too*
To help totally block these types of  "popups" I would recommend to *only use Firefox browser* that also has the addon for
*NoScript Suite Lite.*
and just only use that when surfing the web.

We have a free version Malwarebytes Anti-Exploit (MBAE) that protects against exploit attacks in your browsers and Java, and a paid version that also protects additional applications such as MS Office.
https://downloads.malwarebytes.org/file/mbae_current/

I would recommend you install the Anti-Exploit in free use mode.

 

Link to post
Share on other sites

A problem did stick around though. When I opened up winrar to get some mods for a game the "Your winrar has expired" window appeared with an ad in it that Malwarebytes blocked with its shield. I thought it was the one rar file but any winrar file I opened had the same problem. 

Just updating winrar seems to have gotten rid of it. No idea if it's related.

Link to post
Share on other sites

For Your  Information:
The IP Block message indicates that a potential risk was blocked by the malicious website protection.
It by default will always show each IP block occurrence.
The Malwarebytes Anti-Malware Website Blocking feature will advise customers when a known or suspected malicious IP is attempted to be reached  (outgoing) or is trying access your PC.

Incoming threats can be ignored, our software is blocking the attack and there is nothing more that can be done.

No action is required unless you’re also experiencing malware symptoms or there are multiple IPs  (ex;123.23.34 and 4.44.56).
A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, SKYPE or P2P software to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert

Windows Vista and Windows 7 & 8 will show the process, but Windows XP does not have the structure in place for this to be displayed by our software

Please see/review this reference on MBAM’s IP blocks
https://support.malwarebytes.org/customer/portal/articles/1835325?b_id=6438

<
Keeping all utilities and applications up to date is so important.
Check on other update issues as well, by getting, installing and using Secunia Personal Software Inspector (PSI) on a regular basis.
See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector ( by Flexera)
http://www.bleepingcomputer.com/tutorials/tutorial174.html

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
 

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.