Friday, October 21, 2011

IEXPLORE.EXE virus Manual Removal


This is actually an old infection and it is easily killed, so I never bothered sharing it before.  However, some units here in our office have again been infected by this virus, so I have had to kill it manually again, because our antivirus does not seem to recognize it.

What is IEXPLORE.EXE?

This is actually the executable filename of Microsoft Internet Explorer.  But since some virus writers decided to be a little naughty, they gave their process the same name.  If I were writing a virus, I might also name it after a Microsoft process so that it fools a lot of people into thinking it is legitimate.

Since this virus uses the same process name as Internet Explorer, how will you know whether what you are seeing in Task Manager is the virus or the real Internet Explorer?  Simple: if there is no Internet Explorer window open, then it is the virus.  If Internet Explorer is open, close it.  If there is still an instance of IEXPLORE.EXE after closing Internet Explorer, that is the virus.  A more reliable check is the image path: the real browser runs from \Program Files\Internet Explorer\iexplore.exe (on Vista and later, enable the "Image Path Name" column under Task Manager's View menu; Windows XP's Task Manager has no such column), while the impostor runs from somewhere else.
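The same check done from PowerShell, as an added example that is not part of the original post: it lists every running iexplore.exe together with its image path, its parent process and its Authenticode status. It assumes the genuine browser lives under "<Program Files>\Internet Explorer" and that a browser is started by explorer.exe (or another iexplore.exe), whereas a service-hosted impostor is started by services.exe. The verdict is based on path and parent; the signature column is informational only, because catalog-signed system binaries on older Windows versions can report NotSigned.

```powershell
# Added triage example (not from the original post). Assumed: the real
# Internet Explorer directory is "<Program Files>\Internet Explorer".
$realDirs = @((Join-Path $env:ProgramFiles 'Internet Explorer'))
if (${env:ProgramFiles(x86)}) {                  # 64-bit hosts keep a second copy
    $realDirs += (Join-Path ${env:ProgramFiles(x86)} 'Internet Explorer')
}

# PID -> name map so each instance can be labelled with who launched it
$byPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_.Name }

Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
    $path = $_.ExecutablePath                    # $null if we cannot read it
    $dir  = if ($path) { Split-Path -Path $path -Parent } else { '' }

    $inRealDir = $false
    foreach ($d in $realDirs) { if ($dir -and ($dir -ieq $d)) { $inRealDir = $true } }

    # Signature is reported but not trusted as the deciding factor (see lead-in)
    $sigStatus = 'NoPath'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        if ($sigStatus -eq 'Valid' -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $sigStatus = 'ValidButNotMicrosoft'  # signed, but not by the vendor we expect
        }
    }

    # A browser is launched by explorer.exe (or another iexplore.exe);
    # a service that names its process iexplore.exe is launched by services.exe.
    $parent  = $byPid[[int]$_.ParentProcessId]
    $verdict = if ($inRealDir -and $parent -ne 'services.exe') { 'genuine' } else { 'SUSPECT' }

    New-Object PSObject -Property @{
        PID       = $_.ProcessId
        Path      = $path
        Parent    = $parent
        Signature = $sigStatus
        Verdict   = $verdict
    }
} | Format-Table -AutoSize PID, Verdict, Signature, Parent, Path
```

Run it as an administrator so that ExecutablePath is readable for processes in other sessions; an instance that shows NoPath is itself worth a closer look.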

What does this virus do?



Like most viruses, it eats a lot of resources, which slows down your unit.  Once free resources get very low you will have problems accessing anything.  Signs of very low free resources include the UI of anything on your computer not displaying properly (missing sections of the title bar, forms that are transparent in places), inability to connect to shared folders on the network, etc.

Understanding further this virus:

a.  It creates an autorun.inf file in the root of the drive with these instructions, so that the dropper runs when the drive is opened or double-clicked:

[AutoRun]
open=backupuser.exe
shellexecute=backupuser.exe
shell\Auto\command=backupuser.exe
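The autorun.inf above is an INI file, so the launch directives can be pulled out mechanically. The following is an added example, not code from the original post: it reads the [AutoRun] section from every fixed and removable drive, extracts the keys that make Explorer run a program (open, shellexecute and shell\<verb>\command), and reports whether each target exists and carries the hidden or system attribute, which is the backupuser.exe pattern described on this page. The function name and the drive-type filter are my own choices.

```powershell
# Added example (not from the original post): parse autorun.inf launch
# directives on every fixed/removable drive and inspect their targets.
function Get-AutorunTargets {
    param([string]$RootPath)                      # e.g. 'C:\' or 'E:\'
    $inf = Join-Path $RootPath 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }

    $section = ''
    # -Force so a hidden/system autorun.inf is still readable
    foreach ($raw in Get-Content -LiteralPath $inf -Force) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }

        # Keys that launch something: open=, shellexecute=, shell\<verb>\command=
        if ($line -match '^(?<key>open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(?<val>.+)$') {
            $target = $matches['val'].Trim().Trim('"')
            $exe    = ($target -split '\s+')[0]   # first token = program, rest = arguments
            $full   = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $RootPath $exe }
            $item   = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue

            New-Object PSObject -Property @{
                Drive     = $RootPath
                Directive = $matches['key']
                Target    = $target
                Exists    = [bool]$item
                Hidden    = [bool]($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden))
                System    = [bool]($item -and ($item.Attributes -band [IO.FileAttributes]::System))
            }
        }
    }
}

# DriveType 2 = removable, 3 = fixed; CD-ROMs (5) are skipped because
# autorun.inf on pressed media is normal.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 3' |
    ForEach-Object { Get-AutorunTargets -RootPath ($_.DeviceID + '\') } |
    Format-Table -AutoSize Drive, Directive, Target, Exists, Hidden, System
```

A row whose target is an .exe sitting at the drive root with Hidden set is exactly the case this post describes; a legitimate autorun.inf on a hard drive is rare enough that any row at all on a fixed disk deserves attention.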



Note:  To view everything, go to Folder Options, select "Show hidden files and folders", untick "Hide protected operating system files", and also untick "Hide extensions for known file types".

In the root of the drive you will see a hidden exe named backupuser.exe with the icon of a standard folder.  If you do not untick "Hide extensions" as mentioned above, you will be fooled into thinking that exe is a folder, and of course double-clicking it will result in further infection.

b.  It lodges itself among the services (click Start, Run, type msconfig, Enter, and go to the Services tab) under the name Windows_XP (clever, huh?).



c.  The actual service can be seen via Services (click Start, Run, type services.msc, Enter); double-click it and the "Path to executable" will point you to the other files of the infection inside \Program Files\Common Files\Microsoft Shared\MSInfo (on Windows XP this folder also holds the legitimate msinfo32.exe, so remove only the files that belong to the infection):



d.  Among the running processes (right-click the taskbar, Task Manager, Processes tab), it hides under the name IEXPLORE.EXE (as mentioned above).

e.  In the registry, it creates the entry needed for the service to be loaded (services are registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, so look for a key named Windows_XP whose ImagePath points into the MSInfo folder above):



Is manually killing this virus hard? 

No!  That is why I never thought of including it in the previous manual virus removal tutorials.  You can actually remove it without any third-party tool.  Here we go:

Steps on manually removing IEXPLORE.EXE virus:

a.  Open Task Manager, go to the Processes tab, look for IEXPLORE.EXE, then right-click it and choose End Process Tree.  If it comes straight back, stop the Windows_XP service in services.msc first; the process belongs to that service.

b.  Make the adjustments to Folder Options explained above.  Go to the root of the drive and delete autorun.inf and backupuser.exe.  Navigate to the MSInfo folder shown above and delete the files I have circled below:



Note: another virus uses this location to hide.  If you see a Recycled.scr entry there as well, delete it.

c.  Remove the Windows_XP service entry from the registry (as shown before) via Regedit.
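Steps a to c as one script, added here as an example and not the post's own procedure. It assumes the service name or display name Windows_XP, the dropped files \autorun.inf, \backupuser.exe and \Recycled.scr, and the MSInfo folder named on this page; it also assumes the Folder Options checkboxes map to the registry values Hidden, ShowSuperHidden and HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Because the post identifies the MSInfo files only by picture, the script lists that folder for review instead of deleting from it blindly. Run it from an elevated prompt.

```powershell
# Added removal example (not from the original post). Assumed names:
# service Windows_XP, droppers at the drive root, MSInfo folder as on this page.
$svcName   = 'Windows_XP'
$msinfoDir = Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSInfo'
$root      = $env:SystemDrive + '\'

# 0. Folder Options from the note above, via their registry values
#    (Hidden=1 show hidden files, ShowSuperHidden=1 show protected OS files,
#    HideFileExt=0 show extensions). Explorer picks them up on its next start.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord

# 1. Stop the service first; killing the process alone lets the Service
#    Control Manager (or the service's recovery settings) bring it back.
#    msconfig/services.msc show the display name, so match on either.
$svc = Get-Service | Where-Object { $_.Name -eq $svcName -or $_.DisplayName -eq $svcName } |
       Select-Object -First 1
$imagePath = $null
if ($svc) {
    $svcName   = $svc.Name
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    & sc.exe delete $svcName | Out-Null           # marks the service for deletion
}

# 2. Kill any iexplore.exe that is NOT running from the real IE folder (step a).
$realIe = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ine $realIe) } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

# 3. Delete the droppers at the drive root (step b). Hidden/system/read-only
#    attributes are cleared first, otherwise the delete is refused.
foreach ($name in 'autorun.inf', 'backupuser.exe', 'Recycled.scr') {
    $f = Join-Path $root $name
    if (Test-Path -LiteralPath $f) {
        (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $f -Force
        Write-Host "deleted $f"
    }
}

# 4. Remove the service's registry key (step c).
if ($svc -and (Test-Path $svcKey)) { Remove-Item -Path $svcKey -Recurse -Force }

# 5. List MSInfo so the infection's files can be picked out by hand. On
#    Windows XP the legitimate msinfo32.exe lives here too, so the folder
#    must not be wiped; the file named in ImagePath is the one to remove.
Write-Host "Service ImagePath was: $imagePath"
Get-ChildItem -LiteralPath $msinfoDir -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime, Attributes | Format-Table -AutoSize
```

Order matters: stopping and deleting the service before killing the process prevents the impostor from being restarted, and clearing attributes before Remove-Item avoids the "access denied" that hidden system files otherwise produce.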

And that is it!  Happy hunting!

20 comments:

  1. it worked for me

  2. Thank you all of your posts, if i finish trying, i will come back here and say "Thank you" again.

  3. Hello! I currently have this virus.. and I am trying to follow your steps but how do I get to my root drive to delete those files? Sorry I'm bit of a computer noob! Thanks in advance!

    1. Basically speaking, a root drive is the first drive of your OS, or what is normally known to us as C:\. So just open Explorer and navigate to C:\ and you will find those files there (as long as you view everything, meaning: go to Folder Options and select "Show hidden files and folders" and untick "Hide protected operating system files" as well as "Hide extensions for known types").

      If despite doing all those things and the system and hidden files still do not show, post here again because Super Hidden may have been activated on your end. And there is another procedure to fix that.

    2. Yo, I have Windows "7", and I couldn't find any fake file known as Windows XP, mainly probably because of Windows 7. Can you like find a different solution for Windows 7? Also in Task Manager, I couldn't find IEXPLORE.EXE, even though I know it's on my PC, can you help??

  4. Hi. I also have this IEXPLORE.EXE virus, and another one 0wcxB878.exe. I think Super Hidden is activated because I cannot find either virus in the root drive. I have made the changes to Folder Options and cannot find.

  5. Sorry for late reply about superhidden. Here is the manual way:

    1. Click start button and on run or search, type regedit, then enter.

    2. Inside registry, navigate to this:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

    3. Double-click the SuperHidden value and change it from 0 to 1.

    4. Close registry.
    5. Restart your computer.

  6. I think the virus got advanced :)
    but there is neither any file named backupuser.exe nor any process named windows_xp, even with the superhidden option.
    Besides, I've noticed that it creates an autorun.inf file when a USB is connected, creating a recycler folder with a copy of..
    commonly known as the recycler virus I guess :)
    anyway, love your post and need further help!!!!

    1. Yes, there is other malware that resides in Recycler folders. So on my end, I actually remove those folders now (as well as System Volume Information, which is necessary for System Restore). Read this: http://sandstorm36.blogspot.com.au/2011/11/steps-to-remove-recycler-folder.html

  7. Above you said to close Internet Explorer. I don't get that. How can I do anything with I.E. closed? And where is the Task Manager?

    E.R.

    1. I mean the browser, Internet Explorer, if it is open. But in some of my manual removal methods I do close Shell Explorer, but let's not get into that.

      Task Manager can be opened in several ways:
      1. Right click on the system tray (where the time is), choose Task Manager
      2. Press Ctrl+Alt+Del. Depending on your OS, Task Manager button can be seen there
      3. Press Ctrl+Shift+Esc
      4. In Windows8, you can use Winkey+X, then when the shortcut menu appears, choose Task Manager

  8. If your PC is infected with a virus and your system has no antivirus installed, then you can also remove it manually through some steps.

    Remove Virus Without Antivirus

  9. Antivirus is a must for any network- or internet-connected computer, to detect, remove and prevent all sorts of malicious software!

    Change Laptop Keyboard

  10. I can't find the backupuser folder.

  11. Exploring reddit.com I noticed your site bookmarked as: Blogger: Sandstorm's Blog (Home of ssClasses).
    I'm assuming you bookmarked it yourself and wanted to ask
    if social bookmarking gets you a lot of visitors?
    I've been contemplating doing some bookmarking for
    a few of my websites but wasn't sure if it would generate any positive results.
    Many thanks.

    My blog post ... Kim Kardashian Hollywood Cash Hack
