Friday, October 21, 2011

IEXPLORE.EXE virus Manual Removal


This is actually an old infection, and it can be easily killed, so I did not bother sharing this one before.  However, some units here in our office have again been infected by this virus, which is why I have to manually kill those again, as our antivirus does not seem to recognize this one.

What is IEXPLORE.EXE?

This is actually the executable filename of Microsoft Internet Explorer.  But since some virus propagator decided to be a little naughty, they gave their process the same name.  If I were creating a virus, I might name it after a certain Microsoft process as well, so it can fool a lot of people into thinking it is legitimate.

Since this virus has the same process name as Internet Explorer, how will you know whether what you are seeing in Task Manager is the virus or the real Internet Explorer?  Simple: if no Internet Explorer is open, then it is a virus.  If there is an open Internet Explorer, close it. If there is still an instance of IEXPLORE.EXE after closing Internet Explorer, then that is a virus.

What does this virus do?



As with most viruses, it eats a lot of resources, which will slow down your unit.  Once free resources are very low, you will have problems accessing anything.  Some signs of very low free resources are the inability to properly display the UI of anything on your computer (missing sections of the title bar, forms becoming transparent in some sections), the inability to connect to shared folders on the network, etc.

Understanding further this virus:

a.  It creates an autorun.inf file in root directory with these instructions:

[AutoRun]
open=backupuser.exe
shellexecute=backupuser.exe
shell\Auto\command=backupuser.exe



Note:  To view everything, go to Folder Options, select “Show hidden files and folders”, untick “Hide protected operating system files”, and also untick “Hide extensions for known types”.

In the root of the drive, you will see a hidden exe named backupuser.exe with the icon of a standard folder.  If you do not untick “Hide extensions” as mentioned above, you will be fooled into thinking that the exe is a folder, and of course double-clicking it will result in further infections.

b.  It lodges itself among the services (click Start button, Run, type MSConfig, Enter, and go to Services Tab) bearing the name Windows_XP (clever huh?).



c.  The actual service can be seen via services (click Start, Run, type Services.msc, Enter) and if you double-click it, it will point you to the other file portions inside \Program Files\Common Files\Microsoft Shared\MSInfo:



d.  In the current processes (right-click taskbar, Task Manager, Processes Tab), it hides under the name IEXPLORE.EXE (as mentioned above).

e.  In registry, it creates the necessary entry for services to be loaded:



Is manually killing this virus hard? 

No!  That is why I never thought of including this in the previous manual virus removal tutorials.  You can actually remove this without any 3rd party tool.  Here we go:

Steps on manually removing IEXPLORE.EXE virus:

a.  Open Task Manager, go to Processes tab  and look for IEXPLORE.EXE then right-click, End Process Tree.

b.  Make adjustments to Folder Options as explained above.  Go to root drive and delete autorun.inf and backupuser.exe.  Navigate to the folder shown in the image and delete the files I have circled below:



Note: another virus uses this location to hide.  If you see a Recycled.scr entry as well, delete it.

c.  Remove the entry in Registry (as shown before) via Regedit.

And that is it!  Happy hunting!
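
The indicators this post lists (an IEXPLORE.EXE process that is not Internet Explorer, the Windows_XP service pointing into the MSInfo folder, and autorun.inf/backupuser.exe in a drive root) can be checked in one read-only pass. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later in an elevated session, and the Internet Explorer install folders it compares against are standard Windows locations rather than something the post states.

```powershell
# Added example: read-only triage for the indicators named in this post.
# Assumes PowerShell 3.0+ in an elevated session; nothing is stopped or deleted.
function New-Finding($Check, $Item, $Detail, $Suspect) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail; Suspect = $Suspect }
}

# 1. iexplore.exe processes running from outside an Internet Explorer folder.
#    The expected folders are standard Windows locations, not taken from the post.
$ieDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432 |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Internet Explorer' })
$findings = @(Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
    if ($_.ExecutablePath) {
        $dir = Split-Path -Path $_.ExecutablePath -Parent
        New-Finding 'Process' "PID $($_.ProcessId)" $_.ExecutablePath ($ieDirs -notcontains $dir)
    } else {
        # Image path not readable (typically a non-elevated session): report, do not guess.
        New-Finding 'Process' "PID $($_.ProcessId)" 'path not readable' 'unknown'
    }
})

# 2. The service name given in the post, or any service whose binary sits in MSInfo.
#    Its registry entry is HKLM\SYSTEM\CurrentControlSet\Services\<Item>.
$findings += @(Get-CimInstance Win32_Service | Where-Object {
    $_.Name -eq 'Windows_XP' -or $_.DisplayName -eq 'Windows_XP' -or
    $_.PathName -like '*\Microsoft Shared\MSInfo\*'
} | ForEach-Object { New-Finding 'Service' $_.Name $_.PathName $true })

# 3. autorun.inf and backupuser.exe in every drive root (-Force lists hidden files).
$launch = '^\s*(open|shellexecute|shell\\.+\\command)\s*='
$findings += @(foreach ($root in (Get-PSDrive -PSProvider FileSystem).Root) {
    Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'autorun.inf', 'backupuser.exe' } | ForEach-Object {
            $file = $_
            if ($file.Name -eq 'autorun.inf') {
                # Print the launch directives so a legitimate autorun.inf can be told apart.
                $lines = @(Get-Content -LiteralPath $file.FullName -Force) -match $launch
                New-Finding 'File' $file.FullName ($lines -join '; ') ([bool]($lines -match 'backupuser\.exe'))
            } else {
                New-Finding 'File' $file.FullName "attributes: $($file.Attributes)" $true
            }
        }
})

$findings | Format-Table -AutoSize -Wrap
```

A process row marked Suspect only means its image is not in an Internet Explorer folder; compare that path with the service row before ending or deleting anything.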

35 comments:

  1. Thank you for all of your posts; when I finish trying, I will come back here and say "Thank you" again.
  2. Always glad to be of help. :)

  3. Hello! I currently have this virus.. and I am trying to follow your steps but how do I get to my root drive to delete those files? Sorry I'm a bit of a computer noob! Thanks in advance!
    Replies
    1. Basically speaking, a root drive is the first drive of your OS, which is normally known to us as C:\. So just open Explorer and navigate to c:\ and you will find those files there (as long as you view everything, meaning, go to Folder Options and select "Show hidden files and folders" and untick "hide protected operating system files" as well as "Hide extensions for known types").

      If, despite doing all those things, the system and hidden files still do not show, post here again because Super Hidden may have been activated on your end. And there is another procedure to fix that.
    2. Yo, I have windows "7", and I couldn't find any fake file known as Windows XP, mainly probably because of Windows 7. Can you like find a different solution for Windows 7? Also on Task Manager, I couldn't find IEXPLORE.EXE, even though I know it's on my PC, can you help??
  4. Hi. I also have this IEXPLORE.EXE virus, and another one 0wcxB878.exe. I think Super Hidden is activated because I cannot find either virus in the root drive. I have made the changes to Folder Options and cannot find.

  5. Sorry for late reply about superhidden. Here is the manual way:

    1. Click start button and on run or search, type regedit, then enter.

    2. Inside registry, navigate to this:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

    3. Double click Super Hidden value and change it from 0 to 1.

    4. Close registry.
    5. Restart your computer.
  6. think virus got advanced :)
    but there is neither any file named backupuser.exe nor any process named windows_xp even in superhidden option
    Besides, I've noticed that it creates an autorun.inf file when usb connected creating recycler folder with copy of..
    commonly known as recycler virus i guess :)
    anyway love ur post n need further help!!!!
    Replies
    1. Yes, there are other malware that reside in Recycler folders. So on my end, I actually remove those folders now (as well as System Volume Information which is necessary for System Restore). Read this: http://sandstorm36.blogspot.com.au/2011/11/steps-to-remove-recycler-folder.html
  7. Above you said to close Internet Explorer. I don't get that. How can I do anything with I.E. closed? And where is the Task Manager?

    E.R.

    Replies
    1. I mean the browser internet explorer if it is open. But in some of my manual removal ways I do close Shell Explorer but let's not get into that.

      Task Manager can be opened in several ways:
      1. Right click on the system tray (where the time is), choose Task Manager
      2. Press Ctrl+Alt+Del. Depending on your OS, Task Manager button can be seen there
      3. Press Ctrl+Shift+Esc
      4. In Windows 8, you can use Winkey+X, then when the shortcut menu appears, choose Task Manager
  8. Antivirus is a must for any network- or internet-connected computer, to detect, remove and prevent all sorts of malicious software!
  9. I can't find the backupuser folder.

  10. What is the Winkey+X?
  11. How to remove IEXPLORE.EXE in Windows 8?
    I disable it in Task Manager but I cannot delete it. Why?
  12. Hi.. I can't clean the virus, maybe because I'm using Windows 10. Can you give me the way to clean the virus for Windows 10? Appreciate what you do.
    Replies
    1. For me to trace this on another OS, I have to reinfect my unit so I can find out what has changed.

      Unfortunately, this virus plus others I share on manual removals no longer exist on our end. Before I did this post, I cleaned all our infections.
  13. That helped me so much! The last time I faced such a good post was a post on http://www.removalbits.com/, but this post is maybe even better, because there is so much useful information described in a few words!