Friday, October 21, 2011

IEXPLORE.EXE virus Manual Removal

This is actually an old infection that can be easily killed, so I skipped sharing this one before. However, some units here in our office have again been infected by this virus, which is why I had to manually kill those again, as our antivirus does not seem to recognize this one.


IEXPLORE.EXE is actually the executable filename of Microsoft Internet Explorer. But since some virus propagator decided to be a little naughty, they gave their process the same name. If I were creating a virus, I might name it after a certain Microsoft process as well, so it can fool a lot of people into thinking it is legal.

Since this virus has the same process name as Internet Explorer, how will you know whether what you are seeing in the Task Manager is the virus or the real Internet Explorer? Simple: if there is no open Internet Explorer, then it is a virus. If there is an open Internet Explorer, close it. If there is still an instance of IEXPLORE.EXE after closing Internet Explorer, then that is a virus.

What does this virus do?

Like most viruses, it eats a lot of resources, which slows down your unit. Once free resources are very low, you will have problems accessing anything. Some signs of very low free resources are the inability to properly display the UI of anything on your computer (missing sections of the title bar, forms becoming transparent in some sections), the inability to connect to shared folders on the network, etc.

Understanding this virus further:

a.  It creates an autorun.inf file in the root directory with these instructions:


Note: To view everything, go to Folder Options, select “Show hidden files and folders”, untick “hide protected operating system files”, and also untick “Hide extensions for known types”.

In the root of the drive, you will see a hidden exe named backupuser.exe with the icon of a standard folder. If you do not untick “hide extensions” as mentioned above, you will be fooled into thinking that the exe is a folder, and of course double-clicking it will result in further infections.

b.  It lodges itself among the services (click Start button, Run, type MSConfig, Enter, and go to Services Tab) bearing the name Windows_XP (clever huh?).

c.  The actual service can be seen via services (click Start, Run, type Services.msc, Enter) and if you double-click it, it will point you to the other file portions inside \Program Files\Common Files\Microsoft Shared\MSInfo:

d.  In the current processes (right-click taskbar, Task Manager, Processes Tab), it hides under the name IEXPLORE.EXE (as mentioned above).

e.  In the registry, it creates the necessary entry for the service to be loaded:

Is manually killing this virus hard? 

No!  That is why I never thought of including this in the previous manual virus removal tutorials.  You can actually remove this without any 3rd party tool.  Here we go:

Steps on manually removing IEXPLORE.EXE virus:

a.  Open Task Manager, go to the Processes tab, look for IEXPLORE.EXE, then right-click it and choose End Process Tree.

b.  Make adjustments to Folder Options as explained above. Go to the root drive and delete autorun.inf and backupuser.exe. Navigate to the folder shown in the image and delete the files I have circled below:

Note: another virus uses this location to hide.  If you see a Recycled.scr entry as well, delete it.

c.  Remove the entry in the registry (as shown before) via Regedit.

And that is it!  Happy hunting!
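
The indicators and removal steps above can be checked in one pass before and after cleaning. The PowerShell below is an added example, not part of the original post; it only reports, and it assumes PowerShell 3.0 or later and Internet Explorer in its default install folder (`Find-IexploreIndicators` is a name chosen here).

```powershell
# Added example: read-only triage for the indicators described in this post.
# Assumes PowerShell 3.0+ and Internet Explorer in its default install folder.
# Nothing is deleted; review the output, then clean up by hand as described.

function Find-IexploreIndicators {
    $ieDirs = @("$env:ProgramFiles\Internet Explorer",
                "${env:ProgramFiles(x86)}\Internet Explorer")

    # Processes named IEXPLORE.EXE whose image is outside the IE folder.
    # An empty path means the image could not be read (run elevated and re-check).
    Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" |
        Where-Object { -not $_.ExecutablePath -or
                       $ieDirs -notcontains (Split-Path $_.ExecutablePath -Parent) } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Process'
                               Detail    = "PID $($_.ProcessId): $($_.ExecutablePath)" }
        }

    # autorun.inf and backupuser.exe in the root of every file-system drive.
    # -Force is needed because the files are hidden.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'autorun.inf', 'backupuser.exe') {
            $path = Join-Path $drive.Root $name
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($item) {
                [pscustomobject]@{ Indicator = 'RootFile'
                                   Detail    = "$($item.FullName) [$($item.Attributes)]" }
            }
        }
    }

    # Service shown as Windows_XP, or any service running from the MSInfo folder.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq 'Windows_XP' -or $_.DisplayName -eq 'Windows_XP' -or
                       $_.PathName -like '*\Common Files\Microsoft Shared\MSInfo\*' } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Service'
                               Detail    = "$($_.Name) -> $($_.PathName)" }
        }
}

Find-IexploreIndicators | Format-Table -AutoSize -Wrap
```

An empty result after the cleanup steps means none of the indicators listed in this post remain on the machine.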


  1. it worked for me

  2. Thank you all of your posts, if i finish trying, i will come back here and say "Thank you" again.

  3. Hello! I currently have this virus.. and I am trying to follow your steps but how do I get to my root drive to delete those files? Sorry I'm bit of a computer noob! Thanks in advance!

    1. Basically speaking, a root drive is the first drive of your OS, which is normally known to us as C:\. So just open Explorer and navigate to C:\ and you will find those files there (as long as you view everything, meaning: go to Folder Options, select "Show hidden files and folders" and untick "hide protected operating system files" as well as "Hide extensions for known types").

      If, despite doing all those things, the system and hidden files still do not show, post here again, because Super Hidden may have been activated on your end. And there is another procedure to fix that.

    2. Yo, I have windows "7", and I couldn't find any fake file known as Windows XP, mainly probably because of Windows 7. Can you like find a different solution for Windows 7? Also on Task Manager, I couldn't find IEXPLORE.EXE, even though I know it's on my PC, can you help??

  4. Hi. I also have this IEXPLORE.EXE virus, and another one 0wcxB878.exe. I think Super Hidden is activated because I cannot find either virus in the root drive. I have made the changes to Folder Options and cannot find.

  5. Sorry for late reply about superhidden. Here is the manual way:

    1. Click start button and on run or search, type regedit, then enter.

    2. Inside registry, navigate to this:


    3. Double click Super Hidden value and change it from 0 to 1.

    4. Close registry.
    5. Restart your computer.

  6. think the virus got advanced :)
    but there is neither any file named backupuser.exe nor any process named windows_xp, even in the superhidden option
    Besides, I've noticed that it creates an autorun.inf file when a USB is connected, creating a recycler folder with a copy of..
    commonly known as the recycler virus I guess :)
    anyway love your post and need further help!!!!

    1. Yes, there are other malwares that reside in Recycler folders. So on my end, I actually remove those folders now (as well as System Volume Information, which is necessary for System Restore). Read this:

  7. Above you said to close Internet Explorer. I don't get that. How can I do anything with I.E. closed? And where is the Task Manager?


    1. I mean the browser internet explorer if it is open. But in some of my manual removal ways I do close Shell Explorer but let's not get into that.

      Task Manager can be opened in several ways:
      1. Right click on the system tray (where the time is), choose Task Manager
      2. Press Ctrl+Alt+Del. Depending on your OS, Task Manager button can be seen there
      3. Press Ctrl+Shift+Esc
      4. In Windows 8, you can use Winkey+X, then when the shortcut menu appears, choose Task Manager

  8. If your PC is infected with a virus and your system has no antivirus installed, then you can also remove it manually through some steps.

    Remove Virus Without Antivirus

  9. Antivirus is a must for any network or internet connected computer, to detect, remove and prevent all sorts of malicious software!

    Change Laptop Keyboard

  10. I can't find the backupuser folder.

  11. what is the winkey+x

  12. How to remove IEXPLORE.EXE in Windows 8?
    I disabled it in Task Manager but I cannot delete it. Why?

  13. Hi.. I can't clean the virus, maybe because I am using Windows 10. Can you give me the way to clean the virus for Windows 10? Appreciate what you do

    1. For me to trace this on other OS, I have to reinfect my unit so I can find out what has changed.

      Unfortunately, this virus plus the others I share on manual removals no longer exist on our end. Before I did this post, I cleaned all our infections.

  14. That helped me so much! Last time I faced such a good post was a post on, but this post is maybe even better, because there is so much useful information described with a few words!