This is actually an old infection, and it can be easily killed, so I ignored sharing this one before. However, some units here in our office have been infected again by this virus, which is why I have to manually kill those again, as our antivirus seems to not recognize this one.
What is IEXPLORE.EXE?
This is actually the executable filename of Microsoft Internet Explorer. But since some virus propagator decided to be a little naughty, they gave their process the same name. If I were creating a virus, I might name it after a Microsoft process as well, so it could fool a lot of people into thinking it is legitimate.
Since this virus has the same process name as Internet Explorer, how will you know whether what you are seeing in Task Manager is the virus or the real Internet Explorer? Simple: if there is no open Internet Explorer, then it is a virus. If there is an open Internet Explorer, close it. If there is still an instance of IEXPLORE.EXE after closing Internet Explorer, then that is a virus.
What does this virus do?
Like most viruses, it eats a lot of resources, which will slow down your unit. Once free resources are very low, you will have problems accessing anything. Some signs of very low free resources are the UI of anything in your computer not displaying properly (missing sections of title bars, forms becoming transparent in some sections), inability to connect to shared folders on the network, etc.
Understanding this virus further:
a. It creates an autorun.inf file in the root directory with these instructions:
[AutoRun]
open=backupuser.exe
shellexecute=backupuser.exe
shell\Auto\command=backupuser.exe
Note: To view everything, go to Folder Options, select “Show hidden files and folders”, untick “Hide protected operating system files”, and also untick “Hide extensions for known types”.
In the root of the drive, you will see a hidden exe named backupuser.exe with the icon of a standard folder. If you do not untick “Hide extensions” as mentioned above, you will be fooled into thinking that the exe is a folder, and of course double-clicking it will result in further infections.
b. It lodges itself among the services (click the Start button, Run, type MSConfig, Enter, and go to the Services tab) bearing the name Windows_XP (clever, huh?).
c. The actual service can be seen via Services (click Start, Run, type Services.msc, Enter), and if you double-click it, it will point you to the other file portions inside \Program Files\Common Files\Microsoft Shared\MSInfo:
d. In the current processes (right-click the taskbar, Task Manager, Processes tab), it hides under the name IEXPLORE.EXE (as mentioned above).
e. In the registry, it creates the necessary entry for the service to be loaded:
Is manually killing this virus hard?
No! That is why I never thought of including this in the previous manual virus removal tutorials. You can actually remove this without any 3rd party tool. Here we go:
Steps for manually removing the IEXPLORE.EXE virus:
a. Open Task Manager, go to the Processes tab, look for IEXPLORE.EXE, then right-click it and choose End Process Tree.
b. Make the adjustments to Folder Options as explained above. Go to the root drive and delete autorun.inf and backupuser.exe. Navigate to the folder shown in the image and delete the files I have circled below:
Note: Another virus uses this location to hide. If you see a Recycled.scr entry as well, delete it.
c. Remove the entry in the Registry (as shown before) via Regedit.
And that is it! Happy hunting!
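The indicators in items a to e above can also be checked in one pass from PowerShell before removing anything by hand. The script below is an added example, not part of the original post; it only reads system state, and it assumes PowerShell 3.0 or later, that the genuine browser runs from the Internet Explorer folder under Program Files, and that services are registered under the standard HKLM\SYSTEM\CurrentControlSet\Services key.

```powershell
# Added example: read-only triage for the indicators described in this post.
# Requires PowerShell 3.0+ (Get-CimInstance). Nothing is modified or deleted.
$findings = @()

# (d) IEXPLORE.EXE processes that do not run from an Internet Explorer folder.
# Assumption: the genuine browser lives in "<Program Files>\Internet Explorer".
$ieDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | ForEach-Object { Join-Path $_ 'Internet Explorer' }
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'") {
    # ExecutablePath is empty when the caller lacks rights; list it for review.
    $dir = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Parent } else { '' }
    if ($ieDirs -notcontains $dir) {
        $findings += [pscustomobject]@{
            Indicator = 'IEXPLORE.EXE outside the Internet Explorer folder'
            Detail    = "PID $($p.ProcessId): '$($p.ExecutablePath)'"
        }
    }
}

# (b, c, e) A service named Windows_XP, or any service whose binary sits in MSInfo.
# Assumption: services are registered under HKLM\SYSTEM\CurrentControlSet\Services.
foreach ($s in Get-CimInstance Win32_Service) {
    $named  = $s.Name -eq 'Windows_XP' -or $s.DisplayName -eq 'Windows_XP'
    $msinfo = $s.PathName -like '*\Microsoft Shared\MSInfo\*'
    if ($named -or $msinfo) {
        $key = "HKLM\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        $findings += [pscustomobject]@{
            Indicator = 'Suspicious service'
            Detail    = "$($s.Name) -> $($s.PathName) (registry key: $key)"
        }
    }
}

# (a) autorun.inf that launches backupuser.exe, and the exe itself, in drive roots.
# .NET file calls are used because they read hidden and system files directly.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    $exe = Join-Path $d.Root 'backupuser.exe'
    if ([IO.File]::Exists($exe)) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped executable'; Detail = $exe }
    }
    if ([IO.File]::Exists($inf) -and [IO.File]::ReadAllText($inf) -match 'backupuser\.exe') {
        $findings += [pscustomobject]@{ Indicator = 'Malicious autorun.inf'; Detail = $inf }
    }
}

if ($findings) { $findings | Format-List } else { 'None of the indicators were found.' }
```

Run it from an elevated prompt so that process paths are readable; a process listed with an empty path needs a manual look rather than being treated as confirmed.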
it worked for me
Thank you for all of your posts. If I finish trying, I will come back here and say "Thank you" again.
Always glad to be of help. :)
Hello! I currently have this virus.. and I am trying to follow your steps but how do I get to my root drive to delete those files? Sorry I'm a bit of a computer noob! Thanks in advance!
Basically speaking, a root drive is the first drive of your OS, which is normally known to us as C:\. So just open Explorer and navigate to C:\ and you will find those files there (as long as you view everything, meaning, go to Folder Options and select "Show hidden files and folders" and untick "hide protected operating system files" as well as "Hide extensions for known types").
If despite doing all those things the system and hidden files still do not show, post here again because Super Hidden may have been activated on your end. And there is another procedure to fix that.
Yo, I have Windows "7", and I couldn't find any fake file known as Windows XP, mainly probably because of Windows 7. Can you like find a different solution for Windows 7? Also on Task Manager, I couldn't find IEXPLORE.EXE, even though I know it's on my PC, can you help??
Hi. I also have this IEXPLORE.EXE virus, and another one 0wcxB878.exe. I think Super Hidden is activated because I cannot find either virus in the root drive. I have made the changes to Folder Options and cannot find.
Same here. Please help
Sorry for the late reply about superhidden. Here is the manual way:
1. Click the Start button and on Run or Search, type regedit, then Enter.
2. Inside registry, navigate to this:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden
3. Double click the Super Hidden value and change it from 0 to 1.
4. Close registry.
5. Restart your computer.
think virus got advance :)
but neither is there any file named backupuser.exe nor is there any process named windows_xp, even in the superhidden option
Besides, I've noticed that it creates an autorun.inf file when a USB is connected, creating a recycler folder with a copy of..
commonly known as the recycler virus I guess :)
anyway love your post and need further help!!!!
Yes, there are other malwares that reside in Recycler folders. So on my end, I actually remove those folders now (as well as System Volume Information, which is necessary for System Restore). Read this: http://sandstorm36.blogspot.com.au/2011/11/steps-to-remove-recycler-folder.html
thank you very very much..
Does this work on win7 as well?
Above you said to close Internet Explorer. I don't get that. How can I do anything with I.E. closed? And where is the Task Manager?
E.R.
I mean the browser Internet Explorer if it is open. But in some of my manual removal ways I do close Shell Explorer but let's not get into that.
Task Manager can be opened in several ways:
1. Right click on the system tray (where the time is), choose Task Manager
2. Press Ctrl+Alt+Del. Depending on your OS, Task Manager button can be seen there
3. Press Ctrl+Shift+Esc
4. In Windows8, you can use Winkey+X, then when the shortcut menu appears, choose Task Manager
Antivirus are a must for any network or internet connected computer, to detect, remove and prevent all sort of malicious software !
I can't find the backupuser folder.
what is the winkey+x
how to remove IEXPLORE.EXE in Windows 8.
I disable in Task Manager but I cannot delete. Why?
Hi.. I can't clean the virus, maybe because I am using Windows 10. Can you give me the way to clean the virus for Windows 10? Appreciate what you do
For me to trace this on other OS, I have to reinfect my unit so I can find out what has changed.
Unfortunately, this virus plus others I share on manual removals no longer exist on our end. Before I did this post, I cleaned all our infections.
That helped me so much! The last time I faced such a good post was a post on http://www.removalbits.com/, but this post may be even better, because there is so much useful information described in a few words!
Thank you for your nice words.