IE malware symptoms?

A few days ago, my machine started getting real slow. I have a 12 month old Dell running XP SP3. The more I was on IE8, the slower it got. I have an AOL account that I access by going on IE. My husband accesses AOL by using the AOL software on our computer. I began to notice that my husband had no problem. If he went on line when the computer was just turned on, he was fine. If I went on IE, that’s when the heartache began.

I checked Task Master (TM). If I looked at TM when the machine was just turned on, IE was not shown as running and the machine was as fast as usual. We could go on AOL using the software resident on our machine and there was/is no problem. As soon as I go on IE, multiple IE lines open that you can see in TM. They start sucking up the power and the machine slows to a crawl. Those lines stay open even if I close IE. I have to go on TM and actually delete the open programs.

In searches, I have seen these symptoms related to really old viruses called Win32 MiniExplore ZIP [Wm]. I run Avast, Prevx, CCleaner, Malwarebytes, and Comodo. Nothing is coming up on the radar. I’ve sent Prevx a log file. I have HJT but I don’t know what to look for. I have checked on Avast’s list of viruses for iexplore and it came up with something with three variations: Win32MiniExploreZIP [Wm], Win32MiniExploreZIP -B[Wm], Win32MiniExploreZIP-C [Wm]. All three are described as being resident in memory (RES) and EXE infectors. Only the first two are described as being in the wild (ITW).

Avast is not curing the problem. Any suggestions???

Hi francine,

Give us a fresh hijackthis logfile attached with additional options in your reply posting.
Get hjt here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

We will then analyze it and see what is wrong there.

polonus

I’m attaching the HJT log.

I am also sending separately a screen shot from a Comodo log. Scroll down to the bottom of that screen shot. You will see that there are two open Internet Explorers UNDER Comodo. Is that normal? I think whatever it is is operating under the radar.

TIA!

Sorry. The screen shot is too large to send.

Then crop it to the relevant part of the image.

Let’s see if this goes…

Nothing looks wrong; that is the correct location and file name for Internet Explorer.

Presumably you are seeing this in the Comodo firewall logs?
If so it will show connections for iexplore.exe, 1 for each tab that you may have open as that is effectively a separate connection.

I don’t use IE8 nor Comodo so this isn’t something that I can personally check/confirm.

If I open my old IE it shows as iexplore.exe in the task manager.

None of my tabs close. Once I open a tab in IE, it stays open and sucks the oxygen out of the room. In order to neutralize the program, I have to open Task Master and close each manually. Then it’s fine until I next open IE. Strangely enough, it doesn’t happen when I’m on the CPU resident form of AOL. It’s exasperating!

Watching Wimbledon was the only good part of the whole weekend!

Hi francine,

Your hjt logfile txt has nothing out of the ordinary there as you can see from the attached analysis report.
For some versions of the Windows platform from certain computer vendors, the installation of “Blue E8” was, so to speak, a tiny bit problematic. I, for that reason, as I see no other grounds, would like you to repair that particular browser with the FixIt from this page: http://support.microsoft.com/kb/949220

polonus (malware fighter)

Win32:MiniExploreZIP is the same worm as Win32:ExploreZIP.

Manual removal instructions are here.

JTaylor83,

Thanks, I’ll try the fix. I just wonder why Avast doesn’t find it.

JT83,

I couldn’t find EXPLORE.EXE. Every file I found was iexplore.

Any suggestions?

Francine

explore.exe doesn’t exist (or shouldn’t) as a legit file name; iexplorer.exe is Internet Explorer, explorer.exe is Windows Explorer.

I’m following these instructions: To remove Win32:ExploreZIP under Windows 9x, please delete the file EXPLORE.EXE in the Windows system directory and remove the following line from the WIN.INI file before restarting: run=C:\WINDOWS\SYSTEM\Explore.exe

So are you saying to delete IEXPLORE.EXE? That isn’t what JTaylor83’s instructions say.

I don’t believe you have that on your system or Avast would have detected it; you have, in a way, jumped to the conclusion by searching the Avast virus database for iexplore when the malware names aren’t directly related to the actual file name.

Unfortunately, there coincidentally happens to be a malware name with that text string in the name, MiniExploreZip, and not specifically iexplore.

I’m saying nothing of the sort about deleting anything; if I was, I would spell it out. What I am saying is that there really is nothing wrong, as I more or less said in my first reply after you posted the image.

Nothing looks wrong; that is the correct location and file name for Internet Explorer. Presumably you are seeing this in the Comodo firewall logs? If so it will show connections for iexplore.exe, 1 for each tab that you may have open as that is effectively a separate connection.

You didn’t answer that question (with its qualification), which essentially is saying that if this is from the Comodo log there is nothing wrong, as it is normal to have multiple entries in the firewall logs.
I have never seen that image as a part of the task manager, but then again I don’t know what OS you are using.

I stayed away from the topic initially because of the dreaded AOHell, as I feel that uses proprietary applications, which I have zero knowledge of.

You could try Firefox or Opera after you connect to AOHell and see if that makes any difference and not browse with IE8.

I know how people love to hate AOL and I do not normally use it as my Web browser. The reason I’m using it is because IE8, for reasons yet undetermined, once opened is refusing to really close. In addition to that, IE8 sucks up memory.

For example, I am now on AOL through the resident software. I opened IE8. Two iexplore.exe lines came up in Task Manager showing 00 under the CPU column under the Processes tab. I then closed IE8. Both lines in Task Manager are still there except now under the CPU column it shows 50 and the CPU usage is going between 50-52%. If I open IE8 again, two more iexplore.exe lines open in Task Manager with the original two still open and 50% CPU usage. Now I’ve closed IE8 again and I have two lines of iexplore.exe showing 50 and CPU usage has jumped 100%. Using Task Manager, I now end the processes to regain efficient use of my machine.

If not for having figured out that this phenom does not affect AOL, I would really be at a disadvantage. Right now, amazing to say, my resident AOL is the hero and the only way I can conveniently be on line.

I think you will find that the AOHell browser isn’t scanned by the avast web shield as it is a proprietary protocol it uses and not the standard HTTP protocol that the web shield can filter and scan.

I launched IE8, closed it, launched it again, and closed it again. This is a screen shot of Task Master with IE8 thus closed before I manually ended the four listed IE8 processes, which would have eventually kept my computer from running.

And AOL is working just fine. If not for AOL right now, I would be well and truly miserable. It’s IE8 that’s in the tank…

Could you not use another browser like Firefox?

I used to use Firefox, but it created a problem with another program. That’s when I switched back to IE.