azzurro
Cadet
Joined: May 10, 2004
Posts: 2
Location: Canada
Posted: Mon May 10, 2004 10:33 pm Post subject: iexplore.exe causing headaches

I'm having problems with iexplore.exe.
It's using up 100% of the CPU and not allowing me to close programs.
I'm thinking it might be a virus but was told it might be hardware related.
Any suggestions?

rednitas
Cadet
Joined: May 20, 2004
Posts: 4
Location: USA
Posted: Thu May 20, 2004 9:07 am Post subject: I have a similar problem.

I have a similar problem. While my PC is running, the iexplore.exe task keeps on replicating itself and eventually brings the system to its knees. Norton Antivirus 2004 did not detect any viruses, but this sure appears to be a virus.

bendnwiggle
Cadet
Joined: May 21, 2004
Posts: 4
Location: Canada
Posted: Fri May 21, 2004 7:20 am Post subject: iexplore.exe trojan

I've just spent the entire day trying to fix the same problem.
The key is DO NOT reboot until you've finished all the steps because the problem will just return.
The extensive replication of iexplore.exe seen in Task Manager is a result of a malicious copy of IEXPLORE.EXE, which is the legitimate program running Internet Explorer. First off, go into CONTROL PANEL....TOOLS....FOLDER OPTIONS....VIEW. Click on "show hidden files" and de-activate "Hide extensions for known file types" and "Hide protected operating files". Now perform a search (in C:) for file name iexplore.exe (make sure you choose "search hidden files"). Results should return 2 applications found. IEXPLORE.EXE found in the Internet Explorer program files is the correct one. You should turn up a second copy...most likely in your %systemDir%. Delete this one.
Now if this was the end it would be nice...but it's not. When you reboot the problem returns. Why? Because iexplore.exe isn't the cause, it's only the end result. THE CAUSE of the trojan is actually a combination of 3 other programs...netda.exe, netdb.exe, and netdc.exe. Open Task Manager and disable any of these running (netdc.exe was running on mine). Once the programs are disabled you can locate them with a search, and just delete them.
Now here's the tricky part.....if you reboot now the problem still returns...why? You have to delete the startup entries added to the registry. Open "regedit" using the Run command. You have to delete the reference to netdc.exe in the following path...HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run. Double click on Run and delete the reference to netdc.exe in the right side panel (mine was in "load32").
Once I deleted all the net*.exe executable files and registry references, I rebooted and so far the problem has been eliminated.
Now, as I did, you might receive an error message when you reboot.."windows could not locate netdc.exe...blah blah blah". The reason for this is that there was a netdc.exe reference in the startup registry. I went into the registry at HKEY_Local_Machine\software\microsoft\windows\windowsNT\currentversion\winlogon...double click on "shell" in the right panel and eliminate the netdc.exe reference. It should read "shell=iexplorer.exe". This step will eliminate the error message on startup. You can also return the line "shell=iexplorer.exe" by editing the system.ini file.
If you've experienced trouble with accessing Symantec, McAfee and other virus software web sites as I have, the problem is easy to fix. The trojan alters your hosts file so that your computer refers to itself when trying to access the chosen web sites. Perform a search in all files and folders for "hosts". Open your hosts file (it's the "hosts" without an extension) using Notepad. Your own localhost address is 127.0.0.1. Any websites with this address in front cannot be found because your computer will refer back to itself. Simply delete any website entries which begin with your localhost address. Save the file and exit. Bingo, these websites can now be accessed. Voila, my stress has gone.
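The three places this post says to inspect (the hosts file pointing vendor sites at 127.0.0.1, the Winlogon "shell" value and the system.ini shell= line with an extra program appended after explorer.exe, and the Run entry such as "load32" pointing at netda/netdb/netdc.exe) can be checked mechanically before rebooting. The script below is an added example, not code from this thread or from any of its posters. The hosts file, system.ini text and registry values it examines are constructed samples modelled on what the posts describe; on a live machine you would read the real hosts file, system.ini and the two registry keys (for instance with Python's winreg module) and pass their contents to these functions. It goes slightly beyond the post in treating any non-localhost name mapped to a loopback address as a hijack, not only the vendor sites named here.

```python
"""Audit the persistence points and hosts-file tampering described above.

Added example; not code from the thread or its posters.  All inputs are
constructed samples (see SAMPLE_* below).  On a live Windows machine you would
read the real hosts file, system.ini and the two registry keys (e.g. via the
winreg module) and pass their contents to these functions.
"""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Indicators taken from the thread: the netda/netdb/netdc.exe components and
# the "load32" Run value.  Treated as hints, not as a complete signature.
SUSPECT_EXE = re.compile(r"\bnetd[abc]\.exe\b", re.IGNORECASE)
SUSPECT_RUN_NAMES = {"load32"}


def hosts_hijacks(hosts_text):
    """Return hostnames other than localhost that the hosts file maps to a
    loopback address.  Such a site can never be reached, which is the
    'cannot open Symantec/McAfee' symptom the post describes."""
    hijacked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                # malformed line, skip
        if ip in LOOPBACK:
            hijacked.extend(n for n in names
                            if n.lower() not in ("localhost", "localhost.localdomain"))
    return hijacked


def shell_extras(shell_value):
    """Return every program in a Winlogon 'Shell' value (or a system.ini
    shell= line) other than explorer.exe.  Windows accepts a list here, and
    the trojan appended its own executable after explorer.exe."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|[^,\s]+', shell_value)]
    return [t for t in tokens if t.lower().rsplit("\\", 1)[-1] != "explorer.exe"]


def system_ini_shell(ini_text):
    """Return the shell= value from the [boot] section of system.ini, or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            return line.split("=", 1)[1].strip()
    return None


def suspicious_run_entries(run_values):
    """run_values maps value name -> command under ...\\CurrentVersion\\Run.
    Flags entries whose name or command matches the thread's indicators."""
    return {name: cmd for name, cmd in run_values.items()
            if name.lower() in SUSPECT_RUN_NAMES or SUSPECT_EXE.search(cmd)}


# ---- constructed samples, modelled on the posts (not real captures) ----
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # added by the trojan
127.0.0.1       www.mcafee.com
"""
SAMPLE_SHELL = "explorer.exe c:\\windows\\system\\netda.exe"   # Winlogon "Shell" value
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe c:\\windows\\system\\netda.exe
[drivers]
wave=mmdrv.dll
"""
SAMPLE_RUN = {
    "NvCplDaemon": "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup",
    "load32": "C:\\WINDOWS\\system\\netda.exe",
    "NortonAV": '"C:\\Program Files\\Norton AntiVirus\\navapw32.exe"',
}


def audit(hosts=SAMPLE_HOSTS, shell=SAMPLE_SHELL, ini=SAMPLE_SYSTEM_INI, run=SAMPLE_RUN):
    """Run all four checks and return the findings as one dict."""
    return {
        "hosts_hijacks": hosts_hijacks(hosts),
        "winlogon_shell_extras": shell_extras(shell),
        "system_ini_shell_extras": shell_extras(system_ini_shell(ini) or ""),
        "run_entries": suspicious_run_entries(run),
    }


if __name__ == "__main__":
    for check, finding in audit().items():
        print(f"{check}: {finding}")
```

Every function reports rather than deletes, so the script is a way to confirm that all of the post's cleanup steps took before the reboot the post warns about; an empty report for all four checks is what a clean machine should produce.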

rednitas
Cadet
Joined: May 20, 2004
Posts: 4
Location: USA
Posted: Fri May 21, 2004 2:29 pm Post subject:

GREAT JOB, bendnwiggle! TRULY SUPERB! YOU ARE A SUPERSTAR!
I got rid of my problem using your technique.
I had to do it twice. The first time I did it, I screwed up somewhere and deleted some stuff that I should not have. Anyhow, I have a program called "GoBack" installed that allowed me to revert back to the previous state. The second time, I did it perfectly.
Here is my summary of what I ended up doing (the 2nd time around):
1) The first thing I did was reboot.
2) As soon as the machine came up, using the Task Manager, I searched for processes called netda, netdb, or netdc. I found netdc and stopped it.
3) As soon as netdc was stopped, iexplore.exe stopped replicating itself. It had already replicated about 4 or 5 times by the time I stopped netdc. I then terminated all the iexplore.exe processes that were running using the Task Manager. If you click on "Image Name" under processes in the Task Manager, all the processes get sorted alphabetically.
4) I then went to CONTROL PANEL....TOOLS....FOLDER OPTIONS....VIEW, exactly as bendnwiggle had described in the previous post, and clicked on "show hidden files" and deactivated "Hide extensions for known file types" and "Hide protected operating files".
5) I then searched for iexplore.exe under C:. I found what is shown in the attachment. I did not delete anything from this list because everything looked legit.
6) I then searched for netda.exe under C:. See attachment. I deleted the single instance of netda.exe that was shown.
7) Searched for netdb.exe under C:. See attachment. I deleted the 3 instances shown under Documents and Settings.
8) Next searched for netdc.exe under C:. See attachment. I deleted the instance under C:\WINDOWS\system32.
9) Went to the registry just like instructed in the last post and deleted the entry showing netda.exe. See attachment and previous post (...Run).
10) Found reference to netdc.exe in the registry. See attachment and previous post (...winlogon).
11) Double-clicked and erased the back part of the line up until explorer.exe. Just left the words "explorer.exe" on the line. See attachment and previous post.
12) Exited from the registry and went back and reset the file display options under Control Panel.
13) Everything worked as advertised.
AGAIN, HATS OFF TO bendnwiggle!
Attachment: screenshots.doc (447 KB, downloaded 230 times)

rednitas
Cadet
Joined: May 20, 2004
Posts: 4
Location: USA
Posted: Fri May 21, 2004 2:43 pm Post subject:

I am adding the words BACKDOOR-CCT to this post so that other users who have this problem can see this site. BACKDOOR-CCT is the name given by McAfee to the Trojan that causes the above problem. I have not found any reference to this problem anywhere else, including at Symantec (makers of Norton Antivirus). When a corporate customer asked Symantec about this issue, here was the response...
"Hello Richard,
Thank you for using our online discussion groups.
> I found a profile for the BackDoor-CCT virus and
> basically found this virus on my workstation. I have manually
> cleaned as much as I can identify to clean, but I want to know why
> your definitions are not finding this virus?
To determine if this threat has Symantec virus definitions written for
it or if you are working with a new threat, I suggest that you submit
the file(s) to the Security Response group. The below article will
have instructions as to how to do this:
Title: 'How to submit a file to Symantec Security Response using Scan
and Deliver'"
So, basically we have no idea where Symantec stands on this issue.

bendnwiggle
Cadet
Joined: May 21, 2004
Posts: 4
Location: Canada
Posted: Sat May 22, 2004 8:52 pm Post subject:

Might be an idea to change all your confidential passwords. Considering that this trojan is a key-logger, you never know what information could be compromised.

Hsiung99
Cadet
Joined: May 25, 2004
Posts: 2
Location: USA
Posted: Tue May 25, 2004 8:42 pm Post subject:

The problem is still there even though I have followed all the steps.
Please advise.

rednitas
Cadet
Joined: May 20, 2004
Posts: 4
Location: USA
Posted: Tue May 25, 2004 10:19 pm Post subject:

Hmmm. That's odd. In my case, I did not have to delete any rogue iexplore.exe files. Maybe, in your case, you do. Please specify exactly what you saw and what you did.

Hsiung99
Cadet
Joined: May 25, 2004
Posts: 2
Location: USA
Posted: Wed May 26, 2004 2:32 pm Post subject:

Here is my summary of what I did:
1.) Boot up the computer using safe mode.
2.) Delete netda.exe, netdb.exe, and netdc.exe in c:/windows/system.
3.) Delete the entry load32 = "c:\windows\system\netda.exe" in the registry under HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run.
4.) Find the hosts file and delete all entries showing the localhost address 127.0.0.1.
5.) Find Iexplorer.exe (I only find one under c:\Programmer\internet explorer), so I don't need to delete it.
6.) Change the system.ini file (delete c:\windows\system\netda.exe behind shell=explorer.exe).
7.) Change system.ini and the hosts file to read-only.
8.) Check HKEY_Local_Machine\software\microsoft\windows\windowsNT\currentversion\winlogon. There is no Shell in the right panel.
9.) Finally, I am using Trend Micro OfficeScan to scan the whole PC.
After I had done everything, I rebooted the PC. Only the system.ini and hosts file were not changed; everything else is back on my PC.
Hope this gives you a whole picture of my situation. Thanks!!!

adamisthedon
Cadet
Joined: May 29, 2004
Posts: 1
Location: UK
Posted: Sat May 29, 2004 5:31 pm Post subject: thank you soooooooooooooooooooo much

All I wanted to say was thank you so so so so so so so much for sorting out the netdc.exe problem thing for me. I was in such a pickle and didn't know what to do. So all I'm saying is THANK YOU.

keijiro
Cadet
Joined: Jun 20, 2004
Posts: 3
Location: USA
Posted: Sun Jun 20, 2004 11:55 am Post subject:

About this Backdoor.Nibu.E trojan which contains load32.exe and netda.exe etc...
I have followed every instruction on many websites including Symantec's, but after reboot the registry comes back with the trojan entries, even when the XP restore function is switched off.
What's more, the files netba.exe etc. are all hidden and can only be seen in SAFE mode (they are not found immediately in SAFE mode, but only after deleting the registry entries in SAFE mode and then rebooting in SAFE mode; then these files are revealed). Has anyone come across such mechanisms before? It seems to be unheard of.
If my guess is right, this new strain restores itself whenever the machine reboots and hides the files completely (as I said, they can only be revealed in SAFE mode). Furthermore, although these netba etc. are running, they do not show up in the Task Manager.
Can someone please help??
Thank you!!
Can someone help!!
Thank you!!

DeepThought
Cadet
Joined: Jun 22, 2004
Posts: 1
Location: USA
Posted: Tue Jun 22, 2004 11:33 pm Post subject: Solution Finally - Backdoor.Nibu.E trojan

I went through every step below and at Symantec and had no luck. Nothing would work. I then noticed three things:
1. Notepad was no longer an option when selecting a program to open a file with.
2. While searching for the .exe I found instead "notepad.exe.bak" in my windows\system32 directory.
3. I had 4 instances of a "notepad.com" on my machine.
Solution: rename "notepad.exe.bak" to "notepad.exe" and delete all instances (do a search) of notepad.com on the PC. Note: explorer is set per below.
Voila! Pass it around....I've seen the problem all over the place but never this solution.
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops