
[Resolved] Error message (iexpLore.exe or iexpIore.exe?)

2883 Views 8 Replies 3 Participants Last post by  Rollin' Rog
Hello

I’ve had a number of problems resulting from trouble I posted in this thread http://forums.techguy.org/showthread.php?threadid=57871&highlight=exe+files+gone+missing - most of which I’ve solved using Techguy search. But this one defies me.

On boot up I get this message:

Cannot find the file ‘iexplore.exe’ (or one of its components). Make sure the path and filename are correct and that all required libraries are available. When I click “OK”, I am given a further message:

Cannot load or run ‘iexplore.exe’ specified in the WIN.INI file. Make sure the file exists on your computer or remove the reference to it in the WIN.INI file.

I checked and found iexplore.exe in PROGRAM FILES\INTERNET. Also I checked the WIN.INI in MSCONFIG and found the following in the desktop folder:
Nullport=none
device=Olichrome Olivetti (my printer)
noload=ptsnoop.exe iexplore.exe
norun=ptsnoop.exe iexplore.exe

None of the boxes are checked.

Additional to this iexplore.exe, I was about to uninstall IE6 just before I had my virus problems (see the above thread link). When I sorted out my virus, I went to uninstall it and was informed that the uninstallation could not continue because a specified file (setup.exe) was not found. I went searching and found that the IE6 setup file was missing. I went to Windows Update to try and uninstall or re-install IE6, but kept getting the same message that a specified file was missing. During my search of their Knowledge Database, I found this http://support.microsoft.com/support/kb/articles/Q222/5/64.ASP, but am unsure whether it is advisable for me to alter the registry to enable me to uninstall IE6 manually. (Note: After resolving my virus problem, but retaining other problems, I re-installed Windows98 from WINDOWS\OPTIONS\CABS\SETUP - I don’t have the Windows98 installation disk, only a product recovery disk) Apart from which, I ran System File Checker and restored all changed files, finding on restart that Explorer had returned to IE5. But IE6 is still resident in ADD\REMOVE PROGRAMS and resisting my efforts to remove it. When I click on IE6 I get this RUNDLL error:
Error in setupwbv.dll
Missing entry:IE6:Maintenance


I also still get the “iexplore.exe” messages. So I now ran the EXEfix08 program but everything seems OK - except for one thing. In the EDIT-WI Run-Load log, the file in question reads “iexpIore” (an I instead of an L?). Has something gone drastically wrong? Is my problem related to this, or is something more going on? If the “L” should indeed be an “I”, what do I do? I am at a complete loss on how to proceed from here.

Kind Regards

jrob
Try re-installing IE 6. Then, if you want, downgrade it using Add/Remove Programs. Select Start, Settings, Control Panel, Add/Remove Programs, Internet Explorer, Remove, and the Restore option.
Hello Dan O


I couldn't re-install before but I can now. Hmm...

However, I still can't remove it from ADD\REMOVE (I restored setupwbv.dll from SFC, or at least it told me I had). I still keep getting the RUNDLL error. I'm also still getting the "iexplore.exe" error on bootup.


Kind Regards

jrob
Do you have IBM's ViaVoice 98 program installed? If so the Vtcommon.dll file is damaged.


RESOLUTION
To resolve this issue, rename the Vtcommon.dll file, and then reinstall ViaVoice 98 or contact IBM for an update. To rename the Vtcommon.dll file, follow these steps:

Click Start, point to Find, and then click Files or Folders.

In the Named box, type vtcommon.dll, in the Look in box, click C drive, and then click Find Now.

Right-click the Vtcommon.dll file, click Rename, type vtcommon.xxx, and then press ENTER.

If this is not it, what is the complete error message?
In no case should there be any attempt to run IExplore.exe from win.ini

And which spelling is it? If it is spelled iexpIore.exe, that would be a reference to a trojan file, cleverly misspelled for purposes of deception.

Are you still getting this "file missing" message?

Run win.ini from start and delete any noload or norun lines altogether. And leave the load= and run= lines either blank or just with ptsnoop.exe which is a modem related file not really required.

You might want to give us a look at a startuplog by running and posting the results of the Startuplog.com file from the link below. It will create a startuplog.txt file which you can copy/paste here (not stubbpaths.txt)

http://home.earthlink.net/~rmbox/Reticulated/Toys.html
Hello

Dan O: I don’t have ViaVoice, I have PICs SuperVoice.

Rollin’Rog: I double checked and it was spelled with the “I” (iexpIore.exe). Below is the posting for the StartUp log you suggested I post. I have edited out some of the line spaces to make it a more compact read for you. I noticed that in the Log, the “Default web browser” is still iexpIore, but when I checked it in msconfig, it is showing the correct iexplore.exe.

I deleted the references in norun= and noload= but left ptsnoop.exe alone. However, during my efforts to rectify after my virus, I came upon this site which lists a lot of programs run during StartUp.
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm {edited. it should work now!} I am methodically running through it as time goes on.

Here is the Start up Log:-
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Vet Alert"="C:\\WINDOWS\\System\\VetMsg9x.exe"
"VetTray"="C:\\PROGRA~1\\INOCUL~1\\VETTRAY.EXE"
"Default web browser"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
==========================================================================
2. HKCU Run - Registry
[RegPath]
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
==========================================================================
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

==========================================================================
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
==========================================================================
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
==========================================================================
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file
;Rem TShoot: norun=
norun=iexpIore.exe
run=

;Rem TShoot: noload=ptsnoop.exe
noload=ptsnoop.exe
load=
==========================================================================
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file
shell=Explorer.exe
==========================================================================
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)

These are your program startups and set paths in your autoexec.bat file
REM [Header]
@ECHO OFF

REM [CD-ROM Drive]

REM [Miscellaneous]

REM [Display]

REM [Sound, MIDI, or Video Capture Card]

REM [Mouse]

SET PATH=%PATH%;C:\PROGRA~1\VIRUSB~1\BIN
rem mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
rem keyb uk,,c:\windows\COMMAND\keyboard.sys
rem mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
rem keyb uk,,c:\windows\COMMAND\keyboard.sys
mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,c:\windows\COMMAND\keyboard.sys
==========================================================================
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Autobackup.LNK
==========================================================================
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your All Users StartUp folder

*(No start-ups found)*
==========================================================================
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories
.....................................................................
[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
.....................................................................
[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
.....................................................................
[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-====================-
StubPaths - Registry (Partial Listing)
-====================-
(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components
"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldRealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"OldRealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe ASC"
-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-
@echo off

REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

==========================================================================
- Supplemental Environment Information -

TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\VIRUSB~1\BIN
windir=C:\WINDOWS

File - c:\windows\deletefi.ini
==========================================================================
- End -

Kind Regards

jrob
Wow, that's the first time I've seen that baby. There are some hits for it in Google groups, but not many:

http://groups.google.com/groups?q=iexpIore.exe&hl=en&btnG=Google+Search&meta=

Anyway we are going to have to do some registry diving to clean it.

++++++++++++++++++++++++++++++++++++++++++++++

>> from start, run regedit

>> Click Edit>Find
>> enter iexpIore.exe in the Find field (we want to end up at:

HKLM\Software\Microsoft\Active Setup\Installed Components

...with: "StubPath"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe ASC" in the right hand pane. Right click on that and delete it

>> Either hit f3 to continue or navigate to

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

>> highlight the RUN key and right click and delete:

"Default web browser"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"

>> now close the registry editor and all open programs

>> from start, run win.ini

>> you can remove entirely: ;Rem TShoot: norun=
norun=iexpIore.exe


(this will prevent it from accidentally becoming re-enabled)

>> shut down completely and wait about 15-30 seconds.

>> when you reboot windows make sure this file is really missing:

C:\WINDOWS\SYSTEM\iexpIore.exe

Re-run your startuplog.com file and verify that none of those entries remain.

One more thing, since this appears to be a password stealer, you should change all critical passwords.
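
Added example, not part of the original thread and not code from Startuplog.com: a small Python check that scans a startup log like the one posted above for autostart entries whose file name is a look-alike of a legitimate one, which is how iexpIore.exe (capital I) hid behind iexplore.exe (lowercase L) in the Run key, win.ini and StubPath. The allow-list, the character folding table and the function names are assumptions made for this illustration.

```python
import re

# Assumed allow-list for this example: legitimate file names seen in the thread's log.
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "rundll32.exe", "systray.exe", "scanregw.exe"}

# After lower-casing, fold characters that look alike on screen to one representative.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name):
    """Lower-case the name, then fold look-alike characters (I/l/1/| and O/0)."""
    return name.lower().translate(CONFUSABLE)


GOOD_BY_SKELETON = {skeleton(n): n for n in KNOWN_GOOD}

# A file name with an executable extension, with or without a leading path.
EXE_TOKEN = re.compile(r'[^\s"=\\/]+\.(?:exe|com|scr|pif|bat)\b', re.IGNORECASE)


def find_lookalikes(log_text):
    """Return (line_no, found_name, imitated_name) for every autostart entry whose
    file name is not a known-good name but is visually confusable with one."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name in EXE_TOKEN.findall(line):
            imitated = GOOD_BY_SKELETON.get(skeleton(name))
            if imitated and name.lower() not in KNOWN_GOOD:
                hits.append((line_no, name, imitated))
    return hits


# Excerpt assembled for this example from log lines posted in the thread.
SAMPLE_LOG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Default web browser"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe"
norun=iexpIore.exe
shell=Explorer.exe
"StubPath"="C:\\WINDOWS\\SYSTEM\\iexpIore.exe ASC"
'''

if __name__ == "__main__":
    for line_no, found, imitated in find_lookalikes(SAMPLE_LOG):
        print(f"line {line_no}: {found!r} imitates {imitated!r}")
```

The folding is deliberately coarse (i, l, 1 and | all collapse together), so a hit means the entry needs a manual look, not that it is malicious.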
Hello Rollin'Rog

All references to iexpIore.exe are purged. Excellent work, Rog. It might be bread and butter to you, but it's a great learning curve for such as me to see our problems worked through and solved on this site.

I had a lot of problems after I got rid of my CIH virus, but a combination of searches in Techguy, and a couple of questions posted, I have finally got my computer running something like its old self. (I have only minor problems left - I'm certain there are threads knocking around to help me. Best to leave you and your fellow artistes to solve more serious problems.) But, then again......I might come back to bug you!

Thanks for helping me, Rog. You're a star.

Kind Regards

jrob
You're welcome Jrob, I'm glad we got that taken care of for you. Does seem like it was a rare bird to catch. Since it was virus related, just for archival purposes now, I'm going to mark the thread resolved and move it to the security forum.

I know you have a remaining issue, but it might be better to create a separate topic for it if you need to.