Mindfield
07-18-2005, 04:53 AM
So a friend referred one of her friends to me to help fix up his system, which wouldn't boot. I check it over and sure enough, Windows won't completely load. After checking everything over with Winternals I finally settle on a recovery install of XP. Everything goes well, I get into Windows and proceed to go about digging his system out of the absolute mountain of unnecessary autorun apps (including plenty of adware and spyware apps) and cleaning the viruses and spyware from his system by software and by hand.
So far I'm almost completely done except for one elusive piece o' crud adware plugin that I can't locate -- yet it's certainly there.
Here's what it does:
- It lies dormant as long as you do not load Internet Explorer.
- Upon loading IE, it will spawn a second hidden copy of IEXPLORE.EXE (possibly a separate hidden and/or system entity with the same name located elsewhere)
- It will then proceed to place about six or seven icons on the desktop, each of which is a link to an online casino, a web hosting company, a domain registrar, and so on. The links can be clicked on and double-clicked on, but they do not respond to a right-click, and cannot be deleted. They aren't icons as such -- this appears to be a Windows Explorer hook that displays clickable, icon-like objects on the desktop that are not actually icons. (They have no shortcut arrow overlay, are not program files, and have no entry in C:\windows\documents and settings\<user>\desktop)
- If the spawned IEXPLORE.EXE task is terminated, the icons will disappear and it will respawn within a few minutes.
- If the spawned IEXPLORE.EXE task is left alone, it will spawn again, placing another set of the same icons on the desktop. This will continue until the desktop is covered with these icons -- and will continue even further, except there's no more screen real estate to display them on. Terminating the task after two or more respawns will only remove the most recent set of icons from the desktop; the rest will remain active and cannot be removed.
Any idea what this is and how to eliminate it?