iexplorer.exe popup Virus

June 5, 2009 at 14:36:14
Specs: Microsoft Windows XP Home Edition, 1.596 GHz / 1011 MB
I'm having the same problem as another poster. IE popups keep happening in the background (I can only see them in Task Manager). I can hear them popping up when my sound is on, and every now and again one is an audible ad, so I have to search for it and close it down. When I try to close all of the others in Task Manager they keep popping up, usually about 12 or so at a time. Please help. I've done the computing net scan, but I will be around to post whatever else needs to be posted. Thanks for your help.


June 5, 2009 at 15:12:38
What site, and does it happen in other web browsers?



June 5, 2009 at 15:49:56
It happens while I'm running Firefox. I hardly ever use IE and I'm never using it when these sites are popping up. I also get random error popups (this site has encountered an error and IE has to close); I just hit the button to report it to Microsoft and close it out, but I'm never running IE when these popups happen.


June 5, 2009 at 16:01:44
Tried scanning with antivirus? Post the scan log if you did; if you haven't, scan with the Kaspersky/ESET/BitDefender online scanners and post the scan results.



June 5, 2009 at 16:20:28
OK, I just spent hours getting this scan and it found nothing. Here is the report. I've also taken a print screen to show you what I'm talking about. I'm not sure if image codes can be used here, so I will post the link. Thanks.

Saturday, June 6, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version:
Program database last update: Saturday, June 06, 2009 03:27:25
Records in database: 2316933
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
Scan statistics
Files scanned 46467
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 03:21:26

No malware has been detected. The scan area is clean.
The selected area was scanned.

Link to print screen:


I am going out of town for the weekend, I will bump this when I get back for help...thanks to all that viewed and if you want to go ahead and post my next step I will do it promptly upon return. Again, I really appreciate the help :)


June 7, 2009 at 10:53:21
I am also having this issue. Onecare live scan from Microsoft detected and removed System32\iehlpr.dll and Windows\sysguard.exe. Now both Onecare and Defender show the computer as clean, but the issue persists. I was getting redirects from my search results both in Google and (If I open the link in a new window it opens correctly). No DNS IPs in my TcpIp reg key. I am really baffled. Anyone figure this out yet? Thanks.


June 7, 2009 at 11:00:13
Dustin DeWynn: Create your own post with your problem.



June 7, 2009 at 11:01:24
Jrobi31: Can you make a new HijackThis log and upload it to HijackThis: Here



June 7, 2009 at 21:25:36
neoark, here is the hijack link:


June 8, 2009 at 05:42:39
1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial



June 8, 2009 at 08:48:11
AVZ Log:


June 8, 2009 at 09:14:42
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);

2) After Reboot. Attach a Combofix log, please review and follow these instructions carefully.

Download it here ->

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to and paste the link here.



June 8, 2009 at 14:51:42


June 8, 2009 at 15:16:10
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);

2) Run this script in AVZ:


3) A file called should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\ to a filehost such as Then, Private Message me the Download link to the uploaded file.

4) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.



June 9, 2009 at 04:41:10
Is your original problem fixed? Also, in your AVZ folder there should be a directory called "Quarantine". Can you please zip up that folder, upload it and private message me the download link.



June 9, 2009 at 13:13:13
Yes Neoark, the initial problem is solved. Thank you so much for your help :) I am pm'ing you the last link. Again, I appreciate it!


June 9, 2009 at 13:37:11
Thanks for the files. Please follow these steps in the order numbered and post a summary log after each step.

1) If you use Windows System restore, turn it off > reboot. How to turn it off/on:

Run a full scan with

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the ActiveX control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial:

Note: Turn System Restore back on, if you wish; this is to remove malware from system volume information files.

2) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, fix anything detected.

3) House cleaning. Run full Scan with SuperAntispyware : . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.


June 10, 2009 at 22:39:33

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.0.2
# EOSSerial=e5684cf05140cd49884cdbed82c62c12
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-11 04:29:31
# local_time=2009-06-10 11:29:31 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 83 100 3922108593750
# scanned=37202
# found=0
# cleaned=0
# scan_time=3225


June 10, 2009 at 22:40:35

Malwarebytes' Anti-Malware 1.37
Database version: 2261
Windows 5.1.2600 Service Pack 3

6/11/2009 12:07:36 AM
mbam-log-2009-06-11 (00-07-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 119912
Time elapsed: 30 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\JMari\Desktop\avz4\quarantine\2009-06-08\avz00001.dta (Trojan.BHO) -> Quarantined and deleted successfully.

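An added example, not part of the original thread or of any tool mentioned in it: a small Python parser for the Malwarebytes log format as posted above, which flags detections that sit inside another tool's quarantine folder (as the single hit here does) and checks the summary counts against the listed items. The regular expressions are inferred from this one log, and treating any folder named "quarantine" as already-isolated content is an assumption.

```python
import re

# Excerpt of the Malwarebytes' Anti-Malware log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\JMari\Desktop\avz4\quarantine\2009-06-08\avz00001.dta (Trojan.BHO) -> Quarantined and deleted successfully.
"""

COUNT = re.compile(r"^(.+ Infected): (\d+)$")    # summary line with a count
HEADER = re.compile(r"^(.+ Infected):$")         # start of a detail section
ITEM = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts, detections) from a log in the format above."""
    summary, detections, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := COUNT.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := HEADER.match(line):
            section = m.group(1)
        elif section and (m := ITEM.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return summary, detections

def triage(text):
    """Label each detection and compare listed items with the summary."""
    summary, detections = parse_mbam_log(text)
    listed = {}
    for d in detections:
        parts = re.split(r"[\\/]", d["path"].lower())
        # Assumption: a parent folder named "quarantine" holds isolated files.
        d["status"] = "residual-in-quarantine" if "quarantine" in parts[:-1] else "live"
        listed[d["section"]] = listed.get(d["section"], 0) + 1
    mismatches = {k: (v, listed.get(k, 0)) for k, v in summary.items() if v != listed.get(k, 0)}
    return detections, mismatches

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
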

June 10, 2009 at 23:18:33

SUPERAntiSpyware Scan Log

Generated 06/11/2009 at 01:12 AM

Application Version : 4.26.1004

Core Rules Database Version : 3934
Trace Rules Database Version: 1877

Scan type : Complete Scan
Total Scan Time : 00:30:43

Memory items scanned : 466
Memory threats detected : 0
Registry items scanned : 5728
Registry threats detected : 0
File items scanned : 11796
File threats detected : 27

Adware.Tracking Cookie


June 11, 2009 at 05:51:59
You're malware free. If your original problem still persists, let me know. Run these last two links; no need to report back.



PS: I am not monitoring this post any more; if you still need help, feel free to PM.
