Two instances of IE that won't close

Yesterday I stupidly visited a site with Internet Explorer that wouldn't work in Firefox. This morning I realized I'd been zapped with spyware. I ran the usual scans, which found CoolWWWSearch and Lop. I was pretty sure I'd gotten rid of CoolWWWSearch til I went back into IE and realized it had the CoolWWWSearch bar and the start page had been hijacked. Some of Firefox's settings had been altered too, but were easily changed back.

I disabled the search bar in IE, and it made me type in a number to do, to be sure I wasn't a bot...

I downloaded CWShredder and scanned with it. All it found was a little search component, which it got rid of. However when I looked in EndItAll, I saw two instances of IE, one that had Search off to the right of it.

I ran HijackThis and got rid of anything questionable I found.

I think I have CoolWWWSearch off my system, but I can't get rid of those two instances of IE.

Ah I just realized this probably belongs in the security forum. Feel free to move it. Any help appreciated.

 

shadowhawk--
How are you trying to remove the two versions of IE?
I presume you have rebooted. Have you tried removing from Safe Mode?
I wonder if MoveOnBoot might help
http://www.snapfiles.com/get/moveonboot.html

 

I ran Adaware SE again, this time full scan and it found Lop. It had to reboot to get it off. It must've been Lop doing it.

 

shadowhawk--I understand that things are back to being OK. Great!!
I have seen that often multiple scans with AdAware or SpybotS&D are a good idea.
You may want to delete previous System Restore points, since they might reintroduce the same problems.

 

VERY, VERY good sugestion.

BillyBob

 

I disabled System Restore for my drives. Is it OK to re-enable it now?

edit: After I thought Lop was gone, the icons reappeared on my desktop and there were again two instances of IE. I ran another full scan with Adaware SE and this time it found 96 instances of Lop.

I had it delete all of them and then deleted some questionable files I found in my Program Files folder. I hope this is it.

edit: Turns out I forgot to decline the sponsor for Messenger Plus and that's how I got that spyware. Now I've reinstalled sans the sponsor, so hopefully no more trouble.

 

If you continue to have problems, we may need to move this to security. Coolweb and Lop both have newer versions that are super hard to spot and remove.

Lonny & Mark can do it, probably Dave, and possibly a couple of others. Not me though. I don't follow that stuff closely enough. You almost gotta live on the security forums to keep up with the newer nasties and how to spot them & kill them.

 

I would suggest installing the IESpyads.Reg file for now. That second instance of IE is running an ActiveX control, and chances are this site is in this REG file. This file merges hundreds of sites into the Restricted Zone. and once a site goes into the Restricted, any future and current ActiveX processes connecting to those sites are halted, due to default settings. I set everything to disable in that zone.

 

Where can I find this file? I only got one search result in Google, and it was for this site.

 

Look in Mark62 signature above your post

 

Thanks I got it! Weird thing happened when I right clicked on the ZIP file to scan for viruses. I got this popup from Kerio asking about a modified program, one Logitech QuickCam photo album. I clicked Deny because I hadn't made any changes to it. Then the the box sat there like it was frozen, so I brought up Task Manager to try and shut it down. All of a sudden MS Word and two instances of an MP3 tag editor I use opened by themselves. I shut these down and the box was gone. I right clicked the ZIP again and noticed that the menu item to scan for viruses was gone. So I opened eTrust and looked around in its options, couldn't find one to bring it back, so I closed eTrust. And now the menu item to scan is back again.

Weird...