Multiple Iexplore.exe Processes Running In Task Manager
Posted 16 July 2008 - 01:05 PM
Posted 16 July 2008 - 02:09 PM
Posted 16 July 2008 - 04:05 PM
Posted 16 July 2008 - 07:05 PM
BUT, this could also be a problem with a legitimate application trying to "phone home", but it's become corrupted and is affecting your system.
You can tell which it is with this free utility: http://nirsoft.net/utils/cports.html
Just run it and make note of which IP addresses that IE is trying to get to (the Remote Address column)
Then use an online Reverse DNS Lookup (one is here: http://remote.12dt.com/ ) to figure out who owns the IP address.
Post back with the information here and we'll have a look ourselves.
If it's an infection, I'd suggest a couple of these free online scans to start with:
(Be advised that some of these scanners will pick up things in "quarantine" from other anti-virus programs - so review the results carefully)
http://www.kaspersky.com/virusscanner Scan Only - no removal
<links compiled on 02/14/2008>
Posted 17 July 2008 - 12:50 AM
Posted 17 July 2008 - 10:09 AM
Were the iexplore.exe processes running when you made this report?
Unfortunately, this places you in a position of vulnerability. In order to run the tests, you've gotta connect to the web - but if you connect to the web, there's a chance that you'll be compromised further. I'd suggest rebooting while you're connected to the web - if the iexplore.exe processes respawn - then run the Current Ports test and then kill all the iexplore.exe processes/disconnect from the web.
Posted 17 July 2008 - 11:28 AM
You can see there are two instances of iexplore.exe in the list and they both point to google. Since the IE window I had open was not pointed to google, I don't think the instance in currports can be attributed to the IE window I had open. I think it must be one of the hidden iexplore.exe tasks in the task manager. Here is a screenshot of the task manager (bottom-right) at the time I ran the currports test: **Link removed to protect email addresses**
There are a couple of things worth mentioning regarding the screenshot. There are 7 iexplore tasks running (the highlighted one is the IE window I opened). The username for the IE window is my username. However, the username for the 6 hidden iexplore.exe tasks is SYSTEM. Also of note, while there are 7 iexplore.exe tasks in the task manager, there are only 2 in the currports output - and as I mentioned earlier, they both point to google. Could this be google updater or google toolbar or something? When I run the computer in safe mode, I do not have the hidden iexplore.exe problem, even if I run IE. So that makes me think that it is a process or service that is regularly trying to access the internet - specifically google.
Edited by usasma, 17 July 2008 - 11:59 AM.
Posted 17 July 2008 - 11:56 AM
Could you check the iexplore.exe processes with this free tool: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx
Right click on each one, select "Properties", and then select the Threads tab. See if there's anything in there that could be causing this, or could point to some sort of relationship between the processes.
It's possible that other programs could be using iexplore.exe - but without the evidence from Process Explorer we can't be sure.
Edited by usasma, 17 July 2008 - 11:59 AM.
Posted 17 July 2008 - 02:11 PM
Here is the text output for one of the hidden iexplore.exe processes:
Compare to screenshot of text output for IE window:
Here is a screenshot of the threads tab for the same hidden iexplore.exe process:
Compare to screenshot of threads tab for IE window:
From all that I can tell, the output and threads tab are the same for all of the hidden iexplore.exe processes (albeit different from the standard IE window). By the way, I had my computer checked earlier to see if it was infected, and they determined that I had a clean log, so it wasn't a malware issue:
Posted 17 July 2008 - 02:54 PM
Comparing the first 2 logs that you sent, the most glaring discrepancy is a BHO in the first log (the hidden IE process) and there's not one in the visible IE process - so we've got a clue here!
On my system, rpcexec.exe isn't running in any of my processes on my Vista system (although the service is started). I'd suggest that you verify that this rpcexec.exe is running from your C:\Windows\System32 sub-directory. If it's from anywhere else, it's likely to be malware. To do this, right click on the rpcexec.exe file, select Properties, then select the Image tab.
Just a thought, but in Process Explorer, can you right click on one of the hidden iexplore.exe processes, select Properties, then select the Image tab, then select "Bring to front". Does it bring up an IE window with any information in it?
I'd also suggest that you run this free tool (to list your startups) and post the results back in your next post: http://download.bleepingcomputer.com/Merijn/startuplist.zip
Posted 17 July 2008 - 08:41 PM
CMD.exe is listed in C:\Windows\TEMP\ under path and command line, but under C:\ in current directory
The visible iexplore.exe process:
path: C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
current directory: C:\Users\(username)\Desktop\
The hidden iexplore.exe process:
path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\tmp13238.htm
current directory: C:\
When I click bring to front on the hidden iexplore.exe process, it says "no visible windows found for this process"
Here is the text output of my startup list:
On a side note, I tried ending the tasks CMD.exe and rpcexec.exe and then the hidden iexplore tasks no longer continued to appear. I don't know if they are the root cause, but it does look like there is some connection with at least one of them.
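The checks usasma is applying to this Process Explorer output (image path versus the directory the binary belongs in, an executable running out of Temp, a browser handed a .htm file that lives under C:\Windows, and, from the earlier post, a user program owned by SYSTEM) can be written down as code. The block below is an added example, not a tool anyone in this thread used. Its records are constructed from the posted output; the PIDs, the owner of cmd.exe and the parent of the hidden iexplore.exe are assumptions made for illustration, not facts from the posts.

```python
"""Triage process records for the warning signs raised in this thread.

Added example, not a tool the posters used.  The records below are constructed
from the Process Explorer output posted above (image path, command line,
current directory); PIDs, the owner of cmd.exe and the parent of the hidden
iexplore.exe are assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    name: str
    path: str          # image path
    cmdline: str       # full command line
    cwd: str           # current directory
    user: str          # owning account
    parent: str = ""   # parent image name, if known


# Directory each binary is expected to be launched from.
EXPECTED_DIR = {
    "cmd.exe": r"C:\Windows\System32",
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}

# Interactive user programs that should not normally run as SYSTEM.
USER_ONLY = {"iexplore.exe"}

WINDIR = r"C:\Windows"


def _norm(p: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no trailing slash)."""
    return ntpath.normpath(p).lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage(rec: ProcRecord) -> list[str]:
    """Return human-readable findings for one process record (empty list = looks normal)."""
    findings = []
    name = rec.name.lower()
    path = _norm(rec.path)

    # 1. Image launched from somewhere other than its expected directory.
    expected = EXPECTED_DIR.get(name)
    if expected and ntpath.dirname(path) != _norm(expected):
        findings.append(f"image path {rec.path} is not under {expected}")

    # 2. Any executable running out of a Temp directory.
    if "\\temp\\" in path or "\\tmp\\" in path:
        findings.append("executable runs from a Temp directory")

    # 3. A browser handed a local HTML file that lives in the Windows directory.
    for arg in split_cmdline(rec.cmdline)[1:]:
        a = _norm(arg)
        if a.startswith(_norm(WINDIR) + "\\") and a.endswith((".htm", ".html")):
            findings.append(f"opens local page {arg} from the Windows directory")

    # 4. A user program owned by the SYSTEM account.
    if name in USER_ONLY and rec.user.upper() == "SYSTEM":
        findings.append("user program running as SYSTEM")

    # 5. A browser spawned by a command interpreter rather than by the desktop shell.
    if name in USER_ONLY and rec.parent.lower() == "cmd.exe":
        findings.append("spawned by cmd.exe")

    return findings


def triage_all(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Map each PID to its findings."""
    return {rec.pid: triage(rec) for rec in records}


# Sample records constructed from the thread.  PIDs, the cmd.exe owner and the
# parent of the hidden iexplore.exe are assumptions, not from the posts.
VISIBLE_IE = ProcRecord(
    pid=1001, name="iexplore.exe",
    path=r"C:\Program Files\Internet Explorer\iexplore.exe",
    cmdline=r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    cwd="C:\\Users\\(username)\\Desktop\\", user="(username)", parent="explorer.exe",
)
HIDDEN_IE = ProcRecord(
    pid=1002, name="iexplore.exe",
    path=r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    cmdline=r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\tmp13238.htm',
    cwd="C:\\", user="SYSTEM", parent="cmd.exe",   # parent assumed
)
TEMP_CMD = ProcRecord(
    pid=1003, name="cmd.exe",
    path=r"C:\Windows\TEMP\CMD.exe",
    cmdline=r"C:\Windows\TEMP\CMD.exe",
    cwd="C:\\", user="SYSTEM",                     # owner assumed
)
RECORDS = [VISIBLE_IE, HIDDEN_IE, TEMP_CMD]

if __name__ == "__main__":
    for pid, findings in triage_all(RECORDS).items():
        print(pid, findings or ["no findings"])
```

Run as-is, the visible IE window produces no findings, the hidden one is flagged for the .htm argument, the SYSTEM owner and the assumed cmd.exe parent, and the Temp copy of cmd.exe is flagged for both its location checks. Path comparison goes through `ntpath.normpath` plus lower-casing because Windows paths are case-insensitive, which is why IEXPLORE.EXE versus iexplore.exe is not treated as a signal on its own.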
Posted 18 July 2008 - 05:15 AM
cmd.exe should not be running from the Temp folder
I don't think that iexplore.exe should be running a temp file out of the Windows directory either
And that rpcexec.exe, although it appears legit, shouldn't be running either.
I'll take a look at the startup list later - I'm late for work right now.
EDIT: The reason for requesting help from the malware experts is that no legitimate program should run cmd.exe from a Temp folder when there's a perfectly good copy in the C:\Windows\System32 folder. This is, IMO, the behavior of malware. If possible, try submitting the cmd.exe in the Temp folder to http://virusscan.jotti.org to see what it has to say about that file.
Edited by usasma, 18 July 2008 - 06:40 AM.
Posted 18 July 2008 - 08:11 AM
Download FileFind.zip and unzip to your desktop.
- Double-click FindFile.exe
- In the box labeled "Enter the directory to search" enter the Drive: C:\
- In the box labeled "Enter the File to Search" enter wininit.exe to search for the file(s).
- Click "Find" to begin the search.
- When the search is done, it will list the total number of files found.
- Double-click on "Export"
- This will create and save a text file named export.txt in the root of your C:\ directory.
- Locate export.txt and copy/paste its contents in your next post.
Posted 18 July 2008 - 10:30 AM
Service load:
File: CMD.exe
Status: INFECTED/MALWARE
MD5: a6aab7b18d1bc6c77fbac4170576aa76
Packers detected: UPX
Scanner results
Scan taken on 18 Jul 2008 15:15:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Heur.W32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Agent.138 (paranoid heuristics) (probable variant)
rpcexec.exe came up clean in the virus scan.
Here are the 3 instances of wininit.exe:
C:\Windows\System32\wininit.exe - 96768 Bytes
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe - 95744 Bytes
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe - 96768 Bytes
I ran all 3 in the virus scan and all 3 instances of wininit.exe came up clean.
Edited by dadrivr, 18 July 2008 - 10:41 AM.