BleepingComputer.com: Multiple Iexplore.exe Processes Running In Task Manager

I noticed recently when browsing through my system's task manager that multiple instances of iexplore.exe are running - even when I have not opened any internet explorer windows. Every 5-10 minutes, a new iexplore.exe instance appears in the task manager. Even if I end the process, more and more will show up - ad infinitum until my laptop overheats and auto shutsdown. I originally posted this in the hijackthis log forum section, but they determined that it was a hardware issue rather than a malware issue (http://www.bleepingcomputer.com/forums/topic153073.html), so they redirected me to this forum section. I hope someone is able to diagnose and fix the problem. Thanks in advance. I really appreciate your time and support.

shut down or delete IE and try firefox,,, see if this works.

i installed firefox, but i still have the problem. for one, i can't uninstall internet explorer. secondly, the ie tasks open up in the task manager just as the desktop loads (before i have run ie). third of all, the ie tasks do NOT open ie windows (if i hadn't checked the task manager, i wouldn't have known that the ie instance was running). lastly, i have tried to rename iexplore.exe so that it cannot be run, but vista will not allow it and I AM the administrator.

If you have multiple IE processes open, and no IE windows open - then you've most likely got an infection that's "phoning home". I'd suggest that you ensure that any sensitive data on the machine is protected. The easiest way to do this is to unplug the computer from the internet, then remove all your personal info.

BUT, this could also be a problem with a legitimate application trying to "phone home", but it's become corrupted and is affecting your system.

You can tell which it is with this free utility: http://nirsoft.net/utils/cports.html
Just run it and make note of which IP addresses that IE is trying to get to (the Remote Address column)
Then use an online Reverse DNS Lookup (one is here: http://remote.12dt.com/ ) to figure out who owns the IP address.
Post back with the information here and we'll have a look ourselves.

If it's an infection, I'd suggest a couple of these free online scans to start with:
(Be advised that some of these scanners will pickup things in "quarantine" from other anti-virus programs - so review the results carefully)

http://housecall.trendmicro.com
http://www.pandasecurity.com/homeusers/solutions/activescan/
http://www.kaspersky.com/virusscanner Scan Only - no removal
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://us.mcafee.com/root/mfs/default.asp
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

<links compiled on 02/14/2008>

here's the output from cport. which ip addresses should i run the reverse DNS lookup on?

https://webspace.utexas.edu/itp57/Share/cport%20report.html

You've got an awful lot of stuff accessing the web - but none of it appears to be related to Internet Explorer (iexplore.exe).
Were the iexplore.exe processes running when you made this report?

Unfortunately, this places you in a position of vulnerability. In order to run the tests, you've gotta connect to the web - but if you connect to the web, there's a chance that you'll be compromised further. I'd suggest rebooting while you're connected to the web - if the iexplore.exe processes respawn - then run the Current Ports test and then kill all the iexplore.exe processes/disconnect from the web.

i re-ran the currports test with firefox and IE open in addition to the hidden iexplore.exe tasks in the task manager. i had IE open to just the "tabs" page, so it should not have been accessing the internet. here is the output:
https://webspace.utexas.edu/itp57/Share/cur...s%20report.html

you can see there are two instances of iexplore.exe in the list and they both point to google. since the IE window i had open was not pointed to google, i don't think the instance in currports can be attributed to the IE window i had open. I think it must be one of the hidden iexplore.exe tasks in the task manager. Here is a screenshot of the task manager (bottom-right) at the time I ran the currports test: **Link removed to protect email addresses**

There are a couple things worth mentioning regarding the screenshot. There are 7 iexplore tasks running (the highlighted one is the IE window I opened). The username for the IE window is my username. However, the username for the 6 hidden iexplore.exe tasks is SYSTEM. Also of note, while there are 7 iexplore.exe tasks in the task manager, there are only 2 in the currports output - and as i mentioned earlier, they both point to google. Could this be google updater or google toolbar or something? When I run the computer in safemode, i do not have the hidden iexplore.exe problem, even if i run IE. So that makes me think that it is a process or service that is regularly trying to access the internet - specifically google.

It could be, but I'm very suspicious of it. BTW - I've deleted the link to the screen shot as it shows some email addresses. I saved a copy of the link if it's needed later on.

Could you check the iexplore.exe processes with this free tool: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx
Right click on each one, select "Properties", and then select the Threads tab. See if there's anything in there that could be causing this, or could point to some sort of relationship between the processes.

It's possible that other programs could be using iexplore.exe - but without the evidence from Process Explorer we can't be sure.

according to process explorer, when the IE window is open, the iexplore.exe process is located in the process tree: explorer.exe/iexplore.exe. As for the hidden iexplore.exe processes, they are located in the process tree: wininit.exe/services.exe/rpcexec.exe/CMD.exe/iexplore.exe.

here is the text output for one of the hidden iexplore.exe processes:
https://webspace.utexas.edu/itp57/Share/iexplore.exe.txt

compare to screenshot of text output for IE window:
https://webspace.utexas.edu/itp57/Share/IE%20window.txt

here is a screenshot of the threads tab for the same hidden iexplore.exe process:
https://webspace.utexas.edu/itp57/Share/processexplorer.jpg

compare to screenshot of threads tab for IE window:
https://webspace.utexas.edu/itp57/Share/IEwindow.jpg

from all that i can tell, the output and threads tab are the same for all of the hidden iexplore.exe processes (albeit different from the standard IE window). By the way, I had my computer checked earlier to see if it was infected, and they determined that i had a clean log, so it wasn't a malware issue:
http://www.bleepingcomputer.com/forums/topic153073.html

I wasn't able to see any problems with "nasties" in any of the stuff that you've submitted. Unfortunately, it doesn't say what's causing the extra iexplore.exe processes either.

Comparing the first 2 logs that you sent, the most glaring discrepancy is a BHO in the first log (the hidden IE process) and there's not one in the visible IE process) - so we've got a clue here!

On my system, rpcexec.exe isn't running in any of my processes on my Vista system (although the service is started). I'd suggest that you verify that this rpcexec.exe is running from your C:\Windows\System32 sub-directory. If it's from anywhere else, it's likely to be malware. To do this, right click on the rpcexec.exe file, select Properties, then select the Image tab.

Just a though, but in Process Explorer, can you right click on one of the hidden iexplore.exe processes, select Properties, then select the Image tab, then select "Bring to front". Does it bring up an IE window with any information in it?

I'd also suggest that you run this free tool (to list your startups) and post the results back in your next post: http://download.bleepingcomputer.com/Merijn/startuplist.zip

rpcexec.exe is running from the C:\Windows\System32\ directory.
CMD.exe is listed in the C:\Windows\TEMP\ under path and command line, but under C:\ in current directory
the visible iexplore.exe process:
path: C:\Program Files\Internet Explorer\iexplore.exe
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
current directory: C:\Users\(username)\Desktop\
the hidden iexplore.exe process:
path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\tmp13238.htm
current directory: C:\

when i click bring to front on the hidden iexplore.exe process, it says "no visible windows found for this process"


here is the text output of my startup list:
https://webspace.utexas.edu/itp57/Share/startuplist.txt

on a sidenote, i tried ending the tasks CMD.exe and rpcexec.exe and then the hidden iexplore tasks no longer continued to appear. i dont know if they are the root cause, but it does look like there is some connection with at least one of them.

I'm going to ask one of the malware experts to take a look at this.
cmd.exe should not be running from the Temp folder
I don't think that iexplore.exe should be running a temp file out of the Windows directory either
And that rpcexec.exe, although it appears legit, shouldn't be running either.

I'll take a look at the startup list later - I'm late for work right now.

EDIT: The reason for requesting help from the malware experts is that no legitimate program should run cmd.exe from a Temp folder when there's a perfectly good copy in the C:\Windows\System32 folder. This is, IMO, the behavior of malware. If possible, try submitting the cmd.exe in the Temp folder to http://virusscan.jotti.org to see what it has to say about that file.

Hello, dadrivr

Download FileFind.zip and unzip to your desktop.

• Double-click FindFile.exe
  
• In the box labeled "Enter the directory to search" enter the Drive: C:\
  
• In the box labeled "Enter the File to Search" wininit.exe to search for the file(s).
  
• Click "Find" to begin the search.
  
• When the search is done, it will list the total number of files found.
  
• Double-click on "Export"
  
• This will create and save a text file named export.txt in the root of your C:\ directory.
  
• Locate export.txt and copy/paste its contents in your next post.

Billy3

here are the results of the virus scan of CMD.exe:

Service load:	  
File: 	CMD.exe
Status: 	INFECTED/MALWARE
MD5: 	a6aab7b18d1bc6c77fbac4170576aa76
Packers detected: 	UPX

Scanner results
Scan taken on 18 Jul 2008 15:15:36 (GMT)

A-Squared 	 	Found nothing
AntiVir 	 	 	Found nothing
ArcaVir 	 	 	Found Heur.W32
Avast 	 	 	Found nothing
AVG Antivirus 	 	Found nothing
BitDefender 	 	Found nothing
ClamAV 	 	 	Found nothing
CPsecure 	 	 	Found nothing
Dr.Web 	 	 	Found nothing
F-Prot Antivirus 	 	Found nothing
F-Secure Anti-Virus 	Found nothing
Fortinet 	 	 	Found nothing
Ikarus 	 	 	Found nothing
Kaspersky Anti-Virus 	Found nothing
NOD32 	 	 	Found nothing
Norman Virus Control Found nothing
Panda Antivirus 	 	Found nothing
Sophos Antivirus 	Found nothing
VirusBuster 	 	Found nothing
VBA32 	 	 	Found Trojan-Downloader.Agent.138 (paranoid heuristics) (probable variant)

rpcexec.exe came up clean in the virus scan.

here are the 3 instances of wininit.exe:
C:\Windows\System32\wininit.exe - 96768 Bytes
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe - 95744 Bytes
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe - 96768 Bytes

i ran all 3 in the virus scan and all 3 instances of wininit.exe came up clean.

Check for a PM from me.....