Posted 04 September 2008 - 05:46 AM
I have a virus that has taken many forms as it evolved. It appears to be related to (or is) the iSecurity virus. In its current manifestation, it starts IE with the "Embedding" parameter via svchost.exe (RPC); then, if I don't start my network interface, it will kill explorer, restart it and then restart IE. I have found a few holes in the virus that allow me to browse via Task Manager, and I can also suspend IE using Process Explorer, which lets me use explorer.
I'd like to find out who is sending the RPCs that start IE and also who is killing explorer. It is being restarted by winlogon according to PE. Does that mean winlogon is infected? How else does winlogon know to restart explorer? The infected drive is removable and I have a second removable drive with a clean XP, hence I can boot either one and access the other as drive E:.
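The two questions in the post (who launched the "-Embedding" IE instance, and who recreated explorer.exe) are both parent-process questions, so a snapshot of PID/parent-PID/command line is the first thing to collect. Two background facts help read the result: on XP the svchost hosting RPCSS performs DCOM activation, so svchost being the parent of an iexplore.exe started with "-Embedding" only identifies the COM activator, not the client that requested it; and winlogon restarting the shell after it exits is normal XP behaviour, so winlogon as explorer's parent is not on its own evidence that winlogon is infected. The script below is an added example, not code from the original post or thread: it walks ancestry over a constructed snapshot in the shape of `wmic process get ProcessId,ParentProcessId,Name,CommandLine` output (all PIDs are invented), lists "-Embedding" launches with their launcher, and diffs two snapshots to find a respawned explorer.exe and its creator. It guards against the missing-parent and cycle cases that PID reuse produces in real captures.

```python
# Added example (not from the forum post): reconstruct process ancestry from a
# process snapshot to see who launched a "-Embedding" instance of iexplore.exe
# and which process respawned explorer.exe.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")

# Constructed sample snapshot with hypothetical PIDs, in the shape one gets from
# `wmic process get ProcessId,ParentProcessId,Name,CommandLine` on XP.
SNAPSHOT_BEFORE = [
    Proc(4, 0, "System", ""),
    Proc(620, 4, "smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(680, 620, "winlogon.exe", "winlogon.exe"),
    Proc(724, 680, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(900, 724, "svchost.exe", r"C:\WINDOWS\system32\svchost -k rpcss"),
    Proc(1500, 680, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    Proc(2100, 900, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
]

# Same (constructed) machine a little later: explorer.exe was killed and came
# back under a new PID, and a second -Embedding IE instance appeared.
SNAPSHOT_AFTER = [p for p in SNAPSHOT_BEFORE if p.pid != 1500] + [
    Proc(3020, 680, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    Proc(3104, 900, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
]


def by_pid(snapshot):
    """Index a snapshot by PID for O(1) parent lookups."""
    return {p.pid: p for p in snapshot}


def ancestry(pid, snapshot):
    """Walk parent links from pid to the root; returns [(pid, name), ...].

    Stops on a missing parent (the parent already exited, or its PID was
    reused) and on cycles, which PID reuse can otherwise produce.
    """
    index = by_pid(snapshot)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        proc = index[pid]
        chain.append((proc.pid, proc.name))
        pid = proc.ppid
    return chain


def embedding_launches(snapshot):
    """Processes started with the COM activation switch, with their launcher.

    Returns [(pid, name, launcher_name_or_None), ...]. The launcher is only
    the activator (on XP typically the RPCSS svchost), not the COM client.
    """
    index = by_pid(snapshot)
    hits = []
    for p in snapshot:
        if "-embedding" in p.cmdline.lower():
            parent = index.get(p.ppid)
            hits.append((p.pid, p.name, parent.name if parent else None))
    return hits


def respawned(before, after, name):
    """Instances of `name` present in `after` but not in `before`, paired
    with the name of the process that created them (None if unknown)."""
    old = {p.pid for p in before if p.name.lower() == name.lower()}
    index = by_pid(after)
    new = [p for p in after
           if p.name.lower() == name.lower() and p.pid not in old]
    return [(p.pid, index[p.ppid].name if p.ppid in index else None)
            for p in new]


if __name__ == "__main__":
    for pid, name, launcher in embedding_launches(SNAPSHOT_AFTER):
        print(f"{name} pid {pid} started with -Embedding by {launcher}")
        chain = " <- ".join(f"{n}({i})" for i, n in ancestry(pid, SNAPSHOT_AFTER))
        print("  ancestry:", chain)
    for pid, parent in respawned(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "explorer.exe"):
        print(f"explorer.exe respawned as pid {pid} by {parent}")
```

Because the activator hides the real COM client, the snapshot answers "who launched it" only up to svchost; attributing the activation request itself needs a live trace of the requesting process (for instance a user-mode process and registry monitor capturing the moment IE appears) rather than a static process list.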