
Possible trojan or rootkit - iexplore.exe running in background, opens after End Process



#1 scthomps (Members, 12 posts)

Posted 27 March 2009 - 03:18 PM

Hello, I'm a first-time poster with a possible trojan or rootkit. This is in regard to a Dell Vostro laptop running Windows XP Home SP2. I have two accounts on this computer - one with Admin privileges, one with almost no privileges.

My problem is that iexplore.exe is running (seen in TaskManager/Processes), though no window is open. When I end the process, it starts right up again.

This process will pop up Internet Explorer errors (the kind that report to Microsoft) every few minutes or so when I'm logged in as the limited privileges account. I've also seen blue-screen errors like "irq less than equal" with this account. (Sorry for the lack of detail, it's been a few days since I've seen one, and I figured it was Dell's fault, not malware, so I didn't log it).

Upon startup of the machine, ZoneAlarm will stop a request from iexplore.exe to an IP address, e.g. 153.245.227.90:HTTPS. It seems to be a different IP each time I start up.

When I scan my C: drive (my only drive) with Norton Antivirus (updated March 27, 2009), it gets into C:/Documents and Settings.../<several folders that have to do with IE> and stops, even though it hasn't gone through most of my files. It usually finishes in about 3 minutes or 7000 - way too fast, and not even close to all my files.

Here's what I've done so far. I've scanned with Malwarebytes' Anti-Malware, SuperAntiSpyware, Spybot Search & Destroy, and fixed or removed everything they've asked. SuperAntiSpyware will tell me that certain files are corrupted so I should run chkdsk. I've run CCleaner, but only the "Cleaner" tab, not Registry. Before I knew it was for trained professionals, I ran ComboFix (sorry). Yet iexplore.exe lives. Gmer and HijackThis are installed and ready to go if someone can help me.

Thanks in advance.


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 27 March 2009 - 03:30 PM

Please post the results of your MBAM scan (and the malware it removed) for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 scthomps, Topic Starter (Members, 12 posts)

Posted 27 March 2009 - 03:42 PM

Thanks for the reply. Here is the log data.

Malwarebytes' Anti-Malware 1.35
Database version: 1906
Windows 5.1.2600 Service Pack 2

3/27/2009 1:37:23 PM
mbam-log-2009-03-27 (13-37-23).txt

Scan type: Quick Scan
Objects scanned: 70772
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 27 March 2009 - 08:56 PM

If you do a Google search for multiple instances of iexplore.exe running in Task Manager, you will find numerous complaints with various causes and possible solutions. This problem could be malware or non-malware related. There are worms like W32/Lovgate-AD that will cause the same problem you are experiencing. In addition to other files it drops iexplore.exe in C:\Windows\system32. One of the ways that malware tries to hide is to give itself the same name as a critical system file like iexplore.exe. However, it then places itself in a different location on your computer. The legitimate iexplore.exe is located in the C:\Program Files\Internet Explorer folder. Make sure of the spelling. If it is iexplor.exe or iexplorer.exe, then it's malware. Also check to make sure iexplore.exe is not loading at startup, or that too can be malware.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

If you cannot complete your anti-virus scan, try scanning in "Safe Mode".

Error Message: DRIVER_IRQL_NOT_LESS_OR_EQUAL
Error Message: IRQL_NOT_LESS_OR_EQUAL

Some rootkits can trigger BSODs, shutdowns and various stop error/shutdown messages so it would also be wise to perform a scan for this type of malware. If you are experiencing a lot of crashes and not finding anything in Event Viewer or from troubleshooting the error messages, then perform an anti-rootkit scan to at least investigate that as a possible cause. Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
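To make the checks in this reply repeatable (expected location, spelling of the process name, startup entries, and which process launched it), here is an added PowerShell script; it is not code from the thread or from any tool named in it, and it assumes PowerShell 3 or later with the CIM cmdlets and Internet Explorer installed in its default folder under Program Files.

```powershell
# Added example, not from the thread: triage every running process named iexplore.exe
# or a look-alike, using the checks described in the reply above.
# Assumptions: PowerShell 3+ (CIM cmdlets); IE lives under $env:ProgramFiles.
$expectedPath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

# Real name plus the misspellings the reply warns about (iexplor.exe, iexplorer.exe).
$lookalike = '^iexplor(e|er)?\.exe$'

$procs = Get-CimInstance Win32_Process | Where-Object { $_.Name -match $lookalike }
if (-not $procs) { Write-Output 'No iexplore-like process is running.' }

foreach ($p in $procs) {
    $findings = @()
    if ($p.Name -ne 'iexplore.exe') { $findings += 'name is a look-alike, not iexplore.exe' }
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) {
        $findings += "runs from $($p.ExecutablePath) instead of $expectedPath"
    }
    # The genuine binary carries a valid Authenticode signature; anything else needs a closer look.
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature $p.ExecutablePath
        if ($sig.Status -ne 'Valid') { $findings += "signature status: $($sig.Status)" }
    }
    # Which process started it? A browser with no visible window that keeps being
    # relaunched is explained by its parent, so record the parent's name and PID.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '(parent already exited)' }
    $mark = if ($findings) { '[!] ' } else { '[ok]' }
    Write-Output ('{0} PID {1} {2} (parent: {3}, PID {4})' -f $mark, $p.ProcessId, $p.Name, $parentName, $p.ParentProcessId)
    foreach ($f in $findings) { Write-Output "      - $f" }
}

# Run keys that launch iexplore.exe at logon are the startup check the reply asks for.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty $key
    foreach ($v in $values.PSObject.Properties) {
        # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
        if ($v.Name -notlike 'PS*' -and "$($v.Value)" -match 'iexplor') {
            Write-Output "[!] Startup entry $key\$($v.Name) = $($v.Value)"
        }
    }
}
```

Run it from an elevated prompt so Win32_Process returns ExecutablePath and CommandLine for processes owned by other accounts.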

#5 scthomps, Topic Starter (Members, 12 posts)

Posted 28 March 2009 - 08:52 PM

I've used Anvir and svchost viewer to better identify this behavior. Whenever I close iexplore.exe, Anvir shows this message:

iexplore.exe <PID> started by explorer.exe <computer name>\<account name>

By trial and error, I found that iexplore.exe will also open ctfmon.exe. I noticed a service running, Automated Updates, so I killed that since I don't have Automated Updates on. The next time I kill both ctfmon.exe then iexplore.exe, another service is started. This service will have a name like "Services: Windows Management Instrumentation" or "Services: Network Provisioning Service". In Anvir I get the message

svcthost.exe <PID> started by services.exe NT AUTHORITY\SYSTEM

by the file

C:\WINDOWS\system32\svchost.exe -k netsvcs

According to svchost viewer, underneath this new svchost process are the services

EventSystem
SENS
winmgmt

I did notice a registry entry for ctfmon.exe, according to Anvir. It says Registry: User\Run\ctfmon.exe. I don't know if that's relevant.

Whenever IE is started by this process, it tries to connect to a different IP address via SSL, according to my ZoneAlarm log.

Other things of note: Norton Antivirus stops running when it tries to access an index.dat file. According to the Windows Event Viewer, this is because it can't access the file. (There are a bunch of files Norton can't access.) This happens even in Safe Mode. When I run SuperAntiSpyware, it says that C: is corrupt, and that I should run chkdsk. I do this, and it ends with an error, though nothing is noted in the Event Viewer.

Does any of this sound familiar? What can I do next? And again, thanks for your help.

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 29 March 2009 - 07:04 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

How to determine what services are running under a Svchost.exe process

Ctfmon.exe is a file that installs with Windows when you configure the language options. Ctfmon is installed with Office applications which activates the "Alternative User Input Text Input Processor" and the "Language Bar". It is also installed with IE7's Language Tool Bar which forces the use of this file to start at boot whether you want it or not. This process monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. If you do not use these features, then Ctfmon.exe does not need to be running. However, if disabled in MSConfig or with a startup manager, Ctfmon.exe will re-appear on the next bootup. In order to prevent it from running, follow the steps provided in "What is ctfmon.exe And Why Is It Running?". Also see "How to turn off the speech recognition in Office".

When I run SuperAntiSpyware, it says that C: is corrupt

Check about that at the Support Forums.
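The reply above says the PIDs must be checked in real time to see which services each svchost.exe instance hosts. As an added example (not code from the thread or from any tool it names), the following PowerShell does that check and cross-references the result against the Svchost registry key the reply cites, flagging a hosted service that is not listed in its "-k" group or whose ServiceDll lives outside the Windows directory; it assumes PowerShell 3 or later with the CIM cmdlets.

```powershell
# Added example, not from the thread: map each running svchost.exe to the services it
# hosts and sanity-check them against the registry. Assumes PowerShell 3+ (CIM cmdlets).
$groupKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups   = Get-ItemProperty $groupKey      # one REG_MULTI_SZ value per group, e.g. netsvcs
$winDir   = $env:SystemRoot                 # legitimate service DLLs live under here

$hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
foreach ($h in $hosts) {
    # The group name follows "-k" on the command line, e.g. "svchost.exe -k netsvcs".
    $group = if ($h.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
    $expected = @()
    if ($groups.PSObject.Properties[$group]) { $expected = @($groups.$group) }
    Write-Output ('PID {0,-6} svchost.exe -k {1}' -f $h.ProcessId, $group)

    # Win32_Service carries the PID of the process currently hosting each service.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($h.ProcessId)"
    foreach ($s in $svcs) {
        $flags = @()
        if ($expected -notcontains $s.Name) { $flags += "not listed in group '$group'" }

        # ServiceDll is normally under <service>\Parameters; a few services keep it
        # directly under the service key, so check both locations.
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        $dll = $null
        foreach ($k in "$svcKey\Parameters", $svcKey) {
            $v = (Get-ItemProperty -Path $k -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
        }
        if ($dll) {
            if (-not $dll.StartsWith($winDir, 'OrdinalIgnoreCase')) { $flags += "ServiceDll outside $winDir" }
            if (-not (Test-Path $dll)) { $flags += 'ServiceDll file missing' }
        } else {
            $dll = '(no ServiceDll value)'
        }

        $mark = if ($flags) { '[!] ' } else { '    ' }
        Write-Output ('  {0} {1,-22} {2}  {3}' -f $mark, $s.Name, $dll, ($flags -join '; '))
    }
}
```

A service hosted by svchost.exe but absent from its registry group, or loading a DLL from a user's temp folder, is what a rootkit-style persistence would look like in this output, and is worth reporting in the HJT log thread rather than removing by hand.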

#7 scthomps, Topic Starter (Members, 12 posts)

Posted 29 March 2009 - 03:57 PM

Does svchost.exe cause explorer.exe to tell iexplore.exe to start, or when explorer.exe opens iexplore.exe does that cause svchost.exe to start. What I need to figure out is what's telling explorer.exe to open iexplore.exe. I looked at the processes running under the service that starts, and they seem to all be legit, from what I can tell after searching on the topic.

RE: running chkdsk - I ran chkdsk /r /f and on startup it entered an infinite loop while trying to write to a sector. That can't be good.

Still, whether the problem is the service or not, when I kill that hidden IE process, it starts back up and tries to connect to an IP address each time it's killed. Here is how ZoneAlarm logs it, which I will cut down into a list of IP's and paste below. I'm scanning with AVG and I've tried the anti-rootkits previously posted, but all I ever find are spyware cookies. I don't know what to do at this point.

ACCESS,2009/03/29,07:48:20 -6:00 GMT,Internet Explorer was blocked from connecting to the Internet (209.160.70.74:HTTPS).,N/A,N/A

#8 scthomps, Topic Starter (Members, 12 posts)

Posted 29 March 2009 - 05:19 PM

I have some more information that might be interesting. When clearing out my temp file to run the anti-rootkit scans, I tried killing that IE process again. It restarted and put a file in my temp folder called "niasuevlin.dat". A google search provided no results. I opened this with notepad and found these entries.

C:\WINDOWS\system32\niasuevlin.dll (file date of 12/28/2008)
C:\WINDOWS\system32\SHELL32.dll (file date of 7/3/2008)
C:\WINDOWS\system32\asdoorh.dll (this doesn't exist, but asdoorh.dat does)

(These aren't the only entries. There are entries such as
C:\DOCUME~1\NoPrivs\LOCALS~1\Temp\1DD853A1451FC50DFE215ED6D9E7CD6.dat)

C:\WINDOWS\system32\asdoorh.dat has a file date of 3/23/2009. Inside this file is this entry:

$C:\WINDOWS\system32\asucradllwin.dll

This dll doesn't exist but is a dat file as well. Inside that dat file is this entry.

+C:\DOCUME~1\NoPrivs\LOCALS~1\Temp\win32.dll

That file doesn't appear to exist either, but that seems kind of weird having a file with that name in a Temp directory for my other account.

Back to the beginning though - is it usual for iexplore.exe to open a dat file like that and for that dat file to refer to a bunch of DLL's?

Thanks.

#9 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 30 March 2009 - 08:33 AM

This issue will require further investigation. Before that can be done you will need to create and post a DDS/HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#10 scthomps, Topic Starter (Members, 12 posts)

Posted 30 March 2009 - 05:45 PM

I have posted my log here: http://www.bleepingcomputer.com/forums/t/215387/iexploreexe-opened-by-explorerexe-on-its-own/.

Thanks for your help on this. I saw in that forum that another user recently had a problem similar to mine, and it is a rootkit. Uh oh.

#11 Guest_The weatherman_* (Guest)

Posted 30 March 2009 - 05:52 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
