Topic: Help with iexplore in processes --possible trojan?--

TheNightWatchman
Help with iexplore in processes --possible trojan?--
« on: April 27, 2007, 12:45:41 am »
Alright, I have noticed lately IE popping up randomly with ads and figured something was up.
I've scanned with Spybot and deleted anything that came up, scanned with NOD32 but it was all fine. Looked up HijackThis and deleted anything I thought looked suspicious (although I'm not that much of an expert, so could have missed something), but nevertheless I get 2 iexplore.exe's in the processes running all the time. In my process manager I tried to delete it there (usually works when Task Manager doesn't), but it still comes up by itself, piggybacking off an exe I can't find. It's annoying because it's using up quite a bit of memory, and uses about 70% of the CPU for about 10 seconds when I kill its process.

I don't know if you've heard about any of this before, I tried searching around but couldn't find anything that helped.

If no one knows what it is I could post my HijackThis log and start from there?

Any help would be appreciated

NWM

texasboy (Guest)
Re: Help with iexplore in processes --possible trojan?--
« Reply #1 on: April 27, 2007, 06:17:14 am »
;D I'm not an expert, as you already know. But a few thoughts.
On your IE toolbar check for "manage plug-ins"; it will give you a list of all plug-ins associated with IE. Check if there are duplicates or suspicious ones you don't recognise.
There are a few older trojans that when they first run they copy themselves to IE.exe.  Troj/Proxy-ER and Troj/Domuz-A
You also might like to check http://www.castlecops.com/s13551-ie_exe.html.
From browsing through different sources it may not be a process manager problem and, as you said, may be somewhere in HijackThis.
Probably not much help. Hope you get it sorted
cheers

chip! (Administrator)
Re: Help with iexplore in processes --possible trojan?--
« Reply #2 on: April 27, 2007, 06:33:40 am »
yeah go ahead and post your HiJackThis report...

also:  http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

you can use Process Explorer to figure out the path of wherever that iexplore.exe is located, kill it, delete it, etc..
  -  https://convivea.com  -   And...  boom goes the dynamite.

Quantum
Re: Help with iexplore in processes --possible trojan?--
« Reply #3 on: April 27, 2007, 12:18:38 pm »
If it's piggybacking off some other exe or dll, or whatever, you should be able to do a detailed view and search with procexp:

http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

It's like a really advanced version of Task Manager, very useful; it should give you an insight, if all else fails, into what needs targeting and killing.
Daniel: "This tastes like chicken."
Carter: "So what's wrong with it?"
Daniel: "It's macaroni and cheese."

TheNightWatchman
Re: Help with iexplore in processes --possible trojan?--
« Reply #4 on: April 28, 2007, 01:51:40 am »
That program was actually what I was using... but it doesn't tell me anything because the piggyback program disappears (unless I missed something?)
Here are some screen shots:

Ok so it starts off like this


Then when I right click and end process it does:


Then switches to:


And then back to:


The other iexplore reloads as this name:


If I run IE (I usually use firefox) it runs under explorer.exe the same as for example Photoshop, but these do not.

Hopefully this sparks some ideas?  ???

EDIT:
Interestingly, I can end their process now -- I downloaded the latest version of Process Explorer (I was using v8.4 and the latest is 10.21) and it enables me to kill them at least. Still, I need to stop it from recurring.

EDIT2:
Ok, no, they came back :( It just seemed to delay the time for a bit.
« Last Edit: April 28, 2007, 02:05:56 am by TheNightWatchman »

Quantum
Re: Help with iexplore in processes --possible trojan?--
« Reply #5 on: April 29, 2007, 08:29:24 am »
It would be useful if you could find the location of the .exe and delete it. Or see if there are any related DLLs and research into them, or just plain kill them from your computer. I actually remember when self-regenerating spyware came onto the scene; I managed to manually get it off my computer after a week-long battle, and none of the spyware communities had caught up with it yet.

Not much more advice I can offer than that; just try and take a snapshot or something when it is there and work out anything it relates to or links to, and try the latest best spyware and virus scanners (Ad-Aware, Spybot, NOD etc..).

chip! (Administrator)
Re: Help with iexplore in processes --possible trojan?--
« Reply #6 on: April 29, 2007, 12:16:43 pm »
paste out your HijackThis log...

I'm pretty sure it'll be easy to spot what's forcing iexplore.exe to spawn threads..

TheNightWatchman
Re: Help with iexplore in processes --possible trojan?--
« Reply #7 on: April 29, 2007, 11:24:03 pm »
Ok. I've tried scanning with Spybot, etc. and nothing.
HijackThis gives out:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:21:13 p.m., on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Gizmo Project\mDNSResponder.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjb.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
D:\2 Kept Downloads\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveRemote] C:\DOCUME~1\BENCHE~1\APPLIC~1\INFOAC~1\hopeforkbeep.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ben Chesters\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - D:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Search (WSearch) - Unknown owner - C:\WINDOWS\system32\SearchIndexer.exe (file missing)

--
End of file - 9073 bytes

Ok, I see there is that "hopeforkbeep" one which it was going on about last time. I removed that in HijackThis before but I didn't delete the file (and it came back). I'll search for it now and see if that helps.
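The log above is what chip! asked for, and the tell is the O4 Run entry whose executable lives under a user's Application Data folder rather than a program directory, plus iexplore.exe listed twice with different path spellings. This is an added triage script, not anything from the thread or from HijackThis itself; it parses a constructed excerpt modelled on the posted log (the `SAMPLE_LOG` text, regexes and marker list are all my own assumptions) and returns the entries a defender would check first.

```python
import re

# Constructed excerpt modelled on the HijackThis v2 log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\ctfmon.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveRemote] C:\DOCUME~1\BENCHE~1\APPLIC~1\INFOAC~1\hopeforkbeep.exe
"""

# Path fragments that mark per-user profile or temp locations, in both the long
# form and the 8.3 short form that HijackThis prints (assumed list, extend as needed).
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data",
                   "applic~1", "local settings", "locals~1", "\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value (quoted or not, arguments dropped)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def suspicious_run_entries(log: str) -> list[tuple[str, str, str]]:
    """(hive, value name, exe path) for every O4 autostart whose binary sits in a user profile."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            if any(marker in path.lower() for marker in PROFILE_MARKERS):
                hits.append((m.group("hive"), m.group("name"), path))
    return hits


def running_process_variants(log: str) -> dict[str, set[str]]:
    """Image basenames under 'Running processes:' that appear with more than one path
    spelling (e.g. an 8.3 short path beside the normal long path); each one is worth
    checking in Process Explorer for its parent process and command line."""
    seen: dict[str, set[str]] = {}
    in_section = False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section and not line.strip():
            break
        if in_section:
            seen.setdefault(line.rsplit("\\", 1)[-1].lower(), set()).add(line.strip())
    return {name: paths for name, paths in seen.items() if len(paths) > 1}
```

On the constructed excerpt the first function returns only the `DriveRemote` entry pointing at hopeforkbeep.exe, and the second returns `iexplore.exe` with its two spellings; a path in Application Data plus a 8.3-style launch of a system binary is the same pattern a reviewer would look for in a full log.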

TheNightWatchman
Re: Help with iexplore in processes --possible trojan?--
« Reply #8 on: April 29, 2007, 11:28:35 pm »
lol ok, that solved the problem... ended up in Application Data and there was a random folder called "Info Acid" with 4 exes in it. Deleted the folder... ended the processes, it's all good.

I swear that wasn't in the HijackThis log the first time  ;)

Unless I post that they're all back, I should be good.

Thanks a lot

BTW: Hopefully there's not something in the HijackThis log that's "bad"... I assume the rest, other than the hopeforkbeep.exe, were fine?