TechSpot

Iexplore.exe multiple processes (keeps spawning)

By jsadighi
Jul 12, 2010
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    I didn't check these logs. FYI, if you use IE v8, multiple iexplore.exe processes are normal.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    One of the reasons why we tell users not to run Combofix unless their helper instructs them to is that they do not follow the guidance set up. The following is a script that will run in Combofix. It does not mean that you don't need to run the other programs.

    Please be sure to follow the following instructions to disable your security before running:
    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\Internet Logs\xDB2A.tmp
    c:\windows\Internet Logs\xDB2B.tmp
    c:\windows\Internet Logs\xDB29.tmp
    c:\windows\Internet Logs\xDB28.tmp
    c:\windows\Internet Logs\xDB27.tmp
    c:\program files\Viewpoint\Common\ViewpointService.exe
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    
    Firefox::
    Firefox-: Profile - c:\documents and settings\JD Sadighi\Application Data\Mozilla\Firefox\Profiles\k7ctfi3h.default\
    RegLock:
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_USERS\S-1-5-21-507921405-1682526488-839522115-1004\Software\G*e*n*i*e*"!\FM Genie Scout 10]
    [HKEY_USERS\S-1-5-21-507921405-1682526488-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell 
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\EBB2C2E551D91D14350DC3E3F0408953]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\0ECC3A43B9416605BEB3AE7E61B07718]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\B405A2EBBFCE91A4C13BDEA4B89DC260]
    [HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\D3D1B0FFCBEAEE83F78310A5B5826958]
    
    Folder::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Driver::
    Viewpoint Service
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    ========================================
    I note that you are using 3 file sharing programs: LimeWire, Gnutella and BitComet and that a 4th, BitTorrent, has just been uninstalled. And I notice that you have globally open ports for BitComet. That means that any account on the system can use BitComet at lower security settings. You can expect to get frequent, multiple malware infections from these programs. I recommend that you uninstall all 3 of them for these reasons:
    • Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    If you decide not to uninstall them, please do not use any of them while I am helping you.

    Include all logs in your next reply.
     
  3. jsadighi

    jsadighi TS Rookie Topic Starter

    I followed the instructions in the first post. I have AVG as my anti-virus, but that scan garnered no results.

    I downloaded and ran TFC, Malwarebytes' Anti Malware, GMER, and DDS.

    Malwarebytes' Anti Malware found one Malware on my system which I obviously removed promptly.

    For some reason my computer had to restart during the GMER scan because of a fatal error. However, when the computer rebooted back into Windows the iexplore.exe processes were no longer spawning.

    I think Malwarebytes' Anti Malware found the culprit and removed it. Anyway, I've attached the logs from the Anti Malware and DDS scans.

    Shall I proceed to use your instructions with ComboFix outlined in your second post? Moreover, the P2P filesharing and Torrent programs you spoke of were uninstalled long ago.

    View attachment mbam-log-2010-07-12 (11-34-36).txt

    View attachment DDS.txt

    View attachment Attach.txt
     
  4. jsadighi

    jsadighi TS Rookie Topic Starter

    My mistake. The iexplore.exe processes are spawning again!
     
  5. jsadighi

    jsadighi TS Rookie Topic Starter

    One other thing, I have a sinking suspicion that an svchost.exe process is the root of the problem. In my task manager, I have a total of 9 svchost.exe processes running at once. I know that multiple svchost.exe processes are normal; however, is it normal to have that many?

    I ran a windows search which returned the following results:

    C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
    C:\WINDOWS\system32\svchost
    C:\WINDOWS\erdent\cache\svchost
    C:\WINDOWS\ServicePackFiles\i386\svchost
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost
    C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I run 7-9 svchost.exe processes every day. My computer is clean. Understand that malware can hide in this process but multiple copies can be just fine also. Many of the Services in the Administrative Tools run a svchost.exe.

    "Moreover, the P2P filesharing and Torrent programs you spoke of were uninstalled long ago."
    If I see the programs, it means that entries have been left in your system. I noted these 3: LimeWire, Gnutella and BitComet currently running and BitTorrent just uninstalled.

    If you let me know which you want to have completely uninstalled, I can add the entries to the script I'm writing.

    Here is the definition of spawning (computer): To launch another program from the current program. The child program is spawned from the parent program. Please explain what you mean when you use this term.

    Yes, run Combofix.
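
Added example, not part of the original thread or of any poster's instructions: a PowerShell check that lists each running svchost.exe with its image path and the services it hosts, which is what separates a normal set of 7-9 instances from something merely using the name. It assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt; the column names and note texts are this example's own.

```powershell
# Added example (not from the thread): list every svchost.exe with its
# image path and hosted services. Assumes PowerShell 3.0+ and an elevated prompt.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index running services by the PID of the process that hosts them.
# Stopped services report ProcessId 0 and are skipped.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $_.Name
    }

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $key    = [int]$_.ProcessId
        # @() keeps this an array even when the PID hosts zero or one service.
        $hosted = @(if ($servicesByPid.ContainsKey($key)) { $servicesByPid[$key] })

        $notes = @()
        if (-not $_.ExecutablePath) {
            $notes += 'path unreadable (not elevated?)'
        } elseif ($_.ExecutablePath -ne $expected) {
            # -ne on strings is case-insensitive in PowerShell.
            $notes += 'image is not System32\svchost.exe'
        }
        if ($hosted.Count -eq 0) { $notes += 'hosts no services' }

        [pscustomobject]@{
            PID      = $key
            Path     = $_.ExecutablePath
            Services = $hosted -join ', '
            Notes    = $notes -join '; '
        }
    } |
    Sort-Object PID |
    Format-Table -AutoSize -Wrap
```

A row with a note is a starting point for a closer look, not a verdict; on 64-bit Windows a SysWOW64 copy of svchost.exe is also legitimate.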
     
  7. jsadighi

    jsadighi TS Rookie Topic Starter

    Shall I go ahead with the ComboFix script in your second post?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looks like we posted at the same time! My reply was meant for information only. And I also asked:
    Run the script you already have. Leave the log that generates. Tell me which P2P programs you want uninstalled and I'll include them in another script.

    After running the script in Combofix, do the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
     
Topic Status:
Not open for further replies.

