Multiple instances of iexplore running in background




#1, 12th Jul 2008, 23:33 (New Member Group)

Hello everyone. Not too long ago I noticed there are two instances of iexplore.exe running even though I'm actually not running Internet Explorer. I've tried finishing the processes with no success.
I used both Ad-Aware and Spybot S&D and found anything.
Here's my HJT log for reference.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:16:53 AM, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program files\Archivos comunes\Network Associates\TalkBack\TBMon.exe
C:\Program files\Archivos comunes\InstallShield\UpdateService\issch.exe
C:\Program files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program files\Network Associates\Common Framework\FrameworkService.exe
C:\Program files\Network Associates\VirusScan\Mcshield.exe
C:\Program files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program files\Archivos comunes\Protexis\License Service\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program files\Internet Explorer\IEXPLORE.EXE
C:\Program files\Internet Explorer\IEXPLORE.EXE
C:\Program files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program files\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program files\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program files\Archivos comunes\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program files\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrintDisp] C:\WINDOWS\system32\PrintDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\\WNAVARRETE\EPSON Stylus C92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZL.EXE /FU "C:\DOCUME~1\IBM\CONFIG~1\Temp\E_S42.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HeckBuild] C:\DOCUME~1\IBM\DATOSD~1\JUMPTH~1\PARTMEETOKAY.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195420523625
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program files\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servicio de registro de McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Program files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program files\Archivos comunes\Protexis\License Service\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program files\Viewpoint\Common\ViewpointService.exe
#2, 13th Jul 2008, 01:35 (Moderator Group)

Welcome to CJ.

There are a few suspicious files we need to look at, but I'm not sure whether this is malware or not. Plus a few more things we can do now.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

More information: It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology
If you have trouble removing Viewpoint, I suggest that you use ViewpointKiller

Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop.
Run ViewpointKiller, and select File > Do All Killings
Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
A logfile will be created in the folder you unzipped ViewpointKiller to, please paste the contents here.

----------

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

First install the new Sun Java Runtime Environment

Remove the old version(s)
  • Go to add/remove programs and uninstall all old versions.
  • Be sure not to remove the new version that was just installed.
  • Download JavaRA and unzip the file to your Desktop.
  • Open JavaRA.exe and choose Remove Older Versions
  • Once complete exit JavaRA and delete the program.
  • Run CCleaner.
----------

Can you tell me what these are?

C:\WINDOWS\system32\PrintDisp.exe

C:\DOCUME~1\IBM\DATOSD~1\JUMPTH~1\PARTMEETOKAY.exe

If you don't know what they are then do the following.

Scan Suspicious File(s)

Visit Virustotal
(If more than one file needs to be scanned, they must be done separately and logs posted for each one)
  • Copy the file path in the below Code box:
Code:
C:\DOCUME~1\IBM\DATOSD~1\JUMPTH~1\PARTMEETOKAY.exe
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Important: Wait for all of the scanning engines to complete.
  • Copy and then Paste the link to the results in the next reply.
Do the same for this file (if you don't know what it is)

Code:
C:\WINDOWS\system32\PrintDisp.exe
----------

Next post add:
Links to VirusTotal file(s)
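The moderator's reply above is essentially a manual triage of the HijackThis log in post #1: duplicate IEXPLORE.EXE processes, a BHO whose DLL is gone, a Run entry launching from inside the user profile, proxy settings, and an unidentified Winsock LSP. The script below is an added example of automating that first pass; it is not part of the thread, not HijackThis code, and not a malware verdict. The sample log is a constructed excerpt in HijackThis format using lines from the posted log, and the "suspicious location" list and the single-instance executable set are assumptions chosen for this illustration.

```python
"""Heuristic first-pass triage of a HijackThis (HJT) log (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in HJT log format; entries are copied from the thread's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program files\Internet Explorer\IEXPLORE.EXE
C:\Program files\Internet Explorer\IEXPLORE.EXE
C:\Program files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program files\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PrintDisp] C:\WINDOWS\system32\PrintDisp.exe
O4 - HKCU\..\Run: [\\WNAVARRETE\EPSON Stylus C92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZL.EXE /FU "C:\DOCUME~1\IBM\CONFIG~1\Temp\E_S42.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HeckBuild] C:\DOCUME~1\IBM\DATOSD~1\JUMPTH~1\PARTMEETOKAY.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""


@dataclass(frozen=True)
class Finding:
    category: str  # short tag such as "O4-user-profile"
    reason: str    # why a helper would look at this entry
    line: str      # the raw log line (or process name) that triggered it


# Assumed list of launch locations that are user-writable and therefore odd for an
# autostart. DOCUME~1 / DATOSD~1 are 8.3 short names for "Documents and Settings"
# and "Datos de programa" (Spanish "Application Data"), as seen in the thread's log.
USER_PROFILE_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings|Users|DATOSD~1|Application Data|"
    r"Datos de programa|APPLIC~1|Local Settings|LOCALS~1|Temp)\\",
    re.IGNORECASE,
)

# Assumed set of programs that normally run once; several copies with no browser
# window open is the symptom reported in the thread. svchost.exe is deliberately
# not listed because multiple instances of it are normal on Windows.
SINGLE_INSTANCE_EXES = {"iexplore.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Executable path of an O4 entry: text after "] ", optionally quoted, up to the extension.
O4_PATH_RE = re.compile(
    r"\]\s+\"?(?P<path>[^\"]+?\.(?:exe|dll|com|scr|bat|cmd))\b", re.IGNORECASE
)


def parse_processes(log: str) -> list[str]:
    """Return the file paths listed under 'Running processes:' (up to the blank line)."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_entries(log: str) -> list[tuple[str, str, str]]:
    """Return (code, body, raw_line) for every R*/O* entry in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["code"], m["body"], line.strip()))
    return out


def triage(log: str) -> list[Finding]:
    """Apply the heuristics a helper applies by eye; returns entries worth a closer look."""
    findings: list[Finding] = []
    names = Counter(p.rsplit("\\", 1)[-1].lower() for p in parse_processes(log))
    for name, n in names.items():
        if name in SINGLE_INSTANCE_EXES and n > 1:
            findings.append(Finding("process-duplicate", f"{name} is running {n} times", name))
    for code, body, raw in parse_entries(log):
        if code == "O2" and body.endswith("(no file)"):
            findings.append(Finding("O2-missing-dll", "BHO registered but its DLL is missing", raw))
        elif code == "O4":
            m = O4_PATH_RE.search(body)
            if m and USER_PROFILE_RE.search(m["path"]):
                findings.append(Finding("O4-user-profile", "autostart launched from a user-writable folder", raw))
        elif code == "R1" and re.search(r",(ProxyServer|AutoConfigURL) =", body):
            findings.append(Finding("R1-proxy", "proxy/PAC setting routes browser traffic via another host", raw))
        elif code == "O10" and body.lower().startswith("unknown file"):
            findings.append(Finding("O10-unknown-lsp", "Winsock LSP that HJT could not identify", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Note what the path heuristic does and does not catch: PARTMEETOKAY.exe is flagged because it launches from the user's profile, while the Epson entry is left alone even though its arguments mention a Temp folder, since only the executable path is tested. PrintDisp.exe in system32 is not flagged by any location rule, which is exactly why the moderator asks for a VirusTotal result on it rather than deciding from the path.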

Copyright ©2006 - 2009 Computer Juice.