
Thread: svchost.exe spawns iexplore.exe

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    4

    svchost.exe spawns iexplore.exe

    Hi All, First, thanks for the assistance on this issue. I'm all out of options, and the last and final step would be to reformat the drive.

    I have a problem where the system would call svchost.exe and it would kick off an iexplore.exe. This would start happening the minute I log into Windows XP Home. The iexplore.exe would just grind at 99%, and cause me not to be able to use the system. It would keep starting iexplore.exe processes. I had to disable iexplore.exe by renaming the entire folder.

    I had some other trojans that I recently removed, but apparently not clean enough. I removed windhcp.ocx, Lineage.

    When I go to msconfig I would see an entry on there that is 'checked' in startup. The startup item and command are both 'junk characters'. The location is
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:Load

    When I go to that location using regedit, the values look blank. But when I display binary data, there's actually something in there. I can overwrite that value. If I reboot in safe mode, my value sticks in there. But if I reboot in normal mode, something is re-populating that registry entry. I can see it in msconfig every time. I put an entry to load c:\hjt\hijackthis.exe in there, but if I load in normal mode, it will call my entry, then overwrite it with the trojan.

    My guess is that something is starting in normal mode that is not started in safe mode. But I can't figure out what that 'something' is.

    On top of all that, I removed my Norton Antivirus but can't install it again, so I can't re-scan. (although the first scan came up empty)
    Here are the programs that I've used to scan, and none reported anything:

    Spybot
    Norton Antivirus
    CA eTrust Antivirus Online
    F-Secure Online scanner.
    AVG Anti-Spyware
    Ad-Aware SE

    all of them using the latest definitions.

    I think I'm 99% of the way there, but that last 1% is what's killing the system.

    Here's my hijacklog:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:52 PM, on 12/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer2\iexplore.exe
    C:\WINDOWS\regedit.exe
    C:\HJT\scanner.exe

    F3 - REG:win.ini: load=c:\hjt\hijackthis.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aol.com/ap/Resources...s.10.4.0.3.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://magicsoftware.webex.com/clie...ex/ieatgpc.cab
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


    *************************
    Here's the startup list:

    StartupList report, 12/28/2006, 12:16:50 PM
    StartupList version: 1.52.2
    Started from : C:\HJT\scanner.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer2\iexplore.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
    C:\WINDOWS\regedit.exe
    C:\HJT\scanner.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=c:\hjt\hijackthis.exe
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    1-Click Maintenance.job
    E2F079C3ABBBF193.job
    FRU Task #Hewlett-Packard#hp psc 2170 series#1083718745.job
    ISP signup reminder 1.job
    Symantec NetDetect.job
    {3CF9F8D9-420F-4C21-96C8-B13BBA9E7A11}_DELL_4550_Jim.job
    {E1E55917-E2F4-49B5-A0DD-5D2B74416E71}_DELL_4550_Jim.job
    {F5114CCB-18A9-42C9-A470-B84F791188FE}_DELL_4550_Jim.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [AOL Pictures Uploader Class]
    InProcServer32 = C:\Program Files\AOL Pictures\10_4_0_3a\aolpUploader.dll
    CODEBASE = http://pictures.aol.com/ap/Resources...s.10.4.0.3.cab

    [WScanCtl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
    CODEBASE = http://www3.ca.com/securityadvisor/v...fo/webscan.cab

    [F-Secure Online Scanner 3.0]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
    CODEBASE = http://support.f-secure.com/ols/fscax.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
    CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://magicsoftware.webex.com/clie...ex/ieatgpc.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\WINDOWS\system32\VundoFix.exe||C:\DOCUME~1\Jim\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\Jim\LOCALS~1\Temp\aol5A.tmp


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,615 bytes
    Report generated in 0.031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    *****************************************
    Thanks so much for the assistance!

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi uimagine, Welcome.

    Remove Hijackthis from that load value
    You're not connecting to the internet while in safe mode with networking, are you?

    Do you have any items on the HijackThis ignore list? If so, remove them; we need to see all of it.

    Did windhcp.ocx stay deleted ?
    do you have this service ?
    http://vil.nai.com/vil/content/v_141038.htm
    WinDHCPsvc

    Since you have removed Norton Antivirus, I suggest you install a different AV and clean up after Norton.
    Install, update and do a full scan with (only one) of the free AVs mentioned here
    http://forums.spybot.info/showthread.php?t=279
    after that
    Symantec Removal: http://basconotw.mvps.org/SymRem.htm

    Post a new hijackthis log taken not while in safe mode and with no items in its ignore list (if there were any)
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Junior Member
    Join Date
    Dec 2006
    Posts
    4


    Hi Lonny,
    I was actually able to find the problem and fixed it. But in response to your comments:

    I actually removed windhcp.ocx successfully previously. I DID have a winDHCP service which I removed.

    I used all the virus scanners and was not able to find my problem.
    Trend Micro, F-Secure, I even used AVG after your reply, and still no luck.

    Eventually, I looked up all the locations that windows would possibly start applications, and found a registry entry at the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    It had the value:
    "twin"="C:\windows\system32\twunk32.exe"

    I deleted the registry value, and also deleted the twunk32.exe file.
    Rebooted, and problem solved.

    Just wanted to share with everybody on this board because this virus was NOT located with any of the anti-virus software, nor any of the adware/malware programs. My hijackthis log that was posted did not have anything in the ignorelist and it STILL did not find the culprit. The problem is that it puts entries in the startup list and then just uses svchost.exe programs and iexplorer.exe so it is almost impossible to detect.

    I was able to clean things up without reformatting, and I hope this helps somebody solve their issues in the future.
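The thread turns on two autostart locations: the HKCU Windows NT\CurrentVersion\Windows Load value in post #1 that looked blank in regedit but held binary data, and the Policies\Explorer\Run key in post #3 that HijackThis 1.99.1 did not list. The following read-only PowerShell script is an added example, not posted by anyone in the thread; it dumps the values at exactly those key paths with their registry type and raw bytes, so an entry that renders as blank or lives in the Policies key is still visible. It assumes it is run as an administrator so the HKLM keys are readable.

```powershell
# Added example (not from the thread): enumerate the autostart locations named in
# posts #1 and #3 and show each value's registry type, printable text and raw bytes.
# Read-only. Run as administrator so the HKLM keys can be read.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : key not present"
        continue
    }
    $key   = Get-Item -LiteralPath $path
    $names = $key.GetValueNames()
    # Under the Windows key only Load, Run and AppInit_DLLs start programs;
    # anything at all under Policies\Explorer\Run deserves a look.
    if ($path -like '*\Windows NT\CurrentVersion\Windows') {
        $names = $names | Where-Object { $_ -in 'Load', 'Run', 'AppInit_DLLs' }
    }
    if (-not $names) { Write-Output "$path : no autostart values"; continue }

    foreach ($name in $names) {
        $kind = $key.GetValueKind($name)
        # Do not expand %VARS%, we want the stored data, not what it resolves to.
        $data = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($data -is [byte[]]) {
            $bytes = $data                                   # REG_BINARY as stored
            $text  = [Text.Encoding]::Unicode.GetString($data)
        } else {
            $text  = ($data -join "`n")                      # REG_SZ / MULTI_SZ / DWORD
            $bytes = [Text.Encoding]::Unicode.GetBytes($text)
        }
        $hex       = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
        $printable = $text -replace '[^\x20-\x7e]', '?'
        # Non-empty data with no printable character is the "looks blank in regedit"
        # case from post #1 and is worth flagging.
        $flag = ''
        if ($bytes.Length -gt 0 -and ($printable -replace '\?', '').Trim().Length -eq 0) {
            $flag = '  <-- non-empty but displays blank'
        }
        Write-Output ('{0}\{1} [{2}] {3} bytes{4}' -f $path, $name, $kind, $bytes.Length, $flag)
        Write-Output ("  text : '{0}'" -f $printable)
        Write-Output ('  bytes: {0}' -f $hex)
    }
}
```

On a clean XP Home machine the Policies\Explorer\Run keys are normally absent and the Windows key shows no Load or Run value, so any line the script prints for those is the thing to investigate.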

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Do you still have the file ? perhaps in the recycle bin

    One of our experts is curious what these Task Scheduler jobs are
    {3CF9F8D9-420F-4C21-96C8-B13BBA9E7A11}_DELL_4550_Jim.job
    {E1E55917-E2F4-49B5-A0DD-5D2B74416E71}_DELL_4550_Jim.job
    {F5114CCB-18A9-42C9-A470-B84F791188FE}_DELL_4550_Jim.job

    Check please.
    Are you on XP Pro or Home?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Junior Member
    Join Date
    Dec 2006
    Posts
    4


    Sorry, but I no longer have the file. I deleted it from my recycle bin.

    Those 3 jobs you mentioned are probably PCAnywhere related. After I removed Norton Anti-Virus, the only other Symantec product I have is PCAnywhere.

    I'm actually on XP Home.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi
    Next time try sending it to your av vendor first.
    Are they visible in Scheduled Tasks? If so, see what they point to.
    You could delete the Norton job if it's still there.

    What av did you decide on ?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7
    Junior Member
    Join Date
    Dec 2006
    Posts
    4


    Lonny, good idea on sending it to the AV vendor. I was just so frustrated that I was just happy to be rid of it. Next time I'll copy it off somewhere.

    The 3 jobs you mentioned do not appear anywhere in scheduled tasks. I actually uninstalled PCAnywhere and it is no longer there.

    I ended up with AVG Free just because it is less intrusive. I may end up with Norton 2006 again, but have been quite disappointed that no virus scanner was able to pick up anything. Trend Micro was the only one that reported the winDHCP AFTER I had a clean Norton run.

    I'm sure that they all have good and bad points, so I'll stick to AVG for now.
    thanks for your attention!

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    So no current problems ?

    Think Prevention: Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    Repeat that process about once or twice a month.

    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    I neglected to ask you if you have renamed the Internet Explorer folder back?
    If you haven't yet, do rename it back to normal.

    Go Start > Run, copy/paste in
    "C:\WINDOWS\Offline Web Pages"
    press Enter, and tell us what you see there.
    Any offline web page present you did not set up?
    Another Start > Run command:
    attrib -h "c:\windows\tasks\*.job"
    Start > Run, type in
    c:\windows\tasks
    press Enter, what do you see there?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Do you have these two files in c:\ or the root of other drives
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
