Re: Explorer restarting IE6 --> virus?? bug??

I will most certainly grab Autoruns, and hope that reveals something
I'm not seeing. I know the BHO's and all the Run\RunOnce\RunOnceEx
entries are empty, so anything else that can find something buried
even deeper would be great.



On Feb 9, 12:58 pm, nass <n...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Download the AutoRun and see the real running processes in the background:

Download this ShellExView and see the
running application in the background:

Do you have MS Messenger running? I will try to block or see the open ports
and block them on the firewall (not the fireworks this time <grin>) and see
if the behaviour will still persist.
P.S. Did you get the security updates from MS site?

"intrepid...@xxxxxxxxxxx" wrote:
Hi nass,

Thanks for trying to help.

Everything was cleaned out - cookies, cache, the whole schmear, etc.
Recall, too, that this was a clean install (within the last week) of
WinXP Pro, so there really wasn't much in history or TIF/cache/etc -
but what was there was cleaned out. I looked in the registry for
specific Explorer and Internet Explorer BHO's, and there was only one
for Adobe, and I was able to verify that it was legitimate. I had
already completely uninstalled the Google Toolbar.

No process is capturing a significant slice of CPU time, and all of
the processes listed in Task Manager mapped back to legitimate Windows
processes (verified with the help of Process Explorer and HiJack
This). The only blip of CPU that would appear was related to the
Explorer process, but once a new IE session would start, the Idle
process would go back to its normal 99%. I was able to confirm that
the instances are being fired by Explorer as described below.

I suspected that a virus had installed itself as a service, but was
able to eliminate that as a practical matter during a restart into
Safe mode. In the midst of all the "fireworks" of new IE instances
coming up, I went to the IEXPLORE.EXE process and took away all
execute privileges from Everyone, then enabled object auditing. That
then started hitting the event log with "Failure" notices for startup
attempts of IE being spawned from Explorer under the user account
under which I was logged in. That, combined with the fact that just
about every other service I could stop was, in fact, stopped, (and
those that weren't were SYSTEM processes which, in turn, were verified
to map back to legitimate versions of legitimate executables) led me
to conclude with a pretty high degree of confidence that the problem
was not some trojan service.

That's what now leads me to suspect something has insinuated itself
into the Explorer process, but I'm not exactly sure what. I've not been
able to find anything such as files or registry entries associated
with Explorer (HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
and the same branch under HKCU) that aren't legitimate.

The curious part about this is the variability of the new IE
instances. At its worst, new instances would pop up just as an
existing instance would be closed. At other times, if you were trying
to use an open instance, it would "refresh" itself back to the home
page as if the "Home" button had been pressed or programmatically
invoked. Other times, it would sit quietly, and a new instance of IE
would pop up only every several minutes. I've even looked to see if a
scheduled process is being secretly invoked, but none are present.
Part of me began to wonder if there was a keyboard hardware
malfunction (e.g. shorting/bouncing browser hotkey) that just happened
to manifest itself as IE instances popping up at varying intervals.

I appreciate the help. More ideas still welcome...


On Feb 9, 8:01 am, nass <n...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
"intrepid...@xxxxxxxxxxx" wrote:

I've been perusing a bizarre little laptop with a clean install of Win
XP Pro with SP2. Only apparent additional installs are the Google
Toolbar for IE and MS Office 2K3.

Problem is that, after a few minutes of uptime, Explorer will start
firing instances of Internet Explorer at seemingly random intervals;
sometimes as often as once every one or two seconds, then slow down,
then fire several more, etc, then go dormant for several minutes. I've
run the checks in safe mode and stopped all stoppable services, all to
no avail. All I've been able to conclude is that something is making
Explorer start IE over and over again, and I can't seem to find a
reason why.

My first thought was an outbound zombie-type virus, but there are no
outbound network connections showing up via netstat, and there is no
homepage hijack. AdAware comes away clean and HiJack shows nothing
suspicious; all entries in the Run\RunOnce registry entries are traced
back to legitimate executables. I performed a safe-mode scan with
Symantec's online scanner and Microsoft's online scanner, and neither
found anything. I'm on the order of stumped.

Any ideas?? Any chance I'm coming up with some really obscure, perhaps
new, virus or malware?? I'm grasping at straws at this point. I'd
appreciate any suggestions or theories.


1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Under General Tab clear your History, Internet Files and Cookies.
Click on the Programs tab and click on Manage Add-Ons and disable non-verified
add-ons (you can/must re-enable them later one-by-one and see the culprit and
disable it or remove it).
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box (it
will disable Google toolbar; do it for now please).
Then click OK to close the IE properties.

While the fireworks are going on, did you try to see which process is taking the
CPU usage by pressing ALT + DEL + CTRL?
Let us know.
nass