Malicious process keeps restarting... help with tracking it down
  • Malicious process keeps restarting... help with tracking it down

    Hello all,

    I've had a malware infestation on my XP Pro SP2 machine yesterday, which I've managed to clear almost completely. There is just one thing still bugging me, and it won't go away.

    There is an instance of IEXPLORE.EXE, which keeps popping up every 15-20 minutes if I kill it.
    By using Sysinternals' Process Explorer, I can see the command line of the process image. It looks something like this:

    Code:
     "C:\Program Files\Internet Explorer\Iexplore.exe" http://www.freehostportal.com/ac.php?aid=61&sid=v2test7
    The URL varies between each instance of the process, however. It has one of the following 3 hostnames - www.techsearchsite.com , www.edotfind.com , or www.freehostportal.com - and then an "ac.php" file with random parameters.
    For now, I've edited my "hosts" file, so these 3 host names lead back to localhost, but this is just to prevent any damage. I want to find out what causes this process to restart every time.

    I've searched the registry - no luck! Cannot find anything with these host names there, or "ac.php", or any sub-string of that command line. I've also searched my entire Windows folder for any files that contain this text - nothing there either. I cannot find anything suspicious in Services, or in the Event Viewer; I've even checked Scheduled Tasks... nothing that meets the eye.

    So... how do I find out what starts this process, so I can get rid of it for good?

    Any other tips?

    Thanks....
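    The question in the post above is what starts the process, and a string search cannot answer it: the URL differs on every launch, so it is probably built at runtime and the launcher need not contain it. The usual way to attribute a recurring process is to record its parent at creation time. The watcher below is an added example written for this thread, not code posted by anyone in it. It assumes PowerShell 2.0 or later (on XP that means SP3 and the Windows Management Framework Core package) run from an elevated prompt; the three host names and "ac.php" come from the post, while the regex, the subscription name 'AcPhpWatch' and the log path are this example's own choices.

```powershell
# Added example, not code from the thread: log the parent of every Iexplore.exe
# that is started with one of the ac.php URLs the original post describes.
# Assumed: PowerShell 2.0+, elevated prompt. The hostnames and "ac.php" are from
# the post; the pattern, subscription name and log path are this example's own.

$Pattern = '(techsearchsite\.com|edotfind\.com|freehostportal\.com)/ac\.php'
$LogPath = Join-Path $env:TEMP 'acphp-parents.log'

# Poll WMI once a second for newly created processes. Unlike watching Process
# Explorer by hand this keeps working across the 15-20 minutes between launches,
# and the event carries ParentProcessId even if the parent has already exited.
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

Register-WmiEvent -Query $Query -SourceIdentifier 'AcPhpWatch' `
    -MessageData @{ Pattern = $Pattern; LogPath = $LogPath } -Action {
    $p   = $Event.SourceEventArgs.NewEvent.TargetInstance
    $cfg = $Event.MessageData

    # PowerShell string comparison and -match are case-insensitive by default.
    if ($p.Name -ne 'iexplore.exe') { return }
    if (-not $p.CommandLine -or $p.CommandLine -notmatch $cfg.Pattern) { return }

    # Resolve the parent while it is (hopefully) still alive. A launcher that
    # exits inside the one-second poll window is recorded as <exited>, but its
    # PID is still logged and can be matched against a Process Monitor trace.
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if ($parent) {
        $who = "$($parent.Name) [$($parent.ExecutablePath)] $($parent.CommandLine)"
    } else {
        $who = '<exited>'
    }

    $stamp = Get-Date -Format s
    $line  = "$stamp child_pid=$($p.ProcessId) parent_pid=$($p.ParentProcessId) " +
             "parent=$who cmd=$($p.CommandLine)"
    Add-Content -Path $cfg.LogPath -Value $line
}

# Leave this console open while the watcher runs. Afterwards:
#   Get-Content $LogPath
#   Unregister-Event -SourceIdentifier 'AcPhpWatch'
```

    Read the log once the process has reappeared at least once. A parent such as explorer.exe or a svchost.exe points at a DLL loaded into (or code injected into) that process rather than a standalone executable; in that case inspect the parent's module list in Process Explorer and its autostart entries in Sysinternals Autoruns, which covers Winlogon, AppInit_DLLs, services and other load points that a plain registry string search for the URL will not surface.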

  • #2
    Re: Malicious process keeps restarting... help with tracking it down

    Run an antivirus and Spybot Search & Destroy.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Malicious process keeps restarting... help with tracking it down

      You can get one-on-one help from an MVP for removing the infestation by posting here:

      http://forum.emsisoft.com/Default.aspx?g=topics&f=38

      The guy is a member of the Alliance of Security Analysis Professionals and really knows his stuff.

      Some malware cannot be removed by regular AV/AS applications.

      You need to be patient with the forum. Sometimes it can take a while to load.
      A recent poll suggests that 6 out of 7 dwarfs are not happy



      • #4
        Re: Malicious process keeps restarting... help with tracking it down

        Who says it's malware and not adware/spyware for example?
        Start with the basics.


        • #5
          Re: Malicious process keeps restarting... help with tracking it down

          Blood - thank you for the link - I shall try that forum as well.

          Dumber - my antivirus (AVG) did manage to solve the problem almost completely, except for this recurring process that I mentioned... Spybot S&D could not find anything else; I just tried it again, same results.

          So perhaps the origins of this process can be tracked down manually, somehow, according to the info in my first post?



          • #6
            Re: Malicious process keeps restarting... help with tracking it down

            Try hijackthis.exe and post a log here.
            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: Malicious process keeps restarting... help with tracking it down

              My stepdad called a computer help agency, and had the problem solved. I hope you're reading this, Intersilver.
              What you're dealing with is a Rootkit.

               Find a RootKit Revealer, or perhaps a Process Explorer. Scan using the Revealer, it'll notice the rootkit. Delete it. It'll probably be named something like "tdssl.dll" inside of your system32 folder. Another would be tdssserv.sys.

              I hope this helps.
