Multiple Iexplore running in Taskbar SOLVED

Mav90

Hi guys! Just letting you know, as it might help some people who had the
"multiple iexplore" problem.

I got the same problem and after some hours of analysis, I found out
it is malware.

Problem:
An unknown process was launching multiple iexplore instances (in the
background), always trying to connect to the same websites (csebooks.com,
laughingsquid.net, nasa.gov, megagaming.com, etc.).
I could see this because I am using another explorer such as Maxthon
and block every connection with iexplore.exe.
After some time, dozens of iexplore were running. So to cut off the
process, I deleted every iexplore instance in the Task Manager. But
once you run iexplore again, the problem comes back.

Solution:
You can actually detect it using a-squared.
The trojan is named something like: "Trojan-Downloader.Win32.Small.acp"
or "Trojan-Dropper.Win32.Small.nz".

They are run through some .dll files (with a weird name) usually
located in c:\windows.
Mine were named "czqhqr.dll" and "slkrof.dll" (9 kb) but some others
report different names.
When you look into the file, you see that the program somehow
generates some processes calling iexplore.exe.

Delete these .dll files and check your registry for:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
They are launched by some lines which refer to these DLL files. I
used Autoruns from Sysinternals.com to see it.

Also I have found some strange .exe files that I have removed from
C:\windows and that were present in my registry in:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Check for filenames such as ???srv.exe: mine were xelsrv.exe and
lcvsrv.exe.
I removed them.
There might also be other malware; I found a file named tmp9992.exe.

If you want any details, contact me : http://dly.free.fr
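
The two registry checks from the post above, as an added read-only PowerShell example (not part of the original thread). It resolves each ShellExecuteHooks CLSID to its DLL through the standard COM registration under HKCR\CLSID and lists the HKLM Run commands, with file size, version-info company and Authenticode status for each target. The function name Get-FileTriage and the output columns are illustrative choices, not anything the poster used.

```powershell
# Added example: audits the two autostart locations named in the post.
# Read-only: nothing is deleted or modified.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper: describe the file an autostart entry points at.
function Get-FileTriage([string]$Location, [string]$Entry, [string]$Path) {
    $expanded = [Environment]::ExpandEnvironmentVariables("$Path")
    $size = $null; $company = $null; $sig = 'FileMissing'
    if ($expanded -and (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        $file    = Get-Item -LiteralPath $expanded -Force
        $size    = $file.Length
        $company = $file.VersionInfo.CompanyName
        $sig     = [string](Get-AuthenticodeSignature -FilePath $file.FullName).Status
    }
    [pscustomobject]@{
        Location = $Location; Entry = $Entry; Path = $expanded
        SizeBytes = $size; Company = $company; Signature = $sig
    }
}

$results = @()
if (Test-Path -LiteralPath $hooksKey) {
    # Each value NAME under ShellExecuteHooks is a COM CLSID; the DLL it loads
    # is the default value of HKCR\CLSID\<clsid>\InprocServer32.
    foreach ($clsid in (Get-Item -LiteralPath $hooksKey).GetValueNames()) {
        if (-not $clsid) { continue }   # skip the key's unnamed default value
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        $results += Get-FileTriage 'ShellExecuteHooks' $clsid $dll
    }
}
if (Test-Path -LiteralPath $runKey) {
    $key = Get-Item -LiteralPath $runKey
    foreach ($name in $key.GetValueNames()) {
        # Run values are command lines: take the quoted path, else text up to ".exe".
        $cmd = [string]$key.GetValue($name)
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
        else { $exe = $cmd }
        $results += Get-FileTriage 'Run' $name $exe
    }
}
# Unsigned or missing targets with no company name are the ones to look at first.
$results | Sort-Object Signature, Location | Format-Table -AutoSize -Wrap
```

A Run entry that names a bare file without a directory is reported as FileMissing, because the example does not search the PATH for it.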
 
Ramesh [MVP]

Yes, some trojans started using the ShellExecuteHooks.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org

