svchost.exe spawns iexplore.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sordid, May 7, 2010.

  1. Sordid

    Sordid Private E-2

    Hi
I've recently noticed an instance of svchost.exe in my Process Explorer spawning an iexplore.exe running in the background with no window visible. The command line for it includes "scodef" and "credat" parameters with numbers, though these tend to vary. The executable is located in Program Files/Internet Explorer, not sure if that's even legit (don't use IE at all, know nothing about it). The process just sits there and rarely takes up any processing power at all. It usually closes after a while. Sometimes a new process is spawned immediately with different numbers in the parameters, sometimes it goes away completely, then reappears again sometime later. When it's there, I can also hear those little clicking noises IE's yellow security bar thingy makes when it pops up. It's as if something's browsing the net with my IE, which I find extremely suspicious. I'm using Opera to do my browsing, so as far as I can tell, it has no business running at all. Even more so given that the process had an "unknown account" listed in its permissions.

    I would be extremely grateful for any assistance you guys might provide, since I'm clearly out of my depth here. I've gone through the procedure and I'm attaching the various logs.
    I do have to confess, though, that I did try to remove the suspected malware before stumbling upon your forum and the guide, and may have made a bit of a mess of it. This consisted of running various anti-malware tools including ComboFix. The only result of which is that the phantom "unknown account" is now gone, but the process still occasionally pops up. Unfortunately, so is the log from that. I did run ComboFix again as part of the recommended procedure, but I imagine it did its thing on the first run, the log of which is gone.

    I hope that's not too much of a problem. I would really appreciate any help you might offer.
     

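Added triage helper, not from the thread or from the tools it mentions: a Windows PowerShell snippet that lists each running iexplore.exe with its parent process, owning account, executable path, Authenticode status and the SCODEF/CREDAT arguments, so the "svchost.exe spawns iexplore.exe" symptom above can be checked from a single listing. It assumes only built-in cmdlets (Get-CimInstance, Invoke-CimMethod, Get-AuthenticodeSignature) and the standard install path.

```powershell
# Triage listing for background iexplore.exe instances (added example, not from the thread).
# Expected location of the real browser binary (assumption: default 32-bit/64-bit install paths).
$knownDirs = @("$env:ProgramFiles\Internet Explorer", "${env:ProgramFiles(x86)}\Internet Explorer")

function Get-IexploreTriage {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        # Parent may already have exited; Win32_Process only keeps the numeric id.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }

        # Owning account: a service account such as NT AUTHORITY\NETWORK SERVICE shows up as
        # an "unknown account" in some tools; an empty User means the call was denied.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $user  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { "<unavailable>" }

        # Signature check on the image actually mapped into the process.
        $sigText = "<no path>"
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            $sigText = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
        $inKnownDir = $false
        foreach ($d in $knownDirs) {
            if ($p.ExecutablePath -and $p.ExecutablePath.StartsWith($d, 'OrdinalIgnoreCase')) { $inKnownDir = $true }
        }

        # IE 8 and later launch tab (content) processes from the frame process with
        # SCODEF:<frame pid> CREDAT:<n> arguments; keep just those tokens for readability.
        $tabArgs = ($p.CommandLine -split ' ' | Where-Object { $_ -match '^(SCODEF|CREDAT):' }) -join ' '

        [pscustomobject]@{
            PID        = $p.ProcessId
            Parent     = $parentText
            User       = $user
            Path       = $p.ExecutablePath
            KnownDir   = $inKnownDir
            Signature  = $sigText
            TabArgs    = $tabArgs
            Started    = $p.CreationDate
        }
    }
}

Get-IexploreTriage | Format-Table -AutoSize
```

A row whose Path is outside KnownDir, whose Signature is not Valid, or whose Parent is something other than iexplore.exe/explorer.exe/a service host is the one worth attaching to a thread like this; a Valid signature under the standard path with a service-account owner matches what TimW concluded here.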

  2. Sordid

    Sordid Private E-2

    Right, the rest of the logs.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. You may wish to clean out this folder:
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active

I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    I suggest that you post in the software forum for further assistance.

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work through the below link:
     
  4. Sordid

    Sordid Private E-2

    Well, I'm certainly glad it's not malware. I haven't had the problem for a while now, but since it pops up intermittently, I'm not sure if something I did fixed it or if it's just taking its time before it comes up again. If it does, I'll ask in the software forum as you suggested. Thank you very much for your assistance. :)
    And yes, I've cleared my desktop. I had frankly forgotten about half the stuff I had there.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing! :)
     
