Topic: Multiple Internet Explorers open in Task Manager and none on desktop...

February 13, 2015, 03:43:21 pm

i.m.galicia

I run the scan tool multiple times and it always shows the same things. It closes down the IE in Task Manager, but as soon as I reboot they open again. It even pops up, as I shut down my computer, different IE pages that are non-existent on my desktop.


RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Steve [Administrator]
Mode : Delete -- Date : 02/13/2015  08:42:47

Processes : 12
[Proc.Injected] svchost.exe(2752) -- C:\Windows\system32\svchost.exe -> [NoKill]
[Proc.Svchost] svchost.exe(2752) -- C:\Windows\system32\svchost.exe[7] -> Killed [TermProc]
[Proc.Svchost] svchost.exe(3508) -- C:\Windows\SysWow64\svchost.exe[7] -> Killed [TermThr]
[Proc.Injected] dllhost.exe(3936) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3956) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3964) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3972) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3980) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3988) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3996) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(4004) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(4012) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]

Registry : 1
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13-comm.msn.com  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)

Tasks : 0

Files : 0

Hosts File : 1
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST500DM0 ST500DM002-1BD14 SCSI Disk Device +++++
--- User ---
[MBR] d13b2dbf00c1f14ebe87172b0fa5dfae
[BSP] b61111669b9fb7c397c245f49761b642 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19016 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39026688 | Size: 457880 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([18] The program issued a command but the command length is incorrect. )


============================================
RKreport_DEL_02132015_075549.log - RKreport_DEL_02132015_081523.log - RKreport_DEL_02132015_081803.log - RKreport_DEL_02132015_082155.log
RKreport_DEL_02132015_082959.log - RKreport_SCN_02132015_075341.log - RKreport_SCN_02132015_081431.log - RKreport_SCN_02132015_081714.log
RKreport_SCN_02132015_082029.log - RKreport_SCN_02132015_082825.log - RKreport_SCN_02132015_084218.log
« Last Edit: February 13, 2015, 04:32:15 pm by i.m.galicia »

Reply #1, February 13, 2015, 04:39:44 pm

Curson

Hi Steve,

Welcome to Adlice.com Forum.

The [Proc.Injected] detection could be triggered by two things:
  • A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
  • Your antivirus injecting your processes to protect you (in theory).

To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:

1. Process Dump
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named dllhost.exe, right-click and select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it to Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

Regards.

Reply #2, February 13, 2015, 07:40:26 pm

i.m.galicia

https://docs.google.com/file/d/0B1MHmge-AGN9NmduQ0tfUS1WWWM/edit

Is this correct? I've never done this before. Thank you in advance. Actually, looking further into it, there are 10 processes with that same name in the program.

Here's a link to the other process that contained the 10 processes of DLLhost.EXE
https://docs.google.com/file/d/0B1MHmge-AGN9a080T2IwUjZCWGc/edit
« Last Edit: February 13, 2015, 07:59:23 pm by i.m.galicia »

Reply #3, February 16, 2015, 02:33:50 pm

Curson

Hi Steve,

You need to set the right permissions to allow me to download the file.
Please refer to this page to do so.

Regards.