Network World
Malware hunting

By Mark Gibbs, Network World, 12/17/2008

OK, about now my editor is going to be wondering where on earth this column is. It should have been in his hot, sweaty hands hours ago, but as I was beginning to write about a couple of searching tools my Windows XP SP2 machine started acting up. Again.

You might remember a few months ago the problems I had with deferred procedure calls. These recently returned in a minor and transitory way that may be related to my current annoyance, which is that Microsoft's Internet Explorer 7 is acting weird.

Here's what IE is doing: After the system has been idle for some random time, IE 7 is launched, but without a window. It appears to be loading some Flash content (I can hear looped music and Japanese or Chinese speech) and running a script. The reason I know there's a script involved is that it eventually drives utilization to 100% and then, after some time, I get the script-running-slowly-do-you-want-to-kill-it warning.

According to Process Explorer, IE is being launched by the svchost process (described by Microsoft as "a generic host process name for services that run from dynamic-link libraries"). What I found after messing around for some time is that it is next to impossible to determine how the svchost launch is being triggered and what IE is actually doing.

What IE appears to be doing is opening HTTP connections to servers identified only by their IP addresses. Googling one of these servers, 60.28.250.102 (which resolves to what appears to be a proxy server), produces only two hits and the pages appear to be in Hungarian (which I don't speak).

The other address, 61.152.242.218, resolves to a Chinese Web server, smarttrade.cn, which, on a cursory search, doesn't appear to be used by the bad guys. Google only produces four hits for the IP address, which are all in the public cache contents listings of three university HTTP cache servers.

I tried using Process Monitor to see what was going on. Process Monitor is another free tool from the Microsoft Sysinternals stable, but it produces so much data that it's like looking for a needle in a haystack.

What I found is that I appear to have a number of files lying around in the windows/system32 subdirectory that look like bits of various malware (files such as 0wiintemp.exe and 1wiintemp.exe), but much to my surprise, Lavasoft's Ad-Aware doesn't seem to care about them.
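The needle-in-a-haystack problem above is usually solved by exporting the Process Monitor capture to CSV and filtering it for the three things the column actually cares about: which process created the invisible iexplore.exe, which bare-IP servers that child connected to, and which system32 files with dropper-style names were touched. The script below is an added illustration, not code from the column or from Sysinternals. It assumes Procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the "PID: n, Command line: ..." Detail text Procmon writes for Process Create events. The sample CSV is constructed; the two remote IP addresses and the 0wiintemp.exe/1wiintemp.exe names are the ones reported in the column, while the PIDs, timestamps and remaining rows are made up.

```python
"""Filter a Process Monitor CSV export down to the events that matter when an
invisible iexplore.exe is being spawned from svchost.exe (added example)."""
import csv
import io
import ipaddress
import json
import re

# Constructed sample in Procmon's CSV export layout (assumption: the default
# columns Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# The remote IPs and *wiintemp.exe names come from the column; PIDs,
# timestamps and the other rows are made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:02:11.1000000 PM","svchost.exe","1044","Process Create","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","PID: 3120, Command line: ""C:\Program Files\Internet Explorer\iexplore.exe"" -Embedding"
"3:02:11.2000000 PM","iexplore.exe","3120","CreateFile","C:\WINDOWS\system32\0wiintemp.exe","SUCCESS","Desired Access: Generic Read"
"3:02:11.3000000 PM","iexplore.exe","3120","TCP Connect","host.example:1523 -> 60.28.250.102:80","SUCCESS","Length: 0"
"3:02:12.0000000 PM","explorer.exe","1588","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Type: REG_SZ"
"3:02:12.5000000 PM","svchost.exe","1044","RegOpenKey","HKLM\System\CurrentControlSet\Services","SUCCESS",""
"3:02:13.0000000 PM","iexplore.exe","3120","TCP Connect","host.example:1524 -> 61.152.242.218:80","SUCCESS","Length: 0"
"3:02:14.0000000 PM","services.exe","680","CreateFile","C:\WINDOWS\system32\1wiintemp.exe","SUCCESS","Desired Access: Generic Write"
'''

# Procmon's Detail text for a Process Create event (assumed format).
DETAIL_RE = re.compile(r"PID: (\d+), Command line: (.*)")
# Name pattern generalised from the two files the column names.
DROPPER_NAME_RE = re.compile(r"^\d+wiintemp\.exe$", re.IGNORECASE)


def parse_procmon(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def process_creations(rows, parent_name=None):
    """Return (parent, parent_pid, child_image, child_pid, command_line) for every
    Process Create event, optionally restricted to one parent process name."""
    found = []
    for r in rows:
        if r["Operation"] != "Process Create":
            continue
        if parent_name and r["Process Name"].lower() != parent_name.lower():
            continue
        m = DETAIL_RE.match(r["Detail"])
        child_pid, cmdline = (int(m.group(1)), m.group(2)) if m else (None, r["Detail"])
        found.append((r["Process Name"], int(r["PID"]), r["Path"], child_pid, cmdline))
    return found


def raw_ip_connections(rows, pid):
    """Return (host, port) for TCP Connect events of one PID whose destination is
    a bare IP address rather than a resolved name (Procmon's Path is 'src -> dst')."""
    endpoints = []
    for r in rows:
        if r["Operation"] != "TCP Connect" or int(r["PID"]) != pid:
            continue
        _, _, dst = r["Path"].partition(" -> ")
        host, _, port = dst.rpartition(":")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # destination resolved to a name; not what the column describes
        endpoints.append((host, int(port)))
    return endpoints


def suspicious_system32_files(rows):
    """Return (process, path) for any operation on a system32 file whose name
    matches the dropper-style pattern, de-duplicated and sorted."""
    hits = set()
    for r in rows:
        path = r["Path"]
        if "\\system32\\" not in path.lower():
            continue
        if DROPPER_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            hits.add((r["Process Name"], path))
    return sorted(hits)


def triage(text, parent="svchost.exe"):
    """Tie the three views together: each child the parent launched, the bare-IP
    servers that child talked to, and the suspicious system32 files seen."""
    rows = parse_procmon(text)
    report = {"launches": [], "files": suspicious_system32_files(rows)}
    for parent_name, ppid, image, cpid, cmd in process_creations(rows, parent):
        report["launches"].append({
            "parent": f"{parent_name}:{ppid}",
            "image": image,
            "pid": cpid,
            "cmdline": cmd,
            "raw_ip_connections": raw_ip_connections(rows, cpid) if cpid else [],
        })
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CSV), indent=2))
```

Run against a real export (`python triage.py` after replacing `SAMPLE_CSV` with the file contents) it reduces tens of thousands of rows to one launch record per svchost child plus a short list of files; the parent PID it reports is the one to look up under the service host's own service list to find which service is doing the launching.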

Comments (5)

IE problems
By Leroy on December 17, 2008, 7:21 pm
Mine is doing the same thing. If I leave the desktop open for a time, I get audio playing from somewhere. It sounds like an ad. But nothing is open. Task Manager...


You got trojans or viruses
By Eike on December 17, 2008, 11:15 pm
Hi; What you describe is some of what I see every day on customers' computers. Delete the files you named, they are stuff you don't want. If they resist deletion...


Download anti malware bytes and hijack this.
By Anonymous on December 18, 2008, 6:06 am
Download anti malware bytes and hijack this.


What anon said
By Anonymous on December 18, 2008, 2:32 pm
Yep - two best tools - HiJack This for finding the offending perp, and antimalware bytes for removing it. No better combination of tools, but not for the faint of...


Malware / Virus / Worm
By Anonymous on January 12, 2009, 4:56 pm
That date (Nov. 23) coincides with a major worm infection on our Windows servers. Not sure if it is related to your problem. See ... http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
