ieexplorer.exe on startup and what is srvhost.exe?

anyone have an idea about this?
i have iexplore.exe on my startup. and when i check the registry in
hkey...currentversion/run there is a process called srvhost which starts iexplorer.exe on startup.
there has been nothing happened on my system except i just downloaded trial version of firstdefense-isr and installed from the company's site.
and avira detected nothing on scanning. i dont know from where it is starting but in process explorer it showed system32 folder.

 

This appears to be a trojan. See this page for more details:
http://www.secureworks.com/research/threats/phatbot/
Manual remove instructions appear on the page.

 

Hi pravbk

iexplore.exe = Internet explorer

It can be started from this folder:
C:\Program Files\Internet Explorer
or
by C:\WINDOWS\system32\svchost -k DcomLaunch
(ex. when you're connecting to MS Update from the Control Panel)

explorer.exe - the Windows explorer: the GUI interface to access files and folder in Windows

--------------------------------------------------------------------------

In your system you have:

iexplore.exe OR iexplorer.exe started from "hkey...currentversion/run" by "srvhost" !!!

iexplorer.exe IS a malware ! srvhost IS a malware ! Just check with Google...

Go there and apply the procedure:
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview

 

thank you for response and ur suggestion. but i will submit it to virus total and see which one will detect and i will submit the sample to the one which doesnt detect.
after that i will start the cleanup procedure.
thanks.

 

wow here we go,
virus total result....
AhnLab-V3 -
AntiVir 7.4.1.62 -
Authentium -
Avast 4.7.1029.0 -
AVG 7.5.0.476 -
BitDefender 7.2 Trojan.Downloader.Agent.BRS
CAT-QuickHeal 9.00 -
ClamAV 0.91 -
DrWeb 4.33 -
eSafe 7.0.15.0 -
eTrust-Ve 31.1 -
Ewido 4.0 Downloader.Agent.brs
FileAdvisor 1 -
Fortinet 2.91.0.0 W32/Agent.BRS!tr
F-Prot 4.3.2.48 -
F-Secure 6.70 -
Ikarus T3.1.1.12 BehavesLikeWin32.ProcessHijack
Kaspersky4.0.2.24 -
McAfee 5097 -
Microsoft -
NOD32v2 2460 -
Norman 5.80.02 -
Panda 9.0.0.4 -
Prevx1 V2 -
Rising 19.36.12.00 -
Sophos 4.20.0 -
Sunbelt 2.2.907.0 -
Symantec 10 -
TheHacker 6.1.8 -
VBA32 3.12.2.2 -
VirusBuster 4. -
Webwasher-Gateway -

"-"means nothing detected. sorry i cant upload image.
interesting results
i will submit it to the av vendors.

 

Hi pravbk

Why don't start the cleanup now instead of submit a sample ?

iexploreR.exe and sRvhost = malwares. Be sure of this.

Go ahead.

 

yes i know but i want others to be secure cause i dont have that much important stuff like account info etc..or any important works but others may have.Morever i like to play a bit with malwares.
and anyone have correct email account of eset cause last time they didnt responded to my submission.

 

http://www.eset.com/threat-center/up/submit.htm

 

Hello.

How exactly do you 'play' with malware?

Since you said that you don't know anything abot this malware, I'd strongly suggest that you skip the 'playing' part and head straight for the cleaning process...

Cheers.

 

dont worry about that i figured it out. and i will submit it to the av vendors and then i will start cleanup.
if anything happens i have a image backup c drive made yesterday night.
and i blocked with comodo v3. right now.

 

ok i just cleaned it up in just a seconds.

 

And here it is, kasperskys are always first to respond, thier reply is

Hello.
Backdoor.Win32.Rbot.crz
New malicious software was found in the attached file.
It's detection will be included in the next update. Thank you for your
help.

 

What if it was present when you did that image

 

no it was not there when i did that image.today evening i got that when i saw startup programs.
usually i cleanup registry with jv16 ptools and check whether everything is alright then i start imaging.

 

Cheers, pravbk

I'm glad you sorted that out