ieexplorer.exe on startup and what is srvhost.exe?

Discussion in 'malware problems & news' started by pravbk, Aug 14, 2007.

Thread Status:
Not open for further replies.
  1. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    Anyone have an idea about this?
    I have iexplore.exe in my startup, and when I check the registry in
    hkey...currentversion/run there is a process called srvhost which starts iexplorer.exe on startup.
    Nothing has happened on my system except that I just downloaded the trial version of FirstDefense-ISR and installed it from the company's site.
    And Avira detected nothing on scanning. I don't know where it is starting from, but in Process Explorer it showed the system32 folder.
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi pravbk :)

    iexplore.exe = Internet explorer

    It can be started from this folder:
    C:\Program Files\Internet Explorer
    or
    by C:\WINDOWS\system32\svchost -k DcomLaunch
    (ex. when you're connecting to MS Update from the Control Panel)

    explorer.exe - the Windows Explorer: the GUI interface to access files and folders in Windows

    --------------------------------------------------------------------------

    In your system you have:

    iexplore.exe OR iexplorer.exe started from "hkey...currentversion/run" by "srvhost" !!!

    iexplorer.exe IS malware! srvhost IS malware! Just check with Google...

    Go there and apply the procedure:
    http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview

    :)
     
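The point Climenole makes above is that the legitimate names (iexplore.exe, svchost.exe) and the suspicious ones (iexplorer.exe, srvhost) differ by only a character or two, and that a real binary name can also be suspicious when it is launched from the wrong directory. As an added example (not part of this thread and not any poster's code), the Python script below reads the text form of `reg query` output for a Run key and flags exactly those two patterns: a name that is a near-miss of a known Windows binary, and a known binary name running from an unexpected folder. The allowlist of binaries and the sample registry lines are constructed assumptions for illustration; on a real machine you would feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent).

```python
import re
from typing import Dict, List, Optional, Tuple

# Illustrative allowlist (an assumption for this example, not exhaustive):
# legitimate Windows binary -> the directory it normally runs from.
KNOWN_BINARIES: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}

# Constructed sample, shaped like `reg query HKCU\...\Run` output, with two
# entries modelled on the ones described in the thread.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    srvhost       REG_SZ    C:\WINDOWS\system32\iexplorer.exe
    Updater       REG_SZ    "C:\Documents and Settings\user\Local Settings\svchost.exe" -k netsvcs
"""

# One value line of `reg query` output: <name> <type> <data>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs from `reg query` output."""
    return [(m.group(1), m.group(3))
            for m in (VALUE_RE.match(line) for line in text.splitlines()) if m]


def image_path(command: str) -> str:
    """Extract the executable path from an autorun command string.
    Quoted paths are honoured; an unquoted path is cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the known binary that `name` is a near-miss of, or None.
    A name that is itself a known binary is never reported as a lookalike."""
    name = name.lower()
    if not name.endswith(".exe"):
        name += ".exe"
    if name in KNOWN_BINARIES:
        return None
    for known in KNOWN_BINARIES:
        if edit_distance(name, known) <= 2:
            return known
    return None


def audit_run_entries(entries: List[Tuple[str, str]]) -> List[str]:
    """Flag Run-key entries that mimic system binaries by name or location."""
    findings = []
    for value_name, command in entries:
        path = image_path(command).replace("/", "\\")
        folder, _, base = path.rpartition("\\")
        base, folder = base.lower(), folder.lower()
        # 1. the executable name is one or two characters off a known binary
        mimic = lookalike_of(base)
        if mimic:
            findings.append(f"{value_name}: image '{base}' looks like '{mimic}'")
        # 2. the autorun value name itself is a near-miss (srvhost vs svchost)
        mimic = lookalike_of(value_name)
        if mimic:
            findings.append(f"{value_name}: value name looks like '{mimic}'")
        # 3. a genuine name, but launched from a directory it never lives in
        if base in KNOWN_BINARIES and folder and folder != KNOWN_BINARIES[base]:
            findings.append(
                f"{value_name}: '{base}' runs from '{folder}', expected '{KNOWN_BINARIES[base]}'")
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

Run against the constructed sample it reports three findings: the srvhost entry twice (image iexplorer.exe resembles iexplore.exe, and the value name resembles svchost.exe) and the Updater entry once (a real svchost.exe name running from a user profile folder). The distance threshold of 2 is deliberately tight; a wider one would start flagging unrelated short names, which is why a known name is excluded from the comparison before any distance is computed.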
  4. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    Thank you for the response and your suggestion. But I will submit it to VirusTotal and see which one will detect it, and I will submit the sample to the ones which don't detect it.
    After that I will start the cleanup procedure.
    Thanks.
     
  5. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    Wow, here we go,
    VirusTotal result....
    AhnLab-V3 -
    AntiVir 7.4.1.62 -
    Authentium -
    Avast 4.7.1029.0 -
    AVG 7.5.0.476 -
    BitDefender 7.2 Trojan.Downloader.Agent.BRS
    CAT-QuickHeal 9.00 -
    ClamAV 0.91 -
    DrWeb 4.33 -
    eSafe 7.0.15.0 -
    eTrust-Ve 31.1 -
    Ewido 4.0 Downloader.Agent.brs
    FileAdvisor 1 -
    Fortinet 2.91.0.0 W32/Agent.BRS!tr
    F-Prot 4.3.2.48 -
    F-Secure 6.70 -
    Ikarus T3.1.1.12 BehavesLikeWin32.ProcessHijack
    Kaspersky 4.0.2.24 -
    McAfee 5097 -
    Microsoft -
    NOD32v2 2460 -
    Norman 5.80.02 -
    Panda 9.0.0.4 -
    Prevx1 V2 -
    Rising 19.36.12.00 -
    Sophos 4.20.0 -
    Sunbelt 2.2.907.0 -
    Symantec 10 -
    TheHacker 6.1.8 -
    VBA32 3.12.2.2 -
    VirusBuster 4. -
    Webwasher-Gateway -

    "-" means nothing detected. Sorry, I can't upload an image.
    Interesting results.
    I will submit it to the AV vendors.
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi pravbk :)

    Why don't you start the cleanup now instead of submitting a sample?

    iexploreR.exe and sRvhost = malware. Be sure of this.

    Go ahead.

    :)
     
  7. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    Yes, I know, but I want others to be secure, because I don't have that much important stuff like account info etc. or any important work, but others may have. Moreover, I like to play a bit with malware.
    And does anyone have the correct email account for ESET, because last time they didn't respond to my submission?
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    How exactly do you 'play' with malware?

    Since you said that you don't know anything about this malware, I'd strongly suggest that you skip the 'playing' part and head straight for the cleaning process...

    Cheers.
     
  10. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    Don't worry about that, I figured it out. And I will submit it to the AV vendors and then I will start cleanup.
    If anything happens I have an image backup of the C drive made yesterday night.
    And I blocked it with Comodo v3 right now.
     
  11. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    OK, I just cleaned it up in just seconds.
     
  12. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    And here it is, Kaspersky's are always first to respond, their reply is

    Hello.
    Backdoor.Win32.Rbot.crz
    New malicious software was found in the attached file.
    Its detection will be included in the next update. Thank you for your help.
     
  13. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    What if it was present when you did that image? o_O
     
  14. pravbk

    pravbk Registered Member

    Joined:
    May 28, 2007
    Posts:
    54
    No, it was not there when I did that image. Today evening I got that when I saw the startup programs.
    Usually I clean up the registry with jv16 ptools and check whether everything is all right, then I start imaging.
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Cheers, pravbk :thumb:

    I'm glad you sorted that out ;)
     