Aka Trojan-Downloader.Win32.Small.*
Wednesday 29 December 2004, by Dly
Version 1.0 - 29/12/2004
Many people have reported in newsgroups and on various forums a weird behaviour: multiple Iexplore.exe processes (Iexplore.exe is the Internet Explorer executable) running in the background. For some reason (especially when you are connected to the net), more and more Iexplore.exe processes keep launching in the background, with no open window corresponding to any of them.
Just type the words “multiple iexplore” into Google or the newsgroups and you will see how many people have, or have had, this problem.
For instance,
“Multiple Iexplore in Task Manager”,
“Is this a New Virus ? (Multiple iexplore runs)”,
“Multiple ’iexplore.exe’ processes start every hour...”,
“please help !(multiple iexplore)”,
“Multiple iexplore.exe(s) running”
This last post summarises quite well the kind of problem people meet:
"I’m having this exact problem with multiple iexplore.exe — maybe close to 100 running at the same time. I’ve tried all updated virus scans, adaware scan, spy sweeper, cwshredder and the suggestion given here about disabling 3rd party browser extensions. I’ve also looked around the hijackthis site but it’s too advanced for me. The Gateway Tech support people have tried to help but they appear to be clueless on this. Their last suggestion has been to reinstall my win2000 operating system. I dread the thought of having to do that. Any other suggestions?"
Since more and more of these processes are running, your CPU and memory resources are drained, decreasing your computer’s performance, and some people have even reported crashes.
After some hours of analysis, I found out that this problem is due to malware.
It seems that an unknown process launches multiple instances of iexplore.exe, which always try to connect to the same websites (csebooks.com, laughingsquid.net, nasa.gov, megagaming.com, etc.). Each process uses a different local port, the port number increasing over time.
I had an interesting comment saying it might be a trojan dedicated to launching a DDoS (Distributed Denial of Service) attack on multiple websites.
I could see this because by default I am not using Internet Explorer (I use Maxthon, a very powerful browser). Internet Explorer is so weak in terms of protection and is out of your control: it can be run by any program or script.
Anyway, I had to identify which program or process was launching all these iexplore instances. I found out that the iexplore.exe process was run at each startup of Windows, so it would definitely be recorded somewhere as a file run on startup.
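Before terminating anything, it is worth recording what the hidden instances are: how many there are, which process spawned each one, where each is connecting, and which DLLs the spawning process hosts from the Windows directory. The following PowerShell script is an added example, not part of the original post; it assumes an elevated prompt on a current Windows (Get-NetTCPConnection needs Windows 8 / Server 2012 or later) and only reports, it terminates and deletes nothing.

```powershell
# Added example (not from the original post): triage the hidden iexplore.exe
# instances before killing them. Run from an elevated PowerShell prompt.
# Nothing here terminates a process or deletes a file.

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'")
"{0} iexplore.exe instance(s) running" -f $procs.Count

foreach ($p in $procs) {
    # The parent is the process that called CreateProcess. A DLL registered under
    # ShellExecuteHooks runs inside whatever process called ShellExecute, usually
    # explorer.exe, so that is the parent you would expect to see here.
    # (If the parent has exited its PID may have been reused; treat with care.)
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { '{0} (PID {1})' -f $parent.Name, $parent.ProcessId } else { 'exited' }

    # Remote endpoints: the post reports every instance targeting the same small
    # set of sites from a different local port, which this column makes visible.
    $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Established' |
        ForEach-Object { '{0}:{1} (local port {2})' -f $_.RemoteAddress, $_.RemotePort, $_.LocalPort }

    [pscustomobject]@{
        Pid         = $p.ProcessId
        Parent      = $parentName
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine
        Remote      = ($remote -join ', ')
    }
}

# Which DLLs does explorer.exe host from the Windows directory itself (not from
# System32)? The hook DLLs described in the post lived directly in C:\WINDOWS.
$winDir = $env:SystemRoot
Get-Process explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules |
        Where-Object { $_.FileName -like '*.dll' -and (Split-Path $_.FileName -Parent) -ieq $winDir } |
        ForEach-Object { 'explorer.exe hosts {0} ({1} bytes)' -f $_.FileName, (Get-Item $_.FileName).Length }
}
```

Keep the output (redirect it to a file) before moving on to the Task Manager step: once the processes are killed, the parent and connection information is gone, and it is exactly what tells you where to look next.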
Looking at the programs which run at Windows startup (both in the Startup directory and in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), I didn’t find any that looked weird to me.
Thanks to “Autoruns”, a powerful tool from Sysinternals which proves to be a powerful ally when searching for malware, trojans and other viruses, I found out that since it was not an executable (.EXE) that seemed to start the process, it could be a .DLL file.
Bingo! I found in the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks two unknown .DLL files.
It seems that more and more trojans/viruses now use this registry key to hook themselves into the startup (which usually was not the case before).
After looking at the code of these files (which were similar), I found out that each file refers:
to the VB function “CreateProcessA”,
to the file “C:\Program Files\Internet Explorer\iexplore.exe”,
to a DLL file named “sysml.dll”.
That was it! This tiny little .DLL file was the source of all these problems.
I only found that this problem could be removed by a program called A-Squared (the freeware version should be fine).
The trojan is known as "Trojan-Downloader.Win32.Small.acp", "Trojan-Dropper.Win32.Small.nz" or other variants. There are probably multiple versions of it spreading across the Internet.
To be sure you are affected by this problem, check for the existence of a file named “sysml.dll”.
First step: to stop the iexplore.exe processes multiplying, open the Task Manager (press Ctrl+Alt+Del) and terminate all the iexplore.exe processes. That should stop them spreading.
Automatic fast solution
Download a-squared FREE, create an account on their website, then install and run their “a-squared free” program. It should be sufficient to remove the malware. Be sure to close all iexplore.exe processes before running the program.
This post leads me to this solution (in Dutch unfortunately): http://www.trojaner-board.de/archive/index.php/t-10831.html
If this solution does not work, note that other trojans have been reported as running multiple instances of iexplore, such as:
Backdoor CCT (more info at McAfee)
Manual solution
After the first step,
1 - Identify .DLL files which are around 9 KB in size, have a strange name and are located in the directory C:\WINDOWS. Mine were named "czqhqr.dll" and "slkrof.dll" (9 KB), but other people have reported different names.
If you look quickly at the code inside them, you will find a reference to Internet Explorer.
To help you identify these files, check with Autoruns the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks: one line refers to each .DLL.
2 - Delete these files.
3 - Delete from the registry (the ShellExecuteHooks key mentioned above) the lines referring to these .DLL files.
By the way, I had a comment saying that trojans now use this registry key to hook into the computer. Check this key regularly.
4 - Delete the file “sysml.dll”. It should be in C:\WINDOWS.
5 - I don’t know whether it is directly linked or not, but I found some strange .EXE files present in my HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. I removed them. Their filenames followed the pattern ???srv.exe (*srv.exe). Later on, I found that these files were trojans (which can be removed by AvGuard or A-Squared).
Mine were named ‘xelsrv.exe’ and ‘lcvsrv.exe’. Delete the *srv.exe files in C:\WINDOWS.
6 - Usually malware doesn’t come alone. I identified other files thanks to A-Squared, such as tmp9992.exe.
7 - For a full scan, use A-Squared Free.
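The two registry locations the manual steps revolve around (ShellExecuteHooks, where the hook DLLs were registered, and the Run key, where the *srv.exe files appeared) can be reviewed in one pass instead of by hand. The PowerShell script below is an added example, not part of the original post; it assumes an elevated prompt on a current Windows, resolves each ShellExecuteHooks CLSID to the DLL behind it, shows size, location and Authenticode status of every file the two keys point at, and flags the indicators the post gives (a small file sitting directly in the Windows directory, a *srv.exe name). It only reports; the deletion in steps 2 to 5 stays a manual decision.

```powershell
# Added example (not from the original post): review the two autostart locations
# the post names, ShellExecuteHooks and Run, and describe each file they point at.
# Run from an elevated prompt. It only reports; nothing is deleted.

$hooksKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$winDir   = $env:SystemRoot

# Size, location and Authenticode status of one file, plus the indicator the post
# gives: a small DLL/EXE sitting directly in C:\WINDOWS rather than in System32.
function Get-FileSummary([string]$path) {
    if (-not $path) { return '(no file path)' }
    $path = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
    if (-not (Test-Path -LiteralPath $path)) { return "$path (file missing)" }
    $f    = Get-Item -LiteralPath $path
    $sig  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    $note = if ($f.DirectoryName -ieq $winDir -and $f.Length -lt 16KB) {
        '  <-- small file directly in the Windows directory'
    } else { '' }
    '{0}  {1} bytes  signature={2}{3}' -f $f.FullName, $f.Length, $sig, $note
}

# Extract the executable from a Run value such as  "C:\Program Files\x\y.exe" /tray
function Get-CommandExe([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

# Each ShellExecuteHooks value name is a CLSID; the DLL it loads is that class's
# InprocServer32, and it is pulled into every process that calls ShellExecute.
if (Test-Path $hooksKey) {
    foreach ($clsid in ((Get-Item $hooksKey).GetValueNames() | Where-Object { $_ })) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        'ShellExecuteHook {0} -> {1}' -f $clsid, (Get-FileSummary $dll)
    }
} else {
    'ShellExecuteHooks key is absent: no hook DLLs registered'
}

# Run key: the post reports dropped executables named *srv.exe next to the hook DLLs.
$run = Get-Item $runKey
foreach ($name in $run.GetValueNames()) {
    $exe  = Get-CommandExe ([string]$run.GetValue($name))
    $flag = if ($exe -and ((Split-Path $exe -Leaf) -like '*srv.exe')) {
        '  <-- matches the *srv.exe pattern from the post'
    } else { '' }
    'Run "{0}" -> {1}{2}' -f $name, (Get-FileSummary $exe), $flag
}
```

A ShellExecuteHooks entry whose DLL is unsigned, a few kilobytes in size and located in the Windows directory is exactly the picture the post describes; a legitimate hook from installed software normally resolves to a signed DLL under Program Files or System32. Save the output, then remove the registry lines and files by hand as in steps 2 to 5 and run the script again to confirm the keys are clean.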
I hope that this page has helped you. If you have any questions, do not hesitate to contact me.