 IE automatically launches instances in the background

After rebooting my PC, when I first start IE 6.0 it automatically launches 6 instances in the background. They are visible in the task manager but are not visible otherwise on the screen. 4 of these die out in a minute or so and the remaining 2 instances continue to exist. (Of these six, one of them is the IE window that is finally visible.)

On close monitoring I realised that one of the background processes opens a connection to an IP (221.231.XX.XX) and sends a request like

GET /thecon/checkin.php?m=0&CLIENTID=1040353&AFF_ID=10001&FIREWALLS=52312 HTTP/1.1

User-Agent: Microsoft Windows XP

Why is this connection getting created? What is the problem?

Thanks

Started By aarora on Aug 15, 2006 at 9:12:45 PM

MHenke on Aug 16, 2006 at 2:22:45 AM (# 1)

Apparently the problem is that your PC is doing things that deprive you of your control of it.

Commonly named as hijacking. Check it.


badog on Aug 27, 2006 at 11:37:00 AM (# 2)
This message has been edited.

I'm having the same issue. I've run all the adware removal programs (Ad-Aware, Spybot, HijackThis, CWShredder, bugoff, Look2Me-Destroyer etc.) and have run various anti-virus programs: Sophos, NOD32; I even installed Microsoft's Defender. Everything comes back as normal. None of them find anything and yet it still happens.

The iexplore.exe process runs and creates 2 files in the temp directory:

t1156460055.dll and t1156460055.exe (If the files are not removed it will increment the numbers, if I create bogus files with the same names it will generate a different number)

The exe is a zero byte file but the dll has this in it (along with a bunch of code):

221.231.140.49  222.38.148.30   FDASFASF.COM    fdasff.com  fvdasff.com qezvx.com   weopfkp.com http:// /thecon/checkin.php?m=1 /thecon/checkin.php?m=0 &CLIENTID=%d&AFF_ID=%d&FIREWALLS=%d RUN NOOP    http://%s/thecon/update.php?m=1&CLIENTID=%d&AFF_ID=%d&FIREWALLS=%d      http://%s/thecon/update.php?m=0&CLIENTID=%d&AFF_ID=%d&FIREWALLS=%d  INSTALL RUN > >
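
Added example, not part of the original thread: one way to hunt for the request shape quoted in the two posts above in web proxy logs. The log line layout, the function name `find_beacons` and the sample lines are assumptions; the 192.0.2.x servers are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: client "METHOD URL HTTP/x.y" "User-Agent"
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" "([^"]*)"$')
# Paths and parameter names come from the strings quoted in the thread.
PATH_RE = re.compile(r"^/thecon/(checkin|update)\.php$", re.IGNORECASE)
NUMERIC_PARAMS = ("CLIENTID", "AFF_ID", "FIREWALLS")  # all %d in the format string
THREAD_UA = "Microsoft Windows XP"  # User-Agent seen by the original poster

# Constructed sample lines; servers use documentation address space.
SAMPLE_LOG = [
    '10.0.0.5 "GET http://192.0.2.10/thecon/checkin.php?m=0&CLIENTID=1040353'
    '&AFF_ID=10001&FIREWALLS=52312 HTTP/1.1" "Microsoft Windows XP"',
    '10.0.0.9 "GET http://192.0.2.11/thecon/update.php?m=1&CLIENTID=77'
    '&AFF_ID=10001&FIREWALLS=0 HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.7 "GET http://192.0.2.20/index.php?m=0 HTTP/1.1" "Mozilla/4.0"',
    '10.0.0.8 "GET http://192.0.2.21/thecon/checkin.php?m=0 HTTP/1.1" "curl/7.1"',
]

def find_beacons(lines):
    """Return one dict per log line that matches the check-in/update request shape."""
    hits = []
    for line in lines:
        parsed = LINE_RE.match(line.strip())
        if not parsed:
            continue
        client, url, agent = parsed.groups()
        parts = urlsplit(url)
        path = PATH_RE.match(parts.path)
        query = parse_qs(parts.query)
        if not path or query.get("m", [""])[0] not in ("0", "1"):
            continue
        values = [query.get(name, [""])[0] for name in NUMERIC_PARAMS]
        if not all(re.fullmatch(r"-?\d+", v) for v in values):
            continue  # right path but wrong parameter shape
        hits.append({
            "client": client,
            "server": parts.hostname,
            "kind": path.group(1).lower(),
            "client_id": int(values[0]),
            "ua_matches": agent == THREAD_UA,
        })
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Matching on the path and parameter names rather than on the server address keeps the check useful when the host list changes; `ua_matches` only raises confidence and is not required for a hit.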


badog on Aug 30, 2006 at 4:13:36 PM (# 3)

Anyone find anything on this issue?


msimmons on Aug 31, 2006 at 6:42:00 AM (# 4)

You've probably tried this, but take a peek in your start up folder and the start up tab of MSCONFIG.


hewbie on Sep 24, 2006 at 5:42:26 AM (# 5)

Hi, I have the same problem. I did some partial analysis; here is some information
I found about these t*.dll & t*.exe files. The numbers in the file name are ticks:
"Returns total number of seconds elapsed since 00:00:00 GMT, January 1, 1970 based on your system time."
OK, these files are droppers which make a connection to a short list of URLs/IPs,
some kind of C&C. These files are not packed as far as I can tell;
they have some basic plain text I could extract from them.

1. It has a list of common anti-virus/firewall programs,
so I'm guessing this will try to unload/remove all protection in place
based on the list of programs.

2. A list of URLs/IPs it connects to, to notify/download a newer version of itself.

3. This dropper will attempt to hijack programs it finds on your computer.
I haven't checked if there's a pattern, or it's random, or it tries programs in auto run via the registry.
When it finds a program it wants to hijack it will unpack a 2nd exe, which is UPX compressed
(guessing that's what the t*.exe are), and copies and renames it to the
hijacked program, but it moves the original valid program into a folder
called "BAK" in the same location. This is how it loads up every time you reboot,
or when you go to run these hijacked programs; then it loads the original one afterwards.

4. It uses {FA531CC1-0497-11d3-A180-3333052276C3E}

When a hijacked program is loaded, it secretly loads MSIE and injects the t*.dll dropper into it.
They added a timer delay of about 24 hours to loop check/report back to one of the listed
C&C sites/IPs.

Other files have been found, with different letters but the same ticks; *.exe files it downloads to your computer
give you other nasties.

hope this helps :)
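
Added example, not part of the original post: a temp-directory check for the file naming described above, decoding the number in names like t1156460055.dll as a Unix timestamp to date the drop and flagging the .dll plus zero-byte .exe pair from reply #2. The function names and the constructed test directory are assumptions; the single-letter prefix generalises the "different letters but same ticks" remark.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# One letter + 10-digit Unix time + .dll/.exe, e.g. t1156460055.dll from the thread.
NAME_RE = re.compile(r"^([a-z])(\d{10})\.(dll|exe)$", re.IGNORECASE)

def scan_temp(directory):
    """Group matching files by their embedded timestamp and describe each group."""
    groups = {}
    for entry in os.scandir(directory):
        match = NAME_RE.match(entry.name)
        if match and entry.is_file():
            groups.setdefault(int(match.group(2)), []).append(
                (entry.name.lower(), entry.stat().st_size))
    findings = []
    for ticks, files in sorted(groups.items()):
        names = {name for name, _ in files}
        findings.append({
            "ticks": ticks,
            # When the files were named, according to the infected host's clock.
            "dropped_utc": datetime.fromtimestamp(ticks, tz=timezone.utc).isoformat(),
            "files": sorted(names),
            # Pattern from the thread: t<ticks>.dll beside t<ticks>.exe
            "dll_exe_pair": {f"t{ticks}.dll", f"t{ticks}.exe"} <= names,
            "zero_byte_exe": any(n.endswith(".exe") and size == 0
                                 for n, size in files),
        })
    return findings

def demo():
    """Scan a constructed directory: one suspicious pair and two benign names."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "t1156460055.dll": b"MZ constructed placeholder",
            "t1156460055.exe": b"",      # zero-byte, as reported in reply #2
            "test.dll": b"benign",       # no timestamp, ignored
            "t12345.exe": b"",           # too few digits, ignored
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as handle:
                handle.write(data)
        return scan_temp(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```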


ghattas on Nov 22, 2006 at 9:35:23 PM (# 6)

Hi, I am having the same problem although I've got no idea how to fix it. Anyone able to help? Thanks.


mrli on Feb 26, 2007 at 6:17:53 AM (# 7)

Hi, I have the same problem. From my check it is an instance of Trojan.Lozyt, which created (in my case) these files:
1. JMRaidTool.exe [created in %WINDIR%\system32]
2. svcipa.exe [created in %WINDIR%\temp]
3. lsasss.exe (don't confuse with lsass)

The latter is possibly the Sasser worm, which was somehow used to exploit the LSASS Windows vulnerability in order to plant the actual trojan. Then a registry entry was made in HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run\ lsasss.exe - Lexmark_X79-55
and the JMRaidTool.exe

Fix those and you will be fine.

