iexplore.exe in the background

Post by Queequeg » July 21st, 2010, 2:18 pm

Greetings. I currently have mostly one (sometimes two) iexplore.exe processes running in the background. They are spawned by scvhost. I can kill the iexplore processes, but within a couple seconds a new one is spawned. At the moment I suspend them using Process Explorer from sysinternals.
The iexplore.exe seems to be loading some ads in the background. I can't see a window but I can hear clicks, and they are stealing focus. Using spy++ I can see the window title, e.g.
"http://ad.questmedianet.com/adserv/?aff_id=3915 - Microsoft Internet Explorer" or
"http://www.arcadelevels.com - Arcadelevels - Microsoft Internet Explorer"

I already tried Malwarebytes' Anti-Malware (Quick Scan) and Spybot S&D, but it only removed some tracking cookies.

There are no suspicious processes running, so I suspect it's a service, which uses scvhost to invoke iexplore. You can find a screen with all the started services below. (Is there an easy way to get this in text form?) Anyways, here's the HJT log, but I doubt it's gonna help. I wrote GoToSleep and GoToSleepSvc(gtssvc) myself, they're harmless, just in case you were wondering.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:39:19 PM, on 7/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\taskmgr.exe
...\GoToSleep\GoToSleep\bin\GoToSleep.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
...\GoToSleep\GoToSleepSvc\bin\Debug\GoToSleepSvc.exe
\Desktop\procexp.exe
C:\Program Files\Internet\Opera\Opera.exe
C:\Program Files\editors\Vim\vim72\gvim.exe
\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Thunderbird] "C:\Program Files\Internet\Mozilla Thunderbird\thunderbird" -turbo
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: GoToSleep.exe.lnk = ...\GoToSleep\GoToSleep\bin\GoToSleep.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: gtssvc - Unknown owner - ...\GoToSleep\GoToSleepSvc\bin\Debug\GoToSleepSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
e
--
End of file - 2460 bytes


[Image: screenshot of the started services]
Queequeg
Active Member
 
Posts: 2
Joined: July 21st, 2010, 1:21 pm

Re: iexplore.exe in the background

Post by Queequeg » July 23rd, 2010, 1:17 am

Disregard please. The iexplore processes are gone now. I think it helped that I created an admin account and downgraded my account to a limited one.
So, close please.

Re: iexplore.exe in the background

Post by Gary R » July 23rd, 2010, 8:51 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

