1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Malware problem that appears to be using DcomLaunch

Discussion in 'Windows XP' started by Dave F., Jul 15, 2010.

  1. Dave F.

    Dave F. Flightless Bird

    Hi

    I'm running XP SP3.
    I use Firefox as default.

    I've a bug that launches two or three copies of IE into the services
    (they don't immediately appear on screen).

    After a few minutes it preforms one or more of the following:

    Displays adverts in an IE window
    Plays an audio advert (not sure how it does that)
    Mutes the sound completely.

    I've run the latest versions of ad-aware & avast anti virus but with no
    luck.

    Using Sysinternals Process Explorer I can see the following:
    (> represents a child service)

    System>smss.exe>csrs.exe>winlogon.exe>services.exe


    A child of this is svchost.exe that has the command line of:
    C:/WINDOWS\system32\svchost -k DcomLaunch

    A child of this is iexplore.exe that has the command line of:
    "C:/Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

    A child of this is another one or two copies of iexplore.exe with the
    command line of:

    "C:/Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3752
    CREDAT:145411 or 145412

    Using Sysinternals Autoruns I disabled DcomLaunch & rebooted.
    It prevented the problem, but it appears DcomLaunch is essential for
    Windows to run.

    I've run out of ideas for a solution, so it's over to you. Any ideas?

    Hope I've been clear.

    Cheers
    Dave F.
     
  2. Randem

    Randem Flightless Bird

    You will need to run some other Malware & Spyware utilities to complete the
    job. Try MalwareBytes and SuperAntiSpyware to accomplish this.

    Also read http://www.randem.com/virusproblems.html


    --
    The Top Script Generator for Jordan Russell's Inno Setup -
    http://www.randem.com/innoscript.html
    Free Utilities and Code - http://www.randem.com/freesoftutil.html
    "Dave F." <df@zx.cu.uk> wrote in message
    news:uumsDnGJLHA.4320@TK2MSFTNGP04.phx.gbl...
    > Hi
    >
    > I'm running XP SP3.
    > I use Firefox as default.
    >
    > I've a bug that launches two or three copies of IE into the services (they
    > don't immediately appear on screen).
    >
    > After a few minutes it preforms one or more of the following:
    >
    > Displays adverts in an IE window
    > Plays an audio advert (not sure how it does that)
    > Mutes the sound completely.
    >
    > I've run the latest versions of ad-aware & avast anti virus but with no
    > luck.
    >
    > Using Sysinternals Process Explorer I can see the following:
    > (> represents a child service)
    >
    > System>smss.exe>csrs.exe>winlogon.exe>services.exe
    >
    >
    > A child of this is svchost.exe that has the command line of:
    > C:/WINDOWS\system32\svchost -k DcomLaunch
    >
    > A child of this is iexplore.exe that has the command line of:
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
    >
    > A child of this is another one or two copies of iexplore.exe with the
    > command line of:
    >
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3752
    > CREDAT:145411 or 145412
    >
    > Using Sysinternals Autoruns I disabled DcomLaunch & rebooted.
    > It prevented the problem, but it appears DcomLaunch is essential for
    > Windows to run.
    >
    > I've run out of ideas for a solution, so it's over to you. Any ideas?
    >
    > Hope I've been clear.
    >
    > Cheers
    > Dave F.
     
  3. sgopus

    sgopus Flightless Bird

    Try the latest version of malwarebytes, I'm sure it's malware that causing
    the problem.

    "Dave F." wrote:

    > Hi
    >
    > I'm running XP SP3.
    > I use Firefox as default.
    >
    > I've a bug that launches two or three copies of IE into the services
    > (they don't immediately appear on screen).
    >
    > After a few minutes it preforms one or more of the following:
    >
    > Displays adverts in an IE window
    > Plays an audio advert (not sure how it does that)
    > Mutes the sound completely.
    >
    > I've run the latest versions of ad-aware & avast anti virus but with no
    > luck.
    >
    > Using Sysinternals Process Explorer I can see the following:
    > (> represents a child service)
    >
    > System>smss.exe>csrs.exe>winlogon.exe>services.exe
    >
    >
    > A child of this is svchost.exe that has the command line of:
    > C:/WINDOWS\system32\svchost -k DcomLaunch
    >
    > A child of this is iexplore.exe that has the command line of:
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
    >
    > A child of this is another one or two copies of iexplore.exe with the
    > command line of:
    >
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3752
    > CREDAT:145411 or 145412
    >
    > Using Sysinternals Autoruns I disabled DcomLaunch & rebooted.
    > It prevented the problem, but it appears DcomLaunch is essential for
    > Windows to run.
    >
    > I've run out of ideas for a solution, so it's over to you. Any ideas?
    >
    > Hope I've been clear.
    >
    > Cheers
    > Dave F.
    > .
    >
     
  4. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    There is a very good chance that you are seeing the effects of a hijackware
    infection!

    NB: If you had no anti-virus application installed or the subscription had
    expired *when the machine first got infected* and/or your subscription has
    since expired and/or the machine's not been kept fully-patched at Windows
    Update, don't waste your time with any of the below: Format & reinstall
    Windows. A Repair Install will NOT help!

    Microsoft PCSafety provides home users (only) with no-charge support in
    dealing with malware infections such as viruses, spyware (including unwanted
    software), and adware.
    https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

    Also available via the Consumer Security Support home page:
    https://consumersecuritysupport.microsoft.com/

    Otherwise...

    1. See if you can download/run the MSRT manually:
    http://www.microsoft.com/security/malwareremove/default.mspx

    NB: Run the FULL scan, not the QUICK scan! You may need to download the
    MSRT on a non-infected machine, then transfer MRT.EXE to the infected
    machine and rename it to SCAN.EXE before running it.

    2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
    in Safe Mode with Networking, if need be:
    http://onecare.live.com/site/en-us/center/howsafe.htm

    2b. Vista or Win7=> Run this scan instead:
    http://onecare.live.com/site/en-us/center/whatsnew.htm

    3. Now post the requested logs in an appropriate forum for assistance by an
    expert in such matters. DO NOT SKIP THIS STEP!!

    I can recommend the expert assistance offered in these forums:
    http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
    http://www.spywarewarrior.com/viewforum.php?f=5,
    http://www.dslreports.com/forum/cleanup,
    http://www.bluetack.co.uk/forums/index.php, and
    http://aumha.net/viewforum.php?f=30

    If these procedures look too complex - and there is no shame in admitting
    this isn't your cup of tea - take the machine to a local, reputable and
    independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
    --
    ~Robear Dyer (PA Bear)
    MS MVP-IE, Mail, Security, Windows Client - since 2002


    Dave F. wrote:
    > Hi
    >
    > I'm running XP SP3.
    > I use Firefox as default.
    >
    > I've a bug that launches two or three copies of IE into the services
    > (they don't immediately appear on screen).
    >
    > After a few minutes it preforms one or more of the following:
    >
    > Displays adverts in an IE window
    > Plays an audio advert (not sure how it does that)
    > Mutes the sound completely.
    >
    > I've run the latest versions of ad-aware & avast anti virus but with no
    > luck.
    >
    > Using Sysinternals Process Explorer I can see the following:
    > (> represents a child service)
    >
    > System>smss.exe>csrs.exe>winlogon.exe>services.exe
    >
    >
    > A child of this is svchost.exe that has the command line of:
    > C:/WINDOWS\system32\svchost -k DcomLaunch
    >
    > A child of this is iexplore.exe that has the command line of:
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
    >
    > A child of this is another one or two copies of iexplore.exe with the
    > command line of:
    >
    > "C:/Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3752
    > CREDAT:145411 or 145412
    >
    > Using Sysinternals Autoruns I disabled DcomLaunch & rebooted.
    > It prevented the problem, but it appears DcomLaunch is essential for
    > Windows to run.
    >
    > I've run out of ideas for a solution, so it's over to you. Any ideas?
    >
    > Hope I've been clear.
    >
    > Cheers
    > Dave F.
     
  5. soillmiller

    soillmiller Flightless Bird

    It seems as if your system is definately under some spyware influence .

    All the processes mentioned by u are genuine....except the "csrs.exe"....
    I hope that it is not a spelling mistake....pls check.

    If it is actually csrs.exe then get rid of it.
    There must be some spyware on ur system that is showing these adverts on ur system.
    You should also use some other antispyware that can clean ur system
    I will suggest u to use Advanced System Protector as it is always loaded with the latest definitions of infections and is efficient enough to get rid of such adwares.
    as far as I am concerned it is the best antispyware I have used so far
    .so try this.
    dis is available at cnet.
    Hope ur problem wud b solved soon.

    All D best!!!
     

Share This Page