svchost.exe launching iexplore.exe (x64)

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   I've been having this issue lately, Microsoft Internet Explorer seems to be launching on its own and connecting to Amazon's EC2 cloud. I've forcefully blocked all instances of IE from launching for the time and just observe the logs as IE continually tries to launch but fails. 

The calling process seems to be: 

C:\Windows\system32\svchost.exe -k 
DcomLaunch
But I can't seem to trace it any further. Any ideas/procedures recommended to follow in this scenario? I've run numerous anti-virus scanners and rootkit detectors/removers with no significant results.

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
c4p0ne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 29 January 2009 Status: Offline Points: 7	Post Options Post Reply Quote c4p0ne Report Post Thanks(0) Quote Reply Topic: svchost.exe launching iexplore.exe (x64) Posted: 15 February 2013 at 4:40pm
	I've been having this issue lately, Microsoft Internet Explorer seems to be launching on its own and connecting to Amazon's EC2 cloud. I've forcefully blocked all instances of IE from launching for the time and just observe the logs as IE continually tries to launch but fails. The calling process seems to be: C:\Windows\system32\svchost.exe -k DcomLaunch But I can't seem to trace it any further. Any ideas/procedures recommended to follow in this scenario? I've run numerous anti-virus scanners and rootkit detectors/removers with no significant results.

MagicAndre1981 Members Profile Send Private Message Find Members Posts Add to Buddy List Moderator Group Joined: 08 January 2007 Location: Germany Status: Offline Points: 1455	Post Options Post Reply Quote MagicAndre1981 Report Post Thanks(0) Quote Reply Posted: 16 February 2013 at 6:13am
	Have you tried to use ProcessMonitor to see what is going on?

c4p0ne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 29 January 2009 Status: Offline Points: 7	Post Options Post Reply Quote c4p0ne Report Post Thanks(0) Quote Reply Posted: 16 February 2013 at 10:34am
	Yes I have tried procmon but the output is just too much for me to extrapolate anything from... I've since rebooted the system and IE has not yet attempted to load on its own. I know that this isn't the end, though. Sooner or later it will start happening again, which is why I'm keeping a close eye on system activity until that time. I suspect it might be some in-memory crap that is triggered by some event (such as me starting an "infected" executable for instance). It is at that point that I will start to see this behavior again. Observing it in procexp seems to indicate that IE is firing up and then calling another instance of itself (so that there are two IE's running, parent/child). THEN, the newly spawned child calls yet 3 more instances of IE (3 children). At that point, some mysterious event happens and all of the instances of IE just shut down. Then the process repeats every, say, 2 minutes. Again, it hasn't happened since yesterday (reboot) but as soon as it kicks up again I'll make a recording in procmon and post it here, perhaps you guys can make heads or tails of it. Maybe I can put this in one of my own "the mystery of" articles. thanks again.

c4p0ne Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 29 January 2009 Status: Offline Points: 7	Post Options Post Reply Quote c4p0ne Report Post Thanks(0) Quote Reply Posted: 22 February 2013 at 12:46pm
	I've discovered that when launching the cloud storage application known as "bitcasa" (www.bitcasa.com) that this behavior is present, and it seems that at no other time other than with bitcasa running do I see this behavior (at this time anyway). Although I still have no idea why. I will communicate with them about it. Thanks fellas.