Weird session sharing in IE

Hello,

Several days ago I noticed a couple of the PCs I work with share session ID
in Internet Explorer, no matter how you open the IE process (even
double-clicking its icon).

I traced this problem down to the point in which I realized such PCs don't
have any iexplore.exe process running. The "normal" PCs have one
iexplore.exe thread for each Internet Explorer browser open.

Instead of the normal behaviour, when you open a new Internet Explorer
browser in these "weird" PCs, you can see how the memory used by
explorer.exe is significantly increased (around 10M for each browser).

Does anyone know why this is happening? And if so, how do I fix it?

Thanks, at least for reading it.
 
On Thu, 2 Aug 2007 06:02:03 -0700, Daniel Arriero wrote:
Several days ago I noticed a couple of the PCs I work with share session ID
in Internet Explorer, no matter how you open the IE process (even
double-clicking its icon).
I traced this problem down to the point in which I realized such PCs don't
have any iexplore.exe process running. The "normal" PCs have one
iexplore.exe thread for each Internet Explorer browser open.
Instead of the normal behaviour, when you open a new Internet Explorer
browser in these "weird" PCs, you can see how the memory used by
explorer.exe is significantly increased (around 10M for each browser).

I try to avoid meeting malware on a level playing field, as you may be
doing here. I know some malware starts IE as a hidden (windowless, but
also could be rootkit-cloaked) process and injects its code into it,
allowing the malware to drill through firewalls (as IE is "permitted").

It smells like that is what may be happening here; the first IE
process not appearing as expected, the 10M bulge on the IE process you
can see, and possibly the same session ID (presumably, the process
number) across PCs because the hidden IE session is started from the
same point in the infected OS's startup process?


--------------- ----- ---- --- -- - - -
To one who only has a hammer,
everything looks like a nail
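The two hypotheses above (browser windows hosted inside explorer.exe with a ~10 MB bulge per window, or a windowless iexplore.exe that nobody launched) can both be checked from two `tasklist /V /FO CSV` snapshots, one taken before and one after opening an IE window. The script below is an added example, not code from this thread or from either poster; the CSV snapshots in it are constructed to mirror the symptoms described, the 8 MB bulge threshold is my choice, and it assumes the English-locale column names and "n,nnn K" memory format that tasklist prints. It only sees what tasklist sees: a rootkit-cloaked process will not be in the list at all, which is exactly why the offline scan recommended later in the thread still matters.

```python
import csv
import io

# Snapshots in the layout of `tasklist /V /FO CSV` (English locale assumed).
# Constructed to mirror the thread's report; not real captures.
TASKLIST_HEADER = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status",'
    '"User Name","CPU Time","Window Title"\n'
)
BEFORE_CSV = TASKLIST_HEADER + (
    '"explorer.exe","1604","Console","0","18,240 K","Running","LAB\\daniel","0:00:05","N/A"\n'
    '"svchost.exe","1020","Console","0","4,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"\n'
)
# "Sick" PC after opening one IE window: no iexplore.exe appears, explorer.exe
# grew by roughly 10 MB and now owns the browser window.
AFTER_SICK_CSV = TASKLIST_HEADER + (
    '"explorer.exe","1604","Console","0","28,736 K","Running","LAB\\daniel","0:00:06",'
    '"Intranet - Microsoft Internet Explorer"\n'
    '"svchost.exe","1020","Console","0","4,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"\n'
)
# The other possibility raised above: an iexplore.exe with no window at all.
AFTER_HIDDEN_CSV = TASKLIST_HEADER + (
    '"explorer.exe","1604","Console","0","18,304 K","Running","LAB\\daniel","0:00:05","N/A"\n'
    '"svchost.exe","1020","Console","0","4,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"\n'
    '"iexplore.exe","2288","Console","0","6,104 K","Running","LAB\\daniel","0:00:00","N/A"\n'
)


def parse_tasklist(csv_text):
    """Map PID -> (image name, working set in KB, window title)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # tasklist prints memory as e.g. "18,240 K"; normalise to an int in KB.
        mem_kb = int(row["Mem Usage"].replace(" K", "").replace(",", ""))
        procs[int(row["PID"])] = (row["Image Name"].lower(), mem_kb, row["Window Title"])
    return procs


def triage(before, after, bulge_kb=8 * 1024):
    """Compare two snapshots and return (kind, pid, image) findings.

    in_process_browser  - an IE window title owned by something other than iexplore.exe
    windowless_iexplore - an iexplore.exe whose window title tasklist reports as N/A
    memory_bulge        - a process that grew by at least bulge_kb between snapshots
    """
    findings = []
    for pid, (image, mem_kb, title) in after.items():
        if image != "iexplore.exe" and "internet explorer" in title.lower():
            findings.append(("in_process_browser", pid, image))
        if image == "iexplore.exe" and title == "N/A":
            findings.append(("windowless_iexplore", pid, image))
        # Only compare a PID with itself if the image name still matches (PIDs get reused).
        if pid in before and before[pid][0] == image and mem_kb - before[pid][1] >= bulge_kb:
            findings.append(("memory_bulge", pid, image))
    return findings


if __name__ == "__main__":
    # Real use: tasklist /V /FO CSV > before.csv, open an IE window, repeat to after.csv,
    # then parse_tasklist(open("before.csv").read()) etc. Here we run the constructed samples.
    base = parse_tasklist(BEFORE_CSV)
    for label, snapshot in (("sick PC", AFTER_SICK_CSV), ("hidden IE", AFTER_HIDDEN_CSV)):
        for kind, pid, image in triage(base, parse_tasklist(snapshot)):
            print(f"{label}: {kind} pid={pid} image={image}")
```

An `in_process_browser` finding together with a `memory_bulge` on explorer.exe is the thread's exact symptom; a `windowless_iexplore` finding is the injected-process pattern described above and deserves a look at that PID's network connections. One benign cause the thread does not consider, added here as a check rather than a finding: on the IE 5/6 shell the registry value BrowseNewProcess under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer governs whether browser windows get their own iexplore.exe process ("yes") or are hosted by the shell ("no"); comparing that value on a "weird" and a "normal" PC is cheap and worth doing before or alongside the offline scan.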
 
I will try and download the Microsoft malware detection tool and I'll post
here the results.

Your answer has given me hope. Thank you.
 
Well, I downloaded this Microsoft malware detection tool and, after a
complete scan, it found no infected files.

Thank you anyway for the advice, cquirke.
 

Heh - maybe I can give you some more...

I hope you aren't assuming that because a single scanner found
nothing, that malware is excluded?

Also, how did you run the tool; from the infected OS?

That's never reliable, but in this case, we do have specific reasons
to anticipate self-defense by the malware you are trying to find. If
what we theorise is happening, we already know we're after a malware
that hides running tasks, and is launching these on startup (and is
thus active from startup onwards).

So what I would do is formally scan one of these PCs using my Bart
project CDR, which runs a sequence of scanners from its own boot.
Multiple scanners improve the chances of detection, and by not
booting or running any infected code, the malware can't hide.

A slide show of the process is here...

http://cquirke.spaces.live.com/photos/cns!C7DAB1E724AB8C23!197/

...though you might skip the RAM and HD testing steps.

In your case, you don't have "my Bart project", so it's not as easy.
You can download Bart PE Builder, and you can add scanners such as:
- Trend SysClean
- Kaspersky CLI scanner
- Sophos CLI scanner
- McAfee Stinger (FWIW)
- Avast Cleaner (FWIW)

The MSRT won't run from a Bart CDR, but it will run from a WinPE 2.0
boot disk, if you have such a thing. Building WinPE isn't as easy as
Bart, plus WAIK is a far larger download, but it's a good mOS.

A quick way to get a bunch of scanners into Bart would be to find and
download David Lipman's Multi-AV tool. This is designed to be
installed on a sick PC and run from Safe Mode, but it can be adapted
for formal use as follows...
- find an uninfected PC
- download and install Bart PE Builder
- find and copy an XP SP2 or Server 2003 \i386 to the PC
- set Bart PE Builder to point to that
- build a test Bart CDR and verify that it works
- download and install Multi-AV
- run Multi-AV and update all four scanners
- create an arbitrary directory, e.g. C:\INCLUDE
- set Bart PE Builder's Custom directory to C:\INCLUDE
- copy C:\AV-CLS (the Multi-AV subtree) to C:\INCLUDE
- build a new Bart CDR

Now to use this on the sick PC...
- boot the sick PC from your new Bart CDR
- note that X: = Bart CDR drive letter
- note that B: = RAMDisk, and Temp is in RAM disk
- copy X:\AV-CLS subtree to C:\AV-CLS
- run Multi-AV from StartMenu.bat

You may find StartMenu.bat is a pain, if it insists on trying to
update the scanners before use, etc. If so, try running the scanners
directly, as follows...

Sophos - via SOFclean.bat

Kaspersky - via KAVclean.bat

McAfee ScanPM - via DOSclean.bat

Trend SysClean doesn't have a matching batch file, so CD into
C:\AV-CLS\Trend and run SysClean.com directly.


I don't think your Q's answered as yet, so I HTH...


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
Firstly I'd like to thank you for all your effort in helping me.

Secondly: yes, you are right, I ran the tool right from Windows on the sick
PC; my fault.

As I am at my workplace, I'll see if I can get all the stuff needed to
follow your super advice (CD burner & blank CD's), which may take me some
time. I will post the results ASAP.

Thank you very much, again, cquirke. I hope I can mark your answer as the
final one soon.
 
Err.... I have just discovered something, let's see if it gives you the
final clue to determine 100% sure that we are dealing with malware.

In those "sick" PCs, if I open two consecutive web browsers and ask for
their Session ID, they return exactly the same one. That's the expected behaviour
at this point.

I have tried changing the initial page and... surprise!... the Session ID
changes.

I mean, if I open a browser, change the initial page in the internet
properties and open a second browser, they return two different Session IDs.

Does it give you any clue?

Thanks.
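The "ask for their Session ID" probe above depends on an intranet application that happens to echo its session ID. For repeating the test on several PCs without that application, the small server below does the same job: every browser window that loads it is handed a session cookie (no expiry, so it lives only in the memory of the process hosting the window) and sees the ID echoed back. Two windows that show the same ID share one cookie store; a window that shows a fresh ID does not. This is an added example, not the thread's application or either poster's code; the cookie name SIDPROBE and port 8000 are arbitrary choices, and the cookie value is validated before it is echoed so a client cannot plant an arbitrary string in the output.

```python
import secrets
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE = "SIDPROBE"   # arbitrary cookie name for this probe
SID_LEN = 32          # hex chars in a token_hex(16) session ID


def assign_session(cookie_header):
    """Return (session_id, is_new) for the Cookie header of one request.

    A well-formed SIDPROBE cookie is reused; anything else (absent, malformed,
    wrong length, non-hex) gets a freshly minted ID so the client cannot choose it.
    """
    jar = SimpleCookie()
    if cookie_header:
        try:
            jar.load(cookie_header)
        except CookieError:
            pass  # malformed header: treat as no cookie
    morsel = jar.get(COOKIE)
    if morsel is not None:
        value = morsel.value
        if len(value) == SID_LEN and all(c in "0123456789abcdef" for c in value):
            return value, False
    return secrets.token_hex(SID_LEN // 2), True


class ProbeHandler(BaseHTTPRequestHandler):
    """GET / -> plain-text line with the session ID and whether it was just issued."""

    def do_GET(self):
        sid, is_new = assign_session(self.headers.get("Cookie"))
        body = f"Session ID: {sid} ({'new' if is_new else 'reused'})\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Cache-Control", "no-store")
        if is_new:
            # No Expires/Max-Age: a session cookie, kept only by the browser process.
            self.send_header("Set-Cookie", f"{COOKIE}={sid}; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # One line per hit so the same-ID / different-ID pattern is visible server-side.
        sid, _ = assign_session(self.headers.get("Cookie"))
        print(f"{self.client_address[0]} cookie_sid={sid} " + fmt % args)


def main(port=8000):
    HTTPServer(("", port), ProbeHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it on any machine the test PCs can reach and open http://host:8000/ in each browser window; the pattern reported above (same ID for two windows, a new ID after changing the home page and opening another window) should reproduce without touching the intranet application.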
 