Zaphod2010

  1. I think that did it! Been about an hour, no sign of IE starting processes on its own! Attached fixlog in any case. Also you are welcome for the donation, you deserve it, this was a tough one I think, and you saved me a lot of time in reloading (that was going to be the last resort). Also do you know what this malware was? What it does, I am wondering if it is only ad clicks or does it steal data too? Thanks again. Fixlog.txt
  2. Hi, please see attached, also note Windows updates happened last night as well. Thanks. FRST.txt Addition.txt
  3. Hi, sadly it is still there. I opened up the firewall and a few minutes later the two IE processes started up again and made lots of connections like before. Thanks
  4. I have to check later this evening, I had blocked IE on the Windows firewall in the meantime so it didn't connect outside so I didn't see any activity, but I will open it up again and let you know if those processes pop up again. Thanks.
  5. Hi, please see attached for zoek results from above instructions. Thanks. zoek-results.log
  6. Hi TwinHeadedEagle, please see attached file for zoek results. Thanks. zoek-results.log
  7. Hello, sorry to make a new post but it seems the option to edit posts is not enabled, but looking into one of the items found: PUP.Optional.Amonetize. This seems to be some sort of malware that generates ad clicks, and this is exactly the behaviour I am seeing from those IE processes, it seems to go to many ad related sites, so maybe this is the culprit. Now the file quarantined is only the installer I downloaded as part of some animated wallpaper app, which looked sketchy so I uninstalled it, but maybe that is what is installed somewhere still but not being found. Thanks.
  8. Hello TwinHeadedEagle, thank you for the quick response, I have attached the MB report here, I did a full custom scan before I saw your reply, I had checked the rootkit box as well, so hopefully this is fine. It found the following items and cleaned them (but I had found these previously too and cleaned so not sure why they are back or if they might be the culprit, but the IE processes came up after the previous clean up anyway): Thanks. MB scan.txt
  9. Hello, I seem to have some malware that randomly starts up Internet Explorer processes (two of them) in the background and then proceeds to connect to multiple IPs/URLs with small bits of traffic. I ran Wireshark to capture this traffic and analyze it a bit but all I could see was that it mostly consisted of HTTP, and the traffic itself included things like images. I ran RogueKiller which spots the two processes and kills them on the prescan as "[Proc.Injected]" and shows the path to iexplore.exe, but it shows two items as follows, one in uppercase and one in lower: C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.exe As soon as RogueKiller kills these two the traffic to random sites stops, again all this is in the background, nothing ever pops up on screen and I do not use the IE browser. But tools like Windows Resource Monitor or GlassWire show these connections. I have run various products and none of them find any malware (MB included), but the processes still start up the next time I reboot, after some random amount of time it seems. So not sure what this is, so I followed instructions here and ran FRST64 and have attached the two files generated. Thank you FRST.txt Addition.txt