Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

MarcelHelper

Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

02 Jun 2018, 13:49

I am the manager at a call center and we do a good deal of help desk support. We have been using AHK for many years to build small scripts to save us time, sometimes we have callers download them to fix things.

In the past few months we have been dealing with an overwhelming amount of malware that causes Internet Explorer to launch silently. The malware has what seems like an unlimited number of variants, so we can't really build a proper protocol.

The average technician spends 25 minutes tracking down the process that caused IE to launch. Some AV will catch it, some won't, but those scans take time too.

The only thing they have in common is the fact that after we kill the IE process, within 3-5 minutes the software will try to launch another IE process. So we kill some processes we think might be bad, we wait, sometimes the tech makes a mistake, the tech then starts the process of manually looking in the startup, registry etc. Sometimes a wrong process is killed and then the customer calls back an hour later angry, it is a real problem.

What I would prefer to do is to have the caller install a script that will run on their machine, the tech closes all the IE processes and then waits for the malware to try launching it again, once it does, the script should report what process (malware) caused IE to launch.

We tried using Process Explorer, however, it does not show what caused IE to launch. We tried using Process Hacker and Process Memory, no success.

I am hopeful one of you will have an idea for me.
RickC
Posts: 299
Joined: 27 Oct 2013, 08:32

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

02 Jun 2018, 20:25

Instead of Process Explorer, I suggest you use Process Monitor (ProcMon) on a test machine.

Process Monitor will let you filter on iexplore.exe so you can examine the events immediately preceding the firing of each new IE process. Just be warned... ProcMon generates a huge amount of info very quickly, so you'll need to learn how to filter.

Process monitor: https://docs.microsoft.com/en-us/sysint ... ds/procmon

Tutorial videos:

Defrag Tools: #3 - Process Monitor video which takes you on a tour of ProcMon's features. https://channel9.msdn.com/Shows/Defrag- ... ss-Monitor

Defrag Tools: #4 - Process Monitor - Examples - shows ProcMon being used to investigate/troubleshoot and is also very useful to see how to narrow down your searches for possible culprits. https://channel9.msdn.com/Shows/Defrag- ... ss-Monitor

Hope this helps...
MarcelHelper

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

02 Jun 2018, 21:03

Tried Process Monitor, we use it extensively, in fact, we have about 15 preset filters for it. If for example the program causing iexplore to launch would start right before it sends the commands, it would be an easy thing to identify using proc mon. We are having no luck using it in a way where it saves any time.

If anyone wants to give it a go, here is a quick script that launches iexplore. Compile it to its own exe and see if you can figure it out; advice is great and appreciated.

I posted in another forum too but so far nobody was able to solve it, many helpful people chimed in there too.


#NoEnv                          ; do not read unknown variables from the environment
#SingleInstance Force           ; replace any already running copy of this script
SetWorkingDir %A_ScriptDir%     ; relative paths resolve against the script's folder

; Minimal test harness: one window with one button that starts IE through
; COM activation, so a tool like ProcMon can be used to trace the launcher.
Gui Add, Button, x71 y13 w107 h23 gRunIE, Launch IE
Gui Show, w260 h57, IE Process Test
Return

RunIE:
wb := ComObjCreate("InternetExplorer.Application")   ; out-of-process COM activation of IE
wb.Visible := True                                   ; make the new IE window visible
wb.Navigate("https://www.autohotkey.com")           ; load a page in the new instance
return

GuiEscape:
GuiClose:
    ExitApp                                          ; Esc or closing the window ends the script
RickC
Posts: 299
Joined: 27 Oct 2013, 08:32

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

03 Jun 2018, 06:44

So, 1) I wasted my time replying because you didn't provide sufficient information about what you had already tried and 2) you're cross-posting... but you haven't let us know the other forum nor the results, so - once again - we have no idea what's already been suggested.

Best of luck...
MarcelHelper

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

03 Jun 2018, 08:16

RickC wrote: So, 1) I wasted my time replying because you didn't provide sufficient information about what you had already tried and 2) you're cross-posting... but you haven't let us know the other forum nor the results, so - once again - we have no idea what's already been suggested.

Best of luck...
You did not waste your time replying because it turns out that Proc Monitor is so far the best solution. A user TrashDigger on reddit told me to filter on the path HKCU\Software\Classes\InternetExplorer.Application, and in fact that showed which process is calling to start IE.

I appreciate your time and everyone's time, I really do, and wish I had shared a lot more information. I hope to be able to have a small script built in AHK or anything else that can monitor just for that path and return the process while the caller is on the phone. Last resort is we install Process Monitor on their machine, set the filter, wait 5 minutes or so and see what happens.

Thank you

Here is the post on reddit. I hope sharing this does not violate the TOS; the Forum TOS and Rules did not address it.

https://old.reddit.com/r/AutoHotkey/com ... _down_the/
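One way to script the ProcMon approach described in the post above, as an added example that is not code from this thread: it starts a silent ProcMon capture, waits the 5 minutes the post mentions, exports the log to CSV, and reports every process other than IE itself that touched the InternetExplorer.Application ProgID key. It assumes Procmon.exe at C:\Tools\Procmon.exe (a hypothetical path), an elevated PowerShell session, and ProcMon's default CSV column names.

```powershell
# Added example, not from the thread. Automates the ProcMon registry-path check.
param(
    [string]$ProcmonPath    = 'C:\Tools\Procmon.exe',   # assumed location of Procmon.exe
    [int]   $CaptureSeconds = 300,                      # the "wait 5 minutes" from the post
    [string]$WorkDir        = "$env:TEMP\ie-trace"
)
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pml = Join-Path $WorkDir 'capture.pml'
$csv = Join-Path $WorkDir 'capture.csv'

# Close running IE instances so the next launch is the one being attributed.
Get-Process iexplore -ErrorAction SilentlyContinue | Stop-Process -Force

# Silent capture to a backing file; /Terminate stops the running instance.
Start-Process $ProcmonPath -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds $CaptureSeconds
Start-Process $ProcmonPath -ArgumentList '/Terminate' -Wait

# Convert the .pml log to CSV (ProcMon exits once the export is written).
Start-Process $ProcmonPath -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# The tell from the thread: whatever instantiates the IE COM server looks up the
# InternetExplorer.Application ProgID key. Parent/child views do not help here
# because a COM-activated iexplore.exe is started by the DCOM launcher service.
$hits = Import-Csv $csv |
    Where-Object { $_.Path -like '*\Classes\InternetExplorer.Application*' -and
                   $_.'Process Name' -ne 'iexplore.exe' } |
    Group-Object 'Process Name', PID

foreach ($g in $hits) {
    $first  = $g.Group[0]
    $procId = [int]$first.PID
    # The launcher may already have exited, so the image path can be empty.
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process   = $first.'Process Name'
        PID       = $procId
        FirstSeen = $first.'Time of Day'
        Image     = $proc.Path
        Accesses  = $g.Count
    }
}
```

The Image column is what the technician hands to AutoRuns or the AV afterwards; an empty Image with a non-empty PID means the launcher exited before the lookup and the PID must be matched against the CSV by hand.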
RickC
Posts: 299
Joined: 27 Oct 2013, 08:32

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

03 Jun 2018, 11:23

At least we now know - from the other thread - that you're talking about Windows 10.

Your first post shows "The average technician spends 25 minutes tracking down the process that caused IE to launch. Some AV will catch it, some won't, but those scans take time too." (My emphasis) Surely this means that the AV that *does* detect it can show you the location of the image that launched IE... and that you can subsequently monitor that location for changes? Have a look at just me's WatchFolder. (https://autohotkey.com/boards/viewtopic ... atchFolder)

Have you used AutoRuns (or AutoRunsc to run hidden without bothering end users) to look for images with no description/publisher (and filtered to exclude Microsoft-signed images)? (https://docs.microsoft.com/en-us/sysint ... s/autoruns)

Also, presumably IE is launched to enable internet communication over allowed protocols, e.g. HTTP/HTTPS, to one or more command/control/collect endpoints (if more than one then usually within an identifiable IP address range). Have you tried using Nir Sofer's CurrPorts (with logging enabled) to match new endpoints with the time IE is launched hidden? (https://www.nirsoft.net/utils/cports.html)
RickC
Posts: 299
Joined: 27 Oct 2013, 08:32

Re: Help Desk Call Center Need Urgent Help Identifying Cause of Process Launch

04 Jun 2018, 10:58

Here's an article by Microsoft Fellow Mark Russinovich about tracking down the cause of a random and unwanted malware process (similar to your scenario), in this case the use of ftp.exe:

https://blogs.technet.microsoft.com/mar ... nnections/

It may help show the steps used to track the malware method and endpoint(s).

Hope this helps...
