Excessive explorer process
-
Anyone have a clue on this?
Right after I got this open to monitor the thing, all the processes started shutting down.
Webroot has been active forever on this machine. I also ran a check with Windows defender.
I was looking because I got a report of Conficker somehow leaving this network. Weird traffic on port 8080 out of this machine was all I could find from the router.
-
And it came back. One of the IP addresses is 199.187.193.133 and going to that in a browser results in this
said link points to: http://smartadserver.com/
-
Another IP is 93.184.216.16.
Popping that in a browser makes this mess,
and trying it over HTTPS results in the expected cert error, showing a wildcard for sascdn.com.
-
The only consistent thing I could find were hits out on port 8080. So I blocked it at the router.
Been seeing this now:
Feb 22 21:17:19 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=151.181.186.225 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6164 DF PROTO=TCP SPT=51771 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:21 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=28.59.249.207 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=16839 DF PROTO=TCP SPT=51774 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:25 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=125.109.3.234 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7280 DF PROTO=TCP SPT=51782 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:44 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=160.47.87.151 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30331 DF PROTO=TCP SPT=51828 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:45 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=197.137.31.64 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=12816 DF PROTO=TCP SPT=51831 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:48 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=124.34.197.111 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=14155 DF PROTO=TCP SPT=51837 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:54 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=105.63.177.145 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3660 DF PROTO=TCP SPT=51848 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:17:57 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=181.154.98.132 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=23399 DF PROTO=TCP SPT=51857 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:00 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=13.153.158.116 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21312 DF PROTO=TCP SPT=51862 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:01 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=210.76.23.175 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=29763 DF PROTO=TCP SPT=51864 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:03 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=116.55.46.147 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=17854 DF PROTO=TCP SPT=51869 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:16 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=158.32.147.37 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=15846 DF PROTO=TCP SPT=51899 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:17 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=31.72.193.197 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=18052 DF PROTO=TCP SPT=51901 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:22 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=173.96.39.161 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=13367 DF PROTO=TCP SPT=51910 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:33 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=65.138.237.197 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5932 DF PROTO=TCP SPT=51936 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:36 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=20.112.83.196 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=365 DF PROTO=TCP SPT=51944 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:38 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=190.149.150.203 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28190 DF PROTO=TCP SPT=51948 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:44 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=106.75.198.183 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=12038 DF PROTO=TCP SPT=51960 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:49 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=216.232.43.200 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6429 DF PROTO=TCP SPT=51970 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:18:53 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=174.90.225.176 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=32562 DF PROTO=TCP SPT=51980 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:19:04 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=14.213.163.82 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6361 DF PROTO=TCP SPT=52013 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:19:10 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=70.81.17.100 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=28261 DF PROTO=TCP SPT=52029 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 22 21:19:12 jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00 SRC=10.201.1.109 DST=205.170.49.229 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=20761 DF PROTO=TCP SPT=52032 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
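The pattern in the log above (one internal host sending bare SYNs to dozens of unrelated public addresses on a single port within two minutes) is the thing worth detecting automatically rather than eyeballing. The script below is an added example, not code from anyone in this thread: it parses netfilter LOG lines in the exact layout the router printed, keeps only SYN-only attempts to public addresses, and flags any (source, destination port) pair that fans out to many distinct hosts inside a short window. The sample log is constructed to mirror the posted format (the first twelve destinations are taken from the thread, the benign lines are made up), and the thresholds, the assumed year for the year-less syslog timestamps, and the helper names are all my own choices.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Layout of the router's netfilter LOG lines, as posted in the thread:
#   "<Mon dd HH:MM:SS> <host> kernel: [<rule tag>]KEY=VAL ... FLAG ... URGP=0"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"\[(?P<tag>[^\]]+)\]\s*(?P<body>.*)$"
)
TCP_FLAG_TOKENS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}  # bare tokens netfilter prints per set flag


def parse_line(line, year=2017):
    """Parse one log line into a dict, or return None if it is not a LOG record.
    Syslog timestamps carry no year, so the year is an assumption passed in."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"host": m.group("host"), "tag": m.group("tag"), "flags": set()}
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for tok in m.group("body").split():
        if "=" in tok:                      # KEY=VAL fields (SRC, DST, PROTO, SPT, DPT, ...)
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAG_TOKENS:        # bare flag tokens; "DF" and friends are ignored
            rec["flags"].add(tok)
    return rec


def parse_log(text, year=2017):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def is_syn_only(rec):
    """True for a fresh TCP connection attempt (SYN set, ACK clear)."""
    return rec.get("PROTO") == "TCP" and rec["flags"] == {"SYN"}


def is_public(ip):
    return ipaddress.ip_address(ip).is_global


def fanout_by_source(records):
    """Group outbound SYNs to public addresses by (SRC, DPT); track distinct DSTs and time span."""
    groups = defaultdict(lambda: {"dsts": set(), "attempts": 0, "first": None, "last": None})
    for r in records:
        if "SRC" not in r or "DST" not in r or not is_syn_only(r) or not is_public(r["DST"]):
            continue
        g = groups[(r["SRC"], r.get("DPT"))]
        g["dsts"].add(r["DST"])
        g["attempts"] += 1
        g["first"] = r["ts"] if g["first"] is None else min(g["first"], r["ts"])
        g["last"] = r["ts"] if g["last"] is None else max(g["last"], r["ts"])
    return groups


def flag_fanout(records, min_distinct=10, max_window_s=300):
    """Flag (SRC, DPT) pairs that reach >= min_distinct distinct public hosts within
    max_window_s seconds. Both thresholds are assumptions; tune them to the network."""
    findings = []
    for (src, dpt), g in fanout_by_source(records).items():
        span = (g["last"] - g["first"]).total_seconds()
        if len(g["dsts"]) >= min_distinct and span <= max_window_s:
            findings.append({"src": src, "dpt": dpt, "distinct_dst": len(g["dsts"]),
                             "attempts": g["attempts"], "span_s": span})
    return sorted(findings, key=lambda f: f["distinct_dst"], reverse=True)


# --- constructed sample input, built to mirror the posted log format --------------------
PREFIX = "jjd kernel: [LAN_IN-4-D]IN=eth1 OUT=eth0 MAC=04:18:d6:83:59:16:90:b1:1c:8d:40:c5:08:00"


def make_line(ts, src, dst, spt, dpt, flags="SYN"):
    return (f"Feb 22 {ts} {PREFIX} SRC={src} DST={dst} LEN=52 TOS=0x00 PREC=0x00 TTL=127 "
            f"ID=1 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=8192 RES=0x00 {flags} URGP=0")


SCAN_HITS = [  # (time, destination) pairs taken from the first twelve records in the thread
    ("21:17:19", "151.181.186.225"), ("21:17:21", "28.59.249.207"), ("21:17:25", "125.109.3.234"),
    ("21:17:44", "160.47.87.151"), ("21:17:45", "197.137.31.64"), ("21:17:48", "124.34.197.111"),
    ("21:17:54", "105.63.177.145"), ("21:17:57", "181.154.98.132"), ("21:18:00", "13.153.158.116"),
    ("21:18:01", "210.76.23.175"), ("21:18:03", "116.55.46.147"), ("21:18:16", "158.32.147.37"),
]
SAMPLE_LOG = "\n".join(
    [make_line(t, "10.201.1.109", d, 51000 + i, 8080) for i, (t, d) in enumerate(SCAN_HITS)]
    + [
        make_line("21:17:30", "10.201.1.50", "93.184.216.16", 50001, 443),             # one normal HTTPS SYN
        make_line("21:17:31", "10.201.1.50", "93.184.216.16", 50001, 443, "ACK PSH"),  # established traffic, ignored
        make_line("21:17:40", "10.201.1.109", "10.201.1.1", 51999, 8080),              # private destination, ignored
        "Feb 22 21:17:41 jjd dhcpd: DHCPACK on 10.201.1.109 to 04:18:d6:83:59:16",    # not a LOG record, skipped
    ]
)

if __name__ == "__main__":
    for f in flag_fanout(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['distinct_dst']} distinct hosts on tcp/{f['dpt']} "
              f"({f['attempts']} SYNs in {f['span_s']:.0f}s)")
```

Run against the sample it reports 10.201.1.109 reaching 12 distinct hosts on tcp/8080 in 57 seconds, while the single HTTPS connection from the other host stays below threshold. Two design points: the ACK-bearing line is excluded on purpose, so that established sessions logged by the same rule do not inflate the count, and destinations are required to be public so that LAN chatter (DHCP, printers, file shares) cannot trigger a false positive. Keying on (SRC, DPT) rather than SRC alone is what separates "one host talking to a CDN on 443" from "one host probing the Internet on 8080".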
-
Looks like some kind of cloud storage like OneDrive, DropBox, Google Drive, etc. Check for those on the system.
-
Took a second look and saw owncloud.exe running. Maybe it's that. Look at disk activity to see what owncloud.exe is doing.
-
@Tim_G said in Excessive explorer process:
Took a second look and saw owncloud.exe running. Maybe it's that. Look at disk activity to see what owncloud.exe is doing.
No, this is completely abnormal. I ran the trial of Malwarebytes and it found something:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/22/17
Scan Time: 9:57 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1328
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 552632
Time Elapsed: 8 min, 14 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Fileless.MTGen, HKU\S-1-5-21-430385534-1291320160-1820699957-1150\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^ABQCQUZT, Quarantined, [452], [262350],1.0.1328

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Fileless.MTGen, C:\USERS\RON\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\877D.LNK, Quarantined, [452], [-1],0.0.0
Trojan.Fileless.MTGen, C:\USERS\RON\START MENU\PROGRAMS\STARTUP\877D.LNK, Quarantined, [452], [-1],0.0.0

Physical Sector: 0
(No malicious items detected)

(end)
-
@JaredBusch You think those "877D.lnk" shortcuts open some kind of connection that is using all those: akamai, amazonaws, and cloudfront connections?
That reminds me of when I look at network activity when Outlook or something Microsoft is having trouble connecting online, and I open that up to see what's going on... I see a ton of Akamai connections.
I would think Akamai and Amazon at the very least prevent malware from using their services. Must be something else.
But I wouldn't yet rule out a possibility of both... perhaps there is a legit reason for those cloud content delivery services such as OneDrive or something... plus, something going on with those links in the startup folder.
Don't you have something like ESET running to help protect systems?
-
Just saw you have Webroot running, ignore that part.
-
Nvm, answered my own question here.