MrBill
Lieutenant
 Premium Member
 Joined: Apr 05, 2003 Posts: 218 Location: USA
Posted: Sun Nov 12, 2006 12:59 am Post subject: Does this look like a spybot?
I have a question about identification of spyware. Specifically, I see a pattern of behavior on my PC that seems odd, and I want to know if anyone is aware of a malware item that acts this way. More specifically:
I observe a "hidden" instance of iexplore. I can see it in Task Manager, but it doesn't display a window. However, it appears to have a "window title", sometimes "AutoSuggest Drop-Down" and sometimes "SysFader". I can kill it with Task Manager, but it comes back within a few minutes. For a while, it seems innocuous, but then it starts interacting with Kaspersky antivirus on-access scanning, such that between the two of them 100% CPU is consumed. If I kill the iexplore process, instantly the CPU drops to normal levels.
Does this ring a bell? Where else should I post this, if this isn't the right place?

-- Bill
mrsugg
Special Response Team Premium Member
 Joined: Aug 15, 2006 Posts: 2758 Location: Somewhere, over the rainbow...
Posted: Sun Nov 12, 2006 1:12 am
Hi Mr. Bill,
Where is it running from? It should be ../Program Files/Internet Explorer/iexplore. If it isn't then it is likely malware and I suggest that you work through the Malware Removal and Prevention procedure. This procedure has been designed to enable you to partially or even fully rid your computer of viruses, trojans, adware, and spyware. Be sure to carefully follow the directions in order to achieve the best results. If you have any questions about any of the steps, then please post a new topic in the appropriate forum. There are links to them along the way. If you still need help when you finish, please read these directions for posting a topic in the HijackThis forum and a trained 1st responder or security expert will assist you.

"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness." -- Thomas Jefferson
MrBill
Lieutenant
 Premium Member
 Joined: Apr 05, 2003 Posts: 218 Location: USA
Posted: Sun Nov 12, 2006 1:22 am Post subject: yes...
It appears to be running from the proper place. I attempted to disable iexplore by renaming it, but Windows is just too smart for me - it replaced it with a new copy. Even though it is probably a real iexplore, I suspect it's being remote controlled somehow. I didn't want to start the malware removal process unless it really was, though - and hoped someone would recognize the fingerprint.
mrsugg
Special Response Team Premium Member
 Joined: Aug 15, 2006 Posts: 2758 Location: Somewhere, over the rainbow...
Posted: Sun Nov 12, 2006 1:34 am
What is your OS configuration? What software?
Also could you look in your system event and application event logs and see if there are any red X events?
Wynne-R
Major

 Joined: Jul 30, 2005 Posts: 1411 Location: Texas
Posted: Sun Nov 12, 2006 1:35 am
If you close the browser, is it still there? Have you tried it with Firefox or Opera?
It sounds normal to me, except for Kaspersky fighting with IE. It could be a BHO or activex associated with IE, which could still be malware.
— Wynn
mrsugg
Special Response Team Premium Member
 Joined: Aug 15, 2006 Posts: 2758 Location: Somewhere, over the rainbow...
Posted: Sun Nov 12, 2006 1:50 am
I found this information for you.
sysfader.exe is a process belonging to the NVidia Graphics device range and is bundled alongside these products. This is a non-critical system process although it should not be terminated unless suspected of causing problems.
Do you have something called "Auto Suggest" on your computer? If so, then the drop-down is part of that program.
Hope this is helpful.
mrsugg
Special Response Team Premium Member
 Joined: Aug 15, 2006 Posts: 2758 Location: Somewhere, over the rainbow...
Posted: Sun Nov 12, 2006 1:57 am
MrBill,
I have consulted with my references and "iexplore" should not be hidden. Please start on the MRP as suggested above and post back if you have any questions.
Let us know how things go.
MrBill
Lieutenant
 Premium Member
 Joined: Apr 05, 2003 Posts: 218 Location: USA
Posted: Sun Nov 12, 2006 6:22 am
Quote: "If you close the browser, is it still there?"

This is with no (visible) browser running. I just changed to Firefox as my default browser to see if that made a difference, but it didn't. I kill the iexplore process, and it comes right back a couple of minutes later.
MrBill
Lieutenant
 Premium Member
 Joined: Apr 05, 2003 Posts: 218 Location: USA
Posted: Sun Nov 12, 2006 6:28 am
SysFader is disabled on my PC, and I don't have anything called "AutoSuggest" (that I know of). I think these are bogus titles designed to mislead. I will be going through the cleaning process over the next couple of days.
Really disappointing - I run multiple layers of protection, including four different spyware scanners, hardware and software firewalls, etc. Getting an infection like this is an embarrassment.
Wynne-R
Major

 Joined: Jul 30, 2005 Posts: 1411 Location: Texas
Posted: Sun Nov 12, 2006 6:34 am
Ohh! Scary.
Just to clarify - You said you changed the default. Is Internet Explorer closed when you see this process?
— Wynn
MrBill
Lieutenant
 Premium Member
 Joined: Apr 05, 2003 Posts: 218 Location: USA
Posted: Sun Nov 12, 2006 5:27 pm
Right. No visible Internet Explorer window.
mrsugg
Special Response Team Premium Member
 Joined: Aug 15, 2006 Posts: 2758 Location: Somewhere, over the rainbow...
Posted: Sun Nov 12, 2006 5:47 pm
Nothing to be embarrassed about MrBill. Those scumbags that write the programming for these malware are very talented. There is no such thing as a 100% secure computer.
Let us know how the MRP goes and if you have any questions.
YounGun
1st Responder Site Moderator
 Joined: Dec 11, 2004 Posts: 4329
Posted: Tue Nov 14, 2006 9:51 pm
There are several threats that use iexplore.exe or iexplorer.exe as filename.
The MRP and the HijackThis log will certainly tell the tale.

IT Stuff
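The checks the thread walks through by hand (mrsugg: where is iexplore.exe really running from; Wynne-R: is a BHO or ActiveX control riding inside IE; YounGun: malware that simply borrows the iexplore.exe or iexplorer.exe file name; and MrBill's observation that the process returns minutes after being killed) can be scripted. The following is an added example written for this page, not code from the thread or from any of the tools it mentions. It assumes Windows PowerShell 5.1 or later (for Get-CimInstance and Get-AuthenticodeSignature) and an elevated prompt for the process-start watcher; the function names, the $Name parameter and the log file path are this example's own choices.

```powershell
# Added triage script, not from the thread. Assumes Windows PowerShell 5.1+
# and an elevated prompt for Watch-ProcessStart (Win32_ProcessStartTrace).
# Function names, $Name and the log path are this example's own.

# Where a genuine iexplore.exe lives; anything else using that name is suspect.
$roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$expected = $roots | ForEach-Object { (Join-Path $_ 'Internet Explorer\iexplore.exe').ToLowerInvariant() }

function Get-SuspectProcess {
    param([string]$Name = 'iexplore')
    # WQL LIKE 'iexplore%' also catches look-alike names such as iexplorer.exe.
    # Win32_Process exposes the on-disk path, parent PID and command line that
    # Task Manager does not show; a window title alone proves nothing.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name LIKE '$Name%'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $path   = $p.ExecutablePath
        $sig    = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature $path } else { $null }
        [pscustomobject]@{
            PID          = $p.ProcessId
            Path         = $path
            PathExpected = [bool]($path -and ($expected -contains $path.ToLowerInvariant()))
            SigStatus    = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            ParentPID    = $p.ParentProcessId
            Parent       = if ($parent) { $parent.Name } else { '(exited)' }   # PID reuse can mislead; see watcher
            WindowTitle  = (Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).MainWindowTitle
            CommandLine  = $p.CommandLine
        }
    }
}

function Get-BrowserHelperObject {
    # BHOs are DLLs that IE loads into every iexplore.exe. Each is registered by
    # CLSID under the Browser Helper Objects key; the CLSID's InProcServer32 value
    # names the DLL. A real iexplore.exe doing odd things is often a BHO at work.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    foreach ($key in ($bhoKeys | Where-Object { Test-Path $_ })) {
        foreach ($bho in Get-ChildItem $key) {
            $clsid = $bho.PSChildName
            $dll   = $null
            foreach ($root in $clsidRoots) {
                $ip = Join-Path $root "$clsid\InProcServer32"
                if (Test-Path $ip) { $dll = (Get-ItemProperty $ip).'(default)'; break }
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $sig = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature $dll } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                SigStatus = if ($sig) { $sig.Status } else { 'NoFile' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    }
}

function Watch-ProcessStart {
    param([string]$Name = 'iexplore.exe')
    # The process in the thread is killed and returns minutes later. Catching it at
    # creation records the parent before that parent can exit or its PID be reused.
    Register-CimIndicationEvent -SourceIdentifier 'SuspectStart' `
        -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$Name'" `
        -Action {
            $e      = $Event.SourceEventArgs.NewEvent
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
            "$(Get-Date -Format s) $($e.ProcessName) pid=$($e.ProcessID) parent=$($e.ParentProcessID) ($($parent.Name)) $($parent.CommandLine)" |
                Add-Content "$env:TEMP\suspect-start.log"
        } | Out-Null
}

# Usage:
Get-SuspectProcess | Format-List
Get-BrowserHelperObject | Format-Table -AutoSize
Watch-ProcessStart   # later: Get-Content "$env:TEMP\suspect-start.log"; Unregister-Event SuspectStart
```

What to look for in the output: a PathExpected of False, a SigStatus other than Valid, or a signer other than Microsoft on the iexplore.exe row points at a file-name impostor (YounGun's case); a genuine, validly signed iexplore.exe with an unsigned or unknown BHO DLL points at Wynne-R's case; and the watcher log answers the question the thread never settles, namely which process keeps re-launching it. On a 32-bit system the WOW6432Node keys and ProgramFiles(x86) root simply do not exist and are skipped.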