browser menu extension trying to export to excel



PuterUser
2008-12-10, 19:33
Hello,

First time on your forum so not sure I'm even in the right place. Spybot has been so effective, have not had to inquire until now. Have a laptop with Vista Home Premium with an Intel dual core. Ever since someone was viewing a news website (abs-cbn.com), have been having random recurring problems of the following. It also affected the local area connection to where the computer does not automatically connect to the internet when starting up the computer.

At random times, Spybot TeaTimer catches the following. Once, due to whatever it was repeatedly slamming the computer and wouldn't stop, I think I may have clicked "ok" on the system32\igfxpers.exe instead of "deny" on one of the pop ups just to get it to stop. They were about the following topics.

Browser menu extension System32\igfxpers.exe which some anti-virus sites say is associated with Intel graphics cards

Winlogon notifiers avgwintf

Winlogon notifiers WebCheck

There would also be a number of pop ups referring to registry keys that were unclear as to what they were.

And also another that referred to a browser extension and wanting permission to "download to excel" which is what really concerned me.

After running Spybot, Ad-Aware SE and Norton's and finding nothing, I found and downloaded GMER rootkit and set catchme.exe in the startup menu. At first it listed four 4 number hidden processes, but in the scan, nothing negative would show up, then I would run it again and then all would be listed as nothing present. When I run gmer.exe all I get is the following which comments I find are ok.

Attached device:\Diver\kbdclass\Device\KeyboardClass0\Diver\kbdclass\Device\KeyboardClass1Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

What is concerning is that at random, maybe days apart (it has gone a week or more since the last one) when nothing is being done on the computer (but connected to the internet), TeaTimer all of a sudden goes into a flurry with multiple requests like the above. And, today, per comments on the GMER site, I tried to run both the catchme.exe as well as gmer.exe when whatever it was was triggering the TeaTimer, and neither would run. GMER commented that some of the rootkits try to disable GMER and to rename the files and then run them. I did so and they both ran under different file names, but again, nothing other than the kbdclass notes above showed up under "rootkit". There are 2 external keyboards connected to this laptop.

Do you know of anything that would behave this way, and worse, try to initiate a browser helper to "download to excel"??? Usually there is nothing being done or websites open when these TeaTimer events suddenly start to happen.

Thanks!
PuterUser