New advertising malware?

Forgot to ask

Internet Explorer Version 11 (Default browser path: "C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtect64.exe" -url "%1")
Boot Mode: Normal
Does the above application startup on every boot, and is it also a security program?


That's Dell Protected Workspace. As far as I'm aware, it loads on boot.
 
There is an excessive number of toolbars; do you want or use all of these?

O2 - BHO: Invincea Web Redirector - {1C52FA7C-51B7-4621-9D5A-11101BA13134} - C:\Program Files (x86)\Invincea\Enterprise\InvRedirHostIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll
O2 - BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O3 - Toolbar: DocuCom PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll





Typically, these entries are infrequently used tasks that can be started manually if necessary.
Removing/disabling these items from startup will help with system resources.

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.


O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NetSetMan] "C:\Program Files (x86)\NetSetMan\netsetman.exe" -h
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"

Typically, the below entries are infrequently used tasks that can be started manually, if necessary.

O4 - HKLM\..\Run: [PDF7 Registry Controller] C:\Program Files (x86)\Nuance\PDF Professional 7\RegistryController.exe
O4 - HKLM\..\Run: [PDFProHook] C:\Program Files (x86)\Nuance\PDF Professional 7\pdfpro7hook.exe

Reboot the computer to set the registry.


This might be the last file associated with Reimage:
C:\Windows\Reimage.ini


After you reboot the computer tell me what issues remain.
 
> There is an excessive number of toolbars; do you want or use all of these?
>
> O2 - BHO: Invincea Web Redirector - {1C52FA7C-51B7-4621-9D5A-11101BA13134} - C:\Program Files (x86)\Invincea\Enterprise\InvRedirHostIE.dll
> O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
> O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll
> O2 - BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
> O2 - BHO: ZeonIEEventHelper Class - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll
> O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
> O3 - Toolbar: Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
> O3 - Toolbar: DocuCom PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files (x86)\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll


I didn't even know I had those toolbars. They're gone now. I did keep NetSetMan and SlySoft; both are licensed packages that I've used for a long time on several computers.

But, I still have my rogue Iexplore processes...
 

Attachments: Capture03.JPG
From the photo:

www.rtl.be/belrtl/
Bel RTL Radio? For your iPhone?

As an experiment, disconnect Bluetooth devices:
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe

I don't know why you have more than one IE process running, but it's not pointing to malware.
 
> From the photo:
>
> www.rtl.be/belrtl/
> Bel RTL Radio? For your iPhone?
>
> As an experiment, disconnect Bluetooth devices:
> (Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
> (Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
> (Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
>
> I don't know why you have more than one IE process running, but it's not pointing to malware.


My phone is Android. My son and granddaughters have iPhones, but they don't use any of my computers. The way these processes run, after they get started (usually within a minute or two of starting a web browser) the web address changes about once every 2 seconds. After a while, they settle on one address and stay there. After I kill the processes, it takes between 15 minutes and 3 hours, and they're back.

The Bluetooth is 'out of the box'; I never set up Bluetooth after getting the laptop. Do I need to disable the connection, or kill the processes in Task Manager?
 
> The way these processes run, after they get started (usually within a minute or two of starting a web browser) the web address changes about once every 2 seconds. After a while, they settle on one address and stay there. After I kill the processes, it takes between 15 minutes and 3 hours, and they're back.

The attached files are a sample of how these processes work. This forum had a database connection problem earlier, which gave me a good opportunity to catch a couple of screen captures. I couldn't catch each one because they were happening too quickly. But the screen captures, starting with 04, show how this progresses. I can only attach 5 per post, so I will continue with the next message.
 

Attachments: Capture04.JPG, Capture05.JPG, Capture06.JPG, Capture07.JPG, Capture08.JPG
> I can only attach 5 per post, so I will continue with the next message.

Notice with this set of captures, I end up with 3 pages open, and 4 processes running. It started with 1 page and 3 processes, then went to 2 pages and 3 processes, and now I have 3 pages and 4 processes.
 

Attachments: Capture09.JPG, Capture10.JPG, Capture11.JPG
It's like cookies running after you close a page?

Clear Browser Cache in IE11
  • Close all Internet Explorer and Windows Explorer windows that are currently open.
  • Open Internet Explorer.
  • Click the Tools button, then select the General tab, then under Browsing history select the Delete button.
  • Select the check box next to each of the following categories:
    • Temporary Internet files and website files
    • Cookies and website data
    • History
  • Click Delete.

~~~~~

Add-ons - Enable or Disable Add-On Manager
http://www.sevenforums.com/tutorials/86771-internet-explorer-add-ons-enable-disable-add-manager.html


See if a browser add-on is preventing the additional IE processes from closing.
Start Internet Explorer without add-ons by right-clicking the IE icon on the desktop and choosing Start without add-ons,
or
from Start > Programs > Accessories > System Tools > Internet Explorer (No Add-ons).
If the problem goes away, an add-on is causing it.

Since version 8, Internet Explorer uses a tab-per-process model. That means there is an "iexplore.exe" for the user interface, and then each tab you have open is another "iexplore.exe". This is done for security reasons and increases the stability of the browser.


http://answers.microsoft.com/en-us/...-manager/a1bea766-a499-4ba5-b485-e0277ec4b08b


~~~~~

Also please download Windows Repair (all in one) from here

Install the program, then go to Step 4 and create a new system restore point and a new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button.

NEXT
On the Start Repairs tab, click Start.

Please ensure that ONLY the items seen in the image are ticked as indicated (they're all checked by default).

Click on the box next to Restart System when Finished. Then click on Start.
 
> It's like cookies running after you close a page?

I don't think so... all I need to do is open Firefox and wait. IExplore magically appears in the process list. Internet Explorer is *not* running, but task manager says it is. It's not available on the task bar, and I can't Alt-Tab to it. It's not running, it isn't there. That's how I found this rogue process - I don't use Internet Explorer. For anything. Ever. Period. If I could uninstall it, I would, but Redmond Washington has different ideas about that.

When these rogue processes are running, I can open Internet Explorer, and I see the page that I'm navigating to in the task list along with the rogue processes. I can close the instance of Internet Explorer that I opened, and the processes associated with it drop out of the task list. But the rogue processes continue.

Think of it as a case of identity theft. This process has stolen Internet Explorer's credentials, and is presenting them to Task Manager.
 
Let's see if we can remove the IE plugin in Firefox and see if it makes a difference. If it's there.


Disable Firefox plug-in
  • At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP), and then click Add-ons. The Add-ons Manager tab will open.
  • In the Add-ons Manager tab, select the Extensions or Appearance panel.
  • Select the add-on Internet Explorer
  • Click the Disable button.
  • Click Restart now if it pops up. Your tabs will be saved and restored after the restart.





IE is an integral part of Windows (used by Core Windows services such as Windows Update). If the machine appears clean, it's unlikely caused by malware.


I would like to check the MD5s of each copy of iexplore.exe.


http://windows.microsoft.com/en-us/...-safe-mode#start-computer-safe-mode=windows-7
Instructions for booting your computer into Safe Mode, if needed.


Open FRST.

Click the Search button and post the log (Search.txt) it makes in your reply.
Please copy and paste this in the search box:

iexplore.exe

After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Search.txt). Please post it in your reply.
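The two things asked for in this thread, the tab-per-process layout (one frame iexplore.exe with a child iexplore.exe per tab) and the MD5 of each running copy, can be checked live from PowerShell rather than by eye in Task Manager. The script below is an added example and not something posted in this thread; it assumes Windows PowerShell 4.0 or later (for Get-CimInstance, Get-FileHash and Get-AuthenticodeSignature) and an elevated prompt so that every process's image path is readable. The function name Get-IexploreProcessReport is mine.

```powershell
# Added example, not code posted in this thread. Assumes Windows PowerShell 4.0
# or later and an elevated prompt (ExecutablePath is empty for processes the
# caller cannot open).

function Get-IexploreProcessReport {
    [CmdletBinding()]
    param(
        # Image name to look for; iexplore.exe is the case from the thread.
        [string]$ProcessName = 'iexplore.exe'
    )

    # Win32_Process carries ParentProcessId and ExecutablePath; Get-Process
    # alone does not expose the parent, and the parent is what tells an IE
    # frame process apart from a tab process, or from another program that
    # started IE (the poster saw one instance whose parent was Firefox).
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $_.Name -ieq $ProcessName })) {
        $parent     = $byPid[[int]$proc.ParentProcessId]
        $path       = $proc.ExecutablePath
        $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }

        # Hash and Authenticode status of the image on disk: the same check the
        # helper asked for via FRST's MD5 column. A tab process should share the
        # image of its frame process, and both should be Microsoft-signed.
        $md5 = $null; $sigStatus = 'n/a'; $signer = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $md5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Pid          = [int]$proc.ProcessId
            ParentPid    = [int]$proc.ParentProcessId
            ParentName   = $parentName
            Path         = $path
            CommandLine  = $proc.CommandLine
            MD5          = $md5
            SignerStatus = $sigStatus
            Signer       = $signer
        }
    }
}

# Usage: list every running iexplore.exe, sorted so that processes sharing a
# parent (the normal tab-per-process layout) sit next to each other.
Get-IexploreProcessReport | Sort-Object ParentPid, Pid | Format-List
```

Read the output the way the helper reads the FRST log: every entry should have SignerStatus Valid, a Microsoft signer, an MD5 that matches the Program Files copy, and a ParentName of either explorer.exe (the frame) or iexplore.exe (a tab). An instance whose parent is a different program, or whose path is outside Program Files, is the one worth saving from Process Explorer as asked below.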
 
Process Explorer
  • Please download Process Explorer and save the file to your Desktop.
  • Right-click ProcessExplorer.zip and click Extract All. Click Extract.
  • Open the ProcessExplorer folder on your Desktop, right-click procexp.exe and click Run as administrator to run the programme.
  • Click View DLLs.
  • If any of the following processes are highlighted in blue, click the process.
    Click File, Save As, and save the file in the same folder. Do so for each highlighted process.
    • Internet Explorer
  • Attach the file(s) in your next reply.
 
> Let's see if we can remove the IE plugin in Firefox and see if it makes a difference. If it's there.

There was no IE plugin. I'll have to run Process Explorer tomorrow. Here are the results of the search:


Farbar Recovery Scan Tool (x64) Version: 25-02-2015 01
Ran by Henry at 2015-02-28 20:22:28
Running from C:\Users\Henry\Desktop
Boot Mode: Safe Mode (minimal)

================== Search Files: "iexplore.exe" =============

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1beb53526fc80c8d\iexplore.exe
[2010-11-20 22:25][2010-11-20 22:25] 0673040 ____A (Microsoft Corporation) C613E69C3B191BB02C7A191741A1D024 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_854dedf9f74389b0\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17501_none_8555ea97f73dee78\iexplore.exe
[2014-12-09 18:23][2014-11-26 20:10] 0815280 ____A (Microsoft Corporation) A24BFBAE8B50A6780B68FF3673FAB52F [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17420_none_8562d1dff733eb94\iexplore.exe
[2014-11-11 19:51][2014-11-07 14:23] 0815280 ____A (Microsoft Corporation) 591C6FD1541BAFAEEE82B1F5831C8532 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17358_none_856fec69f729e8b0\iexplore.exe
[2014-11-01 10:56][2014-10-06 21:04] 0812736 ____A (Microsoft Corporation) F9F310F9FB7F294F00ABDD03453D8CEE [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17239_none_8578a4f9f723b3b2\iexplore.exe
[2014-11-01 10:55][2014-07-31 18:16] 0812224 ____A (Microsoft Corporation) CDF01A5C7927786A708EAEE91F14797B [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17207_none_8575d1abf726346b\iexplore.exe
[2014-10-26 18:27][2014-10-26 18:27] 0812216 ____A (Microsoft Corporation) CD900EFB4F8946A2BB1950D9F45915C2 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17041_none_858ffb5bf711c81f\iexplore.exe
[2014-10-26 18:27][2014-10-26 18:27] 0811728 ____A (Microsoft Corporation) 0667ED9F8E905E1F73DB60ACCEDCBCA7 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_856219b9f734bb75\iexplore.exe
[2014-10-26 18:17][2014-10-26 18:17] 0806096 ____A (Microsoft Corporation) C8A8321292A459B0A17FB39A782A5C74 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1196a9003b674a92\iexplore.exe
[2010-11-20 22:24][2010-11-20 22:24] 0695056 ____A (Microsoft Corporation) 86257731DDB311FBC283534CC0091634 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_7af943a7c2e2c7b5\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17501_none_7b014045c2dd2c7d\iexplore.exe
[2014-12-09 18:23][2014-11-26 20:43] 0813744 ____A (Microsoft Corporation) 2A9DA9E7462EBA3F6D2036E8D18FF773 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17420_none_7b0e278dc2d32999\iexplore.exe
[2014-11-11 19:51][2014-11-07 14:49] 0813744 ____A (Microsoft Corporation) F00FC8AF1B04C4611F92BC3DA01A2F49 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17358_none_7b1b4217c2c926b5\iexplore.exe
[2014-11-01 10:56][2014-10-06 21:54] 0810680 ____A (Microsoft Corporation) 6B9FDB34A5A490FF6A7EDE280062626A [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17239_none_7b23faa7c2c2f1b7\iexplore.exe
[2014-11-01 10:55][2014-07-31 18:41] 0810176 ____A (Microsoft Corporation) 31A7689F580F37B52F65B9653F8916D4 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17207_none_7b212759c2c57270\iexplore.exe
[2014-10-26 18:27][2014-10-26 18:27] 0810160 ____A (Microsoft Corporation) 24868C9D422EDB5B249C0C81B01A0C19 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17041_none_7b3b5109c2b10624\iexplore.exe
[2014-10-26 18:27][2014-10-26 18:27] 0809680 ____A (Microsoft Corporation) EA8386CA87165460D39A1D29FF11080B [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe
[2014-10-26 18:17][2014-10-26 18:17] 0804560 ____A (Microsoft Corporation) 0685765C0CBE095BA0C6C8790BAE21EF [File is signed]

C:\Windows\erdnt\cache86\iexplore.exe
[2015-02-25 09:11][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\iexplore.exe
[2015-01-03 09:26][2014-11-21 06:12] 0761656 ____A (MalwareBytes) 625BB08813743947985B0DEEFC35ED12 [File is signed]

C:\Program Files (x86)\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Program Files\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

====== End Of Search ======
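The helper's verdict on the Search.txt above ("It's all legit") rests on three things that can be read off each entry: the file is signed, the company is the one you expect, and the two live copies under Program Files carry the same MD5 as a servicing copy in WinSxS (363BC25B... matches the wow64 11.2.9600.17633 entry and 2D4AB594... the amd64 one). The script below is an added example, not code from the thread or from FRST's authors; it parses the two-line FRST search format and flags entries that fail any of those checks. The sample text is an excerpt of the log posted above; the function names ConvertFrom-FrstSearch and Test-FrstSearchEntries are mine. Point -Text at your own Search.txt contents to run it on a real log.

```powershell
# Added example, not code from this thread. Parses FRST "Search Files" output
# (a path line followed by a "[created][modified] size attrs (Company) MD5
# [File is signed]" line) and flags entries that need a second look.

# Excerpt of the Search.txt posted in this thread (five of its entries).
$SampleSearchTxt = @'
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_854dedf9f74389b0\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_7af943a7c2e2c7b5\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\iexplore.exe
[2015-01-03 09:26][2014-11-21 06:12] 0761656 ____A (MalwareBytes) 625BB08813743947985B0DEEFC35ED12 [File is signed]

C:\Program Files (x86)\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Program Files\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]
'@

function ConvertFrom-FrstSearch {
    param([Parameter(Mandatory)][string]$Text)
    $lines  = $Text -split "`r?`n"
    # Detail line: [created][modified] size attributes (Company) MD5 [File is signed]
    $detail = '^\[(?<created>[^\]]+)\]\[(?<modified>[^\]]+)\]\s+(?<size>\d+)\s+(?<attr>\S+)\s+\((?<company>[^)]*)\)\s+(?<md5>[0-9A-Fa-f]{32})\s*(?<signed>\[File is signed\])?'
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^[A-Za-z]:\\' -and $lines[$i + 1] -match $detail) {
            [pscustomobject]@{
                Path     = $lines[$i].Trim()
                Company  = $Matches.company
                Size     = [int]$Matches.size
                MD5      = $Matches.md5.ToUpper()
                # The optional group is absent from $Matches when the tag is missing.
                Signed   = [bool]$Matches.signed
                InWinSxS = ($lines[$i] -like '*\winsxs\*')
            }
            $i++   # the detail line has been consumed
        }
    }
}

function Test-FrstSearchEntries {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [string[]]$TrustedCompany = @('Microsoft Corporation')
    )
    # Hashes of the servicing copies; a live copy should match one of them.
    $sxsHashes = @($Entries | Where-Object InWinSxS | ForEach-Object MD5)
    foreach ($e in $Entries) {
        $flags = @()
        if (-not $e.Signed)                                   { $flags += 'unsigned' }
        if ($e.Company -notin $TrustedCompany)                { $flags += "vendor '$($e.Company)'" }
        if (-not $e.InWinSxS -and $e.MD5 -notin $sxsHashes)   { $flags += 'no matching WinSxS copy' }
        [pscustomobject]@{ Path = $e.Path; MD5 = $e.MD5; Flags = ($flags -join '; ') }
    }
}

# Usage on the excerpt above; substitute (Get-Content .\Search.txt -Raw) for a real log.
Test-FrstSearchEntries -Entries (ConvertFrom-FrstSearch -Text $SampleSearchTxt) |
    Format-Table -AutoSize -Wrap
```

On the excerpt, the two Program Files copies come out with no flags because their hashes match a WinSxS entry, and the Malwarebytes Chameleon copy is flagged for its vendor and for having no WinSxS twin. The helper in this thread judged that copy legitimate, so treat the Flags column as a list of entries to review, not as a verdict.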
 
> Process Explorer
>   • Please download Process Explorer and save the file to your Desktop.
>   • Right-click ProcessExplorer.zip and click Extract All. Click Extract.
>   • Open the ProcessExplorer folder on your Desktop, right-click procexp.exe and click Run as administrator to run the programme.
>   • Click View DLLs.
>   • If any of the following processes are highlighted in blue, click the process.
>     Click File, Save As, and save the file in the same folder. Do so for each highlighted process.
>     • Internet Explorer
>   • Attach the file(s) in your next reply.

I didn't have a 'View DLLs' option, but there was an option to show a lower pane. I used that. There were 3 instances of iexplore running. 1 appeared to be a subprocess of Firefox (that's the '1a.txt' file), 1 appeared to be a main Internet Explorer process ('2a.txt' file) and 1 appeared to be a subprocess of Internet Explorer ('3a.txt' file).
 

It's all legit.

I had another colleague step in and look over the logs, and their remarks are the same as mine: the machine appears clean; it's unlikely caused by malware.

I cannot explain why all the IE processes are loading now when they didn't use to.

Use the computer for a while and let's see if any alerts or error messages come up.

Let's remove tools and quarantine folders.


DelFix

  • Please download DelFix, or from here http://www.bleepingcomputer.com/download/delfix/, and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Reset system settings
  • Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + Delete).
 
> It's all legit.
>
> I had another colleague step in and look over the logs, and their remarks are the same as mine: the machine appears clean; it's unlikely caused by malware.
>
> I cannot explain why all the IE processes are loading now when they didn't use to.
>
> Use the computer for a while and let's see if any alerts or error messages come up.


I don't have any alerts or error messages, but I still have the rogue processes coming up occasionally. I was checking a few other forums, and I found one that described almost exactly what's happening here. The only differences are that I don't have the volume turned on, so I don't know if any audio is being downloaded, and I don't know if Google searches are redirecting, because Firefox now uses Yahoo. Here's the link to the forum message I'm referring to:

http://www.techspot.com/community/t...-exe-in-task-manager-unable-to-remove.174094/
 
I know the tech that helped in that topic. His name is Broni, a very dedicated, hard-working guy. He has helped many people.

One thing I picked up on is that this topic was started Dec 1, 2011.

This user was alerted to "Service (*** hidden ***) [DISABLED] USBSTOR <-- ROOTKIT !!!", which you didn't have; rather, your machine had malware.

The only tool listed in that topic we haven't used is GMER. Other rootkit scans were run, but nothing was identified.

GMER
  • Please download GMER and save the file to your Desktop.
  • Right-click the randomly named GMER file and select Run as administrator to run the programme.
  • Note: If asked to allow the gmer.sys driver to load, please consent.
  • Important: If you receive a warning regarding Rootkit Activity, click NO.
  • You will see the following window:

  • Referring to the image above, please ensure the following boxes are unchecked.
    • IAT/EAT
    • Drives/Partitions other than Systemdrive (typically C:\)
    • Show All (Important!)
  • Click Scan.
  • Upon completion, click [Save ...], and name the file, Gmer.txt.
  • Save the file (GMER.txt) to a convenient location (eg. Desktop). Copy the contents of the log and paste in your next reply.
Important Note: Rootkit scans often produce false-positives. Do NOT take any action on, "<--- ROOTKIT" entries.


------------------------------------

If you would like to change Firefox search engine to Google, please read the below link.

https://support.google.com/websearch/answer/464?hl=en
 
Also, please don't run FixTDSS.exe from Symantec/Norton. A great many machines became unbootable after running that tool.
 
I ran GMER, but I can't get the log file to you. The file is over 44K in length, which exceeds the 20,000 character length for the message. The upload manager is taking forever to upload it, like more than 10 minutes so far. I'll have to split it tomorrow and post it in several messages.
 