Hello,
I really need your help! I have a virus or malware of some sort on my system that I cannot get rid of and was wondering if you could help me remove it? Or direct me to a proper forum for some help?
I was on Southwest Airlines web site (www.southwest.com) last Friday when my system slowed down and I noticed Java loading in the system tray, which I don't recall seeing when on this site in the past. Then Internet Explorer was shut down. I then noticed that the Task Manager buttons were disabled so I could not start the Task Manager. Every time I reboot my computer now there is an iexplore.exe process running in the background. If I kill it, it will restart after a minute or two. In addition, when I try to go to different web sites, Internet Explorer will randomly redirect me to other sites. It will also pop up ads occasionally. This iexplore.exe background process will normally continue to eat up memory until it finally causes it to crash.
At one point after rebooting, only a few of my services would start? After doing some investigating I realized that the SVCHOST.EXE program was deleted. I restored it from another computer and then they started fine. This hasn't happened again.
I occasionally notice that winword.exe is also running in the background after rebooting, even though Word and Outlook are not running. However, this happens much less frequently than iexplore.exe showing up in the background.
Not sure if this is of any help or not, but a file was created in c:\windows\system32 when I noticed this stuff happening called d3d9caps.dat.
If I boot under Safe Mode, iexplore does not show up in the background. However, if I boot up under Safe Mode with Networking, then it does launch in the background. So this eliminates a lot of the various programs that get launched at boot time from being the culprit, since it happens when booting into Safe Mode with Networking.
The program Process Explorer shows that iexplore.exe (when running in the background) is being launched by Explorer.exe. If I kill the Explorer.exe process, then iexplore.exe does not get launched in the background, which confirms it is being launched by Explorer.exe. One thing I noticed is that after killing the Explorer.exe process, it does not get restarted automatically, which I seem to remember it doing in the past? The malware may be doing this to prevent it from being killed by simply restarting Explorer.exe?
I am running Windows XP Pro (Service Pack 3).
For anti-virus software I am running Symantec Endpoint Protection Version 11.
Here is a list of the services that are running under Safe Mode with Networking and not under Safe Mode:
Computer Browser
DHCP Client
DNS Client
Messenger
Net Logon
Network Connections
Server
TCP/IP Net Bios Helper
Terminal Services
Windows Firewall/Internet Connection Sharing (ICS)
Wireless Zero Configuration
Workstation
I disabled all of these services a few at a time and the only one that made a difference was the DHCP Client.
If I disable the DHCP Client service then iexplore does not get launched in the background. As soon as I enable DHCP Client then it gets launched. Not sure if my DHCP Client service got hijacked or if the malware does not try to do anything if an internet connection cannot be established?
I installed Malwarebytes and ran the various scans.
Here is the Malwarebytes Quick Scan log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8092
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/5/2011 1:51:12 PM
mbam-log-2011-11-05 (13-51-12).txt
Scan type: Quick scan
Objects scanned: 301177
Time elapsed: 14 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cl.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Temp\mgkpyeoriquvgj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Here is the Malwarebytes Flash Scan log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8092
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/5/2011 2:04:26 PM
mbam-log-2011-11-05 (14-04-26).txt
Scan type: Flash scan
Objects scanned: 246983
Time elapsed: 2 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the Malwarebytes Full Scan log:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8092
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/5/2011 3:50:42 PM
mbam-log-2011-11-05 (15-50-42).txt
Scan type: Full scan (C:\|)
Objects scanned: 419013
Time elapsed: 1 hour(s), 41 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{b5900582-1901-4f7e-bafe-8feb08721d95}\RP2722\A0477191.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Here is the latest Malwarebytes Protection log:
01:47:35 don MESSAGE Scheduled update executed successfully
01:47:36 don MESSAGE IP Protection stopped
01:48:48 don MESSAGE Database updated successfully
01:48:52 don MESSAGE IP Protection started successfully
07:56:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:56:55 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:57:01 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:49 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:52 don IP-BLOCK 64.120.141.165 (Type: outgoing)
07:58:58 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:48 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:51 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:00:57 don IP-BLOCK 64.120.141.165 (Type: outgoing)
08:10:14 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:17 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:23 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:34 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:37 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:43 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:55 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:10:58 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:11:04 don IP-BLOCK 86.55.210.83 (Type: outgoing)
08:12:12 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:15 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:21 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:32 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:35 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:12:41 don IP-BLOCK 208.73.210.29 (Type: outgoing)
08:34:24 don MESSAGE Protection started successfully
08:34:43 don MESSAGE IP Protection started successfully
08:48:22 don IP-BLOCK 206.161.121.100 (Type: outgoing)
08:48:25 don IP-BLOCK 206.161.121.100 (Type: outgoing)
09:08:05 don MESSAGE Protection started successfully
09:08:14 don MESSAGE IP Protection started successfully
09:20:06 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:09 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:20:15 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:22:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:05 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:08 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:24:14 don IP-BLOCK 64.120.141.165 (Type: outgoing)
09:33:34 don MESSAGE Protection started successfully
09:33:38 don MESSAGE IP Protection started successfully
After having Malwarebytes correct the errors it found, I still have the same problem with iexplore.exe getting launched in the background.
Here is the HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:47 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\WINDOWS\SYSTEM32\k9nt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://www.powerball.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://srv1/ConnectComputer/nshelp.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datalink.lan
O17 - HKLM\Software\..\Telephony: DomainName = datalink.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datalink.lan
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith - C:\WINDOWS\SYSTEM32\k9nt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
--
End of file - 11597 bytes
I tried to run GMER.exe and got the following error:
LoadDriver("C:\Temp\pxtdapow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
After clicking OK, the program came up and seemed to be OK.
Here is the GMER.EXE log file:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 10:30:02
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...
---- EOF - GMER 1.0.15 ----
I have been unable to find the hook this virus/malware has into Explorer. Please let me know if there is anything else I can provide for you to help me eliminate this virus or malware! Thank you so much for any help you could provide me.
Don
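The Malwarebytes Protection log in the post above shows the same outgoing destinations being blocked in short bursts that repeat roughly every two minutes. The following parser is an added example (not part of the post, and not Malwarebytes code): it reads lines in that log's format, groups the outgoing IP-BLOCK events per destination, and characterises the retry pattern (attempts per burst and the interval between bursts), which is how a responder would show that something on the host is actively beaconing rather than being idle. The sample lines are constructed in the same format and use documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) rather than the addresses from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, in the same "HH:MM:SS user KIND message" format as the
# Malwarebytes Protection log above. Addresses are RFC 5737 documentation
# ranges, not the ones from the post.
SAMPLE_LOG = """\
01:48:52 don MESSAGE IP Protection started successfully
07:56:52 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:56:55 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:57:01 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:49 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:52 don IP-BLOCK 192.0.2.10 (Type: outgoing)
07:58:58 don IP-BLOCK 192.0.2.10 (Type: outgoing)
08:10:14 don IP-BLOCK 198.51.100.7 (Type: outgoing)
08:10:17 don IP-BLOCK 198.51.100.7 (Type: outgoing)
08:34:24 don MESSAGE Protection started successfully
08:48:22 don IP-BLOCK 203.0.113.5 (Type: incoming)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<kind>MESSAGE|IP-BLOCK)\s+(?P<rest>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+)\)$"
)


def parse_protection_log(text):
    """Turn log text into a list of event dicts; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        when = datetime.strptime(m["time"], "%H:%M:%S")
        if m["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(m["rest"])
            if not b:
                continue
            events.append({"time": when, "user": m["user"], "kind": "IP-BLOCK",
                           "ip": b["ip"], "direction": b["direction"]})
        else:
            events.append({"time": when, "user": m["user"], "kind": "MESSAGE",
                           "text": m["rest"]})
    return events


def group_bursts(times, max_gap=10):
    """Split sorted timestamps into bursts: consecutive attempts <= max_gap s apart."""
    bursts = []
    for t in times:
        if bursts and (t - bursts[-1][-1]).total_seconds() <= max_gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts


def summarize_blocks(events, direction="outgoing"):
    """Per destination: attempt count, burst shape and the period between bursts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "IP-BLOCK" and e["direction"] == direction:
            by_ip[e["ip"]].append(e["time"])
    summary = {}
    for ip, times in by_ip.items():
        times.sort()
        bursts = group_bursts(times)
        starts = [b[0] for b in bursts]
        summary[ip] = {
            "count": len(times),
            "first": times[0].strftime("%H:%M:%S"),
            "last": times[-1].strftime("%H:%M:%S"),
            "bursts": len(bursts),
            "attempts_per_burst": [len(b) for b in bursts],
            # seconds between the start of one burst and the next (the beacon period)
            "burst_period_seconds": [int((b - a).total_seconds())
                                     for a, b in zip(starts, starts[1:])],
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize_blocks(parse_protection_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A destination that keeps being retried in a fixed pattern after every block is the thing to investigate, and the burst period is a useful value to correlate with the "restarts after a minute or two" behaviour the post describes.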
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://www.powerball.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02E09B2E-2A03-4572-9291-69900C068564} (LCSim Control) - http://www.learnitcorp.com/cabs/lcsim.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://srv1/ConnectComputer/nshelp.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/20efd968ff9dfa15b416/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250176051031
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A6B13EE4-A974-11D2-8DB7-00C04FB6E8F6} - http://www.splashspot.com/ssviewer2/2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datalink.lan
O17 - HKLM\Software\..\Telephony: DomainName = datalink.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datalink.lan
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: K9 Time Synchronization (K9) - H.C. Mingham-Smith - C:\WINDOWS\SYSTEM32\k9nt.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
--
End of file - 11597 bytes
I tried to run GMER.exe and got the following error:
LoadDriver("C:\Temp\pxtdapow.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
After clicking OK, the program came up and seemed to be OK.
Here is the GMER.EXE log file:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 10:30:02
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\TEMP\pxtdapow.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}
Reg HKLM\SOFTWARE\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}
Reg HKLM\SOFTWARE\Classes\CLSID\{D19C1E37-C88F-6D4D-695F1151D26FA9B0}\{82ADB184-4273-F4A9-8B3869F4D9D9F30C}\{3C71EBCF-572C-11DA-DA6A44EB5C52EFBA}@NRDFOBLVNAUE2QOGEQXAH1Y2DD1 0x01 0x00 0x01 0x00 ...
---- EOF - GMER 1.0.15 ----
I have been unable to find the hook this virus/malware has into Explorer. Please let me know if there is anything else I can provide for you to help me eliminate this virus or malware! Thank you so much for any help you could provide me.
Don