I was reading through a thread which seemed to cover a very similar problem I've recently encountered on my computer. It can most easily be identified by the multiple instances of "iexplore" spawning.
http://www.geekpolice.net/virus-spyware-malware-removal-f11/multiple-instances-of-iexplorer-in-task-manager-appearing-t17665.htm
The first thing I noticed was my Google Desktop flashing, then a message asking if I wanted to make IE my default browser. I checked the task manager and had multiple instances of "iexplore", which I ended, only to have them respawn. I use Google Chrome as my default browser and noticed that any website I tried to access would return a "Web page not available" error. I tried IE and my searches would get redirected, possibly some DNS attack. I tried Firefox and that seemed to have the same issue: I could Google search, but clicking on any result would land me at something like searchquest.com. I ran ATF Cleaner and cleared all for IE and Firefox. I ran HijackThis, noticed a suspicious "adobemedia.exe" and removed that, but it reappeared upon restarting. I ran Malwarebytes, updated, full-scanned, and no infected items appeared. I became worried about leaving my computer connected to the internet, so I pulled the network cable and switched over to a crappy spare laptop. However, I noticed the instances of "iexplore" would continue to spawn. As a quick fix for the spawning, I changed the iexplore.exe file to iFAIL.exe and that's working. I'm inclined to say the problem is that adobemedia.exe, but you're the experts, so I'll sit and wait to see what you guys can come up with.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:44 AM, on 1/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\program files\steam\steam.exe
C:\Documents and Settings\JOHNATHAN\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\JOHNAT~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wexe.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\JOHNATHAN\Desktop\HijackThis.exe
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\JOHNATHAN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [adobemedia.exe] C:\WINDOWS\system32\adobemedia.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A64AA40-16BC-4324-B004-3FEFDF91BE6C}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\PR19.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5699 bytes
Note:
The first O2 - BHO and the two O8 - Extra context menu items come up with the use of a download manager called FlashGet; I assume these are harmless.
The O17 is due to a DNS direction which I entered per recommendation by Time Warner Cable.
In anticipation of having to download ComboFix, would you advise whether it is safe to use a USB drive to transfer files to and from this laptop and my infected computer? I had another virus a while back (amv0, I think) and that spread by removable media, so I'm hesitant.
In advance, thank you so much for your time!
Johnathan