jpfulton
asked on
Vundo? - Help with Virus Removal - Internet connection blocked -- See hijackthis log
Working on a laptop for a friend. The most obvious thing that I notice is that certain "features" of internet access are blocked. Almost as if certain outgoing ports are blocked. When I try to update malwarebytes, eset online scanner and hitman pro, the program claims that there is no internet connection available... even though web browsing is fully accessible. The computer is running very hot (just based on touch... not on sensors) and has suddenly shut down more than once.
The computer is running Vista 32-bit
The first hitman pro scan came up with a Vundo virus entry and it appeared to have removed it successfully.
When I go into safe mode with networking I have full, unblocked internet access. I've tried first running atf cleaner, tdsskiller, a winsockfix, hosts file seems clean, ran eset online scanner, malwarebytes scan and hitman pro.
Not sure what else to say. Hijackthis log to follow:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:25:23 PM, on 12/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\owner\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=GRfox000&ptb=CIwWZzJK7mifAUOGt53rwQ
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\IPSBHO.DLL
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8046 bytes
Have you checked for a proxy server in Internet Options?
ASKER
Yes. None.
I would fix the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=GRfox000&ptb=CIwWZzJK7mifAUOGt53rwQ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
Reset hosts file:
http://www.funkytoad.com/index.php?option=com_content&id=13
Defensive hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
"...ran eset online scanner, malwarebytes scan and hitman pro..." Did they all come up clean?
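What the reply above does by eye can be written down. The following is an added example, not part of the original thread or of HijackThis itself: a small Python triage pass over HijackThis v2 log lines that flags the entry types the reply singles out (an R1 ProxyServer value, an R0 start page pointing somewhere other than the vendor defaults, O1 hosts entries that send a name anywhere but loopback) plus two checks a reviewer would add next, O4 autoruns launched from user-writable paths and O23 services with no recognised publisher. The sample log is constructed for this example (several lines are copied from the log posted above; the 203.0.113.5 hosts line and the AppData autorun are invented), and the allowlist of expected start-page hosts is an assumption of the example, not anything HijackThis provides.

```python
"""Triage a HijackThis v2 log: surface the entries a reviewer looks at first."""
import re
from typing import List, Tuple

# Hosts the log on this page points IE at by default (HP, Microsoft, Comcast, Google).
# This allowlist is an assumption of the example, not something HijackThis knows about.
EXPECTED_PAGE_HOSTS = {"ie.redirect.hp.com", "go.microsoft.com", "www.comcast.net", "www.google.com"}
# Loopback, plus 0.0.0.0, which blocklist-style hosts files (such as the MVPS one) use to sinkhole names.
HARMLESS_HOSTS_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
PAGE_SETTINGS = {"start page", "search page", "default_page_url", "default_search_url"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")

# Constructed sample log in HijackThis v2.0.4 format. Several lines are copied from the log
# posted in the thread; the 203.0.113.5 hosts line and the AppData autorun are invented.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=GRfox000&ptb=CIwWZzJK7mifAUOGt53rwQ
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 update.example.com
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [updater] C:\Users\owner\AppData\Local\Temp\updater.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
"""


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, or "" if the value is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for log entries a reviewer should look at."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # banner, process list and blank lines carry no entry prefix
        kind, rest = m.group("kind"), m.group("rest")

        if kind in ("R0", "R1"):
            # "<registry key>,<value name> = <data>"; the key part never contains a comma
            _key, _, setting = rest.partition(",")
            name, _, data = setting.partition("=")
            name, data = name.strip().lower(), data.strip()
            if name == "proxyserver" and data:
                findings.append(("proxy configured in Internet Settings", line))
            elif name in PAGE_SETTINGS and data and host_of(data) not in EXPECTED_PAGE_HOSTS:
                findings.append(("browser page points outside the expected hosts", line))

        elif kind == "O1":
            # "Hosts: <address> <name>"; anything but loopback or a sinkhole silently redirects that name
            fields = rest.partition(":")[2].split()
            if fields and fields[0] not in HARMLESS_HOSTS_TARGETS:
                findings.append(("hosts entry points a name at a non-loopback address", line))

        elif kind == "O4":
            # Vendor autoruns live under Program Files or Windows; user-writable paths are unusual
            if re.search(r"\\(AppData|Temp|Local Settings)\\", rest, re.IGNORECASE):
                findings.append(("autorun launched from a user-writable location", line))

        elif kind == "O23":
            if "- Unknown owner -" in rest:
                findings.append(("service with no recognised publisher", line))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run against the sample it reports five entries: the mywebsearch start page and the `ProxyServer = :0` value (the two the reply above picked out), the invented hosts redirect, the invented AppData autorun, and the "Unknown owner" recovery service. The last two are worth a look rather than proof of anything; HP's recovery service shows up as "Unknown owner" simply because the log carries no publisher for it.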
ASKER CERTIFIED SOLUTION
ASKER
On my way home last night I picked up a can of compressed air, came home and blew out the laptop's fans in case the random restarts/shutdowns were a feature of overheating as a result of poor ventilation. I haven't seen the problem since so I think I guessed right.
After solving that problem, I ran combofix (even though I know I'm not supposed to without guidance) and as far as I can tell everything looked in order. I became convinced that there was no infection on the computer. The incomplete internet connection issue was still happening... I started to suspect norton internet security 2010. I tried uninstalling... wouldn't even run. Downloaded norton removal tool. Reboot. Success. Problem solved. Did updates, installed avast. I think I'm good.
Thanks for all the help!
ASKER
Optoma -- I'm going to post a cf log in a minute if you don't mind taking a look just for safe measure. Thanks!
Good stuff with the compressed air!
ASKER
ComboFix 10-12-11.06 - owner 12/12/2010 11:18:19.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1101 [GMT -5:00]
Running from: c:\users\owner\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.
2010-12-12 16:28 . 2010-12-12 16:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-12 14:21 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-12 14:21 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-12 14:21 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-12 14:21 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-12 14:21 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-12-12 14:19 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-12 14:19 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\programdata\Alwil Software
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\program files\Alwil Software
2010-12-11 22:25 . 2010-12-11 22:28 -------- d-----w- c:\windows\system32\SmitfraudFix
2010-12-11 22:16 . 2010-12-11 22:16 -------- d-----w- C:\VundoFix Backups
2010-12-11 20:41 . 2010-12-11 20:41 -------- d-----w- c:\program files\ESET
2010-12-11 20:40 . 2010-12-11 20:40 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-12-11 20:36 . 2010-12-11 20:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-11 20:35 . 2010-12-11 20:35 -------- d-----w- c:\users\owner\AppData\Local\Adobe
2010-12-11 17:16 . 2010-12-11 17:16 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-11 17:15 . 2010-12-11 20:40 -------- d-----w- c:\programdata\Hitman Pro
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2010-12-11 17:12 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\programdata\Malwarebytes
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 17:12 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-26 13:57 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-16 21:57 . 2010-11-16 21:57 -------- d-----w- c:\program files\Olympus
2010-11-16 21:57 . 2005-03-25 20:57 217088 ----a-w- c:\windows\system32\DSSCORE.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 09:50 . 2010-06-03 00:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 20:59]
2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 20:59]
2010-12-11 c:\windows\Tasks\HPCeeScheduleForowner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\tr4oll9l.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\owner\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\owner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\tr4oll9l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\owner\AppData\Roaming\Move Networks
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 11:29
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 11:32:30
ComboFix-quarantined-files.txt 2010-12-12 16:32
ComboFix2.txt 2010-12-12 04:19
Pre-Run: 170,327,412,736 bytes free
Post-Run: 170,338,013,184 bytes free
- - End Of File - - 3B893A59DCA61132B187CD27ECF37775
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPr
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-A
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Move Media Player: moveplayer@movenetworks.co
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 11:29
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 11:32:30
ComboFix-quarantined-files
ComboFix2.txt 2010-12-12 04:19
Pre-Run: 170,327,412,736 bytes free
Post-Run: 170,338,013,184 bytes free
- - End Of File - - 3B893A59DCA61132B187CD27EC
Looks good!
ASKER
This isn't really it, but I didn't give enough info to determine that Norton was the problem. Awarded to optoma for suggesting overheating and for checking my combofix log.
ASKER
PS... optoma - where did you learn combofix?