jpfulton
asked on
Vundo? - Help with Virus Removal - Internet connection blocked -- See hijackthis log
Working on a laptop for a friend. The most obvious thing that I notice is that certain "features" of internet access are blocked. Almost as if certain outgoing ports are blocked. When I try to update malwarebytes, eset online scanner and hitman pro, the program claims that there is no internet connection available... even though web browsing is fully accessible. The computer is running very hot (just based on touch... not on sensors) and has suddenly shut down more than once.
The computer is running VIsta 32-bit
The first hitman pro scan came up with a Vundo virus entry and it appeared to have removed it successfully.
When I go into safe mode with networking I have full, unblocked internet access. I've tried first running atf cleaner, tdsskiller, a winsockfix, hosts file seems clean, ran eset online scanner, malwarebytes scan and hitman pro.
Not sure what else to say. Hijackthis log to follow:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:25:23 PM, on 12/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.ex
C:\Windows\Explorer.EXE
C:\Windows\system32\tasken
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\HP\QuickPlay\QPServi
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.ex
C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
C:\Windows\ehome\ehmsas.ex
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shar
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\owner\Downloads\H
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-9
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-0
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-F
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-A
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPServi
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStart
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\M
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirec
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.ex
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVER
--
End of file - 8046 bytes
The computer is running VIsta 32-bit
The first hitman pro scan came up with a Vundo virus entry and it appeared to have removed it successfully.
When I go into safe mode with networking I have full, unblocked internet access. I've tried first running atf cleaner, tdsskiller, a winsockfix, hosts file seems clean, ran eset online scanner, malwarebytes scan and hitman pro.
Not sure what else to say. Hijackthis log to follow:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:25:23 PM, on 12/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.ex
C:\Windows\Explorer.EXE
C:\Windows\system32\tasken
C:\Program Files\Synaptics\SynTP\SynT
C:\Program Files\HP\QuickPlay\QPServi
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.ex
C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
C:\Windows\ehome\ehmsas.ex
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shar
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\owner\Downloads\H
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-9
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-0
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-F
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-A
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPServi
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStart
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\M
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirec
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.ex
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shar
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVER
--
End of file - 8046 bytes
willcomp
Have you checked for a proxy server in Internet Options?
ASKER
Yes. none.
I would fix the following:
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
Reset hosts file:
http://www.funkytoad.com/index.php?option=com_content&id=13
Defensive hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
"...ran eset online scanner, malwarebytes scan and hitman pro..." Did they all come up clean?
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
Reset hosts file:
http://www.funkytoad.com/index.php?option=com_content&id=13
Defensive hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
"...ran eset online scanner, malwarebytes scan and hitman pro..." Did they all come up clean?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
On my way home last night I picked up a can of compressed air, came home and blew out the laptop's fans in case the random restarts/shutdowns were a feature of overheating as a result of poor ventilation. I haven't seen the problem since so I think I guessed right.
After solving that problem, I ran combofix (even though I know I'm not supposed to without guidance) and as far as I can tell everything looked in order. I became convinced that there was no infection on the computer. The incomplete internet connection issue was still happening... I started to suspect norton internet security 2010. I tried uninstalling... wouldn't even run. Downloaded norton removal tool. Reboot. Success. Problem solved. Did updates, installed avast. I think I'm good.
Thanks for all the help!
After solving that problem, I ran combofix (even though I know I'm not supposed to without guidance) and as far as I can tell everything looked in order. I became convinced that there was no infection on the computer. The incomplete internet connection issue was still happening... I started to suspect norton internet security 2010. I tried uninstalling... wouldn't even run. Downloaded norton removal tool. Reboot. Success. Problem solved. Did updates, installed avast. I think I'm good.
Thanks for all the help!
ASKER
Optoma -- I'm going to post a cf log in a minute if you don't mind taking a look just for safe measure. Thanks!
Good stuff with the compressed air!
ASKER
ComboFix 10-12-11.06 - owner 12/12/2010 11:18:19.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.
Running from: c:\users\owner\Downloads\C
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-4
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-D
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 ))))))))))))))))))))))))))
.
2010-12-12 16:28 . 2010-12-12 16:28 -------- d-----w- c:\users\Default\AppData\L
2010-12-12 14:21 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\driver
2010-12-12 14:19 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-12 14:19 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoo
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\programdata\Alwil Software
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\program files\Alwil Software
2010-12-11 22:25 . 2010-12-11 22:28 -------- d-----w- c:\windows\system32\Smitfr
2010-12-11 22:16 . 2010-12-11 22:16 -------- d-----w- C:\VundoFix Backups
2010-12-11 20:41 . 2010-12-11 20:41 -------- d-----w- c:\program files\ESET
2010-12-11 20:40 . 2010-12-11 20:40 12872 ----a-w- c:\windows\system32\bootde
2010-12-11 20:36 . 2010-12-11 20:36 16968 ----a-w- c:\windows\system32\driver
2010-12-11 20:35 . 2010-12-11 20:35 -------- d-----w- c:\users\owner\AppData\Loc
2010-12-11 17:16 . 2010-12-11 17:16 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-11 17:15 . 2010-12-11 20:40 -------- d-----w- c:\programdata\Hitman Pro
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\users\owner\AppData\Roa
2010-12-11 17:12 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\driver
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\programdata\Malwarebyte
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 17:12 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\driver
2010-11-26 13:57 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-16 21:57 . 2010-11-16 21:57 -------- d-----w- c:\program files\Olympus
2010-11-16 21:57 . 2005-03-25 20:57 217088 ----a-w- c:\windows\system32\DSSCOR
.
((((((((((((((((((((((((((
.
2010-09-15 09:50 . 2010-06-03 00:19 472808 ----a-w- c:\windows\system32\deploy
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWAR
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\e
[HKEY_LOCAL_MACHINE\SOFTWA
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynT
"QPService"="c:\program files\HP\QuickPlay\QPServi
"UpdateLBPShortCut"="c:\pr
"UpdatePSTShortCut"="c:\pr
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\p
"UpdatePDIRShortCut"="c:\p
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\p
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.ex
c:\users\owner\AppData\Roa
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.E
[HKEY_LOCAL_MACHINE\softwa
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM
@="Driver"
R2 clr_optimization_v4.0.3031
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\Google
R3 WPFFontCache_v0400;Windows
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DR
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\win
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe
S3 Com4QLBEx;Com4QLBEx;c:\pro
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32
[HKEY_LOCAL_MACHINE\softwa
LocalServiceAndNoImpersona
.
Contents of the 'Scheduled Tasks' folder
2010-12-12 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-12-12 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-12-11 c:\windows\Tasks\HPCeeSche
- c:\program files\hewlett-packard\sdp\
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Offic
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\owner\AppData\Roa
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dl
FF - plugin: c:\program files\Google\Update\1.2.18
FF - plugin: c:\program files\Java\jre6\bin\new_pl
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.d
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPr
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-A
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Move Media Player: moveplayer@movenetworks.co
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 11:29
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 11:32:30
ComboFix-quarantined-files
ComboFix2.txt 2010-12-12 04:19
Pre-Run: 170,327,412,736 bytes free
Post-Run: 170,338,013,184 bytes free
- - End Of File - - 3B893A59DCA61132B187CD27EC
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.
Running from: c:\users\owner\Downloads\C
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-4
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-D
.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 ))))))))))))))))))))))))))
.
2010-12-12 16:28 . 2010-12-12 16:28 -------- d-----w- c:\users\Default\AppData\L
2010-12-12 14:21 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\driver
2010-12-12 14:21 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\driver
2010-12-12 14:19 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-12 14:19 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoo
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\programdata\Alwil Software
2010-12-12 14:18 . 2010-12-12 14:18 -------- d-----w- c:\program files\Alwil Software
2010-12-11 22:25 . 2010-12-11 22:28 -------- d-----w- c:\windows\system32\Smitfr
2010-12-11 22:16 . 2010-12-11 22:16 -------- d-----w- C:\VundoFix Backups
2010-12-11 20:41 . 2010-12-11 20:41 -------- d-----w- c:\program files\ESET
2010-12-11 20:40 . 2010-12-11 20:40 12872 ----a-w- c:\windows\system32\bootde
2010-12-11 20:36 . 2010-12-11 20:36 16968 ----a-w- c:\windows\system32\driver
2010-12-11 20:35 . 2010-12-11 20:35 -------- d-----w- c:\users\owner\AppData\Loc
2010-12-11 17:16 . 2010-12-11 17:16 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-11 17:15 . 2010-12-11 20:40 -------- d-----w- c:\programdata\Hitman Pro
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\users\owner\AppData\Roa
2010-12-11 17:12 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\driver
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\programdata\Malwarebyte
2010-12-11 17:12 . 2010-12-11 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-11 17:12 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\driver
2010-11-26 13:57 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-16 21:57 . 2010-11-16 21:57 -------- d-----w- c:\program files\Olympus
2010-11-16 21:57 . 2005-03-25 20:57 217088 ----a-w- c:\windows\system32\DSSCOR
.
((((((((((((((((((((((((((
.
2010-09-15 09:50 . 2010-06-03 00:19 472808 ----a-w- c:\windows\system32\deploy
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWAR
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\e
[HKEY_LOCAL_MACHINE\SOFTWA
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynT
"QPService"="c:\program files\HP\QuickPlay\QPServi
"UpdateLBPShortCut"="c:\pr
"UpdatePSTShortCut"="c:\pr
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\p
"UpdatePDIRShortCut"="c:\p
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\p
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.ex
c:\users\owner\AppData\Roa
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.E
[HKEY_LOCAL_MACHINE\softwa
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM
@="Driver"
R2 clr_optimization_v4.0.3031
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\Google
R3 WPFFontCache_v0400;Windows
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DR
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\win
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe
S3 Com4QLBEx;Com4QLBEx;c:\pro
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32
[HKEY_LOCAL_MACHINE\softwa
LocalServiceAndNoImpersona
.
Contents of the 'Scheduled Tasks' folder
2010-12-12 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-12-12 c:\windows\Tasks\GoogleUpd
- c:\program files\Google\Update\Google
2010-12-11 c:\windows\Tasks\HPCeeSche
- c:\program files\hewlett-packard\sdp\
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Offic
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\owner\AppData\Roa
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dl
FF - plugin: c:\program files\Google\Update\1.2.18
FF - plugin: c:\program files\Java\jre6\bin\new_pl
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.d
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPr
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - plugin: c:\users\owner\AppData\Roa
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-A
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-A
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-0
FF - Ext: Move Media Player: moveplayer@movenetworks.co
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 11:29
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-12 11:32:30
ComboFix-quarantined-files
ComboFix2.txt 2010-12-12 04:19
Pre-Run: 170,327,412,736 bytes free
Post-Run: 170,338,013,184 bytes free
- - End Of File - - 3B893A59DCA61132B187CD27EC
Looks good!
ASKER
This isn't really it but I didn't give enough info to determine that Norton was the problem. Awarded to optoma for suggesting overheating and for checking my combofix log.
ASKER
Ps... optoma - where did you learn combofix?