
Need quick help!! Working on wife's friend's laptop & Geek Squad told her she had worm, but I'm not finding one!!!

redgtxdi

Diamond Member
So wife's friend calls her freaking out. I helped her before on an older laptop she had a couple years ago & now she bought a new one (HP dv6000) and bought everything Best Buy wanted to sell her. (Norton 360, backup discs, etc.)

(Yes, I already reprimanded her for not letting me set it up barebones in the first place, but whatever)

She said initially her icons were distorted and the system was slow. However, I'm not sure that was a video fluke and the slowness isn't coming from her recently installed NORTON 360!! She let Geek Squad look at it. They gave her paperwork saying it's "Got a wormy little fella" and that's all.

AVG doesn't see a worm.

Antivir also doesn't find a worm.

Any suggestions????
 
It sounds like you want to determine whether the system is still infected or not.

1) do you have the system on hand to work with it in person? If so, run HijackThis and post the log. If you have the system on hand, you're probably already uninstalling the useless nannyware 🙂

2) you mentioned AVG, AntiVir and Norton 360. Which ones are currently installed? As you probably know, it's not a good idea to have more than one at a time.
 
I've known of HijackThis for a long time, but never understood what I'm supposed to look for???????

TIA anyway, for the help!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:16 PM, on 2/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/...&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/...&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/...&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [LightScribe Control Panel] "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6250 bytes
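The reply that follows asks what to look for in a HijackThis log, so here is an added example (not from this thread or from Trend Micro) that turns a log in this format into a short checklist: it parses the `Rn`/`On` entry lines, flags BHOs that point at `(no file)` and services HJT lists with `Unknown owner`, and pulls the JRE version out of any path so it can be compared with the current release. The log excerpt inside the block is a constructed subset of the one posted above; the finding categories are my own.

```python
import re

# Constructed excerpt of the HijackThis 2.0.2 log posted in this thread (same line format).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # HJT entry lines: "O4 - HKLM\..\Run: ..."
JRE_RE = re.compile(r"jre1\.(\d+)\.(\d+)_(\d+)", re.I)  # "jre1.6.0_02" -> (6, 0, 2)


def parse_entries(log_text):
    """Return (section, body) for every HJT entry line, skipping headers and the process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def java_versions(log_text):
    """Every JRE version visible in a path anywhere in the log (processes, O4, O9, ...)."""
    return {tuple(int(x) for x in m.groups()) for m in JRE_RE.finditer(log_text)}


def triage(log_text):
    """Flag entry types worth a second look. A hit is a prompt to verify, not a verdict."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: a harmless leftover that can be removed.
            findings.append(("orphan-bho", body))
        elif section == "O23" and " - Unknown owner - " in body:
            # HJT found no vendor name in the binary; confirm the path belongs to known software.
            findings.append(("service-no-vendor", body))
    for ver in sorted(java_versions(log_text)):
        # Compare with the current release on java.com; an old JRE is a common drive-by target.
        findings.append(("java-version", "jre1.%d.%d_%02d" % ver))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print("%-18s %s" % (kind, detail))
```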
 
I'm not seeing any problems with your HJT file. It would probably be easier if you could get the computer in hand, and look for problems in person.
 
I actually do have it & am not seeing ANY problems!!!

I took off Norton 360 and ran AVG, Antivir, *AND* Avast, and, yes, separately.....(now HJT).

All she can say about what concerned her was that icons were distorted.......(haven't seen any evidence of such since I got it back).......and that it was slow.

Well, I took off Norton360 (huge bloated POS, imho) as well as Webroot spysweeper and things have improved quite a bit. It's still not lightning (Vista), but nothing that would lead me to believe it's infected with anything.

No websites are difficult to go to.
Downloads go smoothly.

(I put Antivir on there to keep the lightest background load and just made sure IE's phisher's on)


I'm either thinking that Geek Squad got the worm off & didn't know she was gonna ask for the laptop back before giving the "ok" to do the work or there never WAS a worm & they simply lied to her to get some $$$ out of her in which case, if it were my wife, mother or sister, I'd probably walk into BB w/ a Mossberg hallsweeper & express my sincere disdain for people who steal other people's money!! :|
 
Any suggestions for a program to use??

(I know Windows tells you rec'd/sent but can't tell what's coming/going)

Thx
 
Your HJT log shows that you have a vulnerable, out-of-date version of Sun Java installed. Suggestion:

1) uninstall any and all versions of Sun Java Runtime, using the usual Control Panel applet for uninstalling software.

2) install and run Secunia's Personal Software Inspector. Fix anything it indicates needs fixing.

3) if you have an actual need for Sun Java, then install the latest version from Java.com. If there's no actual need for it, don't install it until you have an actual need for it.


If it were me, I'd also uninstall the HP "nannyware" software that I see in the HJT log.


While you've got your hands on the system, you might as well:

1) fully enable Data Execution Prevention system-wide

2) ...and also the IE-specific DEP

3) ...and also the SEHOP.

4) Right-click AntiVir's tray icon, choose "Configure," and enable Expert Mode. Now you can go through the full range of settings and max them out, including spyware/adware/unwanted-software detection.
 
I'd say download and run a program called Combofix from Bleepingcomputer. I assume it will run on Vista. It does a good job of finding hidden suspicious items.
 
Just wanted to say thank you to everyone who helped out here.

I had to give the laptop back this weekend due to time constraints, but I've told the person to see how things work for her. I stripped the system down to the way I like it and things are definitely smoother. I feel bad cuz she probably paid good money for the Norton 360 but it was just too cumbersome. She now has Antivir and I've got IE7 set up the way I feel comfortable.

I told her not to hesitate if she just wants it wiped clean, but in an effort to preserve as much of her stuff as possible, I think its current state is optimal.

If I end up getting it back, I'll probably run some more of the suggestions here.

I'll post back asap if I get it back.

🙂 P.S. Geek Squad didn't charge her, so either no work was done, or they did the work & didn't expect her to say, 'no'.
 
I feel bad cuz she probably paid good money for the Norton 360 but it was just too cumbersome.

Have you even used the newer versions of Norton or did you just remove it due to past experiences? Because I do admit Norton used to really suck, but I was definitely surprised by the newer versions. So much that I actually run NIS 2009 on my home PC.
 
I removed it based on its weight.

I do know, however, that the new NIS2009 is supposedly a good product. I can't say from personal experience yet, but I typically use AVG free or Antivir and have not had problems in years, so I'm not provoked to switch anytime soon.

If I had to buy AV, though, I'd probably buy NIS2009.
 
Antivirus 360 actually *IS* a virus. We see this appear on computers all the time at work. It's basically spyware/virus that comes through an IE exploit if you land on a bad site. It's the same with the Antivirus XP, Vista, 2009 (though Norton also has an AV 2009). They look very legit, but they are actually viruses. If you google those you'll see they're viruses.
 