Vista on Gateway Laptop

Post by cdmccreary » October 17th, 2011, 1:58 pm

System running well with no suspected malware prior to the following. (One other system in the house has a similar problem, but with a different history.)

To the best of my recollection, the history and symptoms are:

0. Unable to run Safari browser. I did not worry about it. MSIE acting strangely, I think.

1. Went to pdflite.com and tried to download pdfprinter.

2. No viruses reported prior to execution. Afterwards, the antivirus notified me that the executable changed its file and asked if I wanted to continue running. I chose no. (using drweb)

3. Seems the executable ran anyway. It unlinked, so to speak, the Adobe Acrobat installation. I cancelled the pdflite and deleted the executable. Did not notice any other ill effects.

4. I reinstalled Adobe Acrobat X from the adobe website.

5. A few days later, computer will not run user "charles" with administrator privileges except in safe mode. Windows explorer keeps crashing.

6. Unable to run DDS. My antivirus says it is infected with Trojan.Muldrop3.6866. Seems strange a script would be reported infected.

7. Included Hijackthis reports.

Thank you.

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:49:01 PM, on 10/17/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files\PC Tools Utilities\Tools\Defrag\DMDefragSrvProxy.exe
C:\Program Files\PC Tools Utilities\Tools\Repair\DMRepairSrvProxy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\DrWeb\spiderml.exe
C:\Program Files\DrWeb\frwl_notify.exe
C:\Program Files\DrWeb\spideragent.exe
C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://translate.reference.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6919
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost #[IPv6]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WRShell.BHO - {255215E2-87DC-4819-8724-D0B4C94DBEF5} - C:\Program Files\WebResearch\WRShell.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: WRShell.ToolBand - {8F0F47B1-7D4B-4834-A981-91E2A3DCE069} - C:\Program Files\WebResearch\WRShell.dll
O3 - Toolbar: WRShell.EditBand - {5338DF6C-3B3B-4E38-8B31-7B99986627B2} - C:\Program Files\WebResearch\WRShell.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Cm102Sound] RunDll32 cm102.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe" -autorun
O4 - HKLM\..\Run: [Dr.Web Firewall] "C:\Program Files\DrWeb\frwl_notify.exe"
O4 - HKLM\..\Run: [SpIDerAgent] "C:\Program Files\DrWeb\SpIDerAgent.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [adm_tray.exe] C:\Program Files\Acronis\DriveMonitor\adm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: CaptureWiz.lnk = C:\Program Files\CaptureWiz\Pro\CaptureWiz.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O8 - Extra context menu item: WebResearch: Save Link Address As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#110
O8 - Extra context menu item: WebResearch: Save Page Area (Frame) - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#102
O8 - Extra context menu item: WebResearch: Save Page Area (Frame) As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#106
O8 - Extra context menu item: WebResearch: Save Picture - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#101
O8 - Extra context menu item: WebResearch: Save Picture As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#108
O8 - Extra context menu item: WebResearch: Save Selected Targets As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#111
O8 - Extra context menu item: WebResearch: Save Selection - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#104
O8 - Extra context menu item: WebResearch: Save Selection As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#109
O8 - Extra context menu item: WebResearch: Save Target - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#103
O8 - Extra context menu item: WebResearch: Save Target As... - res://C:\PROGRA~1\WEBRES~1\wrshell.dll/#107
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Atomic Alarm Clock Time (AtomicAlarmClock) - Unknown owner - C:\Program Files\Clock Tray Skins\timeserv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\Cygwin\bin\cygrunsrv.exe
O23 - Service: Performance Toolkit Disk Defrag Service (DMDefragService) - PC Tools - C:\Program Files\PC Tools Utilities\Tools\Defrag\DMDefragSrv.exe
O23 - Service: Performance Toolkit Disk Repair Service (DMRepairService) - PC Tools - C:\Program Files\PC Tools Utilities\Tools\Repair\DMRepairSrv.exe
O23 - Service: Dr.Web Scanning Engine (DrWebEngine) (DrWebEngine) - Doctor Web, Ltd. - C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
O23 - Service: Dr.Web Firewall Application Filter (DrWebFWSvc) - Doctor Web, Ltd. - C:\Program Files\DrWeb\frwl_svc.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\Windows\System32\xwntserv.exe
O23 - Service: XwpXSetSrvProNFS service (XwpXSetSrvProNFS) - Unknown owner - C:\Users\Public\Program Files\Lab-NC\ProNFS\xsetsrv.exe

End of file - 13047 bytes

Uninstall List

7-Zip 9.20
Acronis Drive Monitor
Acronis True Image WD Edition
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
Agere Systems HDA Modem
Allway Sync version 11.1.11
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Browser Address Error Redirector
BurnOn CD&DVD, Version 3.1.3 ( Build 2009-2-22, Win32, )
Canon MP Navigator EX 1.0
Canon MX310 series
CaptureWizPro 4.50
Clock Tray Skins 4.2
CloneSpy 2.61
Compatibility Pack for the 2007 Office system
CompuApps SwissKnife V3
CyberLink PhotoNow
CyberLink PhotoNow
CyberLink PowerDirector
CyberLink PowerDirector
Dr.Web anti-virus for Windows Pro 6.0 (x86)
ffdshow v1.1.3800 [2011-03-28]
Flash Drive Tester v1.14
Free NaturalReader
Gateway Connect
Gateway Recovery Center Installer
GIMP 2.6.11
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
H&R Block Deluxe + Efile 2010
Help Explorer 3.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP USB Disk Storage Format Tool
Infinite Pre-Algebra
Infinite Pre-Algebra Trial
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Java(TM) 6 Update 26
Java(TM) SE Runtime Environment 6 Update 1
KWorld Editing Device Driver
Malwarebytes' Anti-Malware version
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended
Microsoft Access database engine 2010 (English)
Microsoft MapPoint North America 2011
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.6.23)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MuseScore MuseScore score typesetter
Notation Composer 2.6.3 (Trial Version)
OpenOffice.org 3.2
Opera 11.00
Pegasus Mail
Performance Toolkit 1.0
Power2Go 5.0
Python 2.7.2
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
Registry Mechanic 10.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SigmaTel Audio
SmartSound Quicktracks Plugin
Spare Backup
Synaptics Pointing Device Driver
Tar-1.13 Binaries (GnuWin32)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
USB Audio Device
WebResearch 3
WinHTTrack Website Copier 3.44-1
WinNc 5 .5.0.0
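
The HijackThis log above is the kind of report a helper reads line by line, applying a few fixed checks before anything else: entries that are still registered but point at "(no file)", anything listed under AppInit_DLLs (O20), and O23 services with no publisher recorded or with a binary outside the normal program directories. The following script is an added example, not a forum tool and not code from the original post; it parses the O2/O3/O4/O20/O23 line formats and applies exactly those checks. The sample lines are copied from the log above. The flags are review heuristics, not verdicts about any entry; the trusted-root list and the wording of the reasons are the author's assumptions.

```python
"""Triage helper for HijackThis v2 logs (added example, not a forum tool).

Parses O2/O3/O4/O20/O23 entries and applies the checks a helper does by hand.
Flags are heuristics for a second look, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the log posted above (raw string: paths contain backslashes).
SAMPLE_LOG = r"""
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\Windows\System32\xwntserv.exe
O23 - Service: XwpXSetSrvProNFS service (XwpXSetSrvProNFS) - Unknown owner - C:\Users\Public\Program Files\Lab-NC\ProNFS\xsetsrv.exe
"""

# Assumed "normal" install roots (lower-cased prefixes; 8.3 short names included).
TRUSTED_ROOTS = (
    r"c:\program files", r"c:\progra~1", r"c:\progra~2", r"c:\windows",
    r"%programfiles%", r"%windir%",
)

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
PATTERNS = {
    "O2": re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)"),
    "O3": re.compile(r"Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)"),
    "O4": re.compile(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)"),
    "O20": re.compile(r"AppInit_DLLs: (?P<path>.*)"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)"),
}


@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: str = ""
    reasons: list = field(default_factory=list)


def parse(log_text):
    """Return Entry objects for every line whose section has a known pattern."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["section"] not in PATTERNS:
            continue
        pm = PATTERNS[m["section"]].match(m["body"])
        if not pm:
            continue  # e.g. "O4 - Startup:" lines use a different layout
        g = pm.groupdict()
        entries.append(Entry(m["section"], g.get("name", "AppInit_DLLs"),
                             g["path"].strip(), g.get("owner", "")))
    return entries


def in_trusted_root(path):
    """True if the (possibly quoted) path starts with one of the assumed roots."""
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(log_text):
    """Apply the review checks; return only entries with at least one reason."""
    flagged = []
    for e in parse(log_text):
        if e.path == "(no file)":
            e.reasons.append("registered but file missing (orphaned entry)")
        if e.section == "O20":
            e.reasons.append("AppInit_DLLs: loaded into every user32-linked process; verify publisher")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.reasons.append("service with no publisher recorded; verify signature")
        if e.path != "(no file)" and not in_trusted_root(e.path):
            e.reasons.append("binary outside Program Files / Windows")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.section:4} {entry.name}: {'; '.join(entry.reasons)}")
```

Run against the sample it flags the two "(no file)" entries, the AppInit_DLLs line and both "Unknown owner" services, and passes over the Google toolbar, WinPatrol and gupdate entries. Whether a flagged entry is actually unwanted still has to be settled by checking the file's signature and publisher; the script only orders the reading.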

Re: Vista on Gateway Laptop

Post by DFW » October 19th, 2011, 4:20 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post the required log/s in the forum and wait for help.

Hi cdmccreary and welcome..

I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:

  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The clean-up process can take time. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Some of the logs we ask for can take some time to analyse, so please be patient.
  • This may or may not solve other issues you have with your machine.
    Note: No reply within 3 days will result in your topic being closed.

I am going over your logs; I'll be back as soon as possible.

Re: Vista on Gateway Laptop

Post by DFW » October 20th, 2011, 10:57 am

Hi cdmccreary

Scan with WVCheck:

Please download WVCheck and save it to the desktop.

  • Right click on WVCheck.exe and select Run As Administrator to run it. If Windows UAC prompts you, please allow it.
  • The scan may take some time depending on the Hard-Drive size.
  • Please post the contents of the notepad file WVCheck_1436_dd-mm-yyyy that can be located on the desktop.

Please download this tool from Microsoft (MGADiag.exe).

  • Right click on MGADiag.exe and select Run As Administrator to run it. If Windows UAC prompts you, please allow it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in.
  • Save this file and post it in your next reply.

Please post back both logs.

Re: Vista on Gateway Laptop

Post by Cypher » October 23rd, 2011, 11:25 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
