Good Morning Bleeping Computer!
Dell Latitude D620, WinXP Pro SP3, Intel Core2 CPU T7200 @ 2GHz, 2.0GB RAM, 945GM Chipset.
I'll mention upfront that I got a Vundo infection about 1.5 years ago and despite seeming eradication, I think I have lasting effects.
I had prepared logs per http://www.bleepingcomputer.com/forums/topic34773.html
but want to redo them cleanly and so will post ASAP tomorrow (it's 4AM in Upstate New York and I've been up for 20 hours, again -- you know the feeling).
I purchased the above-described used laptop from an authorized Dell reseller. The OS was freshly installed. I connected to an unsecured network at my community college and downloaded and installed some minor stuff (Adobe Reader, Flash, Shockwave, Google Chrome and a college PDF on accessing their encrypted site) and Symantec Endpoint Protection (SEP) v11.0.6100.645. I did a small regedit on SEP (same edit I did on my other two Dell PCs) to disable admin-established weekly scans and startup scans, because I prefer to scan manually. All good. I get home and the WiFi catches my router. I install Microsoft Office XP Professional off CD. I reboot. Before the WiFi connects, before SEP gets a green light (it is just a yellow shield in the system tray; it doesn't yet have the "all's well" green dot) I get a File Download message: Do you want to open or save this file? Name: bsbsyncvp.png (seems to always be 4 consonants, 1 vowel, 4 consonants), Type: MS Photo Ed, From: C:\Doc&Setting\Owner\Local Se... and the rest is cut off. If I choose Open, MS Photo always shows a 22px W x 15px H 24bit color French Flag at 1320 KB, which seems way too many KBs given that the size and color add up to less than 0.99KB. If I choose Save, then scan with SEP I get zero risk detection. So I choose Cancel now.
Yesterday evening Internet Explorer (IE8) would give me Google results, but any click on a result sent me to a seemingly random place, and in the instance I checked, the displayed URL was spoofed for the site. This occurred for a period of time but then stopped at some point. Google Chrome did not have this problem during the same time period.
Last night I performed a surface scan with error fix enabled. No issues in log file. I did a SEP scan: one tracking cookie.
I have a Belkin 54g router, FW ver F5D7230-4_UK_8.01.09. Since http://www.bleepingcomputer.com/forums/topic418146.html
sounded close, last night I also flushed the DNS, stopped and restarted DNS Client, shut down, reset the router (pushed pinhole about 10+ times until lights briefly went off and came back on), restarted, and reset to my typical router config. Here's some highlights: IP Pool limited to 9; I do broadcast the SSID until I get the laptop WiFi settled; ICMP Ping is blocked; WPA/WPA2-Personal(PSK) WPA-PSK TKIP passworded Security.
I don't see the IE8 redirect behavior today.
Since problems started, upon shut down I sometimes get End Program - Sunupdt32 (Symantec Update?), which sometimes self-resolves, but I always get End Program - rundll32.exe and I have to click End Now.
Tonight I rebooted and let the laptop sit idle for about 15 minutes. I ran CCleaner after enabling a couple extra items on the Windows tab of the Cleaner function, namely Autocomplete Form History, Saved Passwords, and Old Prefetch data. CCleaner removed 24MB in 790 IE Temp Internet files plus 76 cookies, 2 System - Temporary Files, 7 System - Windows Log Files, and 15 Multimedia - Adobe Flash Player files. I reset CCleaner to defaults, sat for 5 minutes, and hit the CCleaner Analyze button: 2,260 KB in 226 IE Temp Internet Files, and 9 cookies. 10 minutes later, 7,514KB in 565 IE Temp Internet files, 43 cookies, 2 Flash files. You get the idea.
So I go to look at these Temp IE files and Windows Explorer does not show a C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files directory, despite my having set options to display system folder contents, and to show hidden files and folders. So I chose to get to the folder via IE8>Tools>Internet Options>Settings button in Browsing history>View files button. Refresh shows there's new files every minute or so. It looks like someone is surfing using my laptop, yet it is just sitting here untouched. There are a lot of small KB JPG files. They only display the default JPG icon in thumbnail view. When I tried to open one I get an Internet Explorer message: "Running a system command on this item might be unsafe. Do you wish to continue?" I hit no. I scan the Temporary Internet Files directory and SEP finds nothing. I close Win Explorer and get a message that Win Explorer has encountered a problem and needs to close, etc. For more info Click Here. It does not give me the usual button to send an error report. Click Here's error signature has APPName: explorer.exe, AppVer: 6.0.2900.5512, ModName: shlwapi.dll, ModVer: 6.0.2900.5912, Offset: 00008434. There's a Click Here for tech info about the report in an appcompat.txt.
Next I shut the Hardware Radio Switch off at 2:40AM. So my state is no WiFi internet, NIC active, and no CAT5 connected. I have one last cookie at 2:40AM, but the next nine most recent files, over six minutes, are internet files with Internet Address res://ieframe.dll/<filename>, where filename is for example httpErrorPagesScripts.js. The Last Accessed date and time stamp for these 9 files updates every few minutes.
Some side info: (1) I have the OEM CDs. It'd be really easy for me to start over. However, this 'no data / low risk' environment provides an excellent learning experience, as I also need to tackle the two misbehaving desktops which basically contain my and my wife's life. (2) This is my daughter's laptop. I bought it used for her for college. I have had the D620 for three days. Since my daughter's school has been in session two days already I am on borrowed time to do my virus removal learning on the laptop. I wanted to let you know in case my daughter needs this for school and I need to cut bait and just reinstall the OS and drivers. However, I feel the problem will recur as it seems likely related to my router, to which all three of my computers are connected, so I really want to stick in and solve this. My daughter is wonderfully patient, which makes me want to help her as much as I can.
I am sorry this is very long. I would appreciate comments aimed at helping me improve my write ups. I want this to be what's best for you. I've read the many pages of good instruction and looked for examples, but feedback on how to make things easiest for you would be great.
Thanks to every potential helping BC member who reads this. Especially thank you to the person who picks this up for being willing to try helping. It's awesome that there are people like you. It makes up for the people who hijack PCs.