Hello Daniweb:

Assisting neighbors with plugged up system 1Gig- RAM, Compac software suite.

Box was shipped w/XP, has been upgraded to Vista Home Premium.

Users are still on dial-up, which does not work any longer, although I can interrogate the modem and it answers in the hardware manager.

I found 201 iterations of something called 6to4 adapter on an IPCONFIG check, and multiple iterations of ISATAP{18C09134-4D12-4B0F-8F00-AAB3B2544682} devices in the device manager for modems. Repeated attempts to remove these merely caused them to regenerate.


Kaspersky rescue disk found and deleted two suspect objects, one being C:\Program Files\HP Games\Wheel of Fortune-WT.exe

And the other reported as Troj.winreg.startpage.bj in file C:\<user_helper>\homepagelock.reg

The system is booted into Vista safe mode while Malwarebytes runs, and was in safe mode when the following HJT log was generated:


=====

Logfile of HijackThis v1.99.1
Scan saved at 2:34:34 PM, on 10/18/2010
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Alan\Desktop\sys_ops\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.peoplepc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Many Thanks

8-bolt
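As an added, defender-side example (not from the thread and not HijackThis's own code): a small Python triage pass over lines in the HJT v1.99.1 format shown above. It flags entries that point at files no longer on disk, O23 services with an unknown owner, O4 autoruns that load a DLL through rundll32, and R0/R1 URLs outside the stock Microsoft/HP defaults, which is exactly the kind of entry a start-page hijacker such as the homepagelock.reg object above would leave. The sample lines are constructed from the posted log, and the default-URL allow-list is an assumption.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, drawn from the log posted
# above (a handful of lines only, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.peoplepc.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Assumed allow-list of stock IE/HP URLs seen in this log; anything else on an
# R0/R1 line deserves a second look (start-page hijackers live here).
DEFAULT_URL_RE = re.compile(r"^https?://(go\.microsoft\.com|ie\.redirect\.hp\.com)/")

def parse_hjt(text):
    """Return one dict per HJT entry: section code, body text and triage flags."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # header, blank or process-list line
        sec, body = m.group("sec"), m.group("body")
        flags = []
        if "(no file)" in body or "(file missing)" in body:
            flags.append("dangling")       # registry still points at something gone
        if sec == "O23" and "Unknown owner" in body:
            flags.append("unknown-owner")  # no vendor name resolved for the service
        if sec == "O4" and "RUNDLL32" in body.upper():
            flags.append("rundll32")       # autorun loads a DLL indirectly; verify the DLL
        if sec.startswith("R") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url and not DEFAULT_URL_RE.match(url):
                flags.append("nondefault-url")
        entries.append({"section": sec, "body": body, "flags": flags})
    return entries

def triage(text):
    """Only the entries that picked up at least one flag, in log order."""
    return [e for e in parse_hjt(text) if e["flags"]]
```

A flag is a prompt to verify the item (vendor, signature, file on disk), not a verdict: the NvSvc rundll32 line, for instance, is a normal NVIDIA autorun.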


Welcome to Daniweb, 8boltwheels. Now if you will go here http://www.daniweb.com/forums/thread134865.html and follow the posted instructions, then post back logs as instructed, someone will be glad to take a swat at your problem. Thank you. Later---

Thanks for the quick reply, Biker920. Please bear with me on how soon I can report back.
Access to machine needing help is limited.

I'm working to implement - in order - all the steps in 1361988.


Thanks,

8bolt

Forum helpers...

How do I make absolutely certain rule 1A in 134865 (Remove all P2P software) is complied with if some artifact is hidden/obfuscated? To my knowledge, there is NO intentionally installed P2P software of any kind on this machine. Is there an audit list of known P2P-containing files that I can bash this machine against?

Thanks,

8-bolt

If you see none in the Programs list then it is likely there are none installed. Go on with other instructions.

Daniweb team,
Please keep this thread alive, if possible. I'm able to work on this case on a very limited basis, and thus far, meeting the requirements of success in your "before posting" tutorial has proved near impossible. Whatever has hold of this machine has managed to remove the Add/Remove software tool from the Control Panel, and has prevented the successful completion of almost all of the software run steps you specify. I will however keep trying, and if I am unable to finish this up I'll give you clear closure. Client may be at a point where they are willing to cut their losses and let me re-format and re-load.

Thanks,
8-Bolt

Think reformat is likely your best option.

Hello Helpers,

The project is still alive and hopefully nearing completion. I have some file clean-up and audits to run and will then attempt to follow the explicit steps in the "before you post" tutorial. I want to make absolutely sure all malware/left-overs are removed from the machine.

Thanks,

8bolt

You are aware that this thread is nearly 18 months old, I presume. We have no idea what project or audits you are talking about here, or what tutorial you are talking about either. No one offered to post a tutorial. We recommended reformatting the machine, which would likely remove all malware because the drive would be wiped clean.

Yes, the thread has been open for nigh-on 18 months. It's way past time to wrap this little nightmare of a project up, for sure. I refer to the "before you post" instructions you require of us, which I called a tutorial.

As to the re-format: not feasible as no OEM media is available.

I do have an HP-generated recovery disk that was apparently created sometime shortly after the machine was purchased. All of the subsequently installed application software is not on this image. I have loaded a new hard disk with it and booted successfully from it, but the owner hopes to preserve as much of their original execution environment as possible. This recovery disk also completely wipes any drive it is placed on, ignoring any prior partitions or data. I'm VERY glad I tried it on a new second drive to see what the effect would be.

The file audits I refer to were user data operations, not directly related to my request for assistance, and should have no bearing on the assistance you might provide: backup data de-duplication, re-building new user profiles, etc.


Since no one in the volunteer community looked at my original HJT dump, and I was admonished to perform this "before you post" process, which has never run successfully to completion, would it be better to open a new post, starting from scratch?

Thanks for the timely reply...

I would suggest you begin from scratch; however, previous advice was reformat, and present advice would be no different. HiJackThis is really no longer used that much and offers little if any information that can determine infection. The Read Me First sticky is what we would work from.
Yes, a recovery disk will wipe the drive and bring the computer back to its factory install condition. After 18 months and having no clean-up done of the computer, that would be my recommendation. However, if you wish to start a new thread, of course this is your option, but those tools in the Read Me First sticky would be required; that is the only way we can get the information needed to proceed. If one tool doesn't work, go on to the next. DDS scanner, both logs, are two of the key things that must be done. Without those we have no information whatsoever.
But after 18 months without doing anything, my advice is a clean install. It would likely take you only a few hours to do so. You have waited 18 months to even think about returning, so I am certain a clean-up may very well be totally impossible; too much time has passed to even half-way believe that this computer can be cleaned to the user's satisfaction.
