Solved: Compaq Laptop

Discussion in 'Virus & Other Malware Removal' started by spikefan, Jan 19, 2006.

Thread Status:
Not open for further replies.
  1. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hello,
    Unfortunately my husband has inherited a Compaq laptop from work to enable him to do slide shows for customers. He was wished the best of luck - I know why now...
    I have posted a HijackThis log. Prior to this I used Ad-Aware, CCleaner, Bazooka and CWShredder. Ad-Aware removed 118 items (I couldn't update any of them) as I have no internet access to this machine at the moment. The computer belongs to the firm and I don't have administrator rights, although I managed to get into the registry and startup configuration via Safe Mode.
    I think I have managed to stop the minidump occurring by disabling the item in the startup configuration. I am unable to get rid of a logon screen which requires a password (which we were given, but doesn't work); you just press Enter and it takes you to the desktop, so not imperative to remove, just annoying. You even have to press Ctrl+Alt+Del to even get to the password screen. I have removed BT Openworld and AOL from the machine, so those items, so far as I can see, don't need to be there; I suppose the same would be true of the SpeedTouch USB, as when I do eventually get to internet access it would be via my wireless router.
    I can see a few items on this log that are suspicious and I appreciate it would be best with an up-to-date operation, but it's the best I can provide at the moment. The other thing I was unable to do was install Service Pack 2, which I thought very strange; it went through the motions of extracting files but then nothing. Odd, as the previous user had obviously got games and such on the machine, though I suppose these could have been downloaded. There were a lot of unsavoury items on derbiz.com, real porn and other items.
    Any suggestions would be appreciated.
    Logfile of HijackThis v1.99.1
    Scan saved at 17:27:49, on 19/01/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\regedit.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    E:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/business/bbhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Business Broadband
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [blah service] fenr.exe
    O4 - HKLM\..\Run: [System Updates] winsci.exe
    O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedri32.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\RunServices: [blah service] fenr.exe
    O4 - HKLM\..\RunServices: [System Updates] winsci.exe
    O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [System Updates] winsci.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [System Updates] winsci.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: BT - {7A99B953-33DF-4F4B-9171-34F7B3B086A7} - http://www.bt.com (file missing) (HKCU)
    O9 - Extra button: Homepage - {9B6AC083-C539-4CB1-8D8A-3176C523419B} - http://www.btopenworld.com/default (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = lathams.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Thanks in anticipation,
    Debs
     
  2. michael_jii

    michael_jii

    Joined:
    Feb 19, 2003
    Messages:
    1,071
    OK, this is my first analysed log. I've been doing reading/tutorials on how to analyse them.

    fix:

    Advice removed by Cookiegal
     
  3. michael_jii

    michael_jii

    Joined:
    Feb 19, 2003
    Messages:
    1,071
    Advice removed by Cookiegal
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Please do not follow the previous instructions as there are good items being deleted and bad ones were missed.

    michael_jii,

    If you really want to learn how to analyse HijackThis logs, please PM me. Otherwise, I'll have to ask you to leave the logs to the experts.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    You say you don't have Internet access but does that mean that you are unable to connect this machine to the Internet at all?
     
  6. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hello,
    Thanks for your reply. Luckily I was setting up a friend's laptop tonight so didn't get round to deleting anything at all.
    I do have internet access, but the advice given to my husband was that the machine would be alright if we didn't want to network or anything. 3 of my machines at home are all networked. I didn't really want to put this one on the internet until I had got all the little fiddly bits sorted. In actual fact I wasn't really sure I would be able to, in view of the powers that be on the machine stopping me from getting to the startup configuration and regedit in normal mode.
    Don't know whether that is any clearer. I look forward to your reply but really must go to bed as it is 1.30. Thanks for your input.
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Unless we can get this computer on-line, without it being networked to the others as the risk of propagation is very high, I think your best bet would be to reformat and start over.

    You have several infections, including a rootkit that requires that a tool be run to identify the files. Without any service packs, this computer was left wide open and vulnerable.
     
  8. michael_jii

    michael_jii

    Joined:
    Feb 19, 2003
    Messages:
    1,071
    I'm very sorry, spikefan and Cookiegal, I was following a guide recommended to me found on Help2Go.net
     
  9. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hi Cookiegal,
    What is the best way of connecting this laptop to the internet then? I have a Netgear router which I use with my other 3 machines. Although they are networked together they also work independently now thanks to the Netgear; previously they relied on the main machine being on to access the internet.
    Can I set a manual connection to the Netgear which doesn't affect the other 3?
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    I'm going to ask a Network expert to answer that for you before we proceed.
     
  11. JohnWill

    JohnWill Retired Moderator

    Joined:
    Oct 19, 2002
    Messages:
    106,418
    I'd suggest that you either turn off the other machines or unplug their network cables while you work on the infected machine. That's the simplest way to avoid any possibility of something getting through.

    As far as administrative access, we can fix that too if necessary.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Thanks John! (y)

    spikefan,

    If you can set aside some time where you could disconnect the others and put this one on-line, we could work on this and get it cleaned up.
     
  13. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Thanks, I am working Monday and Tuesday but have Wednesday off and everyone else should be at work (some hope), so I can switch off all other machines and leave the Netgear to connect to the infected laptop. Am I right in assuming that if the machines are off then there is no connection between the machines?
    If anyone wants to put down a set of instructions to follow, I will gladly do so. Thanks
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,027
    Here's your mission, should you choose to accept it. :D ;)


    I will only be available during the evening on Wednesday but if you can have this done by then, I will follow up then.


    Unplug the network connectors and power cords to the other computers.


    Once you get this laptop on-line, please do the following:


    It appears that AOL wasn’t completely uninstalled. Did you do that via the Control Panel – Add/Remove programs? If not, then do so. Then you can delete the following folder if it still remains:

    C:\Program Files\Common Files\AOL


    Now, update and scan with Ad-Aware.


    Click here to download LQfix.exe and Save it to your desktop.
    • Doubleclick LQfix.exe and click install.
    • Leave the default settings. If you change them, the fix will fail.
    • Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
    • Follow the prompts on the screen.
    • Your system will reboot afterwards.
    • Please be patient after reboot, because there is a script running in the background.


    Download Cleanup from Here
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET


    Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.

    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com/business/bbhome

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Business Broadband

    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKLM\..\Run: [blah service] fenr.exe

    O4 - HKLM\..\Run: [System Updates] winsci.exe

    O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe

    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedri32.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKLM\..\RunServices: [blah service] fenr.exe

    O4 - HKLM\..\RunServices: [System Updates] winsci.exe

    O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe

    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKCU\..\Run: [System Updates] winsci.exe

    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe

    O4 - HKCU\..\RunServices: [System Updates] winsci.exe

    O9 - Extra button: BT - {7A99B953-33DF-4F4B-9171-34F7B3B086A7} - http://www.bt.com (file missing) (HKCU)

    O9 - Extra button: Homepage - {9B6AC083-C539-4CB1-8D8A-3176C523419B} - http://www.btopenworld.com/default (file missing) (HKCU)

    If I’m correct in assuming that you no longer need these O17 entries as they were the domain from work before the laptop was given to you then include them. Otherwise, leave them.

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = lathams.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lathams.co.uk

    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)


    Then boot to safe mode:


    How to restart to safe mode


    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop



    Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once it’s done, close the program.


    Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:


      C:\windows\system32\msconfig32.exe

      C:\windows\system32\fenr.exe

      C:\windows\system32\winsci.exe

      C:\windows\system32\winpadg.exe

      C:\windows\system32\elitedri32.exe


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.



    Restart back into Windows normally now.


    Do a Panda Active Scan. Be sure to save the log it creates.


    Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
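    The O4 entries in the log from the first post and the fix list above follow a pattern an analyst can test for mechanically: the Run-key values to remove are bare file names with no directory, several of them sit in RunServices keys that Windows XP never reads, and the same names are registered under several keys at once. The script below is an added example, not code from this thread or from HijackThis; it parses the O4 lines as posted (constructed into a sample string here), flags entries on those three criteria, and derives the search-order locations that the Killbox step above assumes. The function names `triage` and `kill_candidates` are hypothetical.

```python
"""Triage the O4 (autostart) entries of a HijackThis v1.99 log.

Added example, not code from the forum thread or from HijackThis.
Rules applied (the reasoning behind the fix list in the thread):
 - a Run-key command that is a bare file name (no drive, no directory)
   is found via the CreateProcess search order, not a known install path;
 - RunServices/RunServicesOnce are Windows 9x keys; Windows XP never
   processes them, so nothing legitimate on XP registers there;
 - one bare name under several (hive, key) pairs is redundant persistence,
   typical of worm and IRC-bot droppers.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the O4 lines of the log posted above, plus one header line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [blah service] fenr.exe
O4 - HKLM\..\Run: [System Updates] winsci.exe
O4 - HKLM\..\Run: [Windows Desktop Daemon] winpadg.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedri32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [blah service] fenr.exe
O4 - HKLM\..\RunServices: [System Updates] winsci.exe
O4 - HKLM\..\RunServices: [Windows Desktop Daemon] winpadg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [System Updates] winsci.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [System Updates] winsci.exe
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
XP_AUTOSTART_KEYS = {"Run", "RunOnce"}   # keys Windows XP honours at logon


@dataclass
class O4Entry:
    hive: str
    key: str
    value_name: str
    command: str
    exe: str                      # image launched: first token of the command
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def first_token(command: str) -> str:
    """Executable part of a Run-key command: quoted path or first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def parse_o4(line: str):
    """Parse one HijackThis O4 line; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return O4Entry(hive, key, name, command, first_token(command))


def triage(log_text: str):
    """Parse all O4 lines and attach a reason for every suspicious trait."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e is not None]
    seen = Counter(e.exe.lower() for e in entries)   # how many keys launch each image
    for e in entries:
        bare = "\\" not in e.exe and ":" not in e.exe
        if bare:
            e.reasons.append("bare file name, resolved via search order")
        if e.key not in XP_AUTOSTART_KEYS:
            e.reasons.append(f"{e.key} is a Windows 9x key, unused on XP")
        if bare and seen[e.exe.lower()] > 1:
            e.reasons.append(f"registered in {seen[e.exe.lower()]} autostart keys")
    return entries


def kill_candidates(entries, systemroot=r"C:\WINDOWS"):
    """Where a bare name is normally found: system32 first, then the Windows dir."""
    names = sorted({e.exe for e in entries if e.suspicious and "\\" not in e.exe},
                   key=str.lower)
    return ([f"{systemroot}\\system32\\{n}" for n in names]
            + [f"{systemroot}\\{n}" for n in names])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        if e.suspicious:
            print(f"{e.hive}\\..\\{e.key} [{e.value_name}] {e.exe}: {'; '.join(e.reasons)}")
    print("check/delete:", *kill_candidates(found), sep="\n  ")
```

    Run against the sample it flags the 12 msconfig32.exe, fenr.exe, winsci.exe and winpadg.exe entries and leaves the eight entries with a full install path alone. Two items in the fix list are outside what these rules can see: KernelFaultCheck is the benign leftover that Windows writes after a crash dump, and C:\windows\system32\elitedri32.exe has a full path and is only recognisable from analyst knowledge of the name, which is why the thread's fix list still comes from a person, not a script. The candidate paths are places to look, not proof that a file is there; Killbox reporting a file as missing is expected for the ones that were dropped elsewhere on the search order.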
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    *WHEW* I'm exhausted by reading it :eek:


    :D
     
Short URL to this thread: https://techguy.org/435453