Disabled registry on XP from trojans [CLOSED] - Geeks to Go Forums


Disabled registry on XP from trojans [CLOSED] Trojans have been removed - no other infections

#1 little87

  • Group: Member
  • Posts: 18
  • Joined: 26-July 08

Posted 26 July 2008 - 01:37 AM

The computer I'm asking about was bought 7 years ago solely for the kids to play their games on; it only had internet access a couple of times last year to download some game. The game had to be activated online or something. At that time I installed a free antivirus software but have never kept it up-to-date, since the computer hasn't had internet access in a year. It also doesn't have any MS patches. There was never any need.

So my nephew plugged in his flash drive and ended up infecting the computer with a couple trojans. I was able to get my hands on some software that removed the trojans and scanned the rest of the computer. No other trojans showed up. But the registry is still disabled.

I know you require the MS patches but like I said before, this computer doesn't have internet access - at all. There's no way to get those patches. Unless MS has a CD I can buy? Besides, this infection didn't come from being unpatched. It came from my nephew not following my rules.


I think there are references to WildTangent, Shadowbar, and KBD. I'd like to leave those alone, if that's ok. They came pre-installed on the computer.


Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:48 AM, on 7/26/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\System\svchost.exe"
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\ss69olnp.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\ss69olnp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5277E001-1190-3001-0699-ca3230262a11} - C:\Program Files\Common Files\System\wship_help.acm (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdat...ols/getcab2.dll
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1208326043655
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208325198967
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208325107639
O17 - HKLM\System\CCS\Services\Tcpip\..\{741FC4F0-3D90-4E34-93B4-A1EDDBF3AEFD}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe



Thanks in advance to anyone who can help me.

#2 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 26 July 2008 - 06:58 PM

Welcome to GTG.

Why can't this computer connect to the internet? We must follow the rules and without it being patched, we will not provide support for this computer.

#3 little87

  • Group: Member
  • Posts: 18
  • Joined: 26-July 08

Posted 26 July 2008 - 09:59 PM

I don't have an internet connection. Meaning that my household is one of the few that doesn't have any computers connected to the internet. With the kids, we just don't allow it. We tried it out early in 2007 but it didn't work out, especially since it was dialup and we only have one telephone line. I have to go all the way over to my parents' house to use their computer just to make these posts.

The computer didn't even get infected because it wasn't patched. It was infected because my nephew was using his infected flash drive (so he says). The computer won't EVER be connected to the internet. And my nephew isn't allowed to even touch the computer for the next six months.

I can't get anyone to help me because I don't have the service packs installed. Yet I have no way to install them. And once again, the computer wasn't infected because it isn't patched.

Can't you make an exception and help me out this one time? I understand your policy on not helping unpatched computers, but those are ones that probably got infected from being connected to the internet. My case is completely different.

#4 admin

  • Group: Administrator
  • Posts: 23,520
  • Joined: 21-May 03

Posted 27 July 2008 - 09:55 PM

If you have access to a computer with a high-speed connection and a CD burner, you can download the Windows XP Service Pack 3 CD image file:
http://www.microsoft.com/downloads/details...;displaylang=en

It's an ISO file, meaning you'll need a special program to burn it to a CD. I like the free and simple ISO Recorder.

Microsoft has not yet made a Windows Service Pack 3 CD available for order. I guess they're assuming most people either have a broadband connection, or access to broadband and a CD burner (work, friend, neighbor).

Once you have the CD, simply insert it to install Windows XP Service Pack 3. No internet connection required.

#5 little87

  • Group: Member
  • Posts: 18
  • Joined: 26-July 08

Posted 28 July 2008 - 12:28 AM

I thought it was recommended to only install SP1 until the infection has been completely removed? It also sounds like you're saying SP3 includes all previous service packs/patches, but it doesn't look that way from the link you provided. Does SP3 contain all the previous service packs? How would I install SP3 from a CD?

Is SP1 available on a CD to order? I am having a terrible time navigating Microsoft's website. I can't find squat.


I don't know, this seems like a lot to do for a computer that won't ever have an internet connection. I honestly don't understand why you can't just tell me what to do to clean up this infection. I'm tired of going back and forth to my parents' house just to make these posts. At this rate, it will take a month to clean up this infection. :)

#6 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 30 July 2008 - 10:32 PM

I haven't downloaded SP3 to an XP computer with no updates before, but you might need SP1 installed first. Give it a try to see what the outcome is.

OK, let's get started on this....

For the below fix, if you intentionally disabled the registry editor access, you may skip them (do not check the box to fix them).

Make sure you download the Combofix tool and recovery console utility ahead of time and copy it to this computer.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\System\svchost.exe"
O2 - BHO: (no name) - {5277E001-1190-3001-0699-ca3230262a11} - C:\Program Files\Common Files\System\wship_help.acm (file missing)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\Common Files\System\svchost.exe

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
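The fix list above is the manual version of what a helper scans an HJT log for: the O7 policy values that lock out regedit, the F2 Shell value with an extra executable tacked on after explorer.exe, a BHO whose DLL no longer exists, and an svchost.exe living somewhere other than System32. The script below is an added example (not part of this thread, not HijackThis code) that runs those four checks over lines copied from the log in post #1 and emits the equivalent command-line remediation. The mapping of HJT's "F2 - REG:system.ini: Shell=" entry to the Winlogon\Shell registry value, and the exact reg/del commands, are this example's own assumptions about an XP host, not something the posts state.

```python
"""Triage HijackThis-style log lines for the indicators seen in this thread.

Added example, not part of the forum posts or of HijackThis itself.  The
sample lines are copied from the log in post #1 (plus one benign process
line); the 'reg'/'del' commands are the remediation a helper would have the
poster run at an XP command prompt, and the mapping of HJT's "F2 ... Shell"
entry to the Winlogon\\Shell value is an assumption made here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# A Windows path ending in .exe; spaces allowed, stops at a quote or line end.
EXE_RE = re.compile(r"""[A-Za-z]:\\[^"'\r\n]+?\.exe""", re.IGNORECASE)
O7_RE = re.compile(r"O7 - (HK\w+)\\(\S+),\s*(\w+)=1")
F2_SHELL_RE = re.compile(r"F2 - REG:system\.ini: Shell=(.*)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass
class Finding:
    kind: str   # which check matched
    line: str   # the offending log line
    fix: str    # command to run on the infected machine (assumed, see docstring)


def triage(lines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # svchost.exe is only legitimate in %SystemRoot%\System32; the copy in
        # the thread lives under Common Files\System and is the trojan.
        for path in EXE_RE.findall(line):
            low = path.lower()
            if low.endswith("\\svchost.exe") and not low.startswith(SYSTEM32 + "\\"):
                findings.append(Finding("masquerading_svchost", line, f'del "{path}"'))
        # O7: Explorer/System policy restrictions set to 1 (DisableRegedit here).
        m = O7_RE.match(line)
        if m:
            hive, key, value = m.groups()
            findings.append(Finding("policy_restriction", line,
                                    f'reg delete "{hive}\\{key}" /v {value} /f'))
            continue
        # F2: system.ini-mapped Winlogon values.  Shell must be exactly
        # explorer.exe; anything appended to it is launched with the shell.
        m = F2_SHELL_RE.match(line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(Finding("rogue_shell", line,
                                    f'reg add "{WINLOGON}" /v Shell /t REG_SZ /d explorer.exe /f'))
            continue
        # O2: a BHO registration whose DLL is gone is a dead hook; remove the key.
        if line.startswith("O2 - ") and "(file missing)" in line:
            clsid = CLSID_RE.search(line)
            if clsid:
                findings.append(Finding("orphan_bho", line,
                                        f'reg delete "{BHO_KEY}\\{clsid.group(0)}" /f'))
    return findings


def remediation(findings: list[Finding]) -> list[str]:
    """Fix commands in first-seen order, de-duplicated, ready for a .cmd file."""
    out: list[str] = []
    for f in findings:
        if f.fix not in out:
            out.append(f.fix)
    return out


# Lines copied from the log in post #1 (first line is a benign process entry).
SAMPLE = [
    r"C:\WINDOWS\System32\svchost.exe",
    r'F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\System\svchost.exe"',
    r"O2 - BHO: (no name) - {5277E001-1190-3001-0699-ca3230262a11} - C:\Program Files\Common Files\System\wship_help.acm (file missing)",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.line}\n    fix: {f.fix}")
```

On the sample the script reports the rogue svchost.exe, the altered Shell value, the orphaned BHO and both DisableRegedit values, and the remediation list comes out as five commands. The DisableRegedit policy only stops regedit.exe from opening; the command-line reg.exe is not blocked by it, which is why the fixes are written as reg commands rather than as regedit steps. Delete the file before resetting Shell, and reboot afterwards: Winlogon reads the Shell value at logon, so a log taken before the reboot will still show the old value.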

#7 little87

  • Group: Member
  • Posts: 18
  • Joined: 26-July 08

Posted 31 July 2008 - 04:32 AM

Thank you so much for helping me.

I fixed the entries in HJT as you instructed.

C:\Program Files\Common Files\System\svchost.exe - This was one of the trojans - it has already been sent to the virus vault.

I have downloaded ComboFix as you instructed.


I have a couple of questions about the recovery console, because I have never understood it. The infected computer is an HP from about 2001 or 2002. It was one of the ones that didn't come with any recovery disks or even an XP disk. I think the recovery stuff is in some hidden partition on the HD. Then there was that class action lawsuit against HP and I got a bunch of disks in the mail. I guess they're the recovery disks and maybe the XP disk, I don't remember.

Sorry for all the questions but I guess I should make a point to learn about this stuff.

1) What is the purpose of the Recovery Console on XP? Is it because XPs don't have DOS?
2) How do I know if I already have it installed?
3) Should all XPs have it installed?
4) Would it be better to install the recovery console from the HP disks?
5) Why does ComboFix want me to install the recovery console?

#8 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 31 July 2008 - 10:38 PM

1. That's correct. We want users to install the recovery console (command prompt in a way) so in case disaster strikes, we may be able to assist with the issue.

2. If you already have it installed and it's enabled, you should see a selection prompt every time you power up your computer.

3. It depends who you ask. I see no harm in having it. It's just another handy feature to have in case trouble stirs.

4. You may use the Microsoft link provided in the BleepingComputer site to install the recovery console.

5. You don't have to install the recovery console if you don't want to, but it is recommended.

Hope that answers your questions.

#9 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 06 August 2008 - 06:28 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
