Author Topic: win32 trojan-gen corrupt scvhost file and 2 restore files= no internet HELP!  (Read 4956 times)

0 Members and 1 Guest are viewing this topic.

live4me

  • Guest
I have re installed the win xp from recovery console an lost all user data (*gripe; grumble against my sons best wishes) he lost internet connection the other dayand avast was running but we found on hijackthis that the scan shows that avast was not enabled ?  I was not able to run it because we could not manaully submit the registration code seems it would not accept it. but anyhow now we got past that and it found win32 trojan-gen infected svchost and  also 2 in the restore folder which i have written down some where  but they had to be deleted
avast vault shows this:
kernel32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am   
kernel32.dll     c:\windows\system32   7/5/2006 6:55:01 am   9/26/2006  5:05:58  am
winsock.dll      c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am
wsock32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am

hijackthis shows this:
Logfile of HijackThis v1.97.7
Scan saved at 1:25:42 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Desktop\APPLICATIONS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Connection Help (HKLM)
O9 - Extra 'Tools' menuitem: Connection Help (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159254315903

I'm not clear on this but it looks like 3 of those results on hijackthis (04) may be a concern.. I can not find anything on them to validate them being accurate...  but the  whole problem is that I can no longer get online with the computer ..

well I can but not with the router anymore, only direct connect via the modem...4 people in the house need the connection up !!!
 the thing was working fine before this infection appeared so what do we need to fix to get the router to see the computer connection again ( or vise versa) according the the status there is a connection and all but when you try to open a bowser it "can not find" .....tried a winsock fix NG!!
 tried to unistall and reinstall card and driver NG!
 tried to release and renew ip address.. NG !
 tried to ping .. all lost!
so frustrating and probably the answer is right under my nose but I am so disgusted after this one..
I have run ATF-cleaner:
CCsetup 133:
Drweb cureit: 
kasperskylab:
superantispyware:
vundofixit:
winsockxpfix
Still not able to get online.... plz HELP!!!!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
We found on hijackthis that the scan shows that avast was not enabled ?
Try the AntiKill feature of avast (http://forum.avast.com/index.php?topic=22184.msg184340#msg184340).

I was not able to run it because we could not manaully submit the registration code seems it would not accept it.
Which avast version are you using? Did you try to use a Home key?

avast vault shows this:
kernel32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am   
kernel32.dll     c:\windows\system32   7/5/2006 6:55:01 am   9/26/2006  5:05:58  am
winsock.dll      c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am
wsock32.dll     c:\windows\system32   8/4/2004 8:00:00 am   9/26/2006  4:31:14  am
Where? On the System folder? If so, these files are there due to backup purposes...

kasperskylab
What is it? A second installed antivirus?
« Last Edit: September 27, 2006, 05:02:55 AM by Tech »
The best things in life are free.

live4me

  • Guest
Hey Tech,
Which avast version are you using? Did you try to use a Home key?

version 4.7 home user
As I said, I finally got past that by directly connecting the modem to the machine did my windows updates and registered avast (new version) since the other one was no longer any good ...plus downloaded all the other programs which were lost due to the recovery.. Adaware, spybot, hijackthis etc...
?? HP gets a ton of money that way!!!
the reboot after the recovery proved there was a trojan in the system.... after using the recovery console to restore  this is way to involved to explain all of it but trying to delete norton so I could use avast it removed a config file so ended updoing a recovery which revealed the reason for the lost internet was the trojan TY for the wonderful virus scanner!!
if I do a recovery will it reinfect the system again?

 must have missed the update warning .( you know how kids are)
kaperskylab is another back up scanner to double check like Bit defender and Trend micro (I used to work in a call center as a computer tech.. ) I swear by avast  and highly recommend to others.. I find them better than mcaffee and norton...got in trouble for saying this while on tech calls too!!! big time!!
never install two virus scanners .. just a temp to run to double check and remove after,,,
just puzzled as to how to get the net back up and running.... I have never run into this issue before .. I was not internet tech help so this is not my area..I was business end high level user.. I know something needs to be reinstalled but I can't put my finger on it
maybe a dyed blonde moment for me...
thanks for the forum and a quick reply.. looking forward to putting this behind me..I will try the antikill but it appears there is no more infection found anywhere just need to know what went missing to keep me off line...
I'll reply back in a sec as to what fiels exactly were affected (infected)
Linda

Spiritsongs

  • Guest
 :) Hi Linda :

     Since your HJT log says you have Win XP SP2, you should
     click "Run", type "cmd", click "ok", type "netsh winsock
     reset" to restore an internet connection .
     Currently looks like you have "hijacker(s)", but I see no
     antiSPYWARE or antiTROJAN program(s) on this machine;
     am I missing something ? Sounds like you should get
     help from a volunteer Expert on one of the many
     antiSPYWARE forums !? If you know of none, I recommend
     www.landzdown.com .

live4me

  • Guest
thank you for the info.. I will try that this time I am giving it a shot at a one more time in recovery console

maybe now that avast could identify the problem file and it as removed it may come back in fixed and clean,  if NOT, 
then I will follow thru with your suggestion on command prompt then if that all fails.

Nope you arent missing that part ....they were removed on reboot with avast.. thank you for the program!!!

I will resort to another forum to find my answer.. always something with technology ---gotta love it..

this one is just stumping me completely or as you ask "am I missing something?"

Nice to meet you and thank you again, I will also give the antikill a try too, still waiting for recovery......

Linda

live4me

  • Guest
It appears that this was a router setting issue:
It seems the router was working fine for a year (even with a change of computers all around) before it recognized that the new owner was me and both my sons had a new computer added (seems it had one computer being used by two different people) but never changed his ip and computer title. I have manually gone in and updated this information and we are all able to get on now.. totally a router issue...
thank you for the input.. but this was not spyware or virus issue as we thouht it was in the first place.. seems the router needed to be manually reset even after we were using it for a year the way it was .. ?? oh well live and learn...
Linda
PS seems there are a bunch of people out there who have =seconduser listed in a  HJT log this is a result of router setting issues not always a trojan or hijack.. just to be wary in the  future ,,,  make cetain they have checked the router settins first before going throuh all this testing 
I lost a great deal of files thanks to HP and  some sugestions from other people 
  like i said before "live and learn".. but make sure people have the router set up right before you have them go through these other tests and checks....Personaly I never once thought this might be a router setup issue... since it has always been a virus or spyware issue in the past..
=seconduser may very well be a rtouer setting issue
« Last Edit: October 02, 2006, 06:48:27 PM by live4me »