Re: SP2 makes XP-Home/SP1 CD - TROJAN




"Shenan Stanley" <newshelper@xxxxxxxxx> wrote in message news:OyYKDdpqFHA.3672@xxxxxxxxxxxxxxxxxxxxxxx
FreeSpirit,

I know these things about your situation, confirm if you will..

- You have an Windows XP Home system from HP that came with all of the hardware you are trying to use with it - this would include any cameras, etc. You have not purchased any third-party hardware at this time and Windows XP Home Edition came with/installed on the computer when you purchased it originally.

## Yes. The hardware was all here when we bought this PC - Correct. But please see above. Microsoft AntiSpyware (MSAS) found a TROJAN hiding on my PC and cannot remove it, nor can I. This TROJAN I believe is the problem!!!


- You have reinstalled from the manufacturers restoration CDs at least 3 to 4 times now.

## HP did it once, we did it twice. The first time was because the HD was failing (they said). I'm starting to wonder if those other 2 issues we had with WXP were also spyware/scumware related as well and nothing saw them. Adaware and Spybot do not see this Trojan, nor did Norton pick up on it.


- You are having troubles downloading software/anything from the Internet and your camera and scanner wizard at the very least on this system.
- You cannot (for monetary and/or distance reasons) have anyone experienced with such things look at it (take it or have them come out.)

## That would be the absolute last resort. The techs we have here in the boondocks are not the most knowledgeable and charge $75 to come out, and then $40 to $50 an hour thereafter with no guarantees. Been there - done that!


- You cannot (for reason of system choice) integrate SP2 into your installation media - since you really do not have installation media, but restoration CDs.

## Exactly. If we can't get this Trojan off this PC we're looking at many many hours of work reinstalling and tweaking everything back to the way I like it. I dread it!


Now my questions:

- When you first *restore* the system from the restoration CDs provided by the manufacturer (before doing anything else) - do the functions you are having trouble with WORK?

## Yes.

- Do you then continue to install things one at a time and see if any of the functions cease to work at any given time?

## Not one at a time, usually 2 at a time. If all goes well, then another two... etc. The problems always started after all was well for weeks, sometimes months.


- Have you been making steady backups to CD or Floppy Diskettes or something - of your valuable data/email/contacts?

## Yes! I've been doing that for years now. We GHOSTED the whole system with Norton Ghost last May. We were about to do it again. We never used Ghost before and are leery about trying it. As I said, techs here are expensive when you can find one, and their work isn't always good. Or we have to haul it out to CompUSA which is a long drive from here.


- Have you checked HP for any BIOS specific updates to your computer? (I only mention this because there were some computers out there that could not function properly without a BIOS flashing when certain Service Packs/Patches were applied to them - and if I remember correctly - HP as one of the manufacturers who has had this problem several times in the past.)

## Yes, HP has a BIOS update/flash but that would be like having a first aid course and trying to do brain surgery for me.


- Can you (even if you have done so in the past) post the Model of your computer here (along with general specs like memory, hard drive size, CPU speed and any external devices you have connected to it at any time.)?

## Yes and I'm going to post the HiJackThis log here as well. Maybe someone will see something I don't.


This PC was bought in Aug 2003 with WXP-Home/SP1. It's the a250n with a 2.60 Intel Pentium 4 processor, 512 MB of RAM & a 120 GB Western Digital HD. It has 2 burners and a floppy drive. We replaced the original CD-ROM with a better Sony. It also has read drives for flashcards, smart-media, an mmc drive and MSMS pro drive (I don't know what they are). It has an old HP printer that we update the drivers for and an old Epson Scanner. The HP camera has a flash card that goes into the flashcard reader on the front of the PC. The monitor is a ViewSonic about 6 months old.

You can see the "Trojan.downloader.hbo.req's" pmkhh.dll and some other suspicious stuff at the ***s.

Logfile of HijackThis v1.97.7
Scan saved at 8:53:43 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\DIRECWAY\BIN\dpcnav.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\A - FreeSpirit\Download-program\HijackThis.exe


O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) ***
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll ***
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll ***
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll ***
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (NEW)
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Navigator.lnk = C:\Program Files\DIRECWAY\BIN\dpcnav.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Spyware Doctor (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab ***
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093243719343
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{4027C9D0-ABA5-4111-A56F-387EEC5C221D}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4027C9D0-ABA5-4111-A56F-387EEC5C221D}: NameServer = 66.82.4.8


Do YOU see anything else that looks suspicious above?

- Are you prepared and willing to restore your system to its purchased state again - so it can be configured correctly from the beginning and get only the software you need to maintain, protect and use it properly/the way you desire installed?

## GOOD GRIEF YES!!!! :-)))

(You are likely going to need to do this, but you should also know all the steps to go through in order to get it completely updated and stay fully functional afterwards - which we will be more able to provide if you answer all the other questions I have completely.)

## I understand. Would you recommend that rather than try and get this Trojan off my PC?


FS ~

-- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html
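A mechanical first pass over a log like the one posted above, as an added example that is not part of the original thread and not HijackThis's own code. It parses the O2/O4/O10/O16/O17 line types, flags an unnamed BHO loading from system32 (the pmkhh.dll pattern), an orphaned "(no file)" BHO, an autorun entry with no path, each distinct Winsock LSP DLL once, ActiveX downloads from hosts outside an allowlist, and any DNS server other than the expected one. The trusted-host list, the expected resolver and the sample log excerpt are assumptions constructed for illustration, not vendor data.

```python
"""Mechanical triage of a HijackThis (v1.9x) log.

Added example; not part of the original post and not HijackThis code.
The allowlists below are assumptions for illustration, not vendor data.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed: hosts from which ActiveX (O16 DPF) downloads are expected on this box.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "macromedia.com", "trendmicro.com",
                        "hp.com", "apple.com", "akamai.net")
# Assumed: the resolver the ISP (direcway.com in the log) is expected to assign.
EXPECTED_NAMESERVERS = {"66.82.4.8"}
# Directories where an unnamed, unexplained BHO DLL deserves a hard look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")

# Constructed sample: an excerpt in HijackThis 1.97 format, built from entries
# of the kind seen in the posted log, for a stand-alone run.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093243719343
O17 - HKLM\System\CCS\Services\Tcpip\..\{4027C9D0-ABA5-4111-A56F-387EEC5C221D}: NameServer = 66.82.4.8
"""


@dataclass
class Finding:
    section: str   # HijackThis line type, e.g. "O2"
    severity: str  # "high" = act on it, "review" = confirm by hand
    reason: str
    line: str


_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")
_O16 = re.compile(r"^O16 - DPF: (?P<ident>.*?) - (?P<url>\S+)$")
_O17 = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")


def _trusted_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text: str) -> list:
    """Return the Findings for one log, in log order."""
    findings, lsp_seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            path, name = m["path"], m["name"]
            if path == "(no file)":
                findings.append(Finding("O2", "review",
                    "BHO CLSID still registered but its DLL is gone (orphaned or deleted)", line))
            elif name == "(no name)" and path.lower().startswith(SYSTEM_DIRS):
                findings.append(Finding("O2", "high",
                    "unnamed BHO loading from a system directory; identify the CLSID and file", line))
        elif m := _O4.match(line):
            if "\\" not in m["cmd"]:
                findings.append(Finding("O4", "review",
                    "autorun image given without a path; resolved through the search path", line))
        elif m := _O10.match(line):
            key = m["path"].lower()
            if key not in lsp_seen:   # the log lists one LSP DLL once per protocol entry
                lsp_seen.add(key)
                findings.append(Finding("O10", "review",
                    "Winsock LSP sits in the network stack; confirm the owning product", line))
        elif m := _O16.match(line):
            if not _trusted_host(m["url"]):
                findings.append(Finding("O16", "review",
                    "ActiveX download from a host outside the allowlist", line))
        elif m := _O17.match(line):
            for server in re.split(r"[,\s]+", m["servers"].strip()):
                if server and server not in EXPECTED_NAMESERVERS:
                    findings.append(Finding("O17", "high",
                        "DNS server is not the expected ISP resolver (possible DNS hijack)", line))
    return findings


def report(findings) -> str:
    """Render findings as a plain-text list, one entry per finding."""
    return "\n".join(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}"
                     for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The script only ranks what to look at; the O2 "high" rule fires on any unnamed BHO under the Windows directory, so a legitimate vendor shim there would need to be confirmed by looking up the CLSID and the file's publisher before anything is deleted.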



