A few strange symptoms

GHoosdum Icrontian
edited February 2007 in Science & Tech
Since CrazyJoe moved to Florida, I have become the tech support line for his family's PC. I've been over there twice for the same problem (the first time I was just on a scouting mission) and tonight I'll be making my third visit. Last time, I ran (as suggested by Trogan's great thread) ATF Cleaner, AdAware, Spybot S&D, Spyware Blaster, and a virus scan with AVG Free (it was preinstalled and running resident).

Spybot S&D found a relatively large number of results. It managed to clean them all in two sweeps (the second at boot).

Then I ran HJT and removed all of the suspect entries. The computer started booting faster, but still had issues. I will detail them here and respectfully ask for recommendations:

1. HJT could not remove several entries (even running in Safe Mode). Everything AOL-related came back immediately after running "Fix", and there were two entries called ".protected" that would simply not allow me to remove them with HJT in or out of Safe Mode under any Admin account.

2. Start/Run/cmd to get to the command prompt would come back with a "Windows cannot find 'cmd'" message, as if the utility does not exist. I was able to get to the command prompt by typing "command" into the Run box, but not with "cmd".

3. System restore would not work. As soon as I click the System Restore tab on the System Properties utility, it crashes to desktop with an error message. The same thing happens if I try to access System Restore upon booting into Safe Mode.

4. There are no Network connections present in the Network Connections CP app. Using IPCONFIG from the command prompt brings up a Network Connection 3. When I attempt to release and renew from IPCONFIG the utility balks and claims that the device is not in a ready state. The computer cannot get a working internet connection in any case.

Any advice on what to try next? It seems that there's still some sort of malware or problem that I've been unable to root out as of yet... I want to finish this thing up tonight so that I don't become a permanent resident of Joe's family's house!

Comments

  • Thrax 🐌 Austin, TX Icrontian
    edited February 2007
    • The AOL entries are a service. To disable them, you have to disable the services.
    • To check where the .protected stuff is starting from, and to delete the startup hooks from the registry, run Silentrunners and follow the registry locations in the results.
    • Is cmd even there? Check to make sure your environment variables are set: Right click my computer -> properties -> advanced -> environment variables.

      Look for these entries:

      ComSpec: %SystemRoot%\system32\cmd.exe
      Path: %SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;
    • For the restore tab, run SFC /scannow from a command line. Some of your CPL files are messed up. Make sure you have the corresponding CD for their version of Windows handy.
    • For the network, run the Winsock Fix utility. If that doesn't work, I have several other solutions.

    //EDIT: You probably don't have any malware left, but all these are residual symptoms of a removed infection. I see it every day. :)
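    The environment-variable, cmd.exe and netman checks from the reply above, gathered into one read-only PowerShell script. This is an added example, not code from the thread or any poster; it assumes a machine-wide ComSpec and Path as listed above and reports only, changing nothing.

    ```powershell
    # Added example: report the residual-damage symptoms discussed in this thread
    # (cmd not found, missing Path entries, missing netman service) without modifying anything.
    $sysRoot = $env:SystemRoot

    # 1. ComSpec must point at the real cmd.exe, and that file must actually exist on disk.
    $comSpec = [Environment]::GetEnvironmentVariable('ComSpec', 'Machine')
    $cmdPath = Join-Path $sysRoot 'system32\cmd.exe'
    Write-Host ("ComSpec: {0}" -f $comSpec)
    if (-not $comSpec -or $comSpec -notmatch '\\system32\\cmd\.exe$') {
        Write-Warning 'ComSpec is missing or does not point at %SystemRoot%\system32\cmd.exe'
    }
    if (-not (Test-Path $cmdPath)) {
        Write-Warning "cmd.exe is absent from $cmdPath (this alone explains 'Windows cannot find cmd')"
    }

    # 2. The machine-wide Path must still contain the three system directories listed above.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = [Environment]::ExpandEnvironmentVariables($machinePath) -split ';' |
        ForEach-Object { $_.TrimEnd('\') }
    foreach ($required in @("$sysRoot\system32", $sysRoot, "$sysRoot\system32\Wbem")) {
        # -contains compares strings case-insensitively, which matches Windows path semantics
        if (-not ($entries -contains $required)) {
            Write-Warning "Path is missing required entry: $required"
        }
    }

    # 3. Network Connections (netman) must be registered as a service at all; if it is not,
    #    the Network Connections folder shows nothing and ipconfig cannot release/renew.
    $svc = Get-Service -Name 'netman' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service 'netman' is not registered on this machine"
    } else {
        Write-Host ("Service netman: {0} (query its start type with: sc qc netman)" -f $svc.Status)
    }
    ```

    Run it from an elevated prompt on the affected machine; each warning maps to one of the symptoms in the original post, so a clean run means the remaining fault is elsewhere.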
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited February 2007
    Yeah... my experience with badly infected PCs is that even when everything is clean, the damage left behind is just as debilitating. Hopefully you can repair all the leftover damage.
  • edcentric near Milwaukee, Wisconsin Icrontian
    edited February 2007
    How bad would a fresh install be? Do they have the CDs? It might be easier than trying to patch it back together.
  • Trogan London, UK
    edited February 2007
    The ".protected" entries could indicate a Smitfraud infection. Might want to post the HJT log here. :)
  • GHoosdum Icrontian
    edited February 2007
    Thrax wrote:
    //EDIT: You probably don't have any malware left, but all these are residual symptoms of a removed infection. I see it every day. :)

    Thanks for the suggestions, amigo. I will give them a try. :D
    QCH2002 wrote:
    Yeah... my experience with badly infected PCs is that even when everything is clean, the damage left behind is just as debilitating. Hopefully you can repair all the leftover damage.

    Indeed, it did appear to have some nasty infections, but I'm surprised that Spybot was the only utility that picked anything up.
    edcentric wrote:
    How bad would a fresh install be? Do they have the CDs? It might be easier than trying to patch it back together.

    I asked where the Windows install CDs were and got a hearty laugh in response. They very well could be down in Florida with Joe! I would hate to try to find out where the install key wound up! :(
    Trogan wrote:
    The ".protected" entries could indicate a Smitfraud infection. Might want to post the HJT log here. :)

    I can post the HJT log... once I get the internet connection operational again. ;) What's the procedure for dealing with Smitfraud? The HJT log looked pretty clean after I went over it; aside from the .protected and AOL stuff, it was pretty much just normal useful utilities: AVG's resident stuff and nVidia driver stuff, mostly.
  • Trogan London, UK
    edited February 2007
    How about transferring the HJT log to another computer via USB?

    Smitfraud removal :)
  • GHoosdum Icrontian
    edited February 2007
    Trogan wrote:
    How about transferring the HJT log to another computer via USB?

    Smitfraud removal :)

    I suppose I could do that... if only I weren't so lazy! :tongue:

    Thanks for the removal guide. The symptoms this PC had weren't nearly that bad, but I'll not rule anything out.
  • profdlp The Holy City Of Westlake, Ohio
    edited February 2007
    GHoosdum wrote:
    ...I asked where the Windows install CDs were and got a hearty laugh in response. They very well could be down in Florida with Joe! I would hate to try to find out where the install key wound up...
    If you can determine which version of Windows they have you can use any copy of the same type of CD to do the Repair Install. There are also plenty of utilities to squeeze the key out of the registry. If you decide to go that route, let me know and I'll link you up. :)
  • GHoosdum Icrontian
    edited February 2007
    Thanks Steve. I dredged up a utility a while back that can pull the product key for me... I think I have a copy of my OS disc from MSDN at home that I can bring along just in case. Unless Joe borrowed it last time he had to reinstall his family's OS and it wound up in Florida... ;)
  • profdlp The Holy City Of Westlake, Ohio
    edited February 2007
    How much you want to bet that good old Joe sold the disc on eBay to raise the cash for that new car of his? :shakehead
  • GHoosdum Icrontian
    edited February 2007
    The Winsock fix did not work any magic. The SFC command would not run; it threw an error saying something about a missing network logon or some such...

    Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:03:45 PM, on 2/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\windows\System32\nvsvc32.exe
    C:\windows\system32\svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\Mixer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\windows\system32\RUNDLL32.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\windows\SOUNDMAN.EXE
    D:\HJT\HijackThis.exe
    C:\windows\system32\mmc.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
  • GHoosdum Icrontian
    edited February 2007
    The netman service appears to be missing on the machine. I'm giving up for tonight and I'm open to any additional suggestions.

    Joe, if you read this, I'm planning your demise. I've spent more time at your family's house lately than at my own!
  • Trogan London, UK
    edited February 2007
    Sorry I forgot to reply.

    The log is clean. Did you manage to remove the ".protected" entries? Don't see them present in the log.
  • GHoosdum Icrontian
    edited February 2007
    Trogan wrote:
    Sorry I forgot to reply.

    The log is clean. Did you manage to remove the ".protected" entries? Don't see them present in the log.

    Thank you for verifying the log for me. I did indeed remove the ".protected" entries. The Silentrunners script that Thrax posted led me to the location from which they needed removal. I also shut down and disabled the AOL services and they dropped off the log, as Thrax predicted.

    I'm guessing at this point that all that is left is cleanup after the infections, but for some reason I cannot get the Network Manager service to initialize. I want to try a repair install; I'm hoping that clears up the last few inconsistencies. I just need to find my proper disc image now, as I was able to pull the product key that it's currently installed with. Alternatively, I was thinking that a reinstallation of SP2 alone might cure some of these ailments. I'm not certain of this, however, and I am afraid to waste any more time in blind alleys here. Any advice on that?