
Corporate malware ;-)


5 replies to this topic

#1 Bill Pierce

Bill Pierce

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Burlington, Ontario
  • Local time:10:30 PM

Posted 23 April 2009 - 09:45 AM

My wife recently lost her job when HP closed the part of the company she worked for. She was able to negotiate to keep an older but serviceable Compaq laptop computer she had been given for occasional logging into the corporate network from home. With some trouble I was able to reconfigure the network settings to connect to our very typical wireless home network.

However, I am having considerable difficulty with the software HP has installed to allow for remote corporate administration and updates. I've been able to restore the Microsoft Update functionality, but a huge amount of "stuff" continues to lurk deep in the background, slowing performance considerably (sometimes the computer almost comes to a stop while there is 30-60 seconds of disk activity--yes, I've defragmented the drive several times). I've also used HijackThis and other software to prune as much as I can, but some things are integrated into the Registry at an extremely low level. In that sense it's much like spyware, with the additional problem of almost no information on its removal. In fact, I've posted this message in this section because from my perspective the computer is infected.

Extensive web searching has provided the barest of details about something called "PC COE," referred to as the "Common Operating Environment." The list of installed software on the computer includes "PC COE" and "COE Required Settings," but there is no button to uninstall either.

I can easily delete (or rename) the folders (PC COE and PC COE3) where the software is installed, but of course there are numerous (apparently hundreds) of Registry keys and values that need to be deleted and/or changed, so many that I don't believe I could find them all. My current HijackThis log shows nothing being loaded or run, and there are no Services started that specifically pertain to it. However, periodically I get an error dialog box that COETL32.EXE has generated an exception, although there is nowhere I can see where COETL32.EXE is running nor are there any Registry references to it.

I realize some people would say I should just reformat the drive and reinstall Windows XP Pro and be done with it. However, there is a lot of software installed on the computer that my wife uses and needs to keep. And additionally, I am categorically opposed to reformatting; to me it's the equivalent of using a sledgehammer in place of a scalpel. I take great pride in being able to do a job right. One of our home computers is 11 years old and runs Windows 98 SE. It still has its original format and installation (of course extensively updated).

Any help would be greatly appreciated. I'm not a super guru at these matters, although I am very persistent and have 27 years of extensive PC experience.



#2 Bill Pierce


Posted 07 May 2009 - 12:44 PM

All right; I posted my original message two weeks ago and did not receive any replies. I realize this particular suite of software (HP/Microsoft PC COE) is only used behind the "corporate curtain." I should not have expected explicit answers when those who read this are likely to have little or no experience with it. But that doesn't mean I didn't think I would receive some general troubleshooting advice.

On my own (I'm anything if not persistent) and using several utilities, I spent about three hours pruning hundreds of Registry keys and values, and renaming folders in an attempt to remove all traces of the software. For the most part I seem to have been successful. Performance has improved somewhat. However, every 15 minutes or so I get a RUNDLL error message: "Error loading C:\PROGRA~1\HEWLET~1\PCCOE~1\reltrksi.dll The specified module could not be found."

Clearly something is calling RELTRKSI.DLL and not finding it, which is not surprising because I have renamed the folder containing the file. But I'd love to know what application is calling that DLL, so I can remove the application. I've used utilities such as HijackThis to identify applications loading on startup, and I've checked the Windows Task Scheduler. I've used Registry search utilities and Regedit to look for references to the renamed folder and the DLL; I now find no explicit references that I have not already removed. Yet the error message continues.

I'm familiar with DLL dependency trackers that can trace all files and modules called by an application. However, what I need to do is trace backward from RELTRKSI.DLL and see what is calling it. That way I could identify the application and remove it. Does such a utility exist?

I'm about 80 percent of the way to the goal of removing this odious "corporate malware" from my wife's computer. While no one may be familiar with the specific software package, surely I've provided enough information here for the experts to provide a little more guidance. Please help a fellow user.

Edited by Bill Pierce, 07 May 2009 - 12:50 PM.


#3 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Missouri, USA
  • Local time:08:30 PM

Posted 07 May 2009 - 02:44 PM

Hello Bill,

I'm sorry you haven't received a reply, but as this is a fairly obscure problem, most techs working this section wouldn't know where to begin to look. I've been googling for a bit, and can't find much info on PC COE from HP, other than the fact it's a management system for updates and reliability tracking. That being said, I'm sure there are ways to find and remove the components.

Do you have OpenView installed? From what I could find, it seems to be related to OpenView. If it's there, that may give you more avenues of research.

HijackThis does not show all loading points, so not seeing anything PC COE related isn't a complete indication that there isn't something calling it there. I'm unsure which route to take from here on out, because I am unfamiliar with the service.

This does give a clue though:

"However, every 15 minutes or so I get a RUNDLL error message: "Error loading C:\PROGRA~1\HEWLET~1\PCCOE~1\reltrksi.dll The specified module could not be found."

If you are familiar with dependency walkers, you may want to look at explorer, svchost, and rundll processes and see what's loaded under them. If you've removed all traces of the service, and it isn't loaded, there may still be references left over. At this point, I'm not entirely sure we can find out without going through some more robust logs. Those logs are only being analyzed in the Malware Removal forum. If that's the way to go, you have to be aware that there are delays in that forum due to the sheer number of topics posted daily. No topic posted there goes unanswered, but the delays can be quite long. Just telling you so you know what to expect. The delays aren't set in stone, but a longer one can be a possibility.

A shot in the dark, have you considered trying Revo Uninstaller? Not sure if it would help, but it might... be worth trying anyway.

Let us know if the malware removal process would be of interest for you. I can't guarantee that this is the way to go, but it might yield more clues as to what's calling the service. If you do decide to go that route, please link to this topic so the tech handling the problem has access to this information.

Good luck.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:10:30 PM

Posted 07 May 2009 - 03:44 PM

However, every 15 minutes or so I get a RUNDLL error message: "Error loading C:\PROGRA~1\HEWLET~1\PCCOE~1\reltrksi.dll The specified module could not be found."


That looks like an orphaned entry. Autoruns should take care of that:
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Bill Pierce


Posted 07 May 2009 - 06:57 PM

Thanks, kind madam and sir. I realize I didn't give all that much to go on in my first post, other than a reference to an obscure suite of corporate software applications.

Well, I think the case is closed. Autoruns (a nifty little utility) appears to have found six Registry keys I couldn't locate with anything else. After deleting them and rebooting, there are no more error messages, and performance, while not snappy (it's an older laptop) is at least adequate.

It reinforces my strong belief that a scalpel is a far better tool than a sledgehammer, and I redeemed myself in the eyes of my wife (a software development manager; myself I'm an English teacher). She had bet me dinner at a very nice restaurant that I was going to have to reformat the drive and reinstall Windows XP Pro. I said otherwise. I'm going to savor this one.

Again, my gratitude.

Edited by Bill Pierce, 07 May 2009 - 07:05 PM.
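
Autoruns, which resolved the thread, lists autostart entries and marks those whose target file no longer exists. A narrow illustration of that check over the common Run/RunOnce registry keys follows; it is an added example, not part of any post and not Autoruns' own code, and the function names and key list are choices made for this example.

```powershell
# Added example: report autostart registry values whose target file is missing.
# The key list is a small, well-known subset; Autoruns inspects many more locations.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # For rundll32 entries the file that matters is the DLL argument, not rundll32.exe.
    if ($cmd -match 'rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim() }
    # Quoted executable path.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: cut at the first executable-like extension followed by a space or end.
    if ($cmd -match '^(.+?\.(exe|dll|com|bat|cmd|vbs|js))(\s|$)') { return $Matches[1] }
    return $cmd
}

function Test-TargetExists {
    param([string]$Target)
    if ([IO.Path]::IsPathRooted($Target)) {
        return Test-Path -LiteralPath $Target -PathType Leaf
    }
    # Bare names such as shell32.dll are looked up through PATH.
    return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
}

function Find-OrphanedAutostart {
    param([string[]]$Keys = $AutostartKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            if (-not $command) { continue }
            $target = Get-CommandTarget $command
            if (-not (Test-TargetExists $target)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Target = $target }
            }
        }
    }
}

# Parser check on the path from the error message in this thread; the ",EntryPoint"
# suffix is a constructed placeholder, not a value from the thread.
Get-CommandTarget 'rundll32.exe C:\PROGRA~1\HEWLET~1\PCCOE~1\reltrksi.dll,EntryPoint'
Find-OrphanedAutostart | Format-List
```

The script only reports; each hit still needs review before anything is deleted, since the command-line parsing is heuristic and covers far fewer locations than Autoruns.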


#6 Galadriel


Posted 07 May 2009 - 07:17 PM

That's great! Glad you got it resolved!

I had somewhat assumed that you had checked autoruns... which is why I didn't mention it. Tis what I get for assuming. Thanks to garmanma for pointing that out. :thumbsup:

Format/reinstall is really only required in extreme cases. We are strong believers of the scalpel method as well 'round here. :flowers:



