Is there any hope for me?

Status
Not open for further replies.

bsb

Broken In
Hi all,
I am using an IBM Thinkpad with 1GB RAM. A few days back, my wallpaper was changed to an ad for one anti-spyware program. Some other observations were as follows:

1. I could not right-click on the desktop, but if I check my display settings through Control Panel > System..., no change is noticed.

2. Ad-Aware doesn't find anything bad with my computer.
3. Spybot runs too slow and may take a few days to scan the whole system.
4. The log of the utility 'HijackThis' is reproduced below:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:03 PM, on 11/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\links.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\mailskinner\mailskinner.exe
C:\WINDOWS\System32\DrvMon.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\CW9147.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Bora\hijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.3.101:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.205.3.211; 10.205.15.94; 10.205.13.57;10.205.*;<local>
F1 - win.ini: run=REGE32.EXE
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NICTTEXE] C:\WINDOWS\System32\NICTT.EXE AUTO
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [links] links.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1074.dll,InstantAccess
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - *10.205.8.88:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {04CCFF26-7D52-4E42-BF6A-F8ECE0896EB7} - *scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1071_XP.cab
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - *akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - *10.205.8.88:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - *10.205.8.88:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - *akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - *ddnmail.ongc.co.in/iNotes.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - *10.205.8.88:4343/officescan/console/html/AtxEnc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - *software-dl.real.com/0895412b590685749518/netzip/RdxIE601.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - *10.205.8.88:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129784522578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - *update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129784463483
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - *scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1047_EN_XP.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - *dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - *scripts.downloadv3.com/binaries/IA/syswbsvc32_EN_XP.cab
O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - *scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - *scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - *scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - *akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O16 - DPF: {EFB23983-5803-4914-ADA3-C0EA2CFBDC37} - *scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1072_XP.cab
O16 - DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} - *akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1061_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{0767D67C-3FB7-42B0-8BA0-39F19B722330}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{365A72C5-4A86-43AC-9E29-36E16EBED29F}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F04D541-951F-451F-BE63-FB413AF40654}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{676BDF73-D92E-4EAC-AD0B-7B9A809B82A9}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{921F529E-31D9-496D-8721-7B895CD75A26}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{93576E25-3285-4EEA-AE93-63052954ADCA}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
O17 - HKLM\System\CS2\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
O20 - AppInit_DLLs:
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Symbol Technologies, Inc. - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

-----Log ends---

Two days back, I noticed the files 'Unspy.htm' and 'desktop.htm' in the C/programfiles... folder. Suspecting them as the culprit, I deleted both of them. Now the real problem begins:

My computer boots normally. As I log on, my desktop is shown for 2-3 seconds and immediately a blue screen appears with a long message indicating that Windows has been shut down.

It says a process or thread crucial to system operation has unexpectedly exited or been terminated.

Then, after some more advice:

Tech info

STOP: 0x000000F4 (0x00000003, 0x8649F020, 0x8649F194, 0x805A5744)

Now the question is: can the problem be solved without reformatting my disk?

Please help

Regards,

BSB
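As an added example (not from the original post and not part of the HijackThis tool), a small Python triage script that applies a few defender heuristics to a subset of the log lines above: an executable running from a TEMP directory, a populated win.ini run= entry, O4 autostarts referenced by bare filename, O16 ActiveX downloads from hosts outside an allowlist, and O17 NameServer entries pointing at public addresses. The allowlist TRUSTED_DPF_HOSTS and the assumption that the laptop sits on a private LAN (the proxy in the log is on 10.205.x) are mine, not the thread's.

```python
import re
import ipaddress

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\CW9147.EXE
C:\Bora\hijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.3.101:8080
F1 - win.ini: run=REGE32.EXE
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1074.dll,InstantAccess
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129784522578
O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - *scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
"""

# Hosts from which ActiveX (O16) downloads are expected on this machine (assumption for the example).
TRUSTED_DPF_HOSTS = {"update.microsoft.com"}

def triage(log: str) -> list:
    """Return (section, reason, line) triples for log entries a defender should review."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line == "Running processes:":
            continue
        sec = line.split(" - ", 1)[0]                     # "R1", "F1", "O4", ... for HJT entries
        if re.match(r"^[A-Za-z]:\\", line):              # running-process block: a bare path
            if re.search(r"\\temp\\", line, re.I):
                findings.append(("process", "executable running from a TEMP directory", line))
        elif sec == "F1" and re.search(r"run=\S", line):
            findings.append((sec, "legacy win.ini run= autostart is populated", line))
        elif sec == "O4" and "] " in line:
            cmd = line.split("] ", 1)[1].strip('"')     # command after the [name] label
            if "\\" not in cmd.split()[0]:               # no directory: binary location unknown
                findings.append((sec, "autostart by bare filename, binary location not recorded", line))
        elif sec == "O16":
            m = re.search(r"- \*([^/:]+)", line)         # HJT writes the URL host as *host/...
            if m and m.group(1) not in TRUSTED_DPF_HOSTS:
                findings.append((sec, f"ActiveX download from unexpected host {m.group(1)}", line))
        elif sec == "O17":
            ips = re.search(r"NameServer = (.*)$", line).group(1).split(",")
            if any(not ipaddress.ip_address(ip.strip()).is_private for ip in ips):
                findings.append((sec, "DNS servers point to public addresses outside the LAN", line))
    return findings
```

Each finding is a lead for review, not proof of infection; the allowlist and the private-LAN assumption have to be adjusted for the environment the log came from.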
 

anandk

Distinguished Member
You are infected, inter alia, with the worms reg32.exe and w32depress.

Friend, copy and paste your logfile here for complete analysis and solution: :)
www.hijackthis.de

Running your anti-virus and anti-spyware in safe mode, and using CCleaner, should help you.
 

bsb

Broken In
Thanks anandk,

The problem has been resolved. In safe mode, I uninstalled some of the programmes I am not using frequently, including 'Nokia PC Suite' (on the advice of one of my friends). I could log on in normal mode and then the antivirus did the rest of it.

thanks,

bsb
 