1. Hey Guest Did you know you can win an Honor 10 phone worth ₹33,000 and an additional ₹70,000 in paytm vouchers, just by replying to some threads and taking part in the discussions happening in the Honor Hub?

    What are you waiting for? Start commenting and start winning! Remember to read the instructions posted here.

    Dismiss Notice

Is there any hope for me?

Discussion in 'QnA (read only)' started by bsb, Feb 15, 2006.

Thread Status:
Not open for further replies.
  1. bsb

    bsb New Member

    Joined:
    Nov 22, 2003
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    0
    hi all,
    i am using an IBM Thinkpad with 1GB RAM. Few days back, I got my wall paper changed to an ad of one anti spyware. Some other observations were as follows:

    1. I could not right click on the desk top but if check my display settings through control panel>system..., no change was noticed.

    2. adaware doesn't fine anything bad with my computer.
    3. Spybot runs toooo slow and may take few days to scan whole system
    4. The Log of utility 'hijackthis' is reproduced below

    Logfile of HijackThis v1.99.1
    Scan saved at 7:03:03 PM, on 11/02/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\VM_STI.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    C:\WINDOWS\System32\links.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\program files\mailskinner\mailskinner.exe
    C:\WINDOWS\System32\DrvMon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\IPMsg\ipmsg.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\CW9147.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Bora\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.205.3.101:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.205.3.211; 10.205.15.94; 10.205.13.57;10.205.*;<local>
    F1 - win.ini: run=REGE32.EXE
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NICTTEXE] C:\WINDOWS\System32\NICTT.EXE AUTO
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
    O4 - HKLM\..\Run: [links] links.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1074.dll,InstantAccess
    O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
    O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
    O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://10.205.8.88:4343/officescan/console/ClientInstall/WinNTChk.cab
    O16 - DPF: {04CCFF26-7D52-4E42-BF6A-F8ECE0896EB7} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1071_XP.cab
    O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://10.205.8.88:4343/officescan/console/ClientInstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://10.205.8.88:4343/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://ddnmail.ongc.co.in/iNotes.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://10.205.8.88:4343/officescan/console/html/AtxEnc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0895412b590685749518/netzip/RdxIE601.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://10.205.8.88:4343/officescan/console/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129784522578
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129784463483
    O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1047_EN_XP.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binaries/IA/syswbsvc32_EN_XP.cab
    O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
    O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
    O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069_XP.cab
    O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
    O16 - DPF: {EFB23983-5803-4914-ADA3-C0EA2CFBDC37} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1072_XP.cab
    O16 - DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1061_XP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0767D67C-3FB7-42B0-8BA0-39F19B722330}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{365A72C5-4A86-43AC-9E29-36E16EBED29F}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4F04D541-951F-451F-BE63-FB413AF40654}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{676BDF73-D92E-4EAC-AD0B-7B9A809B82A9}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{921F529E-31D9-496D-8721-7B895CD75A26}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{93576E25-3285-4EEA-AE93-63052954ADCA}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CS1\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
    O17 - HKLM\System\CS2\Services\Tcpip\..\{01538EA0-A963-46DC-BD3E-845743D05240}: NameServer = 85.255.116.101,85.255.112.184
    O20 - AppInit_DLLs:
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Symbol Technologies, Inc. - C:\WINDOWS\system32\S24EvMon.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    -----Log ends---

    Two days back, I noticed files 'Unspy.htm' and 'desktop.htm' in C/programfiles... folder. Suspecting them as culprit I deleted both of them. Now the real problem begins:

    My computer boots normally. As I log on, my desktop is shown for 2-3 seconds and immediately a blue screen appears with a long message indicating that windows has been shut down.

    It says a process or thread crucial to system operation has unexpectedly exited or been terminated.

    then after some more advice

    Tech info

    STOP: 0x000000F4 (0x00000003, 0x8649F020, 0x8649F194, 0x805A5744)

    Now the question is, 'Whether the problem can be solved without reformatting my disk?

    Please help

    BSB



    Regards,

    BSB
     
  2. anandk

    anandk Distinguished Member

    Joined:
    Mar 8, 2005
    Messages:
    3,786
    Likes Received:
    106
    Trophy Points:
    0
    Location:
    Pune
    u r infected , intera alia, with the worms reg32.exe w32depress.

    friend, copy paste ur logfile here for complete analysisand soln : :)
    :arrow: www.hijackthis.de

    running ur anti-virus and anti-spy in sage mode, and using ccleaner shud help u.
     
  3. OP
    OP
    bsb

    bsb New Member

    Joined:
    Nov 22, 2003
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    0
    thanks anandk,

    the problem has been resolved. In safe mode, I uninstalled some of the programmes, i am not using frequently, including 'Nokia PC suit' (on advice of one of my friends). I could log on in normal mode and then antivirus did rest of it.

    thanks,

    bsb
     
Thread Status:
Not open for further replies.

Share This Page