
Problems too numerous to mention


2 replies to this topic

#1 SimonShaw


Posted 09 March 2005 - 09:21 AM

My PC is seriously messed up, and I really am at a loss to know what to do next.

I have McAfee antivirus software and McAfee firewall, and I regularly run the Lavasoft Ad-Aware software - so I guess I thought I was pretty well covered.

The symptoms:
a) When the computer is switched on, once I have selected the user it takes an extremely long time to get to the desktop.
b) The start bar only has a subset of what I would expect to see there.
c) The sound has gone.
d) I can't get on the internet (I am writing this from work). When I open up an Internet Explorer window, my home page has been hijacked by "About:Blank" (changing this makes no difference).
e) Much of the software I have tried to run fails dismally. I can't run a McAfee virus check, for example. The cursor will go busy for a few seconds then disappear.
f) I can run the Lavasoft Ad-Aware program, and it always finds one critical item, which it deletes - but it is still there next time I scan.
g) I can open Windows Explorer windows but can't move files about (copy and paste don't work either).
h) I can go into Start/Programs, but it won't let me navigate past the top level, nor can I run anything that way.
i) I can't stop tasks from Task Manager as I don't have permissions...

There's probably more though that's all I can think of for now.

I did see a tutorial for removing the "About:Blank" hijacker, and I downloaded HijackThis, Registrar Lite and CWShredder from another machine and put them onto a memory stick.

I followed instructions to a point, but it soon became evident that this particular tutorial wasn't going to help me.

I couldn't copy the new software onto the infected PC, but I ran Registrar Lite and it managed to install successfully. After eventually navigating to HKEY_LOCAL_MACHINE...\AppInit_DLLs there was nothing in the value field (but the tutorial said not to worry - so I didn't).

I backed up winkey.reg and winkey.hiv, but when I came to rename the Windows folder it just said "Error Renaming".

I then ran hijackthis.exe from the removable drive (as I couldn't copy it to the affected machine). Incidentally, when I extracted it from the zip file on another machine, Lavasoft warned me that it had a worm. Is that normal?

Anyway, I ran HijackThis from the removable drive and it came up with four or five errors when I did the scan and log option.

These were to the effect of...

An Unexpected Error has occurred at procedure modregistry_iniget string, csfile=System.Ini, ssection=boot, svalue=shell, error #75 Path/File Error

This was repeated for other files such as win.ini/windows/load (I didn't note all of them).

It did produce a log though which I have included...

Logfile of HijackThis v1.99.1
Scan saved at 13:10:24, on 09/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wauctlxp4.exe
C:\WINDOWS\System32\perfcl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\virus\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuactl2.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirec...=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchpage.biz/bar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\RunServices: [Microsoft Update] esplorer.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Corel Network monitor worker - {118B9EF5-72CF-45F2-A124-3ACC10D24D54} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {118B9EF5-72CF-45F2-A124-3ACC10D24D54} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Corel Network monitor worker - {118B9EF5-72CF-45F2-A124-3ACC10D24D54} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {118B9EF5-72CF-45F2-A124-3ACC10D24D54} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E2D5786-A779-4E7E-8794-2F47C4CA8992}: NameServer = 158.43.128.1,158.43.192.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E2D5786-A779-4E7E-8794-2F47C4CA8992}: NameServer = 158.43.128.1,158.43.192.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe


I had a quick look at some of the taskmanager processes - and it looks a rare old mess to me. It is amazing how depressing this all is.

If anyone here can help - then I really would appreciate it. Thanks for taking the time to read, and please feel free to ask any questions.

Is there any hope?

Simon
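Added example (not part of Simon's post and not HijackThis's own code): a small Python triage script that parses HijackThis-style lines like the ones in the log above and flags the patterns a reviewer looks at first: search/start pages pointing at a host outside an allowlist, a proxy setting, a BHO registered with no name, autostart entries that run a bare filename (resolved through the search path) or a one-character lookalike of a Windows system binary, altered protocol zone defaults, the DNS servers in use, and a service with an unknown owner. The allowlist, the system-name list and the lookalike rule are this example's assumptions; the sample lines are copied from the log in the post. The output is a list of items to check by hand, not a verdict that any file is malicious.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

The rules below are assumptions for illustration. They point a human at
lines worth reviewing; they do not identify malware.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 lines quoted in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update] esplorer.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E2D5786-A779-4E7E-8794-2F47C4CA8992}: NameServer = 158.43.128.1,158.43.192.1
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe
"""

# Assumption: hosts this reviewer treats as legitimate IE search/start targets.
ALLOWED_HOSTS = {"www.microsoft.com", "www.google.com", "search.msn.com"}

# Assumption: well-known Windows process names that lookalike binaries imitate.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary `name` is one edit away from, or None."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    for known in sorted(SYSTEM_NAMES):
        if edit_distance(name, known) == 1:
            return known
    return None


def analyze(log_text: str) -> list:
    """Walk the log and collect Finding objects for lines that need a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        if section in ("R0", "R1"):
            if "ProxyServer" in body:
                findings.append(Finding(section, "proxy server configured; confirm it is expected", line))
            else:
                host = urlparse(body.split(" = ", 1)[-1]).hostname or ""
                if host not in ALLOWED_HOSTS:
                    findings.append(Finding(section, f"IE search/start page points at unlisted host {host}", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "browser helper object registered without a name", line))
        elif section == "O4":
            cmd = re.search(r"\] (.+)$", body)
            if cmd:
                exe = cmd.group(1).strip().split()[0]
                if "\\" not in exe:       # no path: resolved through the search path at logon
                    findings.append(Finding(section, f"autostart runs bare filename {exe}", line))
                imitated = lookalike(exe.rsplit("\\", 1)[-1])
                if imitated:
                    findings.append(Finding(section, f"{exe} is one character away from {imitated}", line))
        elif section == "O15" and "should be" in body:
            findings.append(Finding(section, "protocol zone default altered", line))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[-1]
            findings.append(Finding(section, f"DNS servers {servers}; verify against ISP/DHCP", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown owner", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample it reports ten findings, including both RunServices entries twice: once because the command is a bare filename and once because esplorer.exe and smsc.exe are each one character from a real system binary. Extending the check to the "Running processes" section of a log is a matter of feeding each path's basename to lookalike().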


#2 SimonShaw


Posted 09 March 2005 - 05:41 PM

The latest update on this problem is that I can't even copy files from the hard drive on to a removable drive - so I really am fearing the worst now.

Will I need to reformat and reinstall all my software?

Thanks again for any help.
Simon

#3 Grinler

Lawrence Abrams

Posted 16 March 2005 - 04:26 PM

We just implemented a way to find posts that may have been overlooked. We apologize for that and if you are still having a problem, which we hope you are not, then post a new log.

Sorry for the inconvenience.
