Posted 16 July 2008 - 12:05 PM
Hello and greetings from Sweden.
My problems started July 6 when I downloaded what I thought was a video codec. After trying to fix it and only making it worse, I shut down the computer and have now come back from a short vacation to try to fix it again. I have changed my codes to the bank, but I have a lot of stuff on the computer that I would not want to lose, especially family photos. Luckily, I also have a laptop that I'm writing from right now.
The infected computer is a P4 2.8 Mhz desktop, 1024 mb ram, 160 Gb harddrive with 3 cd/dvd-drives, that has always been very stable. I have an XP pro Sp2, Panda Titanium 2006 (valid to 2009) (both of which have been continuously updated) and Ad-aware. As far as I know I haven't had any infection before.
Around 11.30 July 6 I downloaded this malicious "codec" and a popup from the activity bar started to warn me about security problems and urging me to download software. I immediately understood that it was malicious and avoided clicking popups, instead shutting them down with ctrl-alt-del. I ran Ad-aware, which found 16 malware items (usually it only finds harmless ones), and I think that's where I saw the name "Win32.TrojandownloaderZlob", or maybe it was written on the balloons from the activity bar. I didn't have much time then to fix it, so I worked between shutdowns a few more times before the system crashed. Every time I booted up the system, disk check started and went through the drive and found some broken files. Ad-aware also finally deleted the files it had found in a folder called "Webtechnologies": iebt.dll, iebtm.exe, iebtmm.exe, wcm.exe and wcs.exe; this happened in the beginning of a reboot. After that, I thought the problem was almost fixed. The popups were gone, the fake windows security popup also, (but windows explorer was totally wrecked). Only a little yellow triangle bleeping in the right corner informed me that zlob was still there. After browsing the net, I got the tip to search for files in system 32 changed at the time this happened. I found hkushdr.dll but had no time to fix it then, because I had to go to work. When I came back in the evening to delete this bugger, the computer was caught in an endless reboot.
It goes through the whole start procedure and crashes just before the "user-accounts"-window and then restarts. I can access bios (del) and bootdisk options (F8) at the beginning, and also boot options (F8) later. No boot option works and when I shut off the automatic reboot, the bluescreen message is something like (it's in Swedish on my computer) "serious system error c000021a the system process windows logon process was unexpectedly terminated with the status 0xc0000135".
At that point I'm at the limit of my knowledge, and hesitant as to how I should proceed. I have a windows-cd and have been advised both to use the recovery console and the repair function, but don't know what the problem is. First I thought that there were new commands in the registry trying to load a malware program during startup, and since they fail to initialize (0xc0000135), (since they were removed by Ad-aware) the system crashes. But then, when I read one of your threads - "Serious Boot Problem, unable to boot after "smitfraud"" - I realized that I had made the same mistake as "lightpanther". When trying to reach safe mode at first I didn't manage to find the F8 command at the right moment, and saw the tip on the net to use MSconfig. As far as I remember, I booted alright into safe mode, after I had already tried Ad-aware in normal mode, but since I didn't have much time, and the system was very sluggish there, I rebooted back into normal mode, and it was during this reboot that Ad-aware deleted the files. And then I shut down the computer not to be able to get into windows again.
I have read a lot of your threads and been very impressed with the help you have provided to people. Although I'm just an amateur at computers, I think I know enough to follow your instructions, and I would be very glad to!