
Please Help, I'm Infected Bad!


  • This topic is locked
4 replies to this topic

#1 rocktunes4u

rocktunes4u

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 01 February 2007 - 12:11 PM

Hi everybody. My PC was first infected with Ultimate Cleaner, then it got worse from there. I've run ad-aware, spybox, ewido, etc... I keep finding spyware on my PC but it will not remove them all. I finally can get out to the internet again, but when I reboot I receive a blue screen of death that says "Fatal system error c000021a". Also, my mapped network drives are disabled. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:07 AM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\TEMP\YJ255A.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DEFAUL~1.DOM\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: OwlforceB - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\OfB\OWLFOR~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137682462406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DOMAIN.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = DOMAIN.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DOMAIN.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DOMAIN.LOCAL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe



thanks, Brett



#2 athelos

athelos

  • Members
  • 140 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 PM

Posted 01 February 2007 - 12:22 PM

Hi there. I'm not an expert at this so I can't directly help you, but there is a specialised place for HJT logs on this forum. As you've already used it I'm guessing you already know what you're doing, but if you repost it there you will most likely receive help quicker and by more "knowledgeable" {sp} people.

Once you're in the correct place READ THE STICKIED INFO FIRST!! There are rules such as not replying to your own topic. As I've said I'm not an expert so it'll be explained better there. I'm just trying to help you along :flowers:

Good luck :thumbsup:
Don't worry about the world coming to an end today. It's already tomorrow in Australia.
--Charles Schultz

#3 rocktunes4u

rocktunes4u
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 01 February 2007 - 12:25 PM

Thank you for the info! :thumbsup:

Brett

#4 athelos

athelos

  • Members
  • 140 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 PM

Posted 01 February 2007 - 12:27 PM

No problem. Hope you get it sorted out quickly. I'm just sorry I couldn't have been any more help than that.

Edited by athelos, 01 February 2007 - 12:28 PM.

Don't worry about the world coming to an end today. It's already tomorrow in Australia.
--Charles Schultz

#5 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:01:47 PM

Posted 01 February 2007 - 12:33 PM

Since you have also posted a HJT log for our team of experts to review, I am closing this thread to prevent duplication of effort and conflicting instructions.
Regards,
John
Global Moderator
Whereof one cannot speak, thereof one should be silent.



