Alcan D worm [RESOLVED]


#1 gizmops (Member, 10 posts)
Hi guys, I am new to this. Help, it's been 5 days now and no advice.
I am running Win 2000 with SP4. I believe all updates are current.
I have 2 hard drives, both 80 gig. C is blue screened and I am now on F. Zone Labs scanned and found the above worm in the Recycler folder.
I have followed some steps suggested to delete & remove it, but to no avail:
"Access Denied. Source file in use"
When I run HijackThis, it only sees the F drive, not C where the problem is.
Log below:
Logfile of HijackThis v1.99.1
Scan saved at 15:02:08, on 09/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\ZoneLabs\isafe.exe
F:\WINNT\system32\nvsvc32.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\SOUNDMAN.EXE
F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINNT\system32\internat.exe
F:\WINNT\system32\RUNDLL32.EXE
F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
F:\Program Files\Internet Explorer\iexplore.exe
C:\Installs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [hpsjbmgr] F:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Outlook.lnk = F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...ES_ZNxdm119YYDE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5353C9-8F44-47B1-9D5D-51A0B5D0F7C7}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - F:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe
I have also run Ewido twice; logs below.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:29:24, 14/07/2005
+ Report-Checksum: B94A1F33

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Hauppauge\WinTV-Nexus\HighendTV.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\VVSN\VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
C:\WINNT\system32\myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\playme.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@bilbo.counted[2].txt -> Spyware.Cookie.Counted : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@ehg-aladdin.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8H6NKHEZ\FunBuddyIconsFWBInitialSetup1.0.0.8-2[1].cab/f3Setup1.exe -> TrojanDropper.FunWeb.a : Cleaned with backup
F:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
F:\WINNT\autoclk.exe -> Trojan.Klacc.B : Cleaned with backup
F:\WINNT\image.exe -> Backdoor.SdBot.aad : Cleaned with backup
F:\WINNT\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
F:\WINNT\system32\logi0.scr -> Backdoor.Rbot.ts : Cleaned with backup
F:\WINNT\system32\logi2.scr -> Backdoor.Rbot.ts : Cleaned with backup
F:\WINNT\system32\specific.exe/myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\specific.exe/playme.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\specixic.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup


::Report End
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:01:16, 14/07/2005
+ Report-Checksum: 3777A79B

+ Scan result:

C:\WINNT\system32\__delete_on_reboot__myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
F:\WINNT\system32\__delete_on_reboot__specixic.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup


::Report End
Drive F is still BLUE SCREENED.
From reading other posts it seems that my REGISTRY is corrupted. What can I do to correct this? I have also tried doing a repair from the 2000 CD. No luck.

Help please.

Edited by gizmops, 14 July 2005 - 05:07 AM.

#2 Guse (Visiting Staff, 624 posts)
Heya and welcome to Geeks to Go, gizmops. My name is Guse and I'll be helping you.

Let’s get to removing some of the infection.

Run HijackThis and place check marks next to the following entries in bold:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsear...ES_ZNxdm119YYDE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm


Make sure that you’ve visually double-checked that those (and only those) entries have been selected and click Fix

Next, reboot into safe mode. You can do this by restarting your computer and continually tapping the F8 key when you hear the first beep from your computer, then choosing Safe Mode from the menu.

Now, let’s remove some of the offending programs… go to Start | Settings | Control Panel | Add/Remove Programs.

Find the following programs and remove them (if they exist):

MyWebSearch

Then, using Windows Explorer, find and delete the following files and folders (if they exist):

F:\Program Files\MyWebSearch (check for C:\Program Files\MyWebSearch as well)

If you get an error when deleting a file, right-click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Lastly, while still in Safe Mode, run another Ewido scan just to make sure everything is gone. It probably won't find much (if anything)... it looks like it's already cleared most of that out. Save your log to post in your next reply.

Reboot into normal mode. Run HijackThis again and save the log to post in your next reply.

Now, that takes care of all the little things in your log. What do you mean by "blue screened"? Do you mean that there's a blue screen with a message on it, or is it just a blank blue screen (with icons) that you can't change?

Also do something for me. Open My Computer. Click Tools | Folder Options | View. Then, make sure that the radio button for Show Hidden Files and Folders is checked and clear the boxes for Hide Protected Operating System Files (Recommended) and Hide Extensions for Known File Types.

Then, using Windows Explorer (not Search; browse there), check for these files and let me know if they're there (they may not be):

D:\Winnt\System32\cmd.com
D:\Winnt\System32\netstat.com
D:\Winnt\System32\ping.com
D:\Winnt\System32\regedit.com
D:\Winnt\System32\taskkill.com
D:\Winnt\System32\tasklist.com
D:\Winnt\System32\taskmgr.exe
D:\Winnt\System32\tracert.com


Be really careful that you match up the extension (*.com, *.exe). There SHOULD be a file called "cmd.exe"... "cmd.com" is bad. Don't do anything yet... just give it a look-see.

Let me know how that comes out, plus post (using New Reply) the HijackThis log and the Ewido one as well as an accurate description of your Blue Screen.
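An added example, not from the post above and not from any HijackThis or Geeks to Go tooling, of why the check for cmd.com, netstat.com and the rest matters: Windows resolves a bare command name through the PATHEXT list, and in the default order .COM is tried before .EXE, so a planted cmd.com in the same folder wins over the genuine cmd.exe every time someone types "cmd". The Python below implements that resolution and reports shadowed tools over a constructed directory listing. The tool names are the ones the post asks the user to look for; the PATHEXT order assumes an unmodified machine; `scan_directory` and the other function names are chosen here.

```python
"""Added example (not from the thread): what a "cmd.com" beside "cmd.exe"
does, and a check for it. When a command is typed without an extension,
Windows tries the extensions in PATHEXT in order, and the default order puts
.COM before .EXE, so a planted cmd.com runs instead of cmd.exe.
The listing below is constructed for the example.
"""
import os

# Default PATHEXT order (assumption: the box has not customised PATHEXT).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

# Tools named in the post, with the extension the genuine file carries.
EXPECTED_TOOLS = {
    "cmd": ".exe", "netstat": ".exe", "ping": ".exe", "regedit": ".exe",
    "taskkill": ".exe", "tasklist": ".exe", "taskmgr": ".exe", "tracert": ".exe",
}


def resolve_command(name, listing, pathext=DEFAULT_PATHEXT):
    """Return the file a bare `name` would launch from this directory,
    applying PATHEXT precedence, or None if nothing matches."""
    by_lower = {entry.lower(): entry for entry in listing}
    for ext in pathext:
        hit = by_lower.get((name + ext).lower())
        if hit is not None:
            return hit
    return None


def find_companion_files(listing, expected=EXPECTED_TOOLS):
    """List (tool, file_that_runs, genuine_file) for every tool whose bare
    name resolves to something other than the genuine executable."""
    findings = []
    for tool, ext in expected.items():
        resolved = resolve_command(tool, listing)
        genuine = tool + ext
        if resolved is not None and resolved.lower() != genuine:
            findings.append((tool, resolved, genuine))
    return findings


def scan_directory(path):
    """Run the check against a real directory, for instance the System32
    folder of the C: install read from the F: side."""
    return find_companion_files(os.listdir(path))


# Constructed System32 listing: genuine tools plus two planted companions.
SAMPLE_SYSTEM32 = [
    "cmd.exe", "netstat.exe", "ping.exe", "regedit.exe", "taskmgr.exe",
    "tracert.exe", "kernel32.dll", "CMD.COM", "netstat.com",
]

if __name__ == "__main__":
    for tool, runs, genuine in find_companion_files(SAMPLE_SYSTEM32):
        print(f"'{tool}' would run {runs} instead of {genuine}")
```

The name check cannot catch the taskmgr.exe case in the post, where the genuine .exe itself is replaced; for that, compare the file's hash against the copy on the clean F: install.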

#3 gizmops (Topic Starter, 10 posts)
Hi Guse,

Many thanks for taking your time to help me.

I printed out your instructions and below is what I was able to achieve.
HijackThis:
O3 & O8 checked and fixed.
Both O9 items were not there.
Visually double checked and fixed.
Safe Mode.
Windows Explorer: no file found for MyWebSearch in either C or F, my 2 hard drives.
Ewido scan found nothing, as you predicted.
New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:41:15, on 14/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\ZoneLabs\isafe.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\ewido\security suite\ewidoguard.exe
F:\WINNT\system32\nvsvc32.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\SOUNDMAN.EXE
F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINNT\system32\winconf.exe
F:\WINNT\system32\internat.exe
F:\WINNT\system32\RUNDLL32.EXE
F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
F:\WINNT\system32\wuauclt.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Installs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por Telefónica Net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [hpsjbmgr] F:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Ffxfasw] C:\WINNT\SYSTEM32\myself.exe
O4 - HKLM\..\Run: [specific] specixic.exe
O4 - HKLM\..\Run: [Login Screen Saver] login.scr
O4 - HKLM\..\Run: [Windows Config Manager] winconf.exe
O4 - HKLM\..\RunServices: [specific] specixic.exe
O4 - HKLM\..\RunServices: [Login Screen Saver] login.scr
O4 - HKLM\..\RunServices: [Windows Config Manager] winconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [specific] specixic.exe
O4 - HKCU\..\Run: [Login Screen Saver] login.scr
O4 - HKCU\..\Run: [Windows Config Manager] winconf.exe
O4 - Startup: Microsoft Outlook.lnk = F:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = F:\Program Files\Telefonica\Kit ADSL USB\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5353C9-8F44-47B1-9D5D-51A0B5D0F7C7}: NameServer = 80.58.61.250 80.58.61.254
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - F:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WIN32 (image) - Unknown owner - F:\WINNT\image.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINNT\system32\ZoneLabs\vsmon.exe

By blue screen I mean a completely blue screen with the following error message:
"***STOP: 0x0000007B (0xEB41B84C, 0x00000034, 0x00000000, 0x00000000)
INACCESSIBLE BOOT DRIVE. If this is the first time you have seen this screen, RESTART. If this screen occurs again, check for viruses, remove any newly installed hard drive, etc."

I also opened My Computer etc. and followed the view files instruction.
Then, using Windows Explorer, I looked for the files you listed under D:\. As D:\ is my DVD burner, I checked both the C:\ and F:\ drives for these files and found nothing.

What to do next?
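An added example, not part of the thread, that turns the eyeballing of the O4 and O23 lines in the log above into code. It parses lines quoted from that log and flags: entries under RunServices (a Windows 9x/Me key that Windows 2000 never processes, so only code that sprays every autostart location writes it), path-less program names that are not on a small allowlist, screensaver files used as autostarts, images the ewido report in post #1 already named, the same value name repeated under several keys, and services whose binary is missing or has no owner. The allowlist, the list of ewido detections and the function names are assumptions made for this example, not HijackThis rules.

```python
"""Added example (not part of the thread): triage of HijackThis O4 and O23
lines. Sample lines are quoted from the log posted above; the allowlist and
the ewido detection list are assumptions drawn from earlier posts."""
import re
from collections import Counter, defaultdict

HJT_LINES = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "F:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Ffxfasw] C:\WINNT\SYSTEM32\myself.exe
O4 - HKLM\..\Run: [specific] specixic.exe
O4 - HKLM\..\Run: [Login Screen Saver] login.scr
O4 - HKLM\..\Run: [Windows Config Manager] winconf.exe
O4 - HKLM\..\RunServices: [specific] specixic.exe
O4 - HKLM\..\RunServices: [Login Screen Saver] login.scr
O4 - HKLM\..\RunServices: [Windows Config Manager] winconf.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [specific] specixic.exe
O4 - HKCU\..\Run: [Login Screen Saver] login.scr
O4 - HKCU\..\Run: [Windows Config Manager] winconf.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - F:\WINNT\system32\ZoneLabs\isafe.exe
O23 - Service: WIN32 (image) - Unknown owner - F:\WINNT\image.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# File names the ewido report in post #1 already flagged (assumption: copied by hand).
EWIDO_HITS = {"myself.exe", "playme.exe", "specixic.exe", "image.exe",
              "logi0.scr", "logi2.scr", "autoclk.exe"}
# Path-less Run entries that are normal on this box (site-specific allowlist, assumed).
KNOWN_BARE = {"mobsync.exe", "rundll32.exe", "nwiz.exe", "soundman.exe",
              "internat.exe", "adiras.exe"}


def command_image(command):
    """Return (basename, is_bare) for the program an O4 command line starts.
    A quoted path is taken whole; otherwise the first token is the program."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower(), "\\" not in first


def triage(lines):
    """Map each suspicious entry name to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    seen_under = Counter()
    for line in lines:
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            image, bare = command_image(command)
            seen_under[name] += 1
            if key == "RunServices":
                reasons[name].append("written to RunServices, a Windows 9x key that Windows 2000 never processes")
            if image in EWIDO_HITS:
                reasons[name].append(f"{image} was already detected by ewido")
            if image.endswith(".scr"):
                reasons[name].append("screensaver file used as an autostart")
            if bare and image not in KNOWN_BARE:
                reasons[name].append(f"path-less entry {image} is not on the allowlist")
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if "(file missing)" in path:
                reasons[name].append("service image file is missing")
            if owner == "Unknown owner":
                reasons[name].append("service binary carries no company information")
    for name, count in seen_under.items():
        if count >= 3:
            reasons[name].append(f"same value name under {count} autostart keys")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in triage(HJT_LINES).items():
        print(name, "->", "; ".join(why))
```

The log is from the running F: install, so nothing here says anything about the registry on the C: drive; the flags are for the copy of the infection on F.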

#4 gizmops (Topic Starter, 10 posts)
I forgot to mention: the F drive is the one I am using. The C drive, which I can't find a way to use HijackThis on, is the one with the blue screen that I can't get into.
Regards

Gizmops

#5 Guse (Visiting Staff, 624 posts)
I see... let me post some assumptions, you tell me how close I am:

1) You have 2 hard drives, each of them with an operating system installed on it.

2) C drive's operating system (Windows XP) gives you a critical error when you try to boot up, so you're running off of the operating system installed on the F drive.

Am I close?

If I am, can you boot to safe mode on your C drive?

#6 gizmops (Topic Starter, 10 posts)
Hi Guse,

Yes, I am running 2 hard drives, C & F. Both have Win 2000 Pro installed plus misc programs. One is for my wife and one for me. She often complained when I screwed up the machine, often not my fault, but who gets the blame? So now mine, C, is screwed up again, and we are running on F.

regards
Gizmops

PS: I can't boot to the C drive even in safe mode. All I get is the blue screen with the message described in my earlier mail.

Edited by gizmops, 14 July 2005 - 12:33 PM.


#7 Guse (Visiting Staff, 624 posts)
You ready for this?

This is a complicated problem, with only one even remotely simple thing to try.

First off, here's a good article from Microsoft on this problem:

http://support.micro...om/?kbid=122926

Now, we can try one from your F drive.

Go to Start | Run and type in "cmd" (no quotes)

At the command prompt, type:

chkdsk c: /r

If you get a message about chkdsk not being able to run because the disk is locked, it'll ask you if you want it to run the next time Windows boots. Hit Y

After it gets done running and fixing, reboot then try to access your C drive.

Let me know how that works out.

#8 gizmops (Topic Starter, 10 posts)
Hi Guse,

Tried your instructions and also read the MS database info.

After running the chkdsk command I rebooted and tried to go into the C drive. Failed; I got the same blue screen with the stop message.
What else can I try?
Is there any way I can run HijackThis on the C drive?

Regards

Gizmops

#9 Guse (Visiting Staff, 624 posts)
To be honest, I'm not sure where to go next with this. Let me consult with some other staff members to see if there's a way to fix this.

#10 gizmops (Topic Starter, 10 posts)
Hi Guse,

Thanks for your persistence.
I will keep my fingers crossed as I really don't want to do a reinstall.

Regards

Gizmops
#11 Guse (Visiting Staff, 624 posts)
Have you added any new hardware lately? If not, we can still work.. but this is going to get sticky.

#12 gizmops (Topic Starter, 10 posts)
Hi Guse

No, I haven't added any new hardware.

Regards

Gizmops

#13 Guse (Visiting Staff, 624 posts)
Use these instructions at your own risk. They involve some pretty intense "computering".

Alright, we’re going to do this the hard way. You’ll want to print these off, since the internet will most definitely NOT be available for you to use.

Make sure any data that you’d like to keep off drive C is BACKED UP before attempting any of these fixes. You can use a CD burner from drive F’s operating system to backup info on drive C if you have to.

After booting into Windows on the F-Drive, go to:

My Computer | Local Disk C:

Then, click File | New | Text Document

Name it Regcopy1

Copy the following text and insert it INTO the new Regcopy1.txt

md c:\winnt\tmp
copy c:\winnt\system32\config\system c:\winnt\tmp\system.bak
copy c:\winnt\system32\config\software c:\winnt\tmp\software.bak
copy c:\winnt\system32\config\sam c:\winnt\tmp\sam.bak
copy c:\winnt\system32\config\security c:\winnt\tmp\security.bak
copy c:\winnt\system32\config\default c:\winnt\tmp\default.bak

delete c:\winnt\system32\config\system
delete c:\winnt\system32\config\software
delete c:\winnt\system32\config\sam
delete c:\winnt\system32\config\security
delete c:\winnt\system32\config\default

copy c:\winnt\repair\system c:\winnt\system32\config\system
copy c:\winnt\repair\software c:\winnt\system32\config\software
copy c:\winnt\repair\sam c:\winnt\system32\config\sam
copy c:\winnt\repair\security c:\winnt\system32\config\security
copy c:\winnt\repair\default c:\winnt\system32\config\default

Save it and follow the next set of instructions:
  • Insert the Windows 2000 startup disk into the floppy disk drive, or insert the Windows 2000 CD-ROM into the CD-ROM drive, and then restart the computer.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console (in your case the one on your C drive) *If you can't determine which is your C-Drive and which is your F-Drive just STOP and let me know. Don't guess.*
  • When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
  • Run the following command when you start in Recovery Console:
    batch regcopy1.txt

    With the batch command in Recovery Console, you can process all the commands in a text file sequentially.
Then, tell me if you can boot into Safe Mode.

Edited by Guse, 16 July 2005 - 07:43 AM.

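The hive swap in the post above, with an added check that is not part of the thread or of Microsoft's procedure. The batch file overwrites the hives under C:\winnt\system32\config with the copies in C:\winnt\repair. Two things are worth knowing before doing that, and the Recovery Console reports neither: whether the live hives are merely "dirty" (the two sequence numbers in the hive header disagree because a write was interrupted, which Windows normally repairs from the .LOG file) or actually corrupt (bad "regf" signature or header checksum), and how old the repair copies are, since they date from installation or the last ERD/backup and restoring them rolls the machine back to that point. The Python below reads the 512-byte base block of each hive and reports exactly that; it is meant to run from the working F: install or any machine that can read the C: files, not from the Recovery Console. The hive paths and `compare_hive_sets` are names assumed for this example; the sample hives are constructed.

```python
"""Added example (not part of the thread): inspect the base block of registry
hive files (signature, sequence numbers, checksum, last-write time) before
replacing the live hives with the repair copies. Sample hives are constructed.
"""
import os
import struct
from datetime import datetime, timedelta, timezone

HIVE_NAMES = ("system", "software", "sam", "security", "default")
HEADER_SIZE = 0x200          # the regf base block is one 512-byte sector
CHECKSUM_OFFSET = 0x1FC      # XOR checksum over the 127 DWORDs before it
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def header_checksum(header):
    """XOR of the DWORDs at 0x000..0x1FB, with the two special cases the
    kernel applies (0 becomes 1, 0xFFFFFFFF becomes 0xFFFFFFFE)."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        value ^= dword
    if value == 0:
        return 1
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value


def inspect_hive(data):
    """Parse the base block of a hive file and report its health."""
    if len(data) < HEADER_SIZE:
        return {"ok": False, "signature_ok": False, "reason": "shorter than one base block"}
    sig, seq1, seq2, written, major, minor = struct.unpack_from("<4sIIQII", data, 0)
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    info = {
        "signature_ok": sig == b"regf",
        "dirty": seq1 != seq2,             # interrupted write; Windows replays the .LOG
        "checksum_ok": stored == header_checksum(data[:HEADER_SIZE]),
        "last_written": filetime_to_datetime(written),
        "format": (major, minor),          # 1.3 is the pre-XP hive format
    }
    info["ok"] = info["signature_ok"] and info["checksum_ok"]
    return info


def compare_hive_sets(live_dir, repair_dir, names=HIVE_NAMES):
    """Inspect each hive in both directories; returns {name: (live, repair)}.
    Run from the F: install against the offline C: files, which are not locked."""
    out = {}
    for name in names:
        pair = []
        for directory in (live_dir, repair_dir):
            with open(os.path.join(directory, name), "rb") as fh:
                pair.append(inspect_hive(fh.read(HEADER_SIZE)))
        out[name] = tuple(pair)
    return out


def build_header(seq1, seq2, written):
    """Constructed test data: a minimal base block with a valid checksum."""
    delta = written - _FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<4sIIQII", hdr, 0, b"regf", seq1, seq2, ft, 1, 3)
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, header_checksum(hdr))
    return bytes(hdr)


# Constructed sample hives: one clean, one left dirty by an interrupted write.
SAMPLE_CLEAN = build_header(7, 7, datetime(2005, 7, 9, tzinfo=timezone.utc))
SAMPLE_DIRTY = build_header(8, 7, datetime(2005, 7, 14, tzinfo=timezone.utc))

if __name__ == "__main__":
    # Real use, paths assumed: compare_hive_sets(r"C:\winnt\system32\config", r"C:\winnt\repair")
    for label, blob in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        print(label, inspect_hive(blob))
```

If the live SYSTEM hive shows a bad signature or checksum, the swap is the right call; if it is only dirty, or if the repair copies carry a last-write time from years before, expect to lose every driver, service and program registration made since that date once they are restored.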

#14 gizmops (Topic Starter, 10 posts)
Hi Guse
I have tried to follow your instructions and I must be doing something wrong.
How do I find out if I am repairing C or F when in the console?
I tried to make sure I was in the right one by disconnecting the power cable to the F drive; is this a good idea?
When in the console I get the line C:\WINNT
I type in batch regcopy1.txt and I get a message saying it can't find the file. The file I copied from your mail is in Local Disk C as instructed.
Should I be in C:\WINNT or in C:\ to run this file?
Can you walk me through this in more detail please?

Regards
Gizmops

#15 Guse (Visiting Staff, 624 posts)
I'm glad you asked. This is a tricky set of instructions. Please don't be afraid or embarrassed to ask a question.

If you saved it where I told you to, the file you're looking for will be in C:\. If you think it would be easier, you can place a copy of Regcopy1 in the C:\Winnt folder as well.

The short answer: you'll need to be in C:\. You can get there by typing:

cd ..

when the console comes up. That's CD followed by a space and two dots.

Also, disconnecting power to your F drive was a really good idea. That way, we're positive that no changes we do affect the good drive.

Edited by Guse, 17 July 2005 - 09:18 AM.
