Need help for girlfriend's computer
Ok, basically what happened was she tried to restart her computer and it started going into a multiple steady beep/no loading as it went to the Windows loading screen. We finally got it to load and are now getting a blank desktop with no applications in the start menu and nothing accessible. She can't get it to connect to the internet. Also the C drive shows it being full of data (about 90gig worth used) but nothing is showing up in the "my documents" folders or any other for that matter. Since we have been able to start it up it gives an error along the lines of "cannot find file C:...fservice.exe".
I can't have her run HijackThis as she has no access to anything at the moment. If anyone can give me some advice as to how to get to a fixable location without losing all the data that would be fantastic.
Logfile of HijackThis v1.99.1
Scan saved at 2:43:26 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
Logfile of HijackThis v1.99.1
Scan saved at 3:13:20 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA7134] command /c del "C:\Program Files\Internet Explorer\msimg32.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC492] cmd /c del "C:\Program Files\Internet Explorer\msimg32.dll_tobedeleted_old"
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
The computer has been infected by a Backdoor Trojan. This can give intruders complete control of your computer, logging key strokes, stealing information, etc.
You are strongly advised to do the following immediately!:
- Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
- Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
- From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
To help you make a more informed decision, please read the following articles:
- Danger: Remote Access Trojans.
- When should I re-format? How should I reinstall?
- How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?
Should you have any questions, please feel free to ask. Please let me know your decision and we'll get started with clean up if that's what you choose.
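
Added example, not part of the original thread: a short Python triage script that reads HijackThis log lines, reports anything an F2 `Shell=` entry launches besides Explorer.exe, and diffs two scans of the same machine. The sample lines are copied from the two logs above; the function names and the regular expressions are this example's own assumptions, not HijackThis features.

```python
import re

# Constructed sample: a few lines copied from the two HijackThis logs in this thread.
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
LOG_AFTER = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingC492] cmd /c del "C:\Program Files\Internet Explorer\msimg32.dll_tobedeleted_old"
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "F2 - REG:system.ini: ..."
# The stock Windows XP shell is Explorer.exe alone; anything after it also runs at logon.
SHELL = re.compile(r"^(?:[a-z]:\\windows\\)?explorer\.exe(?=$|[\s,])[\s,]*(.*)$", re.I)


def entries(log):
    """Return the set of (section, text) pairs for the scan lines of a log."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return {m.groups() for m in matches if m}


def shell_extras(log):
    """List what an F2 Shell= entry launches besides Explorer.exe."""
    extras = []
    for section, text in entries(log):
        if section == "F2" and "Shell=" in text:
            value = text.split("Shell=", 1)[1].strip()
            m = SHELL.match(value)
            extra = m.group(1).strip() if m else value  # shell replaced outright
            if extra:
                extras.append(extra)
    return sorted(extras)


def diff(before, after):
    """Entries removed and added between two scans of the same machine."""
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("extra shell programs before:", shell_extras(LOG_BEFORE))
    print("extra shell programs after: ", shell_extras(LOG_AFTER))
    removed, added = diff(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed)
    print("added:  ", added)
```

A clean `Shell=` line in the later scan only shows that the autostart entry is gone; it says nothing about whether the file is still on disk or what was done while the backdoor was active.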