Free PC Support
PC Help Forums from the Experts at Technical-Assistance.co.uk
 
Google
 
Search The Web Search This Site
 RSS FeedRSS Feed   FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Virus has left battle scars!

 
Reply to topic    Free PC Support Forum Home -> Helproom
Author Message
kyoung1219



Joined: 10 Sep 2009
Posts: 2

PostPosted: Thu Sep 10, 2009 9:08 am    Post subject: Virus has left battle scars! Reply with quote

A recent tussle with a virus (and possibly some of its mates, too) has left my poor XP Home SP3 somewhat battered and bruised. Specifically, when I open up the My Computer folder, my two hard drives (C: and D:) do not appear. I can access items on them through applications but cannot access the drives directly through Windows. Also, I can no longer access Task Manager. When I try to do so, a message tells me that Task Manager has been disabled by my administrator. Given that I am the administrator on my own PC at home, I feel it's the sort of thing I would remember doing!

A few people I have spoken to have said that I need to wipe both hard drives and do a complete re-install of everything, but I have nearly 200Gb of data stored on the two drives and lots of applications that I really don't want to have to start installing all over again. Can anyone suggest a fix for this problem that isn't so drastic? Please?!
Back to top
View user's profile Send private message
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

PostPosted: Thu Sep 10, 2009 10:58 am    Post subject: Reply with quote

These issues are probably fixable, although it may take some time to sort out. Before we do though, I would like you to post a HijackThis log, so we can be sure the system is clear of any nasties. If we don't do this, then problems we fix may reappear.
_________________
"Microsoft programs are generally bug-free. If you visit the Microsoft hotline, you'll literally have to wait weeks if not months until someone calls in with a bug in one of our programs. 99.99% of calls turn out to be user mistakes. I know not a single less irrelevant reason for an update than bugfixes. The reasons for updates are to present more new features."
-- Bill Gates, on code stability, from Focus Magazine
Back to top
View user's profile Send private message Visit poster's website
kyoung1219



Joined: 10 Sep 2009
Posts: 2

PostPosted: Thu Sep 10, 2009 3:47 pm    Post subject: HijackThis log file Reply with quote

I've done as you asked and run HijackThis. Here is the log from it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41: VIRUS ALERT!, on 10/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Teleca Shared\Generic.exe
D:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\PROGRA~1\IDENTI~1\IdentityPatrol.exe
D:\Program Files\RegistryPatrol3.0\RegistryPatrol.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Creative\MediaSource5\CTCMSU.exe
D:\Program Files\Creative\MediaSource5\CtDetctu.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R3 - URLSearchHook: (no name) - {4FBACD73-F67C-42AE-B46A-03960AFE3DFB} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - D:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: (no name) - {7499C7D9-F599-4B91-B0FC-FBEA946A5692} - (no file)
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - D:\WINDOWS\system32\webperform.dll
O2 - BHO: (no name) - {B20586F6-FA08-4C8B-87E0-EAF6F243FC53} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - D:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - D:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} - (no file)
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [OM_Monitor] D:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] D:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IdentityPatrol] D:\PROGRA~1\IDENTI~1\IdentityPatrol.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LightScribe Control Panel] D:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [OM_Monitor] D:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - D:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - D:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157224239234
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yaywwVNd - D:\WINDOWS\SYSTEM32\yaywwVNd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Update Service (gupdate1c9f05eb2eb8a00) (gupdate1c9f05eb2eb8a00) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - D:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - D:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 12244 bytes


Hope this helps, looking forward to your reply.
Back to top
View user's profile Send private message
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

PostPosted: Thu Sep 10, 2009 5:15 pm    Post subject: Reply with quote

It looks like there are still some left overs from your infection. Please try the following:

Arrow Boot the computer in Safe Mode
Arrow Run HijackThis
Arrow Check the following entries and then select Fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7499C7D9-F599-4B91-B0FC-FBEA946A5692} - (no file)
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - D:\WINDOWS\system32\webperform.dll
O2 - BHO: (no name) - {B20586F6-FA08-4C8B-87E0-EAF6F243FC53} - (no file)
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} - (no file)
O4 - HKLM\..\Run: [IdentityPatrol] D:\PROGRA~1\IDENTI~1\IdentityPatrol.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: yaywwVNd - D:\WINDOWS\SYSTEM32\yaywwVNd.dll
Arrow Delete the following files:
D:\PROGRA~1\IDENTI~1\IdentityPatrol.exe
D:\Program Files\RegistryPatrol3.0\RegistryPatrol.exe
D:\WINDOWS\system32\webperform.dll
D:\WINDOWS\SYSTEM32\yaywwVNd.dll
Arrow Reboot the computer normally, and run HijackThis again, and post the new log.

Above I make reference to IdentityPatrol.exe - I'm not 100% sure on this one, if it's something you know about as being OK, then don't fix/delete as requested above. I think it is malicious though, so if in doubt, get rid!
_________________
"Microsoft programs are generally bug-free. If you visit the Microsoft hotline, you'll literally have to wait weeks if not months until someone calls in with a bug in one of our programs. 99.99% of calls turn out to be user mistakes. I know not a single less irrelevant reason for an update than bugfixes. The reasons for updates are to present more new features."
-- Bill Gates, on code stability, from Focus Magazine
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Reply to topic    Free PC Support Forum Home -> Helproom All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

 



Powered by phpBB © 2001, 2005 phpBB Group

2005 - 2017 All Rights Reserved www.technical-assistance.co.uk
Terms and Conditions