Help for virus removal - Free Antivirus Forum

Help for virus removal

BullGuard Antivirus Forum > Virus Removal > Removal Help > Help for virus removal

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

sudhanshudube
New Member

Date Joined Sep 2008
Total Posts : 4

Posted 9-6-2008 12:37 (GMT +1)

i have some peculiar things happening in my system which i presume is a virus, although i have run the updated anti virus, no prompt has been given to detect any virus.

The main problem is that the system priviliges of task manager, msconfig, etc have now been restricted and i cannot access them, I even cannot change the system date and time, I cannot install/uninstall any programme, with a message that user priviliges are not existing, although i log in as administrator and there are no other user accounts existing.

On running Hijackthis the message came that system denied acces to some host files. On trying to access the files manually the system denied the access. soon afterwards the message on hijackthis stated "an unexpected error has occured at the procedure:modmain_Checkother1Item()Error # 75-path/ file access error"

the logfile is as under:-

Logfile of HijackThis v1.99.1
Scan saved at 9:25:31 PM, on 2/4/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,New Folder.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00CA385E-2EE9-414D-AB7E-0BDA534EE0F0}: NameServer = 218.248.240.24 218.248.240.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{00CA385E-2EE9-414D-AB7E-0BDA534EE0F0}: NameServer = 218.248.240.24 218.248.240.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

can you find some answers to the problem. i had downloaded malawarebytes however it is not getting installed with the message that one has to log in as administrator

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 9-6-2008 2:08 (GMT +1)

Hello

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

and save it to your Desktop.

Please boot into Safe Mode (Tap F8 during startup).

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
and save it to your desktop.

Open the extracted folder - C:\ SDFix and doubleclick on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer that normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.

Open the SDFix folder on your desktop and copy and paste the contents of Report.txt

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

sudhanshudube
New Member

Date Joined Sep 2008
Total Posts : 4

Posted 9-6-2008 4:28 (GMT +1)

thanks for a quick reply. I had carried out the instructions to run SDfix. However the problem seems to stay. although logged as administrator the admin rights were not run for SD fix programme.

The report of SD fix is as under

Rebooting

[b]Checking Files [/b]:

No Trojan Files Found

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

driver loading error disk not found C:\

please note that you need administrator rights to perform deep scan

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\\ROADRASH\\ROADRASH.EXE"="E:\\ROADRASH\\ROADRASH.EXE:*:Enabled:Road Rash for Windows 95 Executable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Wed 4 Aug 2004        93,184 A.SH. --- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Wed 4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 4 Aug 2004         4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 4 Aug 2004        73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Wed 8 Jan 2003        38,400 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0001.tmp"
Wed 8 Jan 2003        21,504 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0003.tmp"
Wed 8 Jan 2003        30,720 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0004.tmp"
Wed 8 Jan 2003        22,016 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0005.tmp"
Wed 8 Jan 2003        38,912 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0006.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0291.tmp"
Wed 8 Jan 2003        26,112 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0414.tmp"
Wed 8 Jan 2003        35,328 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0487.tmp"
Wed 8 Jan 2003        58,368 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0741.tmp"
Wed 8 Jan 2003        56,832 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL0762.tmp"
Wed 8 Jan 2003        44,544 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1318.tmp"
Wed 8 Jan 2003        40,960 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1509.tmp"
Wed 8 Jan 2003        54,784 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1593.tmp"
Wed 8 Jan 2003        38,912 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1610.tmp"
Wed 8 Jan 2003        55,808 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1640.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1829.tmp"
Wed 8 Jan 2003        28,160 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1923.tmp"
Wed 8 Jan 2003        45,568 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1928.tmp"
Wed 8 Jan 2003        30,720 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2040.tmp"
Wed 8 Jan 2003        30,720 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2048.tmp"
Wed 8 Jan 2003        47,616 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2110.tmp"
Wed 8 Jan 2003        52,224 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2387.tmp"
Wed 8 Jan 2003        46,080 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2468.tmp"
Wed 8 Jan 2003        46,592 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2506.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2619.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2739.tmp"
Wed 8 Jan 2003        31,744 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2757.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2783.tmp"
Wed 8 Jan 2003        23,552 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2829.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL2841.tmp"
Wed 8 Jan 2003        58,368 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3001.tmp"
Wed 8 Jan 2003        26,624 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3135.tmp"
Wed 8 Jan 2003        29,184 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3240.tmp"
Wed 8 Jan 2003        27,648 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3276.tmp"
Wed 8 Jan 2003        45,568 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3478.tmp"
Wed 8 Jan 2003        58,368 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3514.tmp"
Wed 8 Jan 2003        57,344 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3560.tmp"
Fri 17 Jan 2003        23,040 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3586.tmp"
Wed 8 Jan 2003        57,856 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3878.tmp"
Fri 17 Jan 2003        22,016 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3893.tmp"
Wed 8 Jan 2003        23,040 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL4040.tmp"
Thu 18 Nov 2004        94,458 ...H. --- "C:\Program Files\Nero\data\Nero PhotoShow Express.exe"
Wed 8 Jan 2003       109,056 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\~WRL3107.tmp"
Thu 9 Jan 2003       110,592 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\~WRL4011.tmp"
Wed 8 Jan 2003        27,648 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL0049.tmp"
Thu 9 Jan 2003       101,888 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL0459.tmp"
Thu 9 Jan 2003        41,472 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL0568.tmp"
Thu 9 Jan 2003        47,104 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL0843.tmp"
Thu 9 Jan 2003        49,152 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1013.tmp"
Thu 9 Jan 2003        81,920 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1074.tmp"
Thu 9 Jan 2003        40,448 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1093.tmp"
Thu 9 Jan 2003        49,664 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1225.tmp"
Thu 9 Jan 2003        54,784 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1584.tmp"
Thu 9 Jan 2003       116,224 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1716.tmp"
Thu 9 Jan 2003        86,016 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1806.tmp"
Wed 8 Jan 2003        37,376 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL1896.tmp"
Wed 8 Jan 2003        24,576 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL2217.tmp"
Thu 9 Jan 2003        93,696 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL2298.tmp"
Thu 9 Jan 2003       112,640 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL2637.tmp"
Thu 9 Jan 2003        95,744 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL2877.tmp"
Wed 8 Jan 2003        26,624 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL2932.tmp"
Thu 9 Jan 2003        73,728 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL3161.tmp"
Wed 8 Jan 2003        26,624 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL3693.tmp"
Thu 9 Jan 2003        65,024 ...H. --- "C:\Documents and Settings\Administrator\Desktop\word docs\ICP\~WRL4027.tmp"

[b]Finished![/b]

the log of hijack this is as under

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 9-6-2008 4:38 (GMT +1)

Ok.

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And save to the desktop.

Reboot to safe mode.

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Reboot normally.

Post the contents of that log in your next reply

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

sudhanshudube
New Member

Date Joined Sep 2008
Total Posts : 4

Posted 9-7-2008 7:21 (GMT +1)

I carried out the actions as instructed. The combofix ran for few seconds which i presume was some scanning. The action was completed ,however in!!!!e of my best efforts i could not locate Combofix.txt anywhere. Please advice further action.

Thanks

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 9-7-2008 8:27 (GMT +1)

See if you can find in C: Qoobox folder

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

sudhanshudube
New Member

Date Joined Sep 2008
Total Posts : 4

Posted 9-7-2008 9:16 (GMT +1)

no, i have searched thoroughly. i think the log was not created.

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 9-9-2008 6:01 (GMT +1)

Ok, let´s try this scanner then ->

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Click on Format and Uncheck Word wrap, if checked.

Post back with both the resulting logs.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

A non-profit, volunteer network.

Forum Information

Currently it is Wednesday, December 03, 2008 6:18 AM (GMT +1)
There are a total of 64.512 posts in 15.910 threads.
In the last 3 days there were 19 new threads and 77 reply posts. View Active Threads