0

So I managed to get this nice little virus on my fairly new pc and within minutes my computer became useless. I can no longer open the internet or any other program without receiving a message telling me that Windows cannot find the file and that I may not have permission to access it. I also cannot open the task manages because it tells me it was disabled by the administrator. I have however looked at some of the other posts by people having problems with this virus and noticed everyone posting a log from the HijackThis program so I do have a copy of that to post because for what ever reason it would open when almost no other program would. I have McAfee which I cannot use to scan the computer because I get the error message but it does have popups telling I have infected files that cannot be cleaned and I cannot quarantine or delete them. Any help would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:51:02 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Brando\My Documents\HIJACK\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\RunOnce: [KB926239] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe

2
Contributors
1
Reply
2
Views
9 Years
Discussion Span
Last Post by gerbil
0

If you are using Pro you can enable Taskmanager via group policy - run gpedit.msc and work down the tree thus:
User Configuration, Administrative Templates, System, Ctrl+Alt+Del Options.....
Else if you have Home [or as well Pro ] run this script:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showtm.reg, as type "all files", to your desktop; dclick it to run...
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"= -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"= -
__________________________________________________________

If TM works now, try to open explorer.exe or iexplore.exe with it.
On the net?
First, clean:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
Next scan for malware:
==Pandasoftware ActiveScan using IE only from http://www.pandasoftware.com/products/activescan? -link is at right above the padlock: free online virus scan; just follow through the pages, supply a "valid" email address...
No net? Try in Safe Mode with Networking... yes? then do as above.
Still no net? Dl this file to a pendrive or rewritable, copy it to your sys.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Please delete your copy of hijackthis and get this one:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis .exe to imabunny.exe
Post any logs you can get...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.