Hey guys,
Having a nightmare time with my laptop at the moment.
Basically got a virus (or possibly several at the same time). I need to get the computer into a working state so that I can scan the C drive with data recovery software to get back some pictures belonging to the mrs that I deleted. I reinstalled Windows without backing them up. Yeahhh. Anyway my nads are on the line so please give us a hand!
What the virus did:
- Disabled regedit, msconfig, cmd, and enabling hidden folders
- Popped up windows that looked like Windows Security Center trying to warn you about viruses, saying your computer is infected with the following:
rootkit.win32.agent.pp or net-worm.win32.mytob.t or backdoor.win32.kbot.al or trojan-downloader.js.multi.ca (they're the 4 different ones it would come up with). This would be followed by some pop-up allowing you to download an antivirus. Obviously didn't, assumed it was part of the virus. I don't even know if this is what the laptop was infected with or just the virus popping stuff up to make you download more rubbish.
- It opened Internet Explorer hidden - couldn't see it anywhere other than the taskman.
- When logging onto the internet, any antivirus pages wouldn't work, e.g. the AVG page, but AVG on another site like CNET would work. Not downloading anything either.
- Not opening applications
So here's what Ive done so far...
- Deleted some files by cross-checking the interweb with taskman... can't remember what they were, names like 1.tmp, 2.tmp, and each time you closed them, later some other numbers would pop up. Also C.exe
- Got some applications to open up again but they don't all seem to be working correctly, e.g. the ParetoLogic data recovery thing won't scan my C drive.
- Tried loading installation files for various antiviruses on a mem stick and loading them but none work. They seem to need internet and although I'm connected via wifi and it works, the antiviruses can't seem to access it... perhaps the virus is blocking somehow? Any program requiring updates from the internet won't update.
- Tried all of this in safe mode too... no better results.
- Tried using Registry Mechanic but it didn't seem to do much
- Tried PC Tools AntiVirus, it picked up 2 viruses. 1. rootkit.agent!sd5 and I can't find the name of the other one.
Either way, the computer seems to be working ok now other than some serious virus residue... (or maybe still a virus?)
Problems now:
- Regedit, msconfig, folder options all still not working
- C drive is accessible to explore but none of my data recovery software will scan it. I tried scanning it before the virus and it worked fine.
- No programs that need to connect to the interweb to update will update. Sites like the homepages for antiviruses will redirect to www.bankofindworld.com/click/go.php?long link....
Heard something about viruses being gone but changing registry entries so that even after they're removed, there are still issues?
I just need it to work well enough to scan the C drive.
Any ideas?
Thanks!!
Here's the HijackThis file if it's any help!
Logfile of HijackThis v1.99.1
Scan saved at 02:05:52, on 13/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Downloads\PC Tools AntiVirus\PCTAVSvc.exe
C:\DOCUME~1\Martins\LOCALS~1\Temp\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ParetoLogic\Data Recovery\PLDataRecovery.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DDR - Digital Picture Recovery(Demo)\DDR - Digital Picture Recovery(Demo).exe
D:\System Stuff\HijackThis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pridl] "C:\Documents and Settings\Martins\Application Data\pridl\pridl.exe" no
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Martins\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O20 - AppInit_DLLs: yeyatene.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (pctavsvc) - PC Tools Research Pty Ltd - D:\Downloads\PC Tools AntiVirus\PCTAVSvc.exe
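A small triage script over the log above, added here as an example and not part of the original post or of HijackThis itself: it walks the O2/O4/O7/O20/O23 lines and flags the entries a responder would pull out first (an autorun launched from a Temp folder, a core Windows binary name outside system32, the DisableRegedit policy, an AppInit_DLLs hook, an unnamed BHO, a service pointing at a missing or misspelled path). The sample lines are copied from the log; the rules and the SYSTEM_NAMES list are assumptions about what looks suspicious, not vendor signatures.

```python
import re

# Constructed sample: entries copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {bf56a325-23f2-42ad-f4e4-00aac39caa53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Martins\LOCALS~1\Temp\smss.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: yeyatene.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
"""

# Assumed list of core Windows binaries whose names malware borrows; the real ones live in \WINDOWS\system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe"}

def check_entry(line):
    """Return a short reason if one HijackThis line looks suspicious, else None."""
    m = re.match(r"(O\d+|R\d) - (.*)", line)
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    if section == "O4":                      # autorun (Run key) entries
        exe = re.search(r'\]\s*"?([^"]+?\.exe)', body, re.I)
        path = exe.group(1).lower() if exe else ""
        if "\\temp\\" in path:
            return "autorun launched from a Temp folder"
        if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\system32\\" not in path:
            return "system binary name outside system32"
    elif section == "O7" and "disableregedit=1" in low:
        return "policy disables regedit"
    elif section == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return "AppInit_DLLs loads a DLL into every process"
    elif section == "O23" and ("(file missing)" in low or "%fystemroot%" in low):
        return "service points at a missing or misspelled path"
    elif section == "O2":                    # browser helper objects
        parts = [p.strip() for p in body.split(" - ")]
        # HijackThis prints the DLL path in place of a name when the BHO has none
        if len(parts) == 3 and parts[0].startswith("BHO: ") and parts[0][5:] == parts[2]:
            return "unnamed BHO with a random-looking DLL name"
    return None

def triage(log_text):
    """Apply check_entry to every line; return [(section, reason, line), ...] for the hits."""
    hits = [(line.split(" - ", 1)[0], check_entry(line), line)
            for line in log_text.strip().splitlines()]
    return [h for h in hits if h[1]]
```

Run triage(SAMPLE_LOG) on the full log to get the short list of entries worth researching before touching anything; the known-good Spybot, Registry Mechanic and ctfmon entries pass through untouched.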