this is how it all started. I’m playing on line game that uses protect game guard…yesterday i wasn’t able to run the game. everytime i launch the game it says that the game or gameguard has been cracked. i reinstall the game thinking that it would fix it but it did nothing. i tried to run avast but it is not working. tried my antispyware and its the same thing. it was like something is blocking avast and my antispyware from running. tried on line virus scan…not good…my computer wont even show the webpage for virus scanning.
i viewed my hidden files and folders to check if there is anything unusual on my system. i noticed one thing. i cannot access system volume information on my drive C:. i tried looking for solution on line i was able to get one by accessing gpedit and regedit. accessed regedit.exe and it says that it was disabled by administrator. tried gpedit.msc and my computer cannot find the file…tried taskman same thing disabled by administrator…i said wtf its a home PC.so what i did i tried RRT and Hijackthis still the same…last resort…format after 5 mins of smooth running…tried reformatting again…not good help me I’m running out of options… ???
You might have a rootkit or a backdoor trojan. Why don’t you try scanning your PC in safe-mode?
why dont u try malwarebytes, its easy to use.
link to malwarebytes page: http://malwarebytes.org/mbam.php
I hope this helps u.
@iJtaylor83 tried running my pc on safemode but it doesnt allow me to. my pc reboots before it runs on safe mode…in some cases where i try to access taskmanager,gpedit and regedit my pc reboots. i can run other programs except for antivirus and antispyware…i cant even access websites that offers free online virus scanning but other websites works perfectly fine.
@peln2000 i was able to install and run the program that you recomended. hopefully this works. thanks
tried the program but it did not work…help me please. i think its getting worse. other options like firewall settings, automatic updates for winxp not available. its a good thing i still have my internet connection
did u make a full scan or a quick scan? if u tried both i’m afraid u’ll need to format your drive. maybe u dont have 1 virus, maybe it’s more. have u tried avira boot cd, or avast bart cd?
Try a full scan after updating database
Have you tried renaming HijackThis.exe, also you could try DrWeb Cureit ( from a clean pc ) from a usb drive.
Check the hosts file for blocking. It an extentionless file
C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS
Unless you are using a custom host file there should only be 1 entry (ignore the lines that start with #)
127.0.0.1 localhost
If there are others that start with 127.0.0.1 and are related to anti malware sites then this file is blocking you. You can rename the file then try to reach an online scan.
thanks for the responses. i’ll try to do all your suggestions. hope this will all work.
@oldman I only have one entry on HOSTS 127.0.0.01, Do I have any other option?
@mickey77 I only have one PC so I might try this one
@peln2000 where do I get the Cd’s that you are referring to?
really appreciate your responses guys. I’ve been working on this issue for almost 3 days. by the way Hijackthis works…this is the log file help me analyze the issue.taskmanager, regedit are disabled by administrator…I’m using a home PC. its only for personal use…gpedit not functioning too. cannot access system volume information. tried reformatting my PC twice and I still get the same result.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:24 AM, on 10/21/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Ogie’s Files\acolyte\start.exe
D:\Ogie’s Files\taekwon\start.exe
C:\DOCUME~1\AQUINO~1\LOCALS~1\Temp\winjrwdg.exe
C:\DOCUME~1\AQUINO~1\LOCALS~1\Temp\wingrev.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [RRT-Auto] C:\Documents and Settings\aquinopc1\Desktop\RRT\RRT.exe auto
O4 - HKLM..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224470256091
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
–
End of file - 3169 bytes
Putting a XP system on the Internet without at least SP1 installed is inviting disaster.
You can order a SP3 Update CD from Microsoft for a small shipping charge that you can use to update the system before connection it to the Internet:
https://om2.one.microsoft.com/opa/Validation.aspx?StoreID=d7a098f4-4034-4ccb-a785-9e890e6b4f5b&LocaleCode=en-us&JavaScriptOn=yes
Download the ISO:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2fcde6ce-b5fb-4488-8c50-fe22559d164e&DisplayLang=en
You can get avira rescue cd here
http://dlpro.antivir.com/down/vdf/rescuecd/rescuecd.iso
Date: 21 Oct 2008 - Version : 20081021142837
According to the HijackThis.De Analyzer these 4 entries look highly suspicious.DO NOT fix them until one of the experienced helpers has looked at your log
C:\DOCUME~1\AQUINO~1\LOCALS~1\Temp\winjrwdg.exe
C:\DOCUME~1\AQUINO~1\LOCALS~1\Temp\wingrev.exe
O4 - HKLM..\Run: [RRT-Auto] C:\Documents and Settings\aquinopc1\Desktop\RRT\RRT.exe auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
@micly77 tried disabling this one but HijackThis doesnt stop this process
@peln200 try to download this file later. im at work
@YoKenny just reformatted my pc so i doesnt have SP1.try to update it after i removed the virus
thanks for the responses guys!
you’re welcome! Hope it is helpfull the info i gave u. Take care
i found out where the virus came from. its from my flash drive. so what i did i inserted my flash drive to my clean pc running on xp SP2 with updated avast antivirus and updated spybot…drive autorun is disabled via registry and group policies. i tried formatting my usb since my infected pc doesnt allow me to format my flashdrive…it formatted the flash drive but after five minutes. the windows auto update turned off, firewall turned off and it also says no antivirus installed but infact i have avast installed…tried accessing task manager…and there it goes. :o it was infected…i made a full format on my newly infected pc and its a good thing i dont have much files on that pc. formatted both partition…and it was clean. i guess that is the last option i have…i will format my other pc…but i need to back up my files first. i hope there is a way for me to forward this information to avast since it infected my pc with an updated avast antivirus. thanks guys for all of your responses…you rock guys! ;D
Download and run this
1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.[*] Wait until it has finished scanning and then exit the program.[*] Reboot your computer when done.Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.
Disable system restore.
Get www.simplysup.com Trojan remover
Install update, then select all options under utilities menu. It’ll reset the registry entries etc to default