cbsquidss
asked on
System Volume Information is not accessible, Access is denied, after PE_PATCHED.ET virus found on machine
Ok, I have WIN XP Home SP3 (fully up to date), Trend Micro running always but I recently got PE_PATCHED.ET virus. I wanted to restore to a previous restore point, but while restore points are visible clicking "NEXT" does not launch the restore process. I tried to look into the System Volume Information folder and I get the message it is not accessible. I have checked and unchecked all of the appropriate boxes to see hidden system files and folders and have tried to run system restore in safe mode (as well as trying to see t he System Volume Information folder. All no luck. Does anyone out there have any ideas? Also, some other issues are 1) about half of the time I click on an internet address I get some other spam website, and 2) in My Computer I cannot open any drives (I need to open drives from explorer.
Thanks for any help in advance, Jay
Thanks for any help in advance, Jay
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks John - I am at work now but will follow your advice asap tonight - I'll get back with you,
Jay
Jay
ASKER
I had some success, but while I can now get to the System Volume Information folder, Restore still will not run. Here is the HiJack This file:
************************** ********** ********** *
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:06 PM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\csrss. exe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\System32\Ati2ev xx.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\cisvc. exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\TRENDM~1\INTER N~1\PcCtlC om.exe
C:\WINDOWS\system32\HPZipm 12.exe
C:\WINDOWS\System32\svchos t.exe
C:\PROGRA~1\TRENDM~1\INTER N~1\Tmntsr v.exe
C:\PROGRA~1\TRENDM~1\INTER N~1\TmPfw. exe
C:\PROGRA~1\TRENDM~1\INTER N~1\tmprox y.exe
C:\WINDOWS\System32\alg.ex e
C:\PROGRA~1\TRENDM~1\INTER N~1\PcScnS rv.exe
C:\WINDOWS\system32\Ati2ev xx.exe
C:\WINDOWS\System32\wbem\w miprvse.ex e
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.e xe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBT ip.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\NETGEAR\WN121T\wn121 t.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.e xe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi s.exe
C:\WINDOWS\System32\wbem\w miprvse.ex e
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIE Helper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0 BBC1D38A37 E} - C:\Program Files\Microsoft Office\Office12\GrooveShel lExtension s.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0 445EE16191 0} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien t.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0 819E2EAAC9 3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien t.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.e xe" runtime -Delay
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe " -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLEC oInst.dll" ,CheckUSBC ontroller
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBT ip.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE " /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121 t.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3 \Office12\ EXCEL.EXE/ 3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\j2re1.4.2\bin\n pjpi142.dl l
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\j2re1.4.2\bin\n pjpi142.dl l
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5 663EE0C6C4 9} - C:\PROGRA~1\MICROS~3\Offic e12\ONBttn IE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5 663EE0C6C4 9} - C:\PROGRA~1\MICROS~3\Offic e12\ONBttn IE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - C:\PROGRA~1\MICROS~3\Offic e12\REFIEB AR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-9 63509EAE56 B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8 226143CFC0 A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-F D6097610AE E} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-F FDE2BAC296 7} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-D C1FA91D2FC 3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197687889890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4 4455354000 0} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\T cpip\..\{A 17D03D1-1A E7-4D2C-BC 24-3F12393 0A907}: NameServer = 85.255.112.39,85.255.112.4 0
O17 - HKLM\System\CCS\Services\T cpip\..\{F 4E8AAA8-E6 F4-4A2A-90 55-BE923EA 305EF}: NameServer = 85.255.112.39,85.255.112.4 0
O17 - HKLM\System\CS1\Services\T cpip\Param eters: NameServer = 85.255.112.39,85.255.112.4 0
O17 - HKLM\System\CS2\Services\T cpip\Param eters: NameServer = 85.255.112.39,85.255.112.4 0
O17 - HKLM\System\CCS\Services\T cpip\Param eters: NameServer = 85.255.112.39,85.255.112.4 0
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3 CB6248B04C D} - C:\Program Files\Microsoft Office\Office12\GrooveSyst emServices .dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2ev xx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sg ag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.e xe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\PcCtlC om.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\PcScnS rv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm 12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\Tmntsr v.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\TmPfw. exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\tmprox y.exe
--
End of file - 7884 bytes
************************** ********** ********** ********** ***
**************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:06 PM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\System32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\cisvc.
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\TRENDM~1\INTER
C:\WINDOWS\system32\HPZipm
C:\WINDOWS\System32\svchos
C:\PROGRA~1\TRENDM~1\INTER
C:\PROGRA~1\TRENDM~1\INTER
C:\PROGRA~1\TRENDM~1\INTER
C:\WINDOWS\System32\alg.ex
C:\PROGRA~1\TRENDM~1\INTER
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\System32\wbem\w
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.e
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBT
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon
C:\Program Files\NETGEAR\WN121T\wn121
C:\Program Files\ATI Technologies\ATI.ACE\cli.e
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\WINDOWS\System32\wbem\w
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.e
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLEC
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBT
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {01A88BB1-1174-41EC-ACCB-9
O16 - DPF: {215B8138-A3CF-44C5-803F-8
O16 - DPF: {2357B3CF-7F8D-4451-8D81-F
O16 - DPF: {4871A87A-BFDD-4106-8153-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CCS\Services\T
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2ev
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sg
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.e
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
--
End of file - 7884 bytes
**************************
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://support.microsoft.com/kb/308421
This might help the Restore problem. Use this procedure on the System Volume Information problem....
2....
Look for an Autorun.inf in the root of the C Drive..
If present, delete it.....
Additionally, go to the registry and look for the following key....
"HKEY_CURRENT_USER\Softwar
Delete the _autoplay and Shell values you find....
Backup the reg key first....