System Volume Information is not accessible, Access is denied, after PE_PATCHED.ET virus found on machine

Posted on 2009-02-08
Last Modified: 2012-05-06
Ok, I have WIN XP Home SP3 (fully up to date), Trend Micro running always, but I recently got the PE_PATCHED.ET virus.  I wanted to restore to a previous restore point, but while restore points are visible, clicking "NEXT" does not launch the restore process.  I tried to look into the System Volume Information folder and I get the message that it is not accessible.  I have checked and unchecked all of the appropriate boxes to see hidden system files and folders, and have tried to run System Restore in safe mode (as well as trying to see the System Volume Information folder).  All no luck.  Does anyone out there have any ideas?  Also, some other issues are 1) about half of the time I click on an internet address I get some other spam website, and 2) in My Computer I cannot open any drives (I need to open drives from Explorer).
Thanks for any help in advance, Jay
Question by: cbsquidss
    LVL 66

    Expert Comment

    How to take ownership of a file or a folder in Windows XP

    This might help the Restore problem. Use this procedure on the System Volume Information problem....

    Look for an Autorun.inf in the root of the C Drive..

    If present, delete it.....

    Additionally, go to the registry and look for the following key....


    Delete the _autoplay and Shell values you find....

    Backup the reg key first....
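Added example, not from the thread and not an Experts Exchange tool: the comment above says to delete an Autorun.inf found in the root of C:, but it is worth reading the file first, because the `open=`, `shellexecute=` and `shell\...\command=` lines tell you which dropped executable it was launching (and therefore what else to remove). The two Autorun.inf texts below are constructed for this example; the `RECYCLER\dropped.exe` path is a placeholder, not a file from the poster's machine.

```python
# Added example (not from the thread): parse an Autorun.inf the way Windows
# roughly does, then list every directive that would execute something.
# Sample files are constructed; the paths in them are placeholders.

EXEC_DIRECTIVES = {"open", "shellexecute"}   # run a program on autoplay/double-click

# Constructed: the shape a worm-dropped Autorun.inf typically takes.
SUSPECT_AUTORUN = r"""
[AutoRun]
;junk padding like this is ignored by Windows' INI parser, so ignore it too
open=RECYCLER\dropped.exe
shellexecute=RECYCLER\dropped.exe
shell\Open\Command=RECYCLER\dropped.exe
shell=Open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed: an Autorun.inf that only sets an icon and label.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section with lower-cased keys.
    Blank lines, ';' comments and lines without '=' are skipped, as Windows
    skips them; malware pads the file with such lines to break naive parsers."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(directive, target) pairs that would execute something: open=,
    shellexecute=, any shell\\<verb>\\command=, and a shell= line that
    overrides the default double-click verb."""
    hits = []
    for key, value in entries.items():
        if key in EXEC_DIRECTIVES:
            hits.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            hits.append((key, value))
        elif key == "shell" and value:
            hits.append((key, value))
    return hits


def assess(text, fixed_drive=True):
    """On a fixed drive such as C: there is no legitimate reason for an
    Autorun.inf that launches anything, so any launch directive means
    'remove'.  On removable media a single open=setup.exe is normal, so the
    verdict there is only 'review'."""
    hits = launch_targets(parse_autorun(text))
    if not hits:
        return "benign", hits
    return ("remove" if fixed_drive else "review"), hits


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_AUTORUN), ("benign", BENIGN_AUTORUN)):
        verdict, hits = assess(text)
        print(label, "->", verdict)
        for directive, target in hits:
            print("   ", directive, "=", target)
```

Run it against a copy of the file taken from the drive root (open it in Notepad or copy it to a thumb drive from another PC if Explorer will not show it); the targets it prints are the files to look for and delete along with the Autorun.inf itself.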
    LVL 66

    Assisted Solution

    As for the IE redirects.....

    Perhaps a HijackThis logfile might shed some insight...

    I would do a few things....Install and update Super Anti Spyware and reboot to Safe Mode. Then do a full scan, and see what it finds.
    AntiAdware, AntiSpyware, AntiMalware!
    One of the best on the market (and it is free, although you can upgrade and get Real Time Protection)

    Manual Definitions Download....

    You can do all of this from the Task Manager, using a Thumb Drive with these downloaded from another PC....

    Author Comment

    Thanks John - I am at work now but will follow your advice asap tonight - I'll get back with you,

    Author Comment

    I had some success, but while I can now get to the System Volume Information folder, Restore still will not run.  Here is the HijackThis file:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:06 PM, on 2/9/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\NETGEAR\WN121T\wn121t.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
    O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) -
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A17D03D1-1AE7-4D2C-BC24-3F123930A907}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4E8AAA8-E6F4-4A2A-9055-BE923EA305EF}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =,
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware  (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    End of file - 7884 bytes
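Added example, not from the thread and not part of HijackThis: a small triage pass over a HijackThis 2.0 log like the one just posted. HijackThis only lists entries; deciding what matters is manual, and for a "clicking a link takes me to a spam site" symptom the lines to read first are the R0/R1 IE page settings, O1 hosts entries, O2 BHOs, O17 NameServer settings and O18 protocol handlers. The script below pulls those out, collects the DNS servers from the O17 lines, and flags O4 autostarts that name a bare executable with no path (like `point32.exe` in the log above), which Windows has to locate by its standard search order. The log excerpt in the script is constructed for the example: the R0 URL and the O17 addresses (RFC 5737 documentation range) are placeholders, not values from the poster's log, which has them stripped.

```python
# Added example (not from the thread): triage a HijackThis 2.0 logfile.
# SAMPLE_LOG is constructed; its R0 URL and O17 addresses are placeholders.
import re

SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\\WINDOWS\\system32\\ctfmon.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [POINTER] point32.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A17D03D1-1AE7-4D2C-BC24-3F123930A907}: NameServer = 192.0.2.10,192.0.2.11
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.0.2.10,192.0.2.11
O23 - Service: Norton Ghost - Symantec Corporation - C:\\Program Files\\Symantec\\Norton Ghost\\Agent\\PQV2iSvc.exe

End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# HijackThis sections holding the settings a redirect infection tampers with.
REDIRECT_SECTIONS = {
    "R0": "IE start page",
    "R1": "IE default/search page",
    "O1": "hosts file entry",
    "O2": "browser helper object",
    "O17": "DNS NameServer setting",
    "O18": "protocol handler",
}


def parse_hjt(text):
    """Return [(code, body)] for every 'Rn - ...' / 'On - ...' entry line;
    the header, process list and trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def redirect_entries(entries):
    """Entries in the sections worth reading first for a redirect symptom."""
    return [(code, REDIRECT_SECTIONS[code], body)
            for code, body in entries if code in REDIRECT_SECTIONS]


def nameservers(entries):
    """Every DNS server address configured in an O17 line.  Compare these with
    what the ISP or router really hands out; a server you do not recognise
    explains redirects that survive a browser cleanup."""
    servers = set()
    for code, body in entries:
        if code == "O17" and "NameServer =" in body:
            value = body.partition("NameServer =")[2]
            servers.update(s.strip() for s in value.split(",") if s.strip())
    return sorted(servers)


def bare_run_entries(entries):
    """O4 autostarts whose command gives no directory, so Windows finds the
    executable by its standard search order (application and system
    directories, then PATH).  Usually legitimate, but cheap to hijack with a
    same-named file earlier in that order, so confirm which file actually runs."""
    hits = []
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if not m:
            continue
        cmd = m.group("cmd")
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe and "/" not in exe:
            hits.append((m.group("name"), exe))
    return hits


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for code, meaning, body in redirect_entries(entries):
        print(f"{code:4} {meaning:24} {body}")
    print("DNS servers:", ", ".join(nameservers(entries)))
    print("bare autostarts:", bare_run_entries(entries))
```

Point it at the real hijackthis.log (read the file into `parse_hjt` instead of `SAMPLE_LOG`). In the log above, the O17 values are what to check first for the redirect symptom: five interfaces and profiles all carry a NameServer entry, and those addresses should match the router's or ISP's DNS, not something unfamiliar.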

    Accepted Solution

    Things worked out pretty well after trying the solution presented here, as well as using both:
    Malwarebytes' Anti-Malware and VundoFix.exe, which I found suggested on another site.
