
Topic: Please Help! Access Denied... No Media will play.... all .exe's removed!


Nikki1986

    Topic Starter


    Starter

     :-\ :'(

    Hello,

    Please can someone help. I've had problems with my computer in the past and always been able to resolve them, but this is beyond me!

    It happened suddenly. Turned computer on a couple of days ago and Avast found lots of things.. moved them all to chest and things were OK. Next day, turn it on again and it's all gone wrong. All my .exe's have been removed, no media will play - songs or videos - on Media Player or VLC (which I've never ever had a problem with before, even with other viruses), all my .exe's have gone (their images have turned to that "we don't know what this is" picture). If I try to do anything it says Access denied, like even copying and pasting documents.

    I've run AVG, Avast and Spybot - normally and in safe mode - and none have found anything. I don't know what to do, I want to try everything to avoid losing my whole hard drive.

    Can anyone help?

    Nikki1986

      Topic Starter


      Starter

      I've just done a HijackThis scan if that is any help.....



      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 6:08:05 PM, on 6/25/2009
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
      C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
      C:\WINDOWS\system32\CTsvcCDA.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
      C:\Program Files\Kontiki\KService.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\oodag.exe
      C:\Program Files\Spyware Terminator\sp_rsser.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\stsystra.exe
      C:\WINDOWS\system32\oodtray.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\system32\Rundll32.exe
      C:\WINDOWS\ehome\ehtray.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\DOCUME~1\Nikki!\LOCALS~1\Temp\clclean.0001
      C:\WINDOWS\eHome\ehmsas.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Star Downloader Toolbar Helper - {E16AB45F-35A8-4f4d-922F-8D00D760F85B} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
      O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
      O3 - Toolbar: Star Downloader Toolbar - {8CEB3591-5DDC-47ec-AF97-66699BC85FE0} - C:\Program Files\Star Downloader Toolbar\v2.0.0.5\Star_Downloader_Toolbar.dll
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\Nikki!\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
      O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Nikki!\Desktop\uTorrent.exe.exe"
      O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
      O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
      O4 - Global Startup: Bluetooth.lnk = ?
      O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
      O4 - Global Startup: SetPoint.lnk = ?
      O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
      O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
      O8 - Extra context menu item: Download with Star Downloader - C:\PROGRA~1\STARDO~1\sdie.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
      O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Nikki!\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
      O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Nikki!\Desktop\WH GBP Casino.lnk (file missing) (HKCU)
      O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://C:\Program Files\Escape Rosecliff Island\Images\stg_drm.ocx
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
      O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
      O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Escape Rosecliff Island\Images\armhelper.ocx
      O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
      O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
      O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
      O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
      O23 - Service: Dawn of Magic Drivers Auto Removal (pr2ahqjb) (pr2ahqjb) - Koch Media - C:\WINDOWS\system32\pr2ahqjb.exe
      O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

      --
      End of file - 10187 bytes

      Karnac



        Specialist

        Thanked: 211
        Nikki,

        Go here and try the process tool......http://www.computerhope.com/forum/index.php/topic,81761.0.html


        If that doesn't help go to .......http://www.computerhope.com/forum/index.php/topic,46313.0.html

        Follow the guidelines and post three logs and a specialist will review them in turn.


        Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

        Nikki1986

          Topic Starter


          Starter

          Right, so HijackThis is up there.

          Here is Malwarebytes log:

          Malwarebytes' Anti-Malware 1.38
          Database version: 2334
          Windows 5.1.2600 Service Pack 2

          6/25/2009 6:43:32 PM
          mbam-log-2009-06-25 (18-43-32).txt

          Scan type: Quick Scan
          Objects scanned: 110460
          Time elapsed: 11 minute(s), 5 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 1
          Folders Infected: 1
          Files Infected: 15

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

          Folders Infected:
          C:\Program Files\3wPlayer (Trojan.Downloader) -> Quarantined and deleted successfully.

          Files Infected:
          c:\windows\temp\login.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\system.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\taskmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\winamp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\zjhufhdfe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\3847691688.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\3851754188.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\4012066688.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\debug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\windows\temp\et5j6b3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          c:\program files\3wPlayer\Desktop__.ini (Trojan.Downloader) -> Quarantined and deleted successfully.




           :) And also SuperAntiSpyware

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 06/25/2009 at 09:51 PM

          Application Version : 4.26.1006

          Core Rules Database Version : 3955
          Trace Rules Database Version: 1897

          Scan type       : Complete Scan
          Total Scan Time : 02:53:35

          Memory items scanned      : 534
          Memory threats detected   : 0
          Registry items scanned    : 6832
          Registry threats detected : 0
          File items scanned        : 306733
          File threats detected     : 9

          Adware.Tracking Cookie
             C:\Documents and Settings\Nikki!\Cookies\[email protected][1].txt
             C:\Documents and Settings\Nikki!\Cookies\nikki!@tribalfusion[2].txt

          Adware.Casino Games (Golden Palace Casino)
             C:\DOCUMENTS AND SETTINGS\NIKKI!\MY DOCUMENTS\PADDY POWER POKER\CASINO.EXE

          Adware.Vundo Variant
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X01 - STARK RAVING DAD [KL0WNZ].SRT.BC!
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X03 - WHEN FLANDERS FAILED [KL0WNZ].SRT.BC!
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X12 - I MARRIED MARGE [KL0WNZ].SRT.BC!
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X14 - LISA THE GREEK [KL0WNZ].SRT.BC!
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X16 - BART THE LOVER [KL0WNZ].SRT.BC!
             N:\TV SHOWS\SIMPSONS COMPLETE SEASONS 1-17 [KL0WNZ]\SIMPSONS SEASON 03 - COMPLETE [KL0WNZ]\SUBS\ENGLISH\SIMPSONS 03X24 - BROTHER CAN YOU SPARE TWO DIMES [KL0WNZ].SRT.BC!



          Hope someone can help!