NO IE + loadza viruses

I'm in at the deep end here. A long time ago a virus infected some files for Internet Explorer. Once I figured that IE wasn't going to run properly I installed Mozilla Firefox to use instead. After I did this my brother thought it'd be a good idea to uninstall IE, and at the time I didn't think it'd be bad either. Through extensive use of download programs we've somehow managed to get a lot of viruses on the computer. Most of them have been gotten rid of, yet one I can't seem to... The symptoms:
1. The sound is disabled in all games, sound options are disabled in Winamp etc.
2. When I do Ctrl+Alt+Delete, under the Processes tab it has the processes yet no identification under User Name, just left blank, and the virus name doesn't appear in the processes list.
3. Also under Ctrl+Alt+Delete, in the Users tab there seem to be no users running.
4. The desktop changes from the Windows XP layout and seems to change to that of the Windows 95 format, with all grey boxes and block titles etc.

The only sure-fire way I could think of getting rid of the problem/virus was going on Trend Micro HouseCall. The only problem: you can't run a test if you don't have IE on the computer. I have it on disk but it's on a broadband installation disk and there's no way to get at it without re-installing broadband, which I really really can't do!!!! I've searched over the internet; you can only get the updates for IE (as it figures you should already have it installed) and so I have no way of getting IE back on the computer.

Has ANYONE got a clue, or can help!!!???
 
I thought you could download IE 6 off of microsoft.com. Is it not there anymore?
 
Google and download a program called "hijackthis" (it's very small), run a scan and save a log file, then post the log on here. From that, I, or maybe even one of the people who know what they're talking about on here, might be able to figure out what's running that is causing you the problem. We can advise you from there.
 
IE 6 is an upgrade from IE 5; you cannot download the full version, well, not off the Microsoft website.

Logfile of HijackThis v1.99.1
Scan saved at 9:33:11 PM, on 5/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe

These are the persistent files which won't be removed. As you can see at the top, it cannot find the IE version. There are also 2 ATI files which link to my graphics card and 2 AVG files which are part of the antivirus service.
winlogon, svchost and wtsrv have also been a problem for a while, yet I have never found a way to get rid of them.

*This virus or problem seems to come and go; it has occurred twice before. The first time it just randomly stopped, the second I upgraded my internet connection. After a while it seems to get worse and I won't be able to connect to the internet.*
 
I suggest downloading "Microsoft Anti Spyware" and running that. Free to download from Microsoft. Great for getting rid of viruses.

I would also suggest AdAware if you don't have that. Get a few virus scanners... they help. Also, Microsoft Anti Spyware has security agents (a small popup asking if you want to let certain scripts run... saved me a few times).
It offers real-time protection and things and is overall... great!
 
He already has Microsoft AntiSpyware. And what is Grisoft? Never heard of it.
 
Grisoft is AVG antivirus. Does he have Microsoft Antispyware...? I don't see it in the startup list. If you don't have it it comes recommended.

svchost, winlogon, and WtSrv.exe are all legitimate files in most instances (WtSrv seems to be a driver for a graphics tablet; do you use one?)

However it's possible that they are malware masquerading as legit stuff (same goes for spoolsv.exe). It's certainly weird that svchost appears in your startup config so many times. Technically it shouldn't appear at all, I think...? It doesn't show up in my startup config, but still runs. I can't give you thorough advice on this, since I'm not an expert and wouldn't want to tell you to do something overly risky...

Do this, though - get microsoft antispyware, make sure avg is fully updated, maybe grab a few other good anti-spy progs, then reboot in safe mode and run them all there.

It's also strange that you can't perform the Trend Micro online check with Firefox, since they claim to support it on their page... maybe try downloading Opera 8 (www.opera.com) and having a go with that (it's a good browser based on Firefox). I just ran the online check with Opera just to see if it worked and it ran fine, so if you can't do it there's something dodgy.

edit - could be you need to update your java if you can't run the online check?

double edit - I read some of that log wrong :bonce: What you put as "running processes", I thought were startup entries...it is not unusual at all to have 3 instances of svchost running. This makes it all less suspect. There's nothing obviously screwing you up from what I can see, unless one of those legit processes is a fraud.
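
An added example, not part of the original thread or any poster's code: the masquerading check discussed above, run over the "Running processes" section of a HijackThis log. The expected directories are the standard Windows XP locations, the sample log is constructed from a few of the thread's paths plus two invented suspicious entries, and the function names and similarity cutoff are assumptions.

```python
import difflib
import ntpath
import re

# Core Windows XP binaries and the only directory each should run from.
EXPECTED_DIR = {name: r"c:\windows\system32" for name in (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Constructed sample: paths from the log above plus two invented bad entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\svch0st.exe

O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
"""

def running_processes(log_text):
    """Return the paths listed in the 'Running processes:' section."""
    paths, in_section = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and re.match(r"^[A-Z]\d+ - ", line):
            break  # the first R0/O23-style entry ends the section
        elif in_section and line:
            paths.append(line)
    return paths

def masquerade_candidates(paths, cutoff=0.85):
    """Flag system names in the wrong directory and near-miss spellings."""
    findings = []
    for path in paths:
        directory, name = ntpath.split(path)
        name = name.lower()
        if name in EXPECTED_DIR:
            if ntpath.normcase(directory) != EXPECTED_DIR[name]:
                findings.append((path, "wrong directory"))
        elif difflib.get_close_matches(name, list(EXPECTED_DIR), 1, cutoff):
            findings.append((path, "lookalike name"))
    return findings

if __name__ == "__main__":
    for path, reason in masquerade_candidates(running_processes(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

A clean result only means the names and paths look right; a replaced or patched binary in the correct directory needs a signature or hash check.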
 
I know he has it because of this program running: C:\WINDOWS\System32\MsPMSPSv.exe

MSP=Microsoft Spyware Protection
 
If you can bear redownloading Windows updates, I'd recommend a Windows repair installation. However, I know nothing about virus removal.
 
I will try the Microsoft anti-spyware.
I've also noticed, linked with svchost, in the running processes...
svchost.exe local service
wdfmgr.exe local service
svchost.exe network service

As far as I know these didn't run before 3 months ago and I'm sure that the network service shouldn't be there; I have no network running.
 
big_king_frosty said:
I will try the Microsoft anti-spyware.
I've also noticed, linked with svchost, in the running processes...
svchost.exe local service
wdfmgr.exe local service
svchost.exe network service

As far as I know these didn't run before 3 months ago and I'm sure that the network service shouldn't be there; I have no network running.

It's usually normal to have about 4, or even more instances of svchost running, one of which will be a local service, one which will be a network service, and the rest will be "system". I have 4 running atm, one network, one local, and 2 system (and I'm not running a network).

wdfmgr.exe is another legit program, to do with windows media player, and it turns up out of nowhere (same thing happened to me and I thought it was spyware).

When you run your anti-spy/whatever, do it in safe mode because it's more likely that dodgy stuff will show up there. There is a lot of crap which makes itself invisible under a normal windows startup. Other than that I really have no idea what is causing you the problems :eek:
 