Thread: Help required please after virus removal

  1. #1 (Join Date: Aug 2006, Posts: 2)

    Help required please after virus removal

    I have recently picked up a number of trojans and worms (including W32 Alcra B) and have run Sophos (with all recent updates included). Initially I renamed a number of files and then two of them I quarantined, but since I rebooted I cannot load many Windows programmes such as IE, Windows Explorer, and the links to places like My Documents or any file management capability do not seem to work. I therefore cannot even find out the filenames of the renamed or quarantined files or the virus names, as I cannot access the log without Windows Explorer.

    Other Windows programmes, for example applications in Office, will work, but every time I try to launch IE or Windows Explorer from either the desktop shortcut or the programme menu all the icons disappear momentarily and then gradually refresh and the application does not launch. I have tried to restore the system to several previous restore points but without any success - it refuses to restore to anything before that.

    Any advice would be appreciated. I have enclosed the HJT log but don't think this is much help here.

    regards

    Pete
    Logfile of HijackThis v1.99.1
    Scan saved at 15:35:52, on 30/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Sophos\Remote Update\cachemgr.exe
    C:\WINDOWS\UGV0ZXI\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sophos SWEEP\SWNETSUP.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\{3CF7200A-0AE9-1033-0517-04041620002c}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\TEMP\idd3BE.tmp.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://outlook.business.brookes.ac.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097765544421
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156901424187
    O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
    O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGV0ZXI\command.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP\SWNETSUP.EXE
    O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP\SWEEPSRV.SYS

  2. #2 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    I think we need more information here...what do you mean you renamed these files...and why did you rename them?

    What were the names of these files BEFORE you renamed them?

    You seem to have processes running from your TEMP files as indicated here:
    C:\WINDOWS\TEMP\idd3BE.tmp.exe

    Also, what do you mean by this "mad" face in your log?
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    Go into Task Manager (ctrl-alt-delete) and end the following processes:
    command.exe
    Update.exe

    Your log shows that Windows Explorer IS running.


    Have you followed these steps given here?
    READ ME Before Posting A Request For Assistance!
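The triage the reply above does by eye (processes running out of a TEMP directory, O23 services with no vendor information, and checking whether those services' binaries are among the running processes) can be scripted. The following is an added example, not code from the thread or from HijackThis itself: it parses a constructed excerpt of the log posted above and flags the same entries. The regular expressions for the log format and the finding categories and severities are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: an excerpt of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:35:52, on 30/08/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\UGV0ZXI\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\TEMP\idd3BE.tmp.exe
C:\Program Files\hijack this\HijackThis.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGV0ZXI\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

# Assumed patterns for the HJT 1.99 text format (not HijackThis' own parser).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r'^(?P<hive>.+?): \[(?P<key>[^\]]+)\] "?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?')


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)      # "Running processes:" section
    services: List[Dict[str, str]] = field(default_factory=list)   # parsed O23 entries
    autostarts: List[Dict[str, str]] = field(default_factory=list) # parsed O4 entries


def parse_hjt(text: str) -> HjtLog:
    """Split an HJT log into running processes, O23 services and O4 autostarts."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
            else:
                log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O23":
            sm = O23_RE.match(body)
            if sm:
                log.services.append(sm.groupdict())
        elif code == "O4":
            am = O4_RE.match(body)
            if am:
                log.autostarts.append(am.groupdict())
    return log


def triage(log: HjtLog) -> List[Dict[str, str]]:
    """Apply the checks from the reply: TEMP paths, unknown-owner services, and
    unknown-owner services whose binary is currently running."""
    findings: List[Dict[str, str]] = []
    unknown_owner_paths = set()
    for svc in log.services:
        if svc["owner"].strip().lower() == "unknown owner":
            unknown_owner_paths.add(svc["path"].lower())
            findings.append({"severity": "medium", "kind": "service-no-owner",
                             "path": svc["path"],
                             "detail": f"O23 service '{svc['name']}' has no vendor information"})
    for path in log.processes:
        if TEMP_DIR_RE.search(path):
            findings.append({"severity": "high", "kind": "process-from-temp", "path": path,
                             "detail": "running process loaded from a temporary directory"})
        if path.lower() in unknown_owner_paths:
            findings.append({"severity": "high", "kind": "unknown-service-running", "path": path,
                             "detail": "binary of a service with no vendor information is running"})
    for auto in log.autostarts:
        if TEMP_DIR_RE.search(auto["path"]):
            findings.append({"severity": "high", "kind": "autostart-from-temp", "path": auto["path"],
                             "detail": f"O4 autostart [{auto['key']}] points into a temporary directory"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['kind']:24} {f['path']}  ({f['detail']})")
```

Run against the excerpt this reports the two unknown-owner services, flags both as currently running, and flags the process under C:\WINDOWS\TEMP; the Sophos service and the O4 RealPlayer entry produce nothing. A flag is a prompt to look closer (vendor lookup, file properties, hash check), not a verdict: plenty of legitimate software registers services without a recognised owner string.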

  3. #3 (Join Date: Aug 2006, Posts: 2)

    Apologies for not reading the crib first

    Thanks -my problem now appears to be solved having followed most of the advice in the instructions you related to me to read before coming back although I could not run Defender in safe mode for some reason.

    In answer to your question about the viruses - I am not sure what they were because Sophos renamed them because I incorrectly set this as the default action for disinfection - I also had to reload Sophos, which seemed to overwrite the logs, so cannot even go back now. Anyway, thanks for the advice and all now seems to be well, and I now have a much better suite of malware/adware and security tools than I had before and have learned a lot about PC housekeeping and fixing - I have also ditched Limewire.

    regards
    OxforPete

    Many thanks

  4. #4 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)

    Fantastic, Pete. The programs recommended in PP's thread are the best. I would not worry about being unable to run Defender in safe mode. It is still a beta version, so maybe something was in conflict there or something.
