
Think I've got a virus - Little bit stuck

Hey, ran into a bit of a problem so here goes, hope someone can help.

In our house, got a wireless network set up with a laptop and an xbox 360. (Connected through a Linksys router to a PC)

Basically, got back from holiday last week and opened Firefox as normal. I've got several homepages set so there are usually 5 tabs opened at the top with various webpages. This time, however, all the tabs simply said 'Untitled'. Tried Internet Explorer just out of interest and got a cannot connect message. Checked the network settings and everything seemed fine, normal connections were there and repairing the connection didn't make any difference.

Went on the laptop to find the internet working fine there; I figured that it probably wasn't a router problem as the PC could still see the files on the laptop etc.

Back on the PC, went in to McAfee to see if my dad or brother had changed any settings whilst I was away and noticed the menu/interface seemed different and a bit "buggy" in that the different tabs on the left hand side were labelled twice and would act funny when I rolled the mouse over them (I can be more specific if need be.)

Wanted to close McAfee to see if that made any difference so tried to get into Task Manager using Ctrl+Alt+Del but a pop-up message came up saying that Task Manager had been disabled by administrator.... Never happened before so a quick search on the net and found a method to fix this via the registry.

Went to open the regedit command to receive a message saying Registry Editing had been disabled by administrator... Definitely knew something was up now. Managed to fix both these problems in order to get into registry to fix task manager problem, it's just that I don't know what to do next!

Every time I restart the PC the "...blocked by administrator" messages come back. I tried a couple of virus removal tools as I thought it might have been the Brontok virus but no luck there!

Just not sure what to do now, ran HijackThis and Spybot but neither made any difference and I'm unable to run Windows Update or anything and same for McAfee update.

Any ideas would be helpful, really don't know where to go with this one tbh, any help is appreciated though

Comments

  • iviv
    iviv Posts: 572 Forumite
    When you said you ran HijackThis, did you do anything with the results? It isn't directly a tool to fix problems, instead it just creates a list of various running processes with information, then you post the log somewhere and people who understand them can interpret the results, figure out which ones are causing the problems, and instruct you on how to remove them. You can try posting the log here, see if anyone here can do much with it, or google for a forum with more specific HijackThis help.
  • System
    System Posts: 178,342 Community Admin
    Hey thanks for replying so quickly.

    To loaner, what does that do exactly? I can burn it from the laptop so I'll try that once I find a disc lying around

    Iviv: yeah I meant to add to that oops. Just saved the log, meant to add it but I'll need to get it on that laptop to post it here as I can't get on the net on the main computer. I'll do that just now actually, couldn't see anything obvious in it so hope someone else will.
    This is a system account and does not represent a real person. To contact the Forum Team email forumteam@moneysavingexpert.com
  • System
    System Posts: 178,342 Community Admin
    Cool, thanks very much - I'll let you know how I get on
  • System
    System Posts: 178,342 Community Admin
    No luck with the antivirus from boot unfortunately, still starts up with Task Manager and registry editing disabled as well as the browsers not connecting to any sites.

    I'll post the HijackThis log I ran earlier out of interest and see if anyone spots anything.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:16:43, on 29/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    J:\WINDOWS\System32\smss.exe
    J:\WINDOWS\system32\winlogon.exe
    J:\WINDOWS\system32\services.exe
    J:\WINDOWS\system32\lsass.exe
    J:\WINDOWS\system32\Ati2evxx.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\System32\svchost.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\system32\Ati2evxx.exe
    J:\WINDOWS\system32\spoolsv.exe
    J:\WINDOWS\System32\svchost.exe
    J:\Program Files\McAfee\MBK\MBackMonitor.exe
    J:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    j:\program files\common files\mcafee\mna\mcnasvc.exe
    j:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    J:\Program Files\McAfee\VirusScan\McShield.exe
    J:\Program Files\McAfee\MPF\MPFSrv.exe
    J:\Program Files\McAfee\MSK\MskSrver.exe
    J:\WINDOWS\system32\svchost.exe
    J:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    J:\WINDOWS\Explorer.EXE
    J:\Program Files\Microsoft IntelliType Pro\itype.exe
    J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    J:\Program Files\iTunes\iTunesHelper.exe
    J:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    J:\WINDOWS\system32\ctfmon.exe
    J:\WINDOWS\system32\rundll32.exe
    J:\Program Files\iPod\bin\iPodService.exe
    J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    J:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    J:\Documents and Settings\Stewart\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - J:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - J:\Program Files\SiteAdvisor\6021\SiteAdv.dll (file missing)
    O2 - BHO: flashget urlcatch - {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - J:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - J:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - J:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - J:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Rmn plugin - {930247b4-16be-48d2-87dd-86d7fb314639} - ritz8.dll (file missing)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - J:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: (no name) - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - J:\Program Files\SiteAdvisor\6021\SiteAdv.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - J:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - J:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [mcagent_exe] J:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [McENUI] J:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [itype] "J:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [StartCCC] "J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [MBkLogOnHook] J:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "J:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "J:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "J:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Download All with FlashGet - J:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - J:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Broken Internet access because of LSP provider 'j:\windows\system32\ntdll64.dll' missing
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///J:/Program%20Files/Risk/Images/stg_drm.ocx
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - J:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xmaseh16.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///J:/Program%20Files/Risk/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
    O23 - Service: McAfee Application Installer Cleanup (0266231216915207) (0266231216915207mcinstcleanup) - Unknown owner - J:\WINDOWS\TEMP\026623~1.EXE (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - J:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - J:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - J:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (ipod service) - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Unknown owner - J:\Program Files\Kontiki\KService.exe (file missing)
    O23 - Service: Kwari.xLoader - Unknown owner - J:\Documents.exe (file missing)
    O23 - Service: MBackMonitor - McAfee - J:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - J:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - j:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - J:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - j:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - J:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - J:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - J:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - J:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 10443 bytes
  • System
    System Posts: 178,342 Community Admin
    Yeah, that part's fine, I found out a way to fix regedit and Task Manager using Start -> Run but I hadn't done it again before I ran the scan, just being lazy I guess!

    Thanks though, I'm going to post it on a couple other forums and see what I can find out...

    It's so weird, I've had a couple viruses before but this one seems way smarter than any of those.

    Anyways, I'll keep hunting - thanks guys!
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    This should allow you to enable regedit:

    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • System
    System Posts: 178,342 Community Admin
    ^^ thanks I'll try that just now, let you know how it goes!
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Fix these in HijackThis first:

    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - J:\Program Files\SiteAdvisor\6021\SiteAdv.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Rmn plugin - {930247b4-16be-48d2-87dd-86d7fb314639} - ritz8.dll (file missing)

    O3 - Toolbar: (no name) - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - (no file)

    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - J:\Program Files\SiteAdvisor\6021\SiteAdv.dll (file missing)

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    O10 - Broken Internet access because of LSP provider 'j:\windows\system32\ntdll64.dll' missing

    O23 - Service: McAfee Application Installer Cleanup (0266231216915207) (0266231216915207mcinstcleanup) - Unknown owner - J:\WINDOWS\TEMP\026623~1.EXE (file missing)

    O23 - Service: Kwari.xLoader - Unknown owner - J:\Documents.exe (file missing)
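Browntoa's list above picks out the entries a helper would fix first: orphaned BHO and toolbar registrations whose file is gone, the O7 policy value that disables regedit, the O10 broken Winsock LSP, and services with no owner or a missing executable. The script below is an added example written for this page (it is not part of the thread, nor part of HijackThis or Malwarebytes) that applies those same selection rules to a constructed excerpt of the log posted earlier. It assumes only the 'Xn - body' line format seen in that log; the sample entries are copied from the posted log, and the reason strings are the example's own wording.

```python
import re

# Constructed sample in the same 'Xn - body' format as the HijackThis log posted
# in this thread (entries copied from it); the header and the running-process
# list are omitted because the triage only looks at prefixed entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Rmn plugin - {930247b4-16be-48d2-87dd-86d7fb314639} - ritz8.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [itype] "J:\Program Files\Microsoft IntelliType Pro\itype.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'j:\windows\system32\ntdll64.dll' missing
O23 - Service: Kwari.xLoader - Unknown owner - J:\Documents.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - J:\Program Files\McAfee\VirusScan\McShield.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# HijackThis appends one of these when the registered file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_entries(log_text):
    """Return [(section, body), ...] for each prefixed entry line, skipping
    headers, blank lines and the running-process list."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def classify(section, body):
    """Return a short reason if the entry deserves attention, else None."""
    if section == "O7":
        # A value such as DisableRegedit=1 (or DisableTaskMgr=1) under
        # ...\Policies\System is what produces the "disabled by your
        # administrator" message described in the thread.
        return "restrictive policy set: " + body.rsplit(",", 1)[-1].strip()
    if section == "O10":
        # A Winsock LSP entry whose DLL is gone breaks networking for every
        # user program, which matches browsers that cannot connect at all.
        return "Winsock LSP chain broken (explains browsers failing to connect)"
    if section == "O23" and "Unknown owner" in body:
        return "service with no publisher information"
    if body.endswith(ORPHAN_MARKERS):
        return "orphaned registration (referenced file absent)"
    if section in ("O2", "O3") and "(no name)" in body:
        return "unnamed browser helper object / toolbar"
    return None


def triage(log_text):
    """Return [(section, reason, body), ...] in log order, one per flagged entry."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = classify(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}\n     {body}")
```

Ticking an entry and choosing "Fix checked" in HijackThis removes or repairs the registry entry, not the program that wrote it. That is why the O7 policy can reappear after a reboot, as the original poster describes, and why Browntoa asks for the Malwarebytes log and a fresh HijackThis log afterwards: the fresh log shows whether the entries came back.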
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Then, after Malwarebytes has been run, post that log and a fresh HijackThis log.
This discussion has been closed.