
Think I've got a virus - Little bit stuck


Comments

  • System
    System Posts: 178,346 Community Admin
    loaner wrote: »
    have you tried system restore? Is j: a flash drive? These could be the after effects of a cleaned up infection, ie. the files have gone, but the registry damage is still there.

    Yeah went to try system restore the other day but no matter what date I select, after restart I just get the message that Windows couldn't be restored to an earlier date. I hope it's just that they were corrupt and not an effect of the virus but I doubt that anyway.

    J: is the hard drive where Windows is installed; we've got 2 hard drives. C: was replaced a couple of years ago, so we re-installed on J: instead.

    Browntoa: I tried to fix the problems you highlighted in HijackThis and most worked, apart from the 010 Broken Internet Access, so I downloaded LSPFix and managed to get the browsers loading pages again. That's half the battle I suppose; now just to find out where this virus is hiding!

    I'll post the new logs soon
    This is a system account and does not represent a real person. To contact the Forum Team email forumteam@moneysavingexpert.com
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    If Malwarebytes does not do the trick I have another bit of software up my sleeve ;)
    Ex forum ambassador

    Long term forum member
  • System
    System Posts: 178,346 Community Admin
    Hey again.

    As mentioned previously, the internet is still working, and I thought I had sorted the Task Manager and regedit being disabled every time I start Windows, but after completing the MalwareBytes scan and restarting it's re-enabled itself!!

    The new log for HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:45:27, on 29/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    J:\WINDOWS\System32\smss.exe
    J:\WINDOWS\system32\winlogon.exe
    J:\WINDOWS\system32\services.exe
    J:\WINDOWS\system32\lsass.exe
    J:\WINDOWS\system32\Ati2evxx.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\System32\svchost.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\system32\Ati2evxx.exe
    J:\WINDOWS\system32\spoolsv.exe
    J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    J:\Program Files\Bonjour\mDNSResponder.exe
    J:\WINDOWS\System32\svchost.exe
    J:\Program Files\McAfee\MBK\MBackMonitor.exe
    J:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    j:\program files\common files\mcafee\mna\mcnasvc.exe
    j:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    J:\Program Files\McAfee\VirusScan\McShield.exe
    J:\Program Files\McAfee\MPF\MPFSrv.exe
    J:\Program Files\McAfee\MSK\MskSrver.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\Explorer.EXE
    J:\Program Files\McAfee.com\Agent\mcagent.exe
    J:\Program Files\Microsoft IntelliType Pro\itype.exe
    J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    J:\Program Files\iTunes\iTunesHelper.exe
    J:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    J:\WINDOWS\system32\ctfmon.exe
    J:\WINDOWS\system32\rundll32.exe
    J:\Program Files\iPod\bin\iPodService.exe
    J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    J:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    J:\Documents and Settings\Stewart\Desktop\HijackThis.exe
    J:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    J:\WINDOWS\system32\NOTEPAD.EXE
    J:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - J:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - J:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - J:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - J:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - J:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - J:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - J:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - J:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [mcagent_exe] J:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [McENUI] J:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
    O4 - HKLM\..\Run: [itype] "J:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [StartCCC] "J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [MBkLogOnHook] J:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "J:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "J:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "J:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] J:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = J:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download All with FlashGet - J:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - J:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///J:/Program%20Files/Risk/Images/stg_drm.ocx
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - J:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://xmaseh16.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///J:/Program%20Files/Risk/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -
    O23 - Service: Adobe LM Service - Adobe Systems - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - J:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - J:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - J:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (ipod service) - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - J:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - J:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - j:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - J:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - j:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - J:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - J:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - J:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - J:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NBService - Nero AG - J:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 9937 bytes




    And for MalwareBytes:

    Malwarebytes' Anti-Malware 1.23
    Database version: 1000
    Windows 5.1.2600 Service Pack 2

    21:37:17 29/07/2008
    mbam-log-7-29-2008 (21-37-17).txt

    Scan type: Quick Scan
    Objects scanned: 79735
    Time elapsed: 34 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{00ebb3b3-dead-4440-b1f8-b09dddb89ef3} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d9a7b3b6-1f8a-4cf9-a20c-bdf427dbdb4a} (Spyware.Banker) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    J:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
    J:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    J:\WINDOWS\system32\drivers\23a6f484.sys.XXX (Rootkit.KernelBot) -> Quarantined and deleted successfully.
    J:\Documents and Settings\Fraser\Local Settings\Temporary Internet Files\Content.IE5\76B8KE28\iocgtkbfk[1].htm.XXX (Rootkit.Agent) -> Quarantined and deleted successfully.
    J:\Documents and Settings\Fraser\Local Settings\Temporary Internet Files\Content.IE5\H37T2R9G\setup[1].exe.XXX (Rogue.Installer) -> Quarantined and deleted successfully.
    J:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    J:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    J:\WINDOWS\system32\xd.txt (Malware.Trace) -> Quarantined and deleted successfully.
    J:\WINDOWS\Downloaded Program Files\puren-gb.dll (Trojan.Agent) -> Quarantined and deleted successfully.




    Just wish I could find out why all of a sudden Windows is disabling these things every time it boots... At least the internet's up and running now, that's something!

    Thanks again for all of everyone's input and help :T
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    download ComboFix, download it here: combofix.exe
    • Important Notes:
      • You MUST save this to your Desktop and later run it from there. Do not run it yet!!!!!!
      • If you are running Kaspersky antivirus, it may pop up warnings about combofix.exe and catchme.exe being infected as Heur.Invader. These are false indications. You must tell Kaspersky to Skip or Ignore these and let ComboFix run. McAfee may also interfere with ComboFix.
    • Now right click on the combofix.exe icon on your Desktop and select Rename. Rename it to combo-fix.exe. This may help ComboFix to run where certain malware attempts to block the original file name from running.
    • Now click Start, select Run.. and Copy and Paste the below exactly as written into the Run box and then click the OK button
    "%userprofile%\desktop\combo-fix.exe" /killall
    • When you do this properly the Run dialog should look like the below ( click to enlarge the image ):
    combo-fix.jpg
    • Now ComboFix will begin to run. When it runs it will do the below in order to most effectively perform its job:
      • It will terminate some running processes.
      • It will set your clock to a 24 hour setting (will be restored to normal when finished running properly)
      • It will disconnect your PC from the internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
      • If malware is found, ComboFix will reboot your PC automatically when finished with the scan. When your PC restarts and after you log back in, ComboFix will finish running and create a log. Do not interrupt this process.
    • Notes:
      • Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
      • Do not attempt to use the internet or run anything else while it is running as you will most likely interfere with what it needs to do.
    • When finished, it will produce a log ( C:\combofix.txt ) for you. You will need to attach this log to your next message.
    http://forums.majorgeeks.com/showthread.php?t=152072
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    also fix these

    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe

    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - J:\Program Files\FlashGet\FlashGet.exe


    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///J:/Program%20Files/Risk/Images/stg_drm.ocx

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///J:/Program%20Files/Risk/Images/armhelper.ocx
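Added example, not part of this thread and not code from HijackThis or Malwarebytes: a small Python parser for the HijackThis v2 line format posted above, with a triage pass that flags the two O16 (Downloaded Program Files) conditions Browntoa singled out in the "also fix these" post: a control with no download source at all, and a control registered from a local file:/// path rather than a web URL. The sample lines are constructed in the same format (a handful of entries, not the poster's full log), and the pattern names and flag wording are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v2 format (a handful of lines, not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - J:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "J:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///J:/Program%20Files/Risk/Images/stg_drm.ocx
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - J:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

# One pattern per section type handled here; any other section falls through as a raw line.
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
RE_O4 = re.compile(r"^O4 - (.+?)\\\.\.\\(Run(?:Once)?): \[(.*?)\] (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\} \((.*?)\) -\s*(.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one HijackThis log line into a dict keyed by its section (O2, O4, O16, O23 or raw)."""
    line = line.rstrip()
    if m := RE_O2.match(line):
        return {"section": "O2", "name": m[1], "clsid": m[2].lower(), "path": m[3]}
    if m := RE_O4.match(line):
        return {"section": "O4", "hive": m[1], "key": m[2], "value": m[3], "command": m[4]}
    if m := RE_O16.match(line):
        return {"section": "O16", "clsid": m[1].lower(), "name": m[2], "source": m[3]}
    if m := RE_O23.match(line):
        return {"section": "O23", "name": m[1], "vendor": m[2], "path": m[3]}
    return {"section": line.split(" - ", 1)[0], "raw": line}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_dpf_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the two O16 checks from the thread: an ActiveX control whose download
    source is blank (orphaned entry) or is not an http(s) URL (for example file:///)."""
    flagged = []
    for e in entries:
        if e["section"] != "O16":
            continue
        src = e["source"]
        if not src:
            flagged.append((e["clsid"], "no download source recorded (orphaned DPF entry)"))
        elif not src.lower().startswith(("http://", "https://")):
            flagged.append((e["clsid"], f"control registered from non-web source: {src}"))
    return flagged


if __name__ == "__main__":
    for clsid, reason in flag_dpf_entries(parse_log(SAMPLE_LOG)):
        print(f"{clsid}: {reason}")
```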
This discussion has been closed.