
Topic: Looking for help with a virus from you smart people


ams14

    Topic Starter


    Rookie

    Looking for help with a virus from you smart people
    « on: April 24, 2008, 07:30:44 PM »
    I'm obviously new here, this is a great looking forum though, so thanks for that!

    I have a virus, the symptoms are

    1.  When I start up Explorer, it locks up for a couple of minutes, then eventually it comes online and everything is fine.

    2.  I can't get to my task manager through any of the means mentioned here.

    3.  McAfee firewall is working fine (and current) but the virus scan seems to be disabled.

    I carefully read and worked through the guide to getting started, however I have a few exceptions, as listed below

    Also, I have windows 2000.

    Steps 1 and 2 went fine.

    Step 3, I ran SuperAntiSpyware, however only the c:\ drive was selected (as it said in the instructions), not my additional drive.

    Step 4, I ran Malwarebytes on both my drives.

    I then thought I made a mistake by not running step 3 on both drives, so I went back and re-ran a SuperAntiSpyware scan on both drives. (That's why there are 2 logs, I included them both.)

    Step 5, I then went to update my Java, but the site recommended JRE 6, update 5 (not 6 as specified in the instructions).  I tried to download 6 anyway, but got an error.  So I currently have 5.

    My question:  I thought I would check before I went on to step 6, since I didn't follow the previous steps exactly.  Should I run step 6 and report back?

    Thank you, sorry if this is confusing.

    -andy


    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: Looking for help with a virus from you smart people
    « Reply #1 on: April 24, 2008, 07:39:35 PM »
    Go ahead with step 6.

    ams14


      Re: Looking for help with a virus from you smart people
      « Reply #2 on: April 24, 2008, 08:16:15 PM »
      Step 6: HijackThis Results

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 8:17:33 PM, on 4/24/2008
      Platform: Windows 2000 SP4 (WinNT 5.00.2195)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
      Boot mode: Normal

      Running processes:
      C:\WINNT\System32\smss.exe
      C:\WINNT\system32\winlogon.exe
      C:\WINNT\system32\services.exe
      C:\WINNT\system32\lsass.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\system32\spoolsv.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\system32\hidserv.exe
      c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
      C:\WINNT\system32\nvsvc32.exe
      C:\WINNT\system32\regsvc.exe
      C:\WINNT\system32\MSTask.exe
      C:\WINNT\System32\WBEM\WinMgmt.exe
      C:\WINNT\system32\mspmspsv.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\Explorer.EXE
      C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\PROGRA~1\mcafee.com\agent\mcagent.exe
      c:\progra~1\mcafee.com\vso\mcvsescn.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
      C:\Program Files\MSN Messenger\MsnMsgr.Exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
      C:\Program Files\CASIO\Photo Loader\Plauto.exe
      c:\progra~1\mcafee.com\vso\mcvsftsn.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
      O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
      O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
      O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
      O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
      O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
      O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
      O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
      O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
      O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
      O4 - Startup: CD-MENU.LNK = D:\MENU.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
      O15 - Trusted Zone: *.jeffco.k12.co.us
      O15 - Trusted Zone: http://*.mcafee.com
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-ca/4,0,0,90/mcinsctl.cab
      O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://access.ball.com/vdesk/terminal/urTermProxy.cab#version=5500,0,60116,2328
      O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://access.ball.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
      O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
      O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://access.ball.com/vdesk/terminal/urxhost.cab
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uchsc.edu
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uchsc.edu
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uchsc.edu
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
      O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
      O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
      O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

      --
      End of file - 7357 bytes

      Broni


      Re: Looking for help with a virus from you smart people
      « Reply #3 on: April 24, 2008, 08:32:28 PM »
      Not much there...

      *** You need to update your Java:
      http://java.sun.com/javase/downloads/index.jsp
      Java Runtime Environment (JRE) 6 Update 6
      Uninstall all previous versions of Java through Add\Remove.

      1. Print this post out, since you won't have access to it at some point.

      2. Close all windows, except for HijackThis.

      3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

      - O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
      - *O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      - *O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      - *O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
      - *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


      4. Click on Fix checked button.

      5. Restart your computer.

      After restart...

      1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
      Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
      Run CCleaner.

      2. Turn off System Restore:

      - Windows XP:
         1. Click Start.
         2. Right-click the My Computer icon, and then click Properties.
         3. Click the System Restore tab.
         4. Check "Turn off System Restore".
         5. Click Apply.
         6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
         7. Click OK.
      - Windows Vista:
         1. Click Start.
         2. Right-click the Computer icon, and then click Properties.
         3. Click on System Protection under the Tasks column on the left side
         4. Click on Continue on the "User Account Control" window that pops up
         5. Under the System Protection tab, find Available Disks
         6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
         7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
         8. Click OK

      3. Restart computer.

      4. Turn System Restore on.

      5. Download and install free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
      It won't interfere with your antivirus or firewall.

      6. Let me know how your computer is doing.
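
A triage pass over the HijackThis log from Reply #2, as an added example that is not part of either poster's messages: it splits the log into section codes (O2, O4, O23, ...) and marks entries for a closer look. The sample lines are copied from the log above; the three review heuristics and the assumption that C: is the system drive are choices made for this illustration, not HijackThis verdicts.

```python
import re

# Subset of the HijackThis log posted in Reply #2, copied verbatim.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: CD-MENU.LNK = D:\MENU.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 bodies: "<location>: [name] command" or "<location>: shortcut.lnk = target"
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
SYSTEM_DRIVE = "C:"  # assumption: matches C:\WINNT in the posted log


def parse_entries(text):
    """Return (section, body) for every entry line; headers and process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def review_notes(section, body):
    """Illustrative heuristics that mark an entry for manual review."""
    notes = []
    if body.endswith("(file missing)"):
        notes.append("target file missing: orphaned entry")
    if section == "O23" and " - Unknown owner - " in body:
        notes.append("no company name read from service binary")
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            drive = m.group("cmd").lstrip('"')[:2].upper()
            if re.fullmatch(r"[A-Z]:", drive) and drive != SYSTEM_DRIVE:
                notes.append("autostart target outside the system drive")
    return notes


def triage(text):
    """Return [(section, body, notes)] for entries with at least one note."""
    flagged = []
    for section, body in parse_entries(text):
        notes = review_notes(section, body)
        if notes:
            flagged.append((section, body, notes))
    return flagged


if __name__ == "__main__":
    for section, body, notes in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(notes)}")
```

A note only means the entry deserves a manual look; entries without a note still need the same judgment a human reviewer would apply.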

      ams14


        Re: Looking for help with a virus from you smart people
        « Reply #4 on: April 24, 2008, 09:26:10 PM »
        Thanks so much for helping me and for the quick response!

        I got Java 6 update 6 installed, and ran CCleaner.

        How do I turn off system restore in windows 2000?  Sorry for the dumb question.  The directions for XP and Vista don't jive... I don't have a System Restore tab under properties.

        Broni


        Re: Looking for help with a virus from you smart people
        « Reply #5 on: April 24, 2008, 09:34:17 PM »
        Sorry for that. Windows 2000 doesn't come with System Restore, but I have some recommendations for you in that matter...

        1. Install Recovery Console, if it's not installed, yet.
        How to install - http://support.microsoft.com/?kbid=216417
        How to use it - http://support.microsoft.com/?kbid=229716

        2. Install Erunt, which works like XP\Vista System Restore (or even better). I use it on all of my Windows versions.
        download- http://www.larshederer.homepage.t-online.de/erunt/
        manual - http://pcug.org.au/boesen/ERUNT/ERUNT.htm

        How is your computer doing, anyway?

        Did you go through all other steps?

        ams14


          Re: Looking for help with a virus from you smart people
          « Reply #6 on: April 24, 2008, 11:08:13 PM »
          So I believe I've done everything so far.

          I installed the recovery console.

          I installed and ran Erunt

          I then installed ThreatFire.

          Unfortunately, both the original symptoms are still unchanged.

          With ThreatFire running, Explorer won't open at all (I click on the icon and nothing happens).  So I disabled that, and was able to open Explorer again.

          I'm now getting a message at startup that McAfee Active Shield is missing some components and not running.  I should probably track down those disks and reload that?

          thanks for all the help!

          Broni


          Re: Looking for help with a virus from you smart people
          « Reply #7 on: April 25, 2008, 05:13:01 PM »
          Yeah, you may try to reinstall McAfee, but before you do so, go Start>Run, type in:
          services.msc
          Click OK.
          Services window will open.
          Go through the list, and make sure all McAfee services are set to Automatic.

          ams14


            Re: Looking for help with a virus from you smart people
            « Reply #8 on: April 25, 2008, 09:42:17 PM »
            Thanks Broni, for the help.  Still tracking down the McAfee disks and I'll try the re-install.  I'm leaving on vacation tomorrow for a week so I'll go for round 2 with this thing when I get back.


            Broni


            Re: Looking for help with a virus from you smart people
            « Reply #9 on: April 25, 2008, 09:48:06 PM »
            No problem.
            Have a nice trip :)

            ams14


              Re: Looking for help with a virus from you smart people
              « Reply #10 on: May 07, 2008, 09:31:57 PM »
              Hi!  Back from a nice week in Hawaii, hopefully I can get my computer running so I can look at my pictures.

              So I re-installed McAfee (On-access virus scan).  I went ahead and ran that.  So now I'm still having the original symptoms.  Any other ideas?

              thanks!

              Broni


              Re: Looking for help with a virus from you smart people
              « Reply #11 on: May 07, 2008, 09:46:22 PM »
              McAfee works now?
              Internet Explorer has a hiccup at startup, then works fine? What version?
              Task Manager doesn't open at all? How do you try to open it?

              ams14


                Re: Looking for help with a virus from you smart people
                « Reply #12 on: May 07, 2008, 10:15:36 PM »
                Yep, McAfee appears to be working now.

                Those are the symptoms. 

                Internet Explorer 6.0.2800.1106     SP1

                Task Manager:
                When I do <ctrl> <alt> <del>, the task manager button is disabled.
                When I do <ctrl> <shift> <esc>, a window pops up that says task manager has been disabled by the administrator.  Same story when I click 'start', 'run', 'taskmgr'.

                Broni


                Re: Looking for help with a virus from you smart people
                « Reply #13 on: May 07, 2008, 10:28:57 PM »
                For Task Manager problem, get Remove Restrictions Tool: http://www.raymond.cc/blog/archives/2007/06/28/restore-task-manager-regedit-and-folder-options-disabled-by-virus/

                Upgrade IE to version 7.

                ams14


                  Re: Looking for help with a virus from you smart people
                  « Reply #14 on: May 07, 2008, 10:48:22 PM »
                  I downloaded and ran RRT.  I then rebooted and got this box:

                  Windows - Driver Entry Point Not Found

                  The \SystemRoot\system32\drivers\TfFsMon.sys device driver could not locate the entry point IoGetDeviceAttachmentBaseRef in driver ntoskrnl.exe

                  The good news is it looks like Task Manager is finally working again... YAY!!!  I will upgrade Explorer next.

                  thanks!!!