Author Topic: Ive got a virus and nothing is picking it up  (Read 7016 times)


askanthea

Ive got a virus and nothing is picking it up
« on: February 08, 2010, 04:36:54 PM »
Okies - I've run Avast 4.8 Free Home, SuperAntiSpyware and Malwarebytes, nothing - it basically will copy itself onto a memory stick and infect another computer this way, and either locks out or changes the administrator rights to the C: D: E: F: etc. drives. Drives can still be accessed from, say, My Documents or My Music, but not from My Computer. Here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 15:19:49, on 08/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - c:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - c:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [O2Start] C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe /s
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/bt/wbiw/bin/wizard.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178101894968
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 7551 bytes


Cheers if you can help

andy

computerfreaker

Re: Ive got a virus and nothing is picking it up
« Reply #1 on: February 08, 2010, 04:50:00 PM »
1 Download OTL to your Desktop
2 Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
3 Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
c:\windows\system32\*.dll /lockedfiles
c:\windows\system32\drivers\*.sys /lockedfiles
%systemroot%\*. /mp /s
CREATERESTOREPOINT


4 Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply as an attachment.

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #2 on: February 08, 2010, 05:22:11 PM »
Here's the OTL

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #3 on: February 08, 2010, 05:25:03 PM »
And here's the Extras - couldn't paste, too big!! lol

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #4 on: February 08, 2010, 07:06:28 PM »
I'm by no means an expert, but I can't see anything abnormal?
Andy xx

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #5 on: February 08, 2010, 07:10:46 PM »
I cleaned the USB stick by repartitioning with a Linux live CD (Puppy) so that's done - I can always infect a clean stick and then zip up its contents and post it to everyone? Or is that a bad idea? lol xx Andy

spg SCOTT

Re: Ive got a virus and nothing is picking it up
« Reply #6 on: February 08, 2010, 07:22:46 PM »
Hi Andy,

OTL is a specialist tool that very few here can read, one being essexboy. When he is online he should be able to take a look and see if there is anything that needs attention.

http://forum.avast.com/index.php?topic=53253.0

-Scott-

cakedoer2

Re: Ive got a virus and nothing is picking it up
« Reply #7 on: February 08, 2010, 08:27:34 PM »
Your firewall doesn't seem to be active, but so far everything else seems to be... OK, in my eyes. I'm not as experienced as essexboy, but you should delete all of the toolbars and useless programs you have there. You also seem to have installed IE7... I think. You have IE8 but IE7 also seems to be there.

EDIT: Also, there is already a SP3 for XP - it has many stability and security updates, as well as overall improvements and increased speed. Here is a linky - http://www.microsoft.com/downloads/details.aspx?FamilyId=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en.
« Last Edit: February 08, 2010, 08:33:21 PM by cakedoer2 »

Pondus
Re: Ive got a virus and nothing is picking it up
« Reply #8 on: February 08, 2010, 08:41:31 PM »
I cleaned the USB stick by repartitioning with a Linux live CD (Puppy) so that's done - I can always infect a clean stick and then zip up its contents and post it to everyone? Or is that a bad idea? lol xx Andy
Panda USB and AutoRun Vaccine
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

essexboy

  • Malware removal instructor
Re: Ive got a virus and nothing is picking it up
« Reply #9 on: February 08, 2010, 09:37:00 PM »
Your USB drives are carrying the infection; after this, run MBAM.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
O33 - MountPoints2\{eb529c06-f8d5-11db-9c8a-806d6172696f}\Shell\AutoRun\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\{eb529c06-f8d5-11db-9c8a-806d6172696f}\Shell\explore\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\{eb529c06-f8d5-11db-9c8a-806d6172696f}\Shell\open\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\{eb529c07-f8d5-11db-9c8a-806d6172696f}\Shell\AutoRun\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\{eb529c07-f8d5-11db-9c8a-806d6172696f}\Shell\explore\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\{eb529c07-f8d5-11db-9c8a-806d6172696f}\Shell\open\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\C\Shell\AutoRun\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\C\Shell\explore\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\C\Shell\open\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\D\Shell\AutoRun\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\D\Shell\explore\command - "" = usbConfig\DoNotDelete.exe
O33 - MountPoints2\D\Shell\open\command - "" = usbConfig\DoNotDelete.exe

:Commands
[purity]
[emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
THEN

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #10 on: February 09, 2010, 10:19:23 AM »
I've now noticed (it might have done it before), but the first time you click Internet Explorer on the desktop it doesn't associate anything with it and asks if I want to delete the shortcut; close this and click it again and Internet Explorer opens? Very odd, but here are the log files - still says from within My Computer C: access denied, D: access denied - the original HDD icons are replaced with generic yellow folder icons - as before. ;-(

As someone mentioned the autorun.inf - on the C: drive, here's what it says:

#################################################
[autorun
;?\mW
:jmp0
;wá?mL?????Ý??
open=usbConfig\DoNotDelete.exe
;Ê??ëx?ÝI??ñ?ò?àIà?
:jmp4
;ò?n???ä
icon=%SystemRoot%\system32\SHELL32.dll,4
;f
action=Open folder to view files using Windows Explorer
;u
shell\\\\\open\\\\command=usbConfig\DoNotDelete.exe
;?JR'???
shell\\\\\explore\\\\command=usbConfig\DoNotDelete.exe
;ÍMNn???å??
useautoplay=1
;
:GOTO NULL

Log attached.

Andy
xx
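A defender's-eye parser for the autorun.inf quoted above, added here as an example (not code from the thread or from any tool mentioned in it): it skips the junk ';' comment and ':' label lines, collapses the padded `shell\\\\\open\\\\command` key spelling, reports which keys would launch a program (the same verbs Windows caches per drive under MountPoints2, which is what the OTL fix above removes), and flags the file when it dresses an executable up as the normal "Open folder" action. The sample input is constructed from the entries in the post, with the binary comment garbage replaced by a placeholder.

```python
import re
# Constructed from the [autorun] entries quoted in the post above; the binary
# junk in the ';' comment lines is replaced by a readable placeholder.
SAMPLE_AUTORUN = r"""[autorun
;<junk bytes>
:jmp0
open=usbConfig\DoNotDelete.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files using Windows Explorer
shell\\\\\open\\\\command=usbConfig\DoNotDelete.exe
shell\\\\\explore\\\\command=usbConfig\DoNotDelete.exe
useautoplay=1
:GOTO NULL
"""

# Keys, and shell\<verb>\command keys (any run of backslashes), whose value gets executed.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\+([^\\]+)\\+command$")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping the ';' comment
    and ':' label padding lines and tolerating a header missing its ']'."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";:":
            continue
        if line.startswith("["):
            in_autorun = line.strip("[] ").lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        m = SHELL_CMD_RE.match(key)
        if m:  # normalise shell\\\\\open\\\\command -> shell\open\command
            key = "shell\\%s\\command" % m.group(1)
        entries[key] = value.strip()
    return entries

def executed_commands(entries):
    """Sorted (key, command) pairs that would launch a program."""
    return sorted((k, v) for k, v in entries.items()
                  if k in EXEC_KEYS or SHELL_CMD_RE.match(k))

def is_disguised(entries):
    """True when the harmless 'Open folder' action is routed to a program, as above."""
    action = entries.get("action", "").lower()
    return bool(executed_commands(entries)) and "open folder" in action
```

The `icon=` entry pointing at SHELL32.dll is why the drives showed up as generic folder icons; an autorun.inf on a fixed disk that carries any of the reported keys is worth investigating, since legitimate ones are rare.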

askanthea

Re: Ive got a virus and nothing is picking it up
« Reply #11 on: February 09, 2010, 10:30:54 AM »
I renamed the autorun.inf files on C: and D: and rebooted, PRESTO, no problemo - everything opens as usual, even Internet Explorer did too? But I'm going to reboot a couple of times and keep checking things? Ohh, mbam.exe did find a fake trojan after the last search which wasn't there before??? - 'cos I ran it, then did what you advised, updated it and ran it again; after the update it found a fake, rebooted, renamed the autorun.inf's and rebooted again, then looks like I'm back to normal - thanks chaps, and thanks to the chap who said about the Panda USB proggy; whilst I didn't use it, it gave me the pointer to thinking that the HDD didn't need the autorun.inf.

Now, have I posted a rogue script above?? In which case a moderator might wanna delete it - to stop someone nicking it, putting it on a memory stick and spreading it again???

just a thought?

Andy - Cheers essexboy - people tell me I'm a star, but I guess I just don't shine as bright as you? :-) www.andytheclown.co.uk xx