Author Topic: invaded by a virus  (Read 355 times)

Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
invaded by a virus
« on: February 05, 2010, 03:47:43 PM »
Greetings,
This computer HP sr570F f with le1640 processor 2.7 gh with 2g ram running Vista Home Basic got a virus that basically said "this site is infected and downloaded a program". When it said this site was infected, I suspected a real problem. I am afraid it affected the other computers on the network. I ran your sequence on all of them, but there are still some things not right. 1. With this unit on the network, it will not hold the business operating system. The network has to be set up each time. 2. When scrolling, the computer says where it will stop, not you. It seeks out a point and returns no matter where you stop the scroll. (This has transferred to 2 other units.)

I attach the various logs and await your review.

Thanks,
Gus

Offline Kevin

  • Administrator
  • *
  • Posts: 10,682
  • Gender: Male
    • Kevin's Resource Center
Re: invaded by a virus
« Reply #1 on: February 06, 2010, 07:26:07 PM »
Hi Gus, you only attached the Malwarebytes' log. Did you run a HijackThis scan also? Please post that log here as well. Do the following also:

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.


Need help live? Visit the chatroom.

Was KRC helpful to you? If so, please recommend this forum to your family and friends...

If this forum has helped you, please make a donation to support it.

Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
Re: invaded by a virus
« Reply #2 on: February 08, 2010, 01:56:11 PM »
I'll try again

Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
Re: invaded by a virus
« Reply #3 on: February 08, 2010, 01:57:51 PM »
I can't get more than one attachment per reply????
Gus

Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
Re: invaded by a virus
« Reply #4 on: February 08, 2010, 02:01:35 PM »
Geez, something is really messed up with either me or the computer. The attachments that went thru were after 3-4 failed attempts. The mouse seems to have a mind of its own. I will pick another up later and see how it works.
Thanks for your patience.
Gus

Offline Kevin

  • Administrator
  • *
  • Posts: 10,682
  • Gender: Male
    • Kevin's Resource Center
Re: invaded by a virus
« Reply #5 on: February 08, 2010, 08:32:41 PM »
Regarding the two issues you mentioned in your first post:

1. So you lose your network connection each time you restart the computer?

2. I'm not sure what this second problem is about stopping you and the scrolling.

It doesn't look like much was found and removed. I assume the two issues above are still occurring? I still see some remnants of Norton remaining though which we can remove now...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote

Driver::
Norton Internet Security
Folder::
c:\program files\Norton Internet Security\
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.



Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
Re: invaded by a virus
« Reply #6 on: February 09, 2010, 12:54:02 PM »
Thanks for the reply. In answer to your questions: after the virus entered, I ran all of the programs in your spyware section but by mistake left it connected to the network. When I rebooted, the network stopped working. I reestablished it by shutting everything down and restarting. That worked, but the next morning, the network was down again. I disconnected this unit and have had no problems since. I will try again today.
Regarding the mouse: I believe it was a hardware failure. The mouse would not scroll reliably, and would return to a spot in the text that was not where I left it. I replaced the mouse and the problem is solved.
I attach the log from combofix with the info you gave.
I read some info on the combofix site and I believe the virus was one of the "pcsecure or defender" viruses; perhaps the sequence in your spy section got it.
Thanks again for your help.

Offline gusgije

  • KRC Supporter
  • *
  • Posts: 43
Re: invaded by a virus
« Reply #7 on: February 09, 2010, 01:18:16 PM »
I think it is now a good time to try and eliminate extraneous surfing on the computers. We do need access to numerous sites, but not personal email and other potentially harmful sites. Is it possible to allow only specific Internet sites to be viewed on the network? If so, how is it done? My idea is to have the network computers be restricted to only those sites used frequently for our business (a small engine repair shop) and not be permitted to just browse. All of the computers, except one, now are set up for standard user service, not administrator. (Concerning the lone exception: I have been unable to establish a standard user that will come up on the sign in screen. I establish a user, but when I log off and try to sign on, it does not appear. Only the administrator is available.) We have a hodgepodge of operating systems: 3 are on Vista, 1 on Windows 7 and one on XP Pro. They seem to communicate well but each takes a slightly different approach to make changes.
For all other search projects, another computer, not networked, would be used to search for the required information. That would at least eliminate contamination of the entire network. Any guidance you can offer will be appreciated.
Thanks
Gus

Offline Kevin

  • Administrator
  • *
  • Posts: 10,682
  • Gender: Male
    • Kevin's Resource Center
Re: invaded by a virus
« Reply #8 on: February 09, 2010, 11:07:37 PM »
What do you mean that you disconnected that first computer and no problems since? Is it causing the other computers to lose connections also? I don't see anything else that stands out on the log. If this computer still has problems, do the following:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

I recommend using Microsoft ISA Server if you have a Windows server running in your network. It will allow you to filter websites and even block all websites except those you allow. It is not free though and you will need to have Windows Server 2003 running.

A free alternative is Untangle:

http://www.untangle.com/

It has other features that you can install but it doesn't have as many advanced features and ease of use/setup like Microsoft ISA Server. Untangle does work on Windows XP SP3 or higher (Vista and probably 7) but only 32-bit versions for now.

I assume you have the friendly welcome screen where they click on the username to login and not the manual method where they type in the username? Usually it's the other way around where the administrator account will not show up. The user icon should be displayed on the welcome screen. Is this happening to all the stations including the XP Pro one? Any special software installed on these stations?

