
Inactive Two computers infected in a computer lab setup.

Discussion in 'Malware and Virus Removal Archive' started by smithno13, 2011/01/12.

  1. 2011/01/12
    smithno13

    smithno13 Inactive Thread Starter

    Joined:
    2008/10/24
    Messages:
    63
    Likes Received:
    1

    I have two computers that I am trying to clean at a Boys and Girls club I am volunteering at. Computer A is infected with the "AntiVirus Scan" rogue and Computer B with the "Good Memory" rogue. The virus is only active/infected on the standard "member" account on just that computer, and when I log in with staff or admin accounts, virus scans pick up nothing.
    I can't run much of anything from the member account.
    Computer A: Can't run anything, always the usual "______.exe is infected and cannot be run." Everything on IE is blocked except for the random sponsored websites (Viagra, and the rogue's purchase site).

    Computer B: Most apps can be run, but the virus seems to have blocked user access to the C drive, which makes everything very hard. I have been running things out of a network drive because that is all I can access. Just ran DDS (GMER and MBAM both could not run because of permissions) and soon after saving the logs, the computer was force reset by the virus. Next post will have DDS logs for B.

    I am not completely sure how the network is set up here, as the current "tech guy" is not exactly the best with computers. I am only here on a volunteer basis, and I am doing the best to fix these, but I am only slightly experienced.
     
  2. 2011/01/12
    smithno13

    smithno13 Inactive Thread Starter

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by dbimember at 14:18:41.57 on Wed 01/12/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.393 [GMT -7:00]

    AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\All Users\Application Data\sMucQTngLLRteNH.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\All Users\Application Data\v7XPaFXPtT.exe
    C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
    C:\WINDOWS\Explorer.EXE
    U:\Antivirus\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Microsoft Internet Explorer provided by Denver Broncos Boys & Girls Club
    uStart Page = hxxp://BroncosSvr08
    uDefault_Page_URL = hxxp://BroncosSvr08
    uSearch Bar = hxxp://www.google.com
    uInternet Settings,ProxyServer = BRONCOSSVR08:8080
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    uRun: [sMucQTngLLRteNH.exe] c:\documents and settings\all users\application data\sMucQTngLLRteNH.exe
    uRun: [Phopeyabegu] rundll32.exe "c:\documents and settings\dbimember\local settings\application data\radisda.dll ",Startup
    uRun: [Wciruyeze] rundll32.exe "c:\documents and settings\dbimember\local settings\application data\otujimon.dll ",Startup
    uRun: [v7XPaFXPtT] c:\documents and settings\all users\application data\v7XPaFXPtT.exe
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
    uPolicies-explorer: NoToolbarCustomize = 1 (0x1)
    uPolicies-explorer: NoBandCustomize = 1 (0x1)
    uPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
    uPolicies-explorer: NoManageMyComputerVerb = 1 (0x1)
    uPolicies-explorer: NoHardwareTab = 1 (0x1)
    uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
    uPolicies-explorer: NoNetworkConnections = 1 (0x1)
    uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
    uPolicies-explorer: NoFind = 1 (0x1)
    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
    uPolicies-explorer: NoChangeStartMenu = 1 (0x1)
    uPolicies-explorer: NoSetTaskbar = 1 (0x1)
    uPolicies-explorer: NoTrayContextMenu = 1 (0x1)
    uPolicies-explorer: NoDesktop = 1 (0x1)
    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
    uPolicies-explorer: NoCloseDragDropBands = 1 (0x1)
    uPolicies-explorer: NoMovingBands = 1 (0x1)
    uPolicies-explorer: NoActiveDesktop = 1 (0x1)
    uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    uPolicies-explorer: NoControlPanel = 1 (0x1)
    uPolicies-explorer: NoDeletePrinter = 1 (0x1)
    uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    uPolicies-explorer: DisableLocalMachineRunOnce = 1 (0x1)
    uPolicies-explorer: DisableLocalMachineRun = 1 (0x1)
    uPolicies-explorer: DisallowRun = 1 (0x1)
    uPolicies-disallowrun: 1 = msimn.exe
    uPolicies-disallowrun: 2 = nmain.exe
    uPolicies-disallowrun: 3 = outlook.exe
    uPolicies-system: NoDispCPL = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    uPolicies-system: DisableLockWorkstation = 1 (0x1)
    uPolicies-system: DisableChangePassword = 1 (0x1)
    uPolicies-system: HideLogonScripts = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241799770160
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243018427281
    DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} - hxxp://trax.nfocus.com/AppSupport/arview2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - \\broncossvr08\users\APPLIC~1\Mozilla\Firefox\Profiles\5z9t16tc.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://start.facemoods.com/?a=ppcb2
    FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/?a=ppcb2&s={searchTerms}&f=4&hl={language}&src=chrm
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
    R2 FwcAgent;Firewall Client Agent;c:\program files\microsoft firewall client 2004\FwcAgent.exe [2006-12-9 128832]
    R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-29 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\naveng.sys [2010-11-29 86064]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\navex15.sys [2010-11-29 1371184]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1003344]

    =============== Created Last 30 ================

    2011-01-12 00:56:46 0 ----a-w- c:\docume~1\dbimem~1\locals~1\applic~1\Xyiduwuyanacuro.bin
    2011-01-12 00:56:45 -------- d-----w- c:\docume~1\dbimem~1\locals~1\applic~1\{53EAB1F5-7E8B-4158-A966-18EEE8EA1A6A}
    2011-01-12 00:41:04 381440 ----a-w- c:\docume~1\alluse~1\applic~1\v7XPaFXPtT.exe
    2011-01-12 00:41:03 424960 ----a-w- c:\docume~1\alluse~1\applic~1\wXeJApPlJASySOI.dll
    2011-01-12 00:41:01 474624 ----a-w- c:\docume~1\alluse~1\applic~1\sMucQTngLLRteNH.exe
    2010-12-15 00:48:38 -------- d-----w- c:\docume~1\dbimem~1\locals~1\applic~1\WMTools Downloaded Files

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 14:19:32.15 ===============
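    Everything the rogue touched in the log above sits in the current-user scope: the `uRun` autostarts point at randomly named executables and DLLs under `All Users\Application Data` and the member profile's `Local Settings\Application Data`, the lockdown policies (`DisableTaskMgr`, `DisableRegistryTools`, `DisallowRun`, `NoControlPanel`, ...) are `uPolicies-*` entries, i.e. HKCU, and the Hosts entry blackholes a security site. That per-user footprint is consistent with only the member account being affected while admin logins scan clean. The following Python script is an added example, not part of the original thread or of DDS itself: it parses lines in the DDS "Pseudo HJT Report" format and flags those three patterns. The sample log embedded in it is constructed from a shortened subset of the entries above, the category names and the user-writable directory list are my own choices, and a policy hit only means "compare against the lab's GPO", since a managed lab legitimately sets some of the same values.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" format, modelled on a
# shortened subset of the log in this thread. Raw string: backslashes are
# literal Windows path separators.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sMucQTngLLRteNH.exe] c:\documents and settings\all users\application data\sMucQTngLLRteNH.exe
uRun: [Phopeyabegu] rundll32.exe "c:\documents and settings\dbimember\local settings\application data\radisda.dll ",Startup
uRun: [v7XPaFXPtT] c:\documents and settings\all users\application data\v7XPaFXPtT.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = msimn.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: HideLogonScripts = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# DDS prefixes: "u" = current user (HKCU), "m" = local machine (HKLM).
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$")
POLICY_RE = re.compile(r"^([um])Policies-(\w+): (\w+) = (\d+)")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)")
# A Windows path up to a closing quote or comma (rundll32 "path",Entry form).
PATH_RE = re.compile(r'[a-z]:\\[^",]*', re.I)

# Directory fragments a non-admin XP user can write to (my own list). An
# autostart pointing here is worth a look; one under Program Files or Windows
# usually is not.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Policies a rogue AV sets to keep the user from fighting back. A managed lab
# may set some of these by GPO, so a hit means "verify", not "malware".
LOCKDOWN_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools", "DisallowRun", "NoControlPanel",
    "NoDesktop", "NoFind", "NoWindowsUpdate", "DisableLocalMachineRun",
    "DisableLocalMachineRunOnce", "NoRun",
}


def analyze(log_text):
    """Return a list of (category, detail) findings for one DDS log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            scope = "HKCU" if hive == "u" else "HKLM"
            paths = [p.strip().lower() for p in PATH_RE.findall(cmd)]
            if any(d in p for p in paths for d in USER_WRITABLE):
                findings.append(("autostart-userdir", f"{scope} Run [{name}] -> {paths[-1]}"))
            # rundll32 loading a DLL by path is how the Phopeyabegu/Wciruyeze
            # entries in the thread's log start their payload.
            if cmd.lower().startswith("rundll32.exe") and paths:
                findings.append(("rundll32-loader", f"{scope} Run [{name}] loads {paths[-1]}"))
        elif m := POLICY_RE.match(line):
            hive, area, policy, value = m.groups()
            scope = "HKCU" if hive == "u" else "HKLM"
            if policy in LOCKDOWN_POLICIES and value == "1":
                findings.append(("policy-lockdown", f"{scope} {area}\\{policy}=1"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Anything other than localhost pointed at a loopback/null address
            # is a blackhole entry (here: a security site).
            if ip in ("127.0.0.1", "0.0.0.0") and host != "localhost":
                findings.append(("hosts-blackhole", f"{host} -> {ip}"))
    return findings


def count_by_category(findings):
    """Tally findings per category so a log can be triaged at a glance."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:18} {detail}")
    print(count_by_category(results))
```

Run it against a saved DDS log by reading the file into `analyze()`. The HKCU/HKLM tag in each finding is the useful bit for a lab like this one: a lockdown policy or autostart that lives only in HKCU of one account explains a per-account infection and points at that profile, while the same entries under HKLM would mean every account on the machine is affected.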
     


  4. 2011/01/12
    smithno13

    smithno13 Inactive Thread Starter

    Fixed, deleted the member folder on the C drive from an admin account and it repaired itself.
     
  5. 2011/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Self-help works too around here :)
     
  6. 2011/01/12
    smithno13

    smithno13 Inactive Thread Starter

    Haha, I went through and manually deleted all the virus files from the admin account on computer B before I was told about the folder deletion method. Time wasted :p
     
  7. 2011/01/12
    broni

    broni Moderator Malware Analyst

    If no other issues, good luck :)
     
