Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

virus and my log

Started by bigshot , May 23 2005 11:15 PM

  • Please log in to reply

#1
bigshot
Posted 23 May 2005 - 11:15 PM

bigshot

    New Member

  • Member
  • Pip
  • 5 posts
i recently got some virus, havent found anyone whos had the same problems, and this is the second time ive gotten this, basicly i dunno what caused it, but after a reboot it put a blue background over the top of mine with a red center where it says windows error. Ive done scans with adaware, spybot search and destroy, avg anti-virus, and dr. web, each found something, but i still have problems. First of all when i right click my xp desktop and go to properties, desktop tab, in the bottom left where it says "background" mine is greyed out and disabled, so i cant get rid of this crap background which is actually somehow put on top of my desktop. If someone knows how to enable this or experienced similar problems tell me. Also heres another problem, in any browser half the links on any webpage take me to some search site called www.clicksearchclick.com which is really annoying, so somehow this virus has penetrated any type of browser. Like i said ive ran a bunch of virus scans and they dont actually fix problems such as this, cos there may not be any virus left but settings have been tapmered with by a virus and they've been set like this permanently. (msn is removed emailaddress - Metallica if you have msn and have any suggestions add me, as i may forget to check the forums).
  • 0

Advertisements

#2
Kristy
Posted 23 May 2005 - 11:39 PM

Kristy

    Visiting Consultant

  • Member
  • PipPipPipPip
  • 1,099 posts
Hi bigshot,

Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and post your log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Most of what Hijack This lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

~Kristy
  • 0

#3
bigshot
Posted 24 May 2005 - 03:27 AM

bigshot

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
heres my last log, the details of the virus i have posted in the windows forum.
Ive been reading up, it sounds like its either the smitfraud virus of the clicksearchclick (which does popup) virus.
Logfile of HijackThis v1.99.1
Scan saved at 9:26:33 p.m., on 24/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Daemon Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\IMsecure\IMsecure.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PhantomDC-0.301-1.18a\DC++\DCPlusPlus.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winlogon] C:\windows\winlogon.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Msn Configuration Loader] msngms.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downlo...net32_EN_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O21 - SSODL: System - {580EF8C0-FFC4-45CC-AEF2-F8EA3DC455E6} - vr_sys.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1.0\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web Ltd - C:\Program Files\DrWeb\SpiderNT.exe
  • 0

#4
Metallica
Posted 24 May 2005 - 03:44 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts

O4 - HKLM\..\Run: [winlogon] C:\windows\winlogon.exe

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Msn Configuration Loader] msngms.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe

O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downlo...net32_EN_XP.cab

O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O20 - Winlogon Notify: csrs - csrs.dll (file missing)
O21 - SSODL: System - {580EF8C0-FFC4-45CC-AEF2-F8EA3DC455E6} - vr_sys.dll (file missing)

Reboot, upgrade XP and IE to SP1 and post a new HijackThis log.

Regards,
  • 0

#5
bigshot
Posted 24 May 2005 - 02:21 PM

bigshot

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
i think i either have sp1, or if not cant be bothered installing it. But thanks for the help.
  • 0

#6
bigshot
Posted 24 May 2005 - 02:31 PM

bigshot

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
heres the hijack this log after ive done what u suggested (except sp1)

Logfile of HijackThis v1.99.1
Scan saved at 8:29:37 a.m., on 25/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Daemon Tools\daemon.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IMsecure\IMsecure.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AVGANT~1.0\avgamsvr.exe
C:\PROGRA~1\AVGANT~1.0\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{47542566-DECB-4139-B568-3E54BFE408BC}: NameServer = 210.55.12.1,210.55.12.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGANT~1.0\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web Ltd - C:\Program Files\DrWeb\SpiderNT.exe
  • 0

#7
bigshot
Posted 24 May 2005 - 02:33 PM

bigshot

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
oops that last log included the trusted zone (forgot to install that inf file) but i have now, so ignore those.
  • 0

#8
Metallica
Posted 24 May 2005 - 02:39 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I still see one virus, I think.

Do an online virusscan for example here: http://housecall.trendmicro.com/

Let me know what the problem with SP1 is.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP