Windows Odd virus-like activity

  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

My Win 2000 machine recently got hit with a virus. (my son downloaded a file to the desktop with the icon "TAG" and the name searchus.exe. He launched it and we started getting tons of popups through IE)
After much cleanup I have one remaining problem. On bootup, when I hit Ctrl-Alt-Del to login, it pops up a blank window with an "OK" button at the bottom. If you don't click OK you can't get the login screen. Seems like it's forcing me to launch a program (virus) before login. I can't seem to find or kill whatever it is. Can anybody help?
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6254
  • Loc: Seattle, WA

Post 3+ Months Ago

Follow these directions and post a HijackThis log here so we can take a look.
  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

I ran Housecall last night. Took a LONG time. I just let it run all night. It found several viruses. When I clicked Remove Infections (or whatever that button said) it popped up a window warning that some files are marked for deletion, not just disinfection. I clicked OK and all I got was right back to the previous screen. I clicked Remove Infections again and the scenario repeated itself. Housecall never actually cleaned or deleted any files. Had to go to work so I left. Will try more tonight. I wrote down the files it found and noted that the firewall I recently installed caught a downloader virus trying to download a file around midnight. The firewall denied and deleted it as it should have. At least something's going right.
Oh yeah, I recently deleted Active-X and Java when going through the machine looking for sources of the issue. Had to reinstall Java to run Housecall.
  • shatter2day
  • Graduate
  • Posts: 185
  • Loc: N.Y.

Post 3+ Months Ago

Uhm, name of HijackThis log? Or virus? You may be going in the right direction with Housecall, but without some specifics I'm not sure anyone here can help much.
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6254
  • Loc: Seattle, WA

Post 3+ Months Ago

We can probably get a decent amount of things cleaned up if you post a HJT log.
  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

I'm working on a HJT log. First I'm trying to follow the directions originally sent to me, which include things like "run Housecall, run AdAware...", etc. Housecall takes a very long time to run, and I generally let it run before I go to bed and finish it in the morning. Last night I had success running it and deleted the viruses it found. Ran AdAware and fixed issues. Ran Spybot and at the end (after it found issues) it said I needed to register and pay 19.99 to actually remove the issues. Haven't done that yet as I've already spent noticeable money on similar programs which have also fixed issues they found. Still have the phantom window pop up before the login screen though. Sigh.
  • deathblade
  • Proficient
  • Posts: 419
  • Loc: u.k

Post 3+ Months Ago

So next, post a HijackThis log for us to look at; it will only take a few mins max.
  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

OK here's the HJT log: (I'm guessing there's an issue with SMSS.EXE)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:52 PM, on 1/15/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.happynews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0954FFBE-1FEE-48DF-A596-802BE24C2E86} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C52D1B11-0DA6-40F1-BC1D-BD6054A2726A} - (no file)
O2 - BHO: (no name) - {c777f359-07ff-4775-be08-01118a3ad200} - (no file)
O2 - BHO: (no name) - {EF99C205-F050-475A-88BE-4D591E1B6D14} - (no file)
O2 - BHO: (no name) - {FC8FDC50-9D94-4FD2-A404-D1B5D124CCD5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O24 - Desktop Component 1: Telegraph | Opinion | Victory leaves Hamas with a dilemma - http://www.telegraph.co.uk/opinion/main ... /ixop.html
O24 - Desktop Component 2: Telegraph | Opinion | Victory leaves Hamas with a dilemma - http://www.telegraph.co.uk/opinion/main ... /ixop.html

--
End of file - 6809 bytes
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6254
  • Loc: Seattle, WA

Post 3+ Months Ago

Reboot into safe mode (hold down F8 as the computer is booting up) and fix the following entries using HijackThis:
Quote:
O2 - BHO: 0 - {0954FFBE-1FEE-48DF-A596-802BE24C2E86} - (no file)

O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)

O2 - BHO: (no name) - {C52D1B11-0DA6-40F1-BC1D-BD6054A2726A} - (no file)

O2 - BHO: (no name) - {c777f359-07ff-4775-be08-01118a3ad200} - (no file)

O2 - BHO: (no name) - {EF99C205-F050-475A-88BE-4D591E1B6D14} - (no file)

O2 - BHO: (no name) - {FC8FDC50-9D94-4FD2-A404-D1B5D124CCD5} - (no file)

O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

If you don't know what telegraph.co.uk is, then fix the following:
Quote:
O24 - Desktop Component 1: Telegraph | Opinion | Victory leaves Hamas with a dilemma - http://www.telegraph.co.uk/opinion/main ... 006/01/27/ do2702.xml&sSheet=/opinion/2006/01/27/ixop.html

O24 - Desktop Component 2: Telegraph | Opinion | Victory leaves Hamas with a dilemma - http://www.telegraph.co.uk/opinion/main ... 006/01/27/ do2702.xml&sSheet=/opinion/2006/01/27/ixop.html

None of those look dangerous except for the one I bolded, which is most likely malware.
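The triage spork does by eye above (O2 BHO entries whose DLL is gone, an O4 autorun that needs a second look, and O24 Active Desktop components the owner never set up) can be scripted. The following is an added example written for this thread, not code from Ozzu, HijackThis or any poster: it parses a handful of lines copied from the log posted above and applies three simple rules. The rules themselves are the example's own assumptions, and `review_names` is a hypothetical parameter that takes autorun entry names a helper has already decided to question, such as SpywareBot here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0954FFBE-1FEE-48DF-A596-802BE24C2E86} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: (no name) - {C52D1B11-0DA6-40F1-BC1D-BD6054A2726A} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O24 - Desktop Component 1: Telegraph | Opinion | Victory leaves Hamas with a dilemma - http://www.telegraph.co.uk/opinion/main ... /ixop.html
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag: "O2", "O4" or "O24"
    reason: str   # why this script flagged the line (heuristic, not a verdict)
    line: str     # the original log line, for copying back into a reply


# Line shapes as HijackThis prints them; only the three sections used in this thread.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<entry>[^\]]+)\] (?P<cmd>.*)$")
_O24 = re.compile(r"^O24 - Desktop Component \d+: (?P<title>.*) - (?P<url>.*)$")


def triage(log_text: str, review_names: Iterable[str] = ()) -> List[Finding]:
    """Apply three assumed triage rules to HijackThis log lines and return what they flag."""
    names = set(review_names)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _O2.match(line)
        if m:
            # Rule 1: a BHO registration whose DLL no longer exists is an orphan left
            # behind by a removal; it loads nothing, but it is clutter worth fixing.
            if m.group("path") == "(no file)":
                findings.append(Finding("O2", "BHO points at a missing DLL (orphaned registry entry)", line))
            continue

        m = _O4.match(line)
        if m:
            entry, cmd = m.group("entry"), m.group("cmd")
            # Rule 2a: entries a helper has already questioned are reported as such.
            if entry in names:
                findings.append(Finding("O4", f"autorun entry '{entry}' is on the review list", line))
            # Rule 2b (heuristic): a command with no path at all is a bare executable name
            # resolved through the search order, so confirm which file actually runs.
            elif "\\" not in cmd:
                findings.append(Finding("O4", f"autorun runs bare name '{cmd.split()[0]}'; confirm which file loads", line))
            continue

        m = _O24.match(line)
        if m:
            # Rule 3: Active Desktop components are HTML content rendered on the desktop;
            # if the owner never enabled Active Desktop, each one deserves a look.
            findings.append(Finding("O24", f"Active Desktop component '{m.group('title')}' loads {m.group('url')}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, review_names={"SpywareBot"}):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Run as-is it prints six findings for the sample: the three orphaned O2 entries, the SpywareBot autorun, the bare `ctfmon.exe` name (a normal Windows component, which is exactly why the rule says "confirm" rather than "remove"), and the Telegraph desktop component. Without a review list the SpywareBot line passes, since its command carries a full path; the rules only surface lines for a human to judge.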
  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

The bolded line - Spywarebot.exe - is a spyware killer I installed recently. But I'll remove it for now.
Also, I thought the telegraph.co.uk was odd. Not a clue. I'll kill that too.
I'll let you know how it goes. Thanks.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6810
  • Loc: Martinsburg, WV

Post 3+ Months Ago

http://www.spywarewarrior.com/rogue_anti-spyware.htm
  • Battont
  • Newbie
  • Posts: 9

Post 3+ Months Ago

Still having the problem. The machine got unplugged yesterday, and when I brought it back up, it had active desktop turned on with a note to turn it off if desired. Could have been caused by the crash, or could have been something else. I've never used active desktop on this machine.
I noticed something in the control panel too. Systems Management Server. And a "Download monitor" icon, and a "Run advertised programs" icon. SMS may have been in the machine all along, but I don't think so. I certainly have no reason to ever use it. Also the "download monitor" and "run advertised programs" controls I don't ever recall seeing before.
  • spork
  • Brewmaster
  • Silver Member
  • Posts: 6254
  • Loc: Seattle, WA

Post 3+ Months Ago

Run HJT again and post a fresh log.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.