Desktop Virus!! Please Help!

#1 (permalink) rjain, 09-07-2005, 01:34 AM

Hi,
I've got this notice on my desktop saying:

WARNING!
'your in danger....' and it goes on to explain that my PC is infected with spyware etc. It provides a link down the bottom which directs me to a spyware program site. Also, every so often I get an alert on the bottom right of my PC telling me my computer is 'infected'. This also is a link to a spyware program site.

I have had a lot of pop-ups on my PC and when this started I switched to Netscape (it is much smoother and no pop-ups). Nevertheless, my desktop will not change back to normal.

Also, when my computer starts up, a blue screen comes up saying: 'Fatal error'
Error caused by Trojan.Spy.HTML.Smitfraud.C
>Scan your PC with any available antivirus/spyware program to fix the problem'.

I think this screen is part of the virus that has infected my PC.
I have scanned my PC with Norton AntiVirus and it removes whatever it can but still says 'ur pc is still infected with viruses'.

What steps should I take to remove this virus from my computer?

My logfile is:
Logfile of HijackThis v1.99.1
Scan saved at 10:30:25 AM, on 9/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\msole32.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\intmon.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Trend Micro\Tmas\tmas.exe
D:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
D:\WINDOWS\System32\shnlog.exe
D:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
D:\Documents and Settings\Rohan Jain\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - D:\WINDOWS\System32\hp7775.tmp
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I have scanned stuff with HijackThis, and I removed all the backup files :S.... oops. Also, I went to the service packs/critical updates for Windows XP to download that and it doesn't work on my PC. Is there an alternative software? And what do I do about my desktop?
#2 (permalink) Shayliz, 09-07-2005, 02:01 AM

It seems that you have the Troj/Puper-A Trojan & Fakespy-B Trojan.

D:\WINDOWS\System32\msole32.exe - Fakespy-B Trojan
D:\WINDOWS\System32\intmon.exe & D:\WINDOWS\System32\shnlog.exe - Troj/Puper-A Trojan

Select these in HijackThis to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

Run SpyBot Search and Destroy & Ad-Aware: http://www.isecurity.org.uk/downloads/spybotsd13.exe
http://www.lavasoft.de/support/download

Spybot- Search And Destroy- Spybot S&D will remove the majority of spyware from your system. It is an excellent program with a large database of spyware. Download Spybot S&D by clicking Spybot- Search And Destroy in red writing above or click here. Run the file you downloaded and install Spybot Search And Destroy. Once installed follow these instructions:

1. Go to Start>Programs>Spybot- Search and Destroy and click Spybot- S&D
2. When the Program has loaded, you need to update its database first so in the left hand panel click Update. Then click Search For Updates at the top.
3. If any updates are found click Download Updates and allow Spybot to download the updates. If you have trouble updating change the mirror using the button next to Search For Updates.
4. Now you need to Scan with Spybot. Click Search And Destroy in the Left hand panel and then click Check For Problems at the top.
5. Spybot will begin scanning your system. When the scan is finished ensure that there is a checkmark next to all the problems and click "Fix Selected Problems" at the top. This will remove the Spyware from your system.

Ad-aware- Ad-aware is another program for detecting and removing spyware. It is important to have both Ad-aware and Spybot- S&D installed because if one misses a piece of spyware then it is likely the other will detect it. To download Ad-aware, click the link above or click here. Run the file you downloaded and install Ad-aware. Once installed follow these instructions:

1. Go to Start>Programs>Lavasoft Ad-aware SE Personal and click Ad-aware SE Personal
2. When the Program has loaded, you need to update its database first so at the bottom click "Check For Updates" next to the Start button. Click Connect to check for updates. If Ad-aware detects any, it will confirm that you want to download it. Click Ok and it will download and install the update.
3. Click Finish when it has updated. Now we need to Scan and remove Spyware. Click Start at the bottom. Then click "Perform Smart System Scan" and then click Next.
4. Ad-aware will then scan your system for Spyware. When it has finished it will tell you how many objects it has found. Simply click Next and it will list everything it has found.
5. Put a checkmark next to all entries (or right click one entry and click "Select All Objects"). Then click Next. Ad-aware will confirm that you want to remove the selected entries, simply click Ok and Ad-aware will remove the entries.
#3 (permalink) HJThis, 09-07-2005, 08:05 AM
Re: Desktop Virus!! Please Help!

Hello, rjain & Welcome

Please hold on that info. The first thing I need you to do is move HijackThis from the Desktop and place it in a folder on the D:\ drive, like so: D:\HJT. This way, if something goes wrong, we have a place for a backup.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

D:\wp.exe
D:\wp.bmp
D:\bsw.exe
D:\Windows\sites.ini
D:\Windows\popuper.exe
D:\Windows\System32\wldr.dll
D:\Windows\System32\helper.exe
D:\Windows\System32\intmon.exe
D:\Windows\System32\shnlog.exe
D:\Windows\System32\intmonp.exe
D:\Windows\System32\msmsgs.exe
D:\Windows\system32\msole32.exe
D:\Windows\System32\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

D:\Program Files\Search Maid
D:\Program Files\Virtual Maid
D:\Windows\System32\Log Files
D:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - D:\WINDOWS\System32\hp7775.tmp


Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button


4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

HGD

Last edited by HJThis; 09-07-2005 at 08:15 AM.
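
The triage the helpers do by eye in posts #2 and #3, as an added example that is not part of the original thread: a small Python parser that splits a HijackThis log into running processes and coded entries, then flags the three things the replies pick out. The sample lines are copied from the log in post #1; the expected-host list and the `.dll` heuristic for BHOs are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log in post #1.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\System32\msole32.exe
D:\WINDOWS\System32\intmon.exe
D:\WINDOWS\System32\shnlog.exe
D:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - D:\WINDOWS\System32\hp7775.tmp
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""
# File names the helpers in this thread named as malicious (posts #2 and #3).
THREAD_INDICATORS = {"msole32.exe", "intmon.exe", "shnlog.exe"}
# Assumption for this example: IE pages on these domains are expected.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R1 - ...", "O23 - ..."

def parse(log):
    """Split a HijackThis log into (process paths, [(code, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append(m.groups())
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def expected(host):
    """True only for an expected domain or a real subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)

def triage(log):
    """Return (reason, item) findings for the checks the replies apply."""
    procs, entries = parse(log)
    found = [("process named in thread", p) for p in procs
             if p.rsplit("\\", 1)[-1].lower() in THREAD_INDICATORS]
    for code, body in entries:
        host = urlparse(body.partition(" = ")[2]).hostname or ""
        if code in ("R0", "R1") and host and not expected(host):
            found.append(("IE page set to unexpected host", host))
        # Heuristic (assumption): a BHO is normally a .dll, not a .tmp file.
        if code == "O2" and not body.lower().endswith(".dll"):
            found.append(("BHO file is not a .dll", body.rsplit(" - ", 1)[-1]))
    return found
```

Calling `triage(SAMPLE_LOG)` returns the three processes named in the thread, the oneclicksearches.com search bar, and the `hp7775.tmp` BHO, while leaving `about:blank`, `explorer.exe` and the RealPlayer startup entry unflagged.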