TechSpot

Virus - Red Circle with White X

By Cerviv
Mar 16, 2008
  1. Hi Julio and Techspot team.
    1st time post. Profile of System Specs updated to best of my ability. I have found similar threads with generally the same issue and copy-pasted some verbiage:

    While online, my computer apparently downloaded some Malware without my knowledge... and now there is a little red circle with a white X in my tray of icons on the lower right. It displays this message:
    "You computer is infected!"
    "Windows has detected spyware infection!"
    "It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.
    Click here to protect you computer from spyware!"

    Plus the infamous Red screen or White screen that are just jpegs that can be closed.

    I have followed the Preliminary steps 1 - 14 as best I can. I stopped to ask about the directions: Step 14 - "rehide your protected OS files". I do not understand what to do.

    I wanted to confirm before running HJT and posting the 3 logs.

    However, so far so good with not seeing the Red Circle with White X flashing in the taskbar.

    Thanks for the help
    Cerviv
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Go to windows explorer, Tools>Folder Options>View>Hidden Files and Folders and Do not show hidden files and folders
     
  3. Cerviv

    Cerviv TS Rookie Topic Starter

    Easy enough. I failed to mention that I have McAfee Software (which I just re-purchased yesterday). Odd that I have an issue now.

    I left the software running. Nothing really seemed to be an issue going through the Steps 1 - 14.

    Should I start over? Or just post the logs?
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Post the logs for now and we'll see what they're like.
     
  5. Cerviv

    Cerviv TS Rookie Topic Starter

    Logs attached

    For step 11 - I do not think there was anything found, and I cannot find any log I saved.

    Anyway, here are 4 logs, since Step 14 said don't attach with "ignored", so I went back and took care of the "digstream" file that AVG initially recommended to "ignore", so I saved 2 logs.

    Hope this is what you need to see.

    Looking over the HJ log I still think there are items that I do not need.

    Thanks again.

    Cerviv
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    --------------------------------------------------------------------------------------------------------

    Do you recognise these entries as being from your own ISP?

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

    If you do not then boot into safe mode and run HJT again, do a system scan only and place a check next to the following entries,
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O23 - Service: DVRMSFileWatcherService - Unknown owner - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe (file missing)


    Reboot into normal mode and disable spybot S&D's resident protection by opening it and going to advanced and resident protection and unchecking the teatimer box.

    Run HJT again and select do a system scan and save a logfile, post the log back here.

    This thread is for the use of Cerviv only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    @ kritius Those Addresses = Wareout infection, do this before fixing bad Hijackthis entries

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot


    You may want to print these instructions because you will be asked to reboot during the fix

    Step 1: Download and Run FixWareout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Attach the contents of the logfile C:\fixwareout\report.txt

    Step 2 obviously is to remove the Hijackthis entries
     
  8. kritius

    kritius TS Guru Posts: 2,084

    @ Blind dragon

    Thanks very much!

    @ Cerviv

    Please follow Blind Dragons instructions.
     
  9. Cerviv

    Cerviv TS Rookie Topic Starter

    FixWareout report

    Sorry for the delay guys.

    I wasn't sure if I was supposed to go to Step 2 already or post this 1st. I took the safe route.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do you use OpenDNS? Before we remove the O17 entries?

    You can go ahead and do this for now:

    Launch Hijackthis and select Open the Misc Tools section, Then click Delete an NT service, In the box that pops up type:
    DVRMSFileWatcherService

    Then click Main menu in the middle at the bottom and select Do a System Scan only Put a check mark next to the following:

    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O21 - SSODL: ComponentSrv - {6152d8ee-e882-4755-b0d7-a3e747ec48ec} - C:\WINDOWS\Installer\{6152d8ee-e882-4755-b0d7-a3e747ec48ec}\ComponentSrv.dll (file missing)
    O21 - SSODL: zip - {b1898d04-fd18-4d1e-a10d-48a38e40ed16} - C:\WINDOWS\Installer\{b1898d04-fd18-4d1e-a10d-48a38e40ed16}\zip.dll (file missing)
    O21 - SSODL: SysSrv - {4e557d6e-7f93-4f9d-860b-53b845d4d282} - C:\WINDOWS\Installer\{4e557d6e-7f93-4f9d-860b-53b845d4d282}\SysSrv.dll (file missing)
     
  11. Cerviv

    Cerviv TS Rookie Topic Starter

    I do not use OpenDNS. I do not even know what it is or at least the abbreviation.

    I tried putting in DVRMSFileWatcherService, but the HJ window says;
    "The service 'DVRMSFileWatcherService" is enabled and/or running. Disbale it first, using HiJackThis itself (from the scan results) or the Services.msc window."

    I am not sure I understand the directions.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Go to Start -> Control Panel -> Administrative Tools -> double click Services

    Stop the DVRMSFileWatcherService
    service from running by right-clicking it and choosing Stop. Right click it again and choose Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.
     
  13. Cerviv

    Cerviv TS Rookie Topic Starter

    It was on Automatic, but I have it Disabled now.

    Looks like the HJT allows me to delete now.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let's hold off on the O17 entries for now. I do think it is the result of the infection, but have asked some experts about it. I have seen a lot of infected computers connected to OpenDNS without the user's consent. Should have an answer by tomorrow.

    For now you can update your Java

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    After removing the entries and updating Java attach a new log
     
  15. Cerviv

    Cerviv TS Rookie Topic Starter

    New HJT Log

    OK Java updated.

    Here is the new HJT log after checking and deleting files. However, I just noticed today's list did not match yesterday's. They both had 4 items. I thought they were the same. Sorry I didn't read thoroughly. Hopefully no issues. I also thought you meant the first line 17 item.

    I assume I need to go back and clear out the 3 line 21s
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Only the lines listed above, then when you attach the new log we will look to make sure everything else is ok.

    About the O17 entries that you have:
    The entries are perfectly legitimate and belong to Freedom Networks LLC. They are used by Spybot to replace bad DNS addresses. That way there is no risk that the OP will lose their Internet connection. When dealing with a DNS Hijacker and the user runs Spybot S&D, it replaces these entries with OpenDNS.
    Also see here for more info: http://forums.spybot.info/showthread.php?t=14547

    There was no Hijackthis attached to your last reply ;)
     
  17. Cerviv

    Cerviv TS Rookie Topic Starter

    HJT Log

    Sorry - I thought I did attach, but I think I have lost the ability to attach .log files.
    In the attachment screen I have red x at .dmp and .log

    I resaved as text.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O21 - SSODL: ComponentSrv - {6152d8ee-e882-4755-b0d7-a3e747ec48ec} - C:\WINDOWS\Installer\{6152d8ee-e882-4755-b0d7-a3e747ec48ec}\ComponentSrv.dll (file missing)
    O21 - SSODL: zip - {b1898d04-fd18-4d1e-a10d-48a38e40ed16} - C:\WINDOWS\Installer\{b1898d04-fd18-4d1e-a10d-48a38e40ed16}\zip.dll (file missing)
    O21 - SSODL: SysSrv - {4e557d6e-7f93-4f9d-860b-53b845d4d282} - C:\WINDOWS\Installer\{4e557d6e-7f93-4f9d-860b-53b845d4d282}\SysSrv.dll (file missing)


    Select Fix Checked

    Close Hijackthis

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
     
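A small triage helper for the HijackThis entry types handled in this thread (O17 NameServer values, and O2/O21/O23 load points marked "(file missing)"), added here as an example and not part of the original thread or of HijackThis itself. The sample log is constructed from the entries quoted above plus one made-up rogue nameserver, and the "known" resolver list is just the two OpenDNS addresses the thread discusses.

```python
import re

# OpenDNS resolvers quoted in this thread; Spybot S&D may write them when repairing a DNS hijack.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
INSTALLER_GUID_DIR = re.compile(r"\\WINDOWS\\Installer\\\{[0-9a-f-]{36}\}\\", re.I)


def parse_hjt_line(line):
    """Classify one HijackThis log line; returns None for lines that are not entries."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    entry = {"section": section, "raw": line.strip(), "flags": []}
    if section == "O17":
        m2 = re.search(r"NameServer = ([\d.,]+)", rest)
        servers = m2.group(1).split(",") if m2 else []
        entry["servers"] = servers
        unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
        if unknown:
            entry["flags"].append("unrecognised nameserver(s): " + ",".join(unknown))
        elif servers:
            entry["flags"].append("OpenDNS resolvers (legitimate; often set by Spybot S&D)")
    elif section in ("O2", "O21", "O23"):
        if "(file missing)" in rest:
            entry["flags"].append("file missing: orphaned load point")
        if section == "O21" and INSTALLER_GUID_DIR.search(rest):
            entry["flags"].append("SSODL DLL under a Windows\\Installer GUID folder")
    return entry


def triage(log_text):
    """Return only the entries that raised at least one flag."""
    entries = (parse_hjt_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["flags"]]

# Constructed sample: entries quoted in this thread plus one made-up rogue nameserver (192.0.2.53).
SAMPLE_LOG = r"""
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53,208.67.222.222
O21 - SSODL: zip - {b1898d04-fd18-4d1e-a10d-48a38e40ed16} - C:\WINDOWS\Installer\{b1898d04-fd18-4d1e-a10d-48a38e40ed16}\zip.dll (file missing)
O23 - Service: DVRMSFileWatcherService - Unknown owner - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["section"], "|", "; ".join(e["flags"]))
```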
  19. Cerviv

    Cerviv TS Rookie Topic Starter

    New HJT log

    Sorry for the delay again. Busy at work and party Friday night - MGM Grand Detroit - nice place.

    Anyway new HJT Log

    Have a Happy Easter
     
  20. Cerviv

    Cerviv TS Rookie Topic Starter

    Just checking in. There was no response to my last post with new HJT Log.
     
Topic Status:
Not open for further replies.
