Virus - Red Circle with White X

Status
Not open for further replies.

Cerviv

Hi Julio and Techspot team.
1st time post. Profile of System Specs updated to the best of my ability. I have found similar threads with generally the same issue and copy-pasted some verbiage:

While online, my computer apparently downloaded some malware without my knowledge... and now there is a little red circle with a white X in my tray of icons on the lower right. It displays this message:
"You computer is infected!"
"Windows has detected spyware infection!"
"It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.
Click here to protect you computer from spyware!"

Plus the infamous Red screen or White screen that are just jpegs that can be closed.

I have followed the Preliminary steps 1 - 14 as best I can. I stopped to ask about the directions: Step 14 - "rehide your protected OS files". I do not understand what to do.

I wanted to confirm before running HJT and posting the 3 logs.

However, so far so good with not seeing the Red Circle with White X flashing in the taskbar.

Thanks for the help
Cerviv
 
Go to Windows Explorer, Tools > Folder Options > View > Hidden Files and Folders and select "Do not show hidden files and folders".
 
Easy enough. I failed to mention that I have McAfee Software (which I just re-purchased yesterday). Odd that I have an issue now.

I left the software running. Nothing really seemed to be an issue going through the Steps 1 - 14.

Should I start over? Or just post the logs?
 
Logs attached

For step 11 - I do not think there was anything found, and I cannot find any log I saved.

Anyway, here are 4 logs, since Step 14 said don't attach with "ignored", so I went back and took care of the "digstream" file that AVG initially recommended to "ignore", so I saved 2 logs.

Hope this is what you need to see.

Looking over the HJ log I still think there are items that I do not need.

Thanks again.

Cerviv
 
Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended" tab.
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

--------------------------------------------------------------------------------------------------------

Do you recognise these entries as being from your own ISP?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

If you do not then boot into safe mode and run HJT again, do a system scan only and place a check next to the following entries,
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: DVRMSFileWatcherService - Unknown owner - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe (file missing)


Reboot into normal mode and disable Spybot S&D's resident protection by opening it and going to Advanced and Resident Protection and unchecking the TeaTimer box.

Run HJT again and select do a system scan and save a logfile, post the log back here.

This thread is for the use of Cerviv only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
@kritius Those addresses = Wareout infection; do this before fixing bad HijackThis entries.

Disable Teatimer
  • Right-click the Spybot - S&D Resident icon located in your system tray, select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot


You may want to print these instructions because you will be asked to reboot during the fix

Step 1: Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Attach the contents of the logfile C:\fixwareout\report.txt

Step 2, obviously, is to remove the HijackThis entries.
 
FixWareout report

Sorry for the delay guys.

I wasn't sure if I was supposed to go to Step 2 already or post this 1st. I took the safe route.
 
Do you use OpenDNS? (Before we remove the O17 entries.)

You can go ahead and do this for now:

Launch HijackThis and select Open the Misc Tools section. Then click Delete an NT service. In the box that pops up type:
DVRMSFileWatcherService

Then click Main menu in the middle at the bottom and select Do a System Scan only. Put a check mark next to the following:

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
O21 - SSODL: ComponentSrv - {6152d8ee-e882-4755-b0d7-a3e747ec48ec} - C:\WINDOWS\Installer\{6152d8ee-e882-4755-b0d7-a3e747ec48ec}\ComponentSrv.dll (file missing)
O21 - SSODL: zip - {b1898d04-fd18-4d1e-a10d-48a38e40ed16} - C:\WINDOWS\Installer\{b1898d04-fd18-4d1e-a10d-48a38e40ed16}\zip.dll (file missing)
O21 - SSODL: SysSrv - {4e557d6e-7f93-4f9d-860b-53b845d4d282} - C:\WINDOWS\Installer\{4e557d6e-7f93-4f9d-860b-53b845d4d282}\SysSrv.dll (file missing)
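The three O21 lines above are values under the ShellServiceObjectDelayLoad (SSODL) key, which Explorer loads at logon; HijackThis prints "(file missing)" when the CLSID's DLL is not on disk. The following is an added example, not code from the thread, from HijackThis or from the helpers, that lists the SSODL entries, resolves each CLSID to its InProcServer32 DLL and flags the ones whose file is missing, which is the pattern in Cerviv's log. It assumes PowerShell 2.0 or later and an elevated prompt; the `-Remove` switch and the function names are this example's own. Stock Windows entries resolve to existing system DLLs and are therefore never flagged.

```powershell
# Added example (not from the thread): inspect and clean SSODL (HijackThis O21) entries.
# Assumes PowerShell 2.0+ running as administrator.

$SsodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Get-SsodlEntry {
    # One object per SSODL value: value name, CLSID, the DLL the CLSID resolves to,
    # and whether that DLL actually exists (the HijackThis "(file missing)" test).
    if (-not (Test-Path -LiteralPath $SsodlKey)) { return }
    $item = Get-Item -LiteralPath $SsodlKey
    foreach ($name in $item.GetValueNames()) {
        if (-not $name) { continue }                     # skip the key's (Default) value
        $clsid = $item.GetValue($name)
        $dll = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        if (Test-Path -LiteralPath $inproc) {
            # The InProcServer32 (Default) value is the DLL path, possibly with %vars%.
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        New-Object PSObject -Property @{
            Name        = $name
            Clsid       = $clsid
            Dll         = $dll
            FileMissing = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
        }
    }
}

function Remove-MissingSsodlEntry {
    # Dry run by default; pass -Remove to delete the flagged values, which is what
    # "Fix checked" does for an O21 line (the orphaned CLSID key is left in place).
    param([switch]$Remove)
    $suspect = Get-SsodlEntry | Where-Object { $_.FileMissing }
    foreach ($e in $suspect) {
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $SsodlKey -Name $e.Name
            Write-Host ("removed SSODL entry {0} -> {1}" -f $e.Name, $e.Clsid)
        } else {
            Write-Host ("would remove SSODL entry {0} -> {1} ({2})" -f $e.Name, $e.Clsid, $e.Dll)
        }
    }
}

Get-SsodlEntry | Format-Table Name, Clsid, FileMissing, Dll -AutoSize
Remove-MissingSsodlEntry              # dry run: shows what would go
# Remove-MissingSsodlEntry -Remove    # only after the list matches the entries the helper named
```

Run the dry run first and compare its output with the O21 lines in the HijackThis log; if they match, rerun with `-Remove`, reboot, and rescan so the log confirms the values are gone.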
 
I do not use OpenDNS. I do not even know what it is, or at least the abbreviation.

I tried putting in DVRMSFileWatcherService, but the HJ window says:
"The service 'DVRMSFileWatcherService' is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window."

I am not sure I understand the directions.
 
Go to Start -> Control Panel -> Administrative Tools -> double click Services

Stop the DVRMSFileWatcherService service from running by right-clicking it and choosing Stop. Right-click it again and choose Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.
 
Let's hold off on the O17 entries for now. I do think it is the result of the infection, but have asked about it to some experts. I have seen a lot of infected computers connected to OpenDNS without the users' consent. Should have an answer by tomorrow.

For now you can update your Java

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

After removing the entries and updating Java attach a new log
 
New HJT Log

OK Java updated.

Here is the new HJT log after checking and deleting files. However, I just noticed today's list did not match yesterday's. They both had 4 items. I thought they were the same. Sorry I did not read thoroughly. Hopefully no issues. I also thought you meant the first line 17 item.

I assume I need to go back and clear out the 3 line 21s
 
Only the lines listed above; then when you attach the new log we will look to make sure everything else is ok.

About the O17 entries that you have:
The entries are perfectly legitimate and belong to Freedom Networks LLC. They are used by Spybot to replace bad DNS addresses. That way there is no risk that the OP will lose their Internet connection. When dealing with a DNS hijacker and the user runs Spybot S&D, it replaces these entries with OpenDNS.
Also see here for more info: http://forums.spybot.info/showthread.php?t=14547

There was no HijackThis log attached to your last reply ;)
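The O17 lines come from the NameServer values under each control set's Tcpip\Parameters key (HijackThis's "CCS" is CurrentControlSet, a link to one of the ControlSet00N keys, and "CS1" is ControlSet001). The script below is an added example, not code from the thread or from HijackThis, that reads those values from every control set and every interface subkey and labels each address as OpenDNS, as in the log, or as unknown. It assumes PowerShell 2.0 or later; the `$KnownResolvers` table is this example's own and should be extended with your ISP's resolvers, which the thread never states.

```powershell
# Added example (not from the thread): enumerate the DNS servers configured in the
# registry (what HijackThis shows as O17 lines) and flag addresses you do not recognise.
# Assumes PowerShell 2.0+; the known-resolver table is an assumption of this example.

$KnownResolvers = @{
    '208.67.222.222' = 'OpenDNS'     # the two addresses quoted in the O17 lines above
    '208.67.220.220' = 'OpenDNS'
}

function Get-DnsNameServerEntry {
    # Walk HKLM\SYSTEM\ControlSet*\Services\Tcpip\Parameters and its Interfaces\* subkeys.
    # CurrentControlSet is a link to one of these, so it is not listed separately.
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $params = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters"
        if (-not (Test-Path -LiteralPath $params)) { continue }
        $keys = @(Get-Item -LiteralPath $params) +
                @(Get-ChildItem -LiteralPath "$params\Interfaces" -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            # NameServer is the statically set list; DhcpNameServer is what DHCP handed out.
            foreach ($valueName in 'NameServer', 'DhcpNameServer') {
                $v = $k.GetValue($valueName)
                if (-not $v) { continue }
                # The value is a comma- or space-separated list of IPv4 addresses.
                foreach ($ip in ($v -split '[ ,]+' | Where-Object { $_ })) {
                    $known = 'UNKNOWN'
                    if ($KnownResolvers.ContainsKey($ip)) { $known = $KnownResolvers[$ip] }
                    New-Object PSObject -Property @{
                        ControlSet = $cs.PSChildName
                        Key        = $k.PSChildName
                        Value      = $valueName
                        Address    = $ip
                        KnownAs    = $known
                    }
                }
            }
        }
    }
}

function Get-UnknownDnsServer {
    # Just the addresses that are neither in the table nor handed out by DHCP.
    Get-DnsNameServerEntry | Where-Object { $_.KnownAs -eq 'UNKNOWN' -and $_.Value -eq 'NameServer' }
}

Get-DnsNameServerEntry | Format-Table ControlSet, Key, Value, Address, KnownAs -AutoSize
Get-UnknownDnsServer
```

A static NameServer that is not your ISP's, not OpenDNS and not a router address you set yourself is the DNS-hijack pattern the helpers were checking for; compare the output with `ipconfig /all`, and fix the O17 line (or set the interface back to "Obtain DNS server address automatically") only once you know, as this thread worked out, who put the address there.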
 
HJT Log

Sorry - I thought I did attach, but I think I have lost the ability to attach .log files.
In the attachment screen I have red x at .dmp and .log

I resaved as text.
 
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O21 - SSODL: ComponentSrv - {6152d8ee-e882-4755-b0d7-a3e747ec48ec} - C:\WINDOWS\Installer\{6152d8ee-e882-4755-b0d7-a3e747ec48ec}\ComponentSrv.dll (file missing)
O21 - SSODL: zip - {b1898d04-fd18-4d1e-a10d-48a38e40ed16} - C:\WINDOWS\Installer\{b1898d04-fd18-4d1e-a10d-48a38e40ed16}\zip.dll (file missing)
O21 - SSODL: SysSrv - {4e557d6e-7f93-4f9d-860b-53b845d4d282} - C:\WINDOWS\Installer\{4e557d6e-7f93-4f9d-860b-53b845d4d282}\SysSrv.dll (file missing)


Select Fix Checked

Close Hijackthis

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
 
New HJT log

Sorry for the delay again. Busy at work and party Friday night - MGM Grand Detroit - nice place.

Anyway new HJT Log

Have a Happy Easter
 