I'm pretty sure I have a virus.

spacerobot

Yeah, I'm about 100 percent sure.
Yesterday I went to a shady website to download a program, and the program was a .zip.exe I actually knew better, but I didn't actually think it would be a virus. I tried running the zip.exe and sure enough it didnt work exactly as I expected, so I killed it immediately. About 10 minutes later spybot search and destroy gives me a notice that something is trying to change my registry. So of course I deny it permission. It kept asking me to give it permission so I checked the "alwyas make this decision" to deny it. That didn't work, and it kept asking me, so I just closed spybot thinking it was an error or something. No more problems the rest of the day.

This morning I waks up, check my computer and find 23 internet explorer pop ups that look like errors. They mostly look like this one:


Many of the popups tell me i should go to xpviruspro.com
Also, When I restarted my computer today, spybot S&D keeps telling me something wants to change my homepage, but of course i'm denying it. It's been trying all morning.
Also, This virus has disabled my task manager, telling me the administrator does not give me permission (i'm the admin) I've found away around the task manager problem so far. I've also found no suspicious processes.

I'm running a McAfee virus scan right now, but it hasnt found anything.

Any suggestions? I've had this computer for 6 years, an this is the first virus i've ever had.

And yes, I know I brought this on myself when I went to that shady webiste and downloaded the program.

edit: I'm also getting this popup:


I'm always clicking "no" for that popup, since it wont let me 'x' it out.

Deviant Hands

This probably isn't the first virus you've had, just the first one that pretty much compromised your entire computer.

If I were you I'd gather files I want to keep and just reformat. You wouldn't want to drive a car again after it gets stolen and recovered, just as you wouldn't want to use a machine again that was infected.

spacerobot

Yeah, perhaps i'll do that.
It'll most likely be faster to reformat than to figure out how to fix this. So frustrating.

amateurhour

easy to fix

edit: sorry, I hit tab and space accidentally.. anyway, just go into control panel, then into your services, and make sure the messenger service is disabled. This is just some adware that uses your open messenger terminal to give you annoying popups. It's just spam basically

Don't reformat!

it's a fake windows security alert, but virusscan doesn't pick it up because it's not a virus, it's a script running messenger, and that's all. Clicking yes takes you to a website where they sell you a "virus cleaner" that removes the script and costs $49.99. I get rid of this shit all the time where I work.

It's not serious, so don't worry

Deviant Hands

Such irony in your sig

Deathwing

First, as someone has already said - the best thing you could do right now is back up anything that you cannot easily reinstall or re-download, and do a full format of the drive and reinstall Windows.

Yes, it's a pain in the ass, but there's no way of knowing 100% what else has been snuck onto your machine besides the blatant problems, and I would NOT trust the machine to do anything sensitive whatsoever until you wipe it clean.

amateurhour

Deathwing wrote: »

First, as someone has already said - the best thing you could do right now is back up anything that you cannot easily reinstall or re-download, and do a full format of the drive and reinstall Windows.

Yes, it's a pain in the ass, but there's no way of knowing 100% what else has been snuck onto your machine besides the blatant problems, and I would NOT trust the machine to do anything sensitive whatsoever until you wipe it clean.

Don't reformat. This isn't a reformat level problem. Just disable messenger and it goes away, period. I removed one of these fuckers on my box two years ago, by just turning off messenger, and nothing has corrupted my hard drive, and no one has gotten my banking info.

Rankenphile

If possible, get a Windows LiveCD or a bootable USB key (if your motherboard supports booting from USB) with a virus/malware scanner and boot from that, run the scan and see if it shows anything.

spacerobot

I'll try what amateur hour said to give me time to back up my stuff. I have to clear up my extra hard drive to back up all my important documents on my C: Drive. After I figure that out i'll reformat.

Also, about my sig, the point was to be ironic.

Deathwing

amateurhour wrote: »

Don't reformat. This isn't a reformat level problem. Just disable messenger and it goes away, period. I removed one of these fuckers on my box two years ago, by just turning off messenger, and nothing has corrupted my hard drive, and no one has gotten my banking info.

Yeah, I posted before seeing his edit. If that's really all that's managed to sneak on, then maybe you can get away with not wiping it. Personally, i'd be too paranoid to trust the system without blanking it, but that's me.

Deviant Hands

amateurhour wrote: »

Deathwing wrote: »

First, as someone has already said - the best thing you could do right now is back up anything that you cannot easily reinstall or re-download, and do a full format of the drive and reinstall Windows.

Yes, it's a pain in the ass, but there's no way of knowing 100% what else has been snuck onto your machine besides the blatant problems, and I would NOT trust the machine to do anything sensitive whatsoever until you wipe it clean.

Don't reformat. This isn't a reformat level problem. Just disable messenger and it goes away, period. I removed one of these fuckers on my box two years ago, by just turning off messenger, and nothing has corrupted my hard drive, and no one has gotten my banking info.

Meh, if that lets you sleep at night go ahead.

But I surely wouldn't trust giving out credit card numbers or typing in social security or accessing multi-million dollar accounts on a machine that was previously virused.

spacerobot

Ok, now how do I disable messenger service? I'm in control panel, but theres no "services" anywhere.

amateurhour

Deathwing wrote: »

amateurhour wrote: »

Don't reformat. This isn't a reformat level problem. Just disable messenger and it goes away, period. I removed one of these fuckers on my box two years ago, by just turning off messenger, and nothing has corrupted my hard drive, and no one has gotten my banking info.

Yeah, I posted before seeing his edit. If that's really all that's managed to sneak on, then maybe you can get away with not wiping it. Personally, i'd be too paranoid to trust the system without blanking it, but that's me.

Which is understandable, but just google messenger popup virus, and it gives you all kinds of info on it. It's a credit card scam to get you to buy antivirus software. It's basically the digital equivalent of those mobsters selling fire insurance, and if you don't buy it they burn your place down.

Rankenphile

Disabling the messenger service may help, but frankly, when shit like this hits me, I'm always a lot more ocmfortable if I take a "salt the earth" approach. Back up your shit and wipe the drive clean. Start from scratch. Think of it like Spring Cleaning. A newly formatted machine always runs better, too, if you make sure to update all your drivers and stuff in the process.

Deathwing

Which is understandable, but just google messenger popup virus, and it gives you all kinds of info on it. It's a credit card scam to get you to buy antivirus software. It's basically the digital equivalent of those mobsters selling fire insurance, and if you don't buy it they burn your place down.

Oh, I know what a messenger popup is. My thinking (mostly because I was a dumbass and did it to myself once), is that you don't know what else got unloaded from that infected file that may not be as easily detectable, like a keylogger/rootkit/something else fun.

spacerobot

Ok, I just disabled messenger services. I guess we'll see if it helps any. I get paranoid about computer stuff sometimes, so i'll probably reformat in a week or so when i'm back at school. Hopefully disabling the messenger service will be a good temporary fix.

edit: it seems to be trying to change my internet explorer homepage still ( I never use IE so i dont care about that much) and I seem to be getting the occasional pop up now, but it seems to be a lot less.

edit again: yeah, i don't think it helped too much. I'll just give it a reformat.

urahonky

Sounds like the bloodhound virus, or something like it. Have you tried running spybot/adaware on it? I hate reformatting so I do that as a very last resort.

amateurhour

spacerobot wrote: »

Ok, I just disabled messenger services. I guess we'll see if it helps any. I get paranoid about computer stuff sometimes, so i'll probably reformat in a week or so when i'm back at school. Hopefully disabling the messenger service will be a good temporary fix.

edit: it seems to be trying to change my internet explorer homepage still ( I never use IE so i dont care about that much) and I seem to be getting the occasional pop up now, but it seems to be a lot less.

edit again: yeah, i don't think it helped too much. I'll just give it a reformat.

did you disable messenger, windows messenger, or msn messenger?

edit: yeah, looks like you've got something else going on, so fuck it, nuke the site from orbit, it's the only way to be sure.

Also, invest in an external drive (they're cheap now) and make a backup of your most necessary shit, then use norton ghost, and keep a backup so you don't actually have to do anything next time you format, other than click a button.

Thanatos

If you don't want to reformat (and I am of the opinion that you should):

1) Download and update Ad-Aware.
2) Update Spybot S&D.
3) Reboot into safe mode (no networking).
4) Run a full system scan with both Ad-Aware and Spybot S&D.

That should nuke all the adware. If it doesn't, I'd recommend downloading the trial of Kaspersky Anti-Virus, and scanning with that.

Kalkino

Is there a big virus wave going down at present? The other night I went to Salon.com and got a popup that tried to get me to install a spyware cleaner (it was pretty insistent)

spacerobot

Thinatos wrote: »

If you don't want to reformat (and I am of the opinion that you should):

1) Download and update Ad-Aware.
2) Update Spybot S&D.
3) Reboot into safe mode (no networking).
4) Run a full system scan with both Ad-Aware and Spybot S&D.

That should nuke all the adware. If it doesn't, I'd recommend downloading the trial of Kaspersky Anti-Virus, and scanning with that.

I'll try that next. I'm thinking I'm going to reformat though.

TetraNitroCubane

Kalkino wrote: »

Is there a big virus wave going down at present? The other night I went to Salon.com and got a popup that tried to get me to install a spyware cleaner (it was pretty insistent)

Hijacking banner-ads is popular these days. The banner ads will redirect you instantly to a compromised site that will download malware, even if you're using Opera or Firefox. And since the ads are covered via a secondary company, they get hosted on legit, safe websites without the hosts knowing. It's an unfortunately popular tactic right now, and I think the only way to avoid it is to browse sandboxed, or turn off flash entirely.

spacerobot

Spybot detected something called smitfraud. AFter some quick googling, other people that have had the same problems as me have also found smitfraud. Spybot removed it, and so far it seems so good. Hopefully it will stay good. I think i'll still get an external hard drive and reformat though.

PikaPuff

I just got something like this. I'm thinking it's ie defender. Look it up in google will find a thread stating what video codecs you need to delete. If it IS the ie defender one, it got on your computer through a fake video codec you allowed when trying to watch something.

I got rid of it really easily with HiJackThis to delete the codec, and going into the windows folder and deleting the codec and backup of that codec. I'd tell you what to do, but there's 30 different variations of it, so just find the thread about it.

edit- here's what I had, and a thread I google'd to fix it:

http://forums.spywareinfo.com/index.php?showtopic=107621

Explanation:

This one is getting installed via a FAKE codec.
Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your mediaplayer should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so called codec may install malware.

Example of such FAKE codec:



Once installed, it displays fake alerts in order to download/install the fake program IE Defender or Files Secure.
The Alerts display you are infected with one of the following:

* Trojan.Zlob-X.a
* Trojan.Win32.Agent.akk
* Trojan.Win32.Obfuscated.gx
* Trojan.Win32.LinkReplacer
* Trojan.Win32.StarField
* Trojan.Win32.Startpage.fq
* Trojan.Agent
* Trojan.Win32.Gorshok.a
* Worm.Win32.Sober
* Trojan.Vundo
* Trojan.KillAV
* Trojan.Win32.Patched
* Trojan.Win32.CP4000
* Trojan Win32/Qoologic

Example Alert:



Also read here for a detailed description of this infection.

Removal:

In case you don't have HijackThis...

* Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.

Then in HijackThis, look if one of the following is present and check it in HijackThis:
(the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same)

O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll
O2 - BHO: IE plugin - {6F6D1C90-7BEE-4A15-8DAB-9C37A643FD3A} - C:\WINDOWS\pmspl.dll
O2 - BHO: FireFox Viewer - {8883BBC2-E716-4C98-B12C-BB40B4A415ED} - C:\WINDOWS\corpol.dll
O2 - BHO: Web Search - {B3E45A9B-7756-46A2-AB14-90175CD374F9} - C:\WINDOWS\websrc32.dll
O2 - BHO: IE Config Tools - {E780E148-0BAC-4654-81A4-8A649F4D4A90} - C:\WINDOWS\mscfg32.dll
O2 - BHO: PDS Viewer - {E2278F85-4584-4BEE-928C-600B38C385C1} - C:\Windows\pdswin.dll
O2 - BHO: OGG Viewer - {82FE0677-75EC-49BF-83E9-A815F68F6212} - C:\WINDOWS\oggview.dll
O2 - BHO: pwn plugin - {7E24E909-FB8A-4837-9DF7-05E7587CB26C} - C:\WINDOWS\pwnbho.dll
O2 - BHO: POS plugin - {369A87BB-07DF-4AB6-B23D-B5BF81338572} - C:\WINDOWS\poswin.dll
O2 - BHO: PLAsim plugin - {7753B2C4-8E27-4CEC-87EB-2739480D8A11} - C:\WINDOWS\poswin.dll
O2 - BHO: player addon - {4EBAA7B0-740D-4CFA-9455-5C233BB354E1} - C:\WINDOWS\oggview32.dll

Click the "Fix checked" button below.
Then reboot your computer.
After reboot, navigate to and delete one of the following file if still present (related with the entry you fixed in HijackThis):

C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll <== do NOT delete this file present in your C:\Windows\system32-folder as this one is legit!
C:\WINDOWS\pmspl.dll <== do NOT delete this file present in your C:\Windows\system32-folder as this one is legit!
C:\WINDOWS\corpol.dll <== do NOT delete this file present in your C:\Windows\system32-folder as this one is legit!
C:\WINDOWS\websrc32.dll
C:\WINDOWS\mscfg32.dll
C:\WINDOWS\pdswin.dll
C:\WINDOWS\oggview.dll
C:\WINDOWS\pwnbho.dll
C:\WINDOWS\poswin.dll
C:\WINDOWS\oggview32.dll

Also look if the following files are present and delete them:

C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\WINDOWS\system32\dx50codec.dll.bak
C:\WINDOWS\system32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll.bak
C:\WINDOWS\system32\sysdivx.dll.bak
C:\WINDOWS\system32\VideoMP3.dll.bak
C:\WINDOWS\system32\PowerVideo.dll.bak
C:\WINDOWS\system32\sysvideo32.dll.bak
C:\WINDOWS\stream32a.dll.bak
C:\WINDOWS\windivx.dll.bak
C:\WINDOWS\msvideo.dll.bak
C:\WINDOWS\pmspl.dll.bak
C:\WINDOWS\corpol.dll.bak
C:\WINDOWS\websrc32.dll.bak
C:\WINDOWS\mscfg32.dll.bak
C:\WINDOWS\pdswin.dll.bak
C:\WINDOWS\oggview.dll.bak
C:\WINDOWS\pwnbho.dll.bak
C:\WINDOWS\poswin.dll.bak
C:\WINDOWS\oggview32.dll.bak

Normally, by default, if you fix that entry in Hijackthis and your Internet Explorer is closed while fixing in HijackThis, HijackThis will already delete that file as well. So don't worry if you can't find the file afterwards anymore - HijackThis already deleted it. But it's always a good idea to doublecheck.
Please make sure you don't delete "similar looking" files as they may be legitimate.

In case when you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThisforum with your HijackThislog.

spacerobot

I've gone a good 9 hours now with no pop ups. So I think the problem has been corrected. Thanks for the help everyone!