swingnat
2006-09-02, 20:32
Hi
So I'll try to make this as short as possible, but want to give the most info I can in case anyone has any ideas ...
The other day, I stupidly (and I know better) got a virus through IM. As soon as I clicked I knew it was bad and did everything I could to stop bad things from happening, including shutting down the computer as quickly as possible. Somehow I think I managed to damage whatever it the "virus" was, because apparently it sends itself to everyone on your IM list and I could see it trying to do that, but I kept getting error messages.
http://photos1.blogger.com/blogger/7909/1034/1600/virus.gif
A little relieved that people on my IM list weren't getting it, I set out to remove whatever it was on my computer ...
I ran my norton antivirus scan and came up empty. But, on its own, it kept popping up with a threat, which I would "fix" ... again and again ... same threat. This is what norton stated in my reports:
Source: Manual Scanner
Risk category: Adware
Overall Risk Impact: High
Performance: Low
Privacy: Medium
Removal: High
Stealth: High
Click for more information about this risk : Adware.DollarRevenue
Action taken: Removed
Description: Affected areas:
22 Registry keys:
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
Seeing that Internet Explorer seemed to be part of the problem, I uninstalled it. I prefer to use firefox anyway ...
Also, executables would pop up that I kept closing like this:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%202.gif
A friend suggested I do a system restore ... didn't work ... I tried several restore points and it just won't let me.
Next ... looking around for whatever I could find I stumbled upon these files:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%203.gif
I deleted them, and they have not popped back up.
So now at this point, the executables are no longer popping up nor the error messages (of the virus attempting to do whatever). And the risk that kept popping up from norton no longer does ...
Something bad is still lurking on my computer though ...
Norton antivirus can't seem to find it.
So I downloaded spybot. :) It's been about a year since I've used it but remembered how awesome it was. So I ran a check. It found 151 "bad things" on my computer. I thought "oh goody!" :)
I "fixed" all these problems and ran the check again. It found 10 files. I fixed them and ran the check again. Same items keep popping up.
http://photos1.blogger.com/blogger/7909/1034/1600/virus%204.png
I searched for info on 1 of them and found this thread and followed the directions suggested for fixing the problem. http://forums.spybot.info/showthread.php?p=40005
In the meantime, the only "visible" leftover of the virus or whatever is that it keeps turning something off and I have to keep "fixing" it:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%205.gif
So here is the info from my latest scan with spybot:
--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)
Any suggestions on my next plan of action? Please help!
So I'll try to make this as short as possible, but want to give the most info I can in case anyone has any ideas ...
The other day, I stupidly (and I know better) got a virus through IM. As soon as I clicked I knew it was bad and did everything I could to stop bad things from happening, including shutting down the computer as quickly as possible. Somehow I think I managed to damage whatever it the "virus" was, because apparently it sends itself to everyone on your IM list and I could see it trying to do that, but I kept getting error messages.
http://photos1.blogger.com/blogger/7909/1034/1600/virus.gif
A little relieved that people on my IM list weren't getting it, I set out to remove whatever it was on my computer ...
I ran my norton antivirus scan and came up empty. But, on its own, it kept popping up with a threat, which I would "fix" ... again and again ... same threat. This is what norton stated in my reports:
Source: Manual Scanner
Risk category: Adware
Overall Risk Impact: High
Performance: Low
Privacy: Medium
Removal: High
Stealth: High
Click for more information about this risk : Adware.DollarRevenue
Action taken: Removed
Description: Affected areas:
22 Registry keys:
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Search Bar - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Default_Search_URL - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Start Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-501\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
HKEY_USERS\S-1-5-21-756475607-473816799-1569671798-1006\Software\Microsoft\Internet Explorer\Main\Search Page - Repaired
Seeing that Internet Explorer seemed to be part of the problem, I uninstalled it. I prefer to use firefox anyway ...
Also, executables would pop up that I kept closing like this:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%202.gif
A friend suggested I do a system restore ... didn't work ... I tried several restore points and it just won't let me.
Next ... looking around for whatever I could find I stumbled upon these files:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%203.gif
I deleted them, and they have not popped back up.
So now at this point, the executables are no longer popping up nor the error messages (of the virus attempting to do whatever). And the risk that kept popping up from norton no longer does ...
Something bad is still lurking on my computer though ...
Norton antivirus can't seem to find it.
So I downloaded spybot. :) It's been about a year since I've used it but remembered how awesome it was. So I ran a check. It found 151 "bad things" on my computer. I thought "oh goody!" :)
I "fixed" all these problems and ran the check again. It found 10 files. I fixed them and ran the check again. Same items keep popping up.
http://photos1.blogger.com/blogger/7909/1034/1600/virus%204.png
I searched for info on 1 of them and found this thread and followed the directions suggested for fixing the problem. http://forums.spybot.info/showthread.php?p=40005
In the meantime, the only "visible" leftover of the virus or whatever is that it keeps turning something off and I have to keep "fixing" it:
http://photos1.blogger.com/blogger/7909/1034/1600/virus%205.gif
So here is the info from my latest scan with spybot:
--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)
Any suggestions on my next plan of action? Please help!