
So I have a virus on my work computer


stangmeister


And my IT people probably haven't rolled out of bed yet.

 

Any tips on getting rid of this myself? Here's the scoop:

I started up my computer today and after about 5 minutes it had a box pop up that said something to the effect of "files damaged, computer restarting" and it restarted.

 

Then, a rather suspicious looking Windows Security Center warning came up telling me to download something, which of course I didn't, but it's still here somewhere. I ran my virus scanner a few times and it's picked up 1 infected file, but even after re-scanning and re-starting, it's still coming up as soon as I start up Windows. I'll show you if you want to see it.

 

As I'm typing this, I have 11 of those red shields that "are" from Windows Security Center, each one trying to get me to DL something.

 

 


You have virus protection, then? You can try to update it - hopefully that will work.

 

If it does, do this:

Reboot, and right after the initial BIOS splash screen (usually the manufacturer, like Dell or Gateway, whatever you have), but before Windows starts to load, start tapping on the F8 key. If it works, you'll get an Advanced Boot Options screen (if Windows loads, you missed it, so try again). On the Advanced Boot Options screen, one of your choices will be Safe Mode - boot into that. When you're in Safe Mode (which will look like you have a video card from 1990), run your virus scan again - hopefully that will help. It's a good place to start at least, and probably what your IT dudes will/would do.

 

Good luck!


Alright, posting from another terminal. I did all that and it's running the virus scanner now.

 

What I thought was weird though, is that the virus that pops up every time I reboot still popped up in Safe Mode asking me "YOUR COMPUTER MAY BE AT RISK DOWNLOAD THIS FILE" .. I didn't think viruses could work in Safe Mode.


It all depends on what a virus needs in order to be loaded; a lot of viruses need an internet connection, and the default Safe Mode does not load the network stack or network drivers.

 

Your symptoms sound a lot more like spyware than a virus. If you have it, try running a scan with Ad-Aware or Spybot Search & Destroy. You can download them for free if you do not have either of them.


If this is still going on:

 

Windows Security Center has a fit if you're running Norton's antivirus, but doesn't ask you to download fixes via the little bubbles.

 

Are you running XP? Vista?

What antivirus software? lemme knowwwwwwwwwww

 

Any way to get a screenshot?

What programs are running in Task Manager?

Edited by Ryee


If the previous stuff doesn't work: find a program called HijackThis. It's small; download it, reboot your machine into Safe Mode, and run the program. Post the scan results here. "Do a system scan and save a log file" will save the scan results to the HijackThis folder, wherever you ran the program from. Just look for "hijackthis.log".

Edited by Shadrende


I think Gar is right, it sounds more like spyware.

 

The virus scan came back clean in Safe Mode. I just DL'd / installed Ad-Aware and it's running now. Found like 144 so far, but you know how that goes.

 

Ryee we're on XP here, and the AV is Symantic, or however it's spelled.

 

I'll try and get a SS .. just have to do real work in between troubleshooting this =P


I agree with sherd a sherd; whenever you get time (if Ad-Aware doesn't resolve it), post your HijackThis log.


Symantec corporate AV is pretty airtight; I'd see if they (your IT dept) have a current subscription license/new version etc. But post the HijackThis log, it should show what's on your computer.


F0 and 013 are evilzzzzzzz lawlawl


Logfile of HijackThis v1.99.1

Scan saved at 12:26:45 PM, on 4/9/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181602161093

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fanmats.com

O17 - HKLM\Software\..\Telephony: DomainName = fanmats.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fanmats.com

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: usdamooj - C:\WINDOWS\SYSTEM32\usdamooj.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

 

 


It basically dumps everything your computer has running, including services, startups, and browser helper objects. Is there anything more to your log? Seems short..


http://img101.imageshack.us/img101/7676/virusak8.png

 

That's what pops up every time I start up. I click No, it says "are you sure", then I just close it.

 

Then it'll start doing random balloon pop-ups by the clock saying stuff like "OMG THIS IS BUSTED DL THIS THING TO FIX IT" type stuff.


Make sure all your apps work after doing that; sometimes it will hose registry entries in the process. But yeah.


O20 - Winlogon Notify: usdamooj - C:\WINDOWS\SYSTEM32\usdamooj.dll

 

Congratulations, this was most likely the culprit.

I checked a couple of process databases, and none of them have entries for usdamooj.dll.

 

Don't know where the associated program was, but I'm glad system restore fixed it.

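The reasoning in the posts above (scan the O20 lines, notice a Winlogon Notify DLL with a name nobody recognises) can be turned into a repeatable triage check. The script below is an added example written for this thread; it is not HijackThis's own code or output. It parses lines in the v1.99.1 format shown in the posted log, flags any Winlogon Notify package that is not on a known-good list, and separately reports entries marked "(file missing)" as stale. The sample log and the `KNOWN_NOTIFY` allowlist are constructed for the example (in real triage, build the allowlist from a clean reference machine of the same build). Winlogon Notify DLLs are loaded by winlogon.exe itself rather than by a network-dependent service, which is consistent with the popup surviving Safe Mode.

```python
"""Triage a HijackThis-style log: parse the entry lines and flag Winlogon
Notify DLLs that are not on a known-good list.

Added example for this thread, not HijackThis's own code. The log format
follows the v1.99.1 output posted above; the sample log and the allowlist
are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample in HijackThis v1.99 format, modelled on the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: usdamooj - C:\WINDOWS\SYSTEM32\usdamooj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed allowlist (an assumption for this example): Winlogon Notify
# packages a defender would expect on an XP build like the one in the thread.
# In real triage, derive this from a clean reference machine, not from memory.
KNOWN_NOTIFY = {"igfxcui", "navlogon", "wgalogon", "crypt32chain", "cryptnet",
                "cscdll", "scecli", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# "O20 - Winlogon Notify: <name> - <dll path>" and the generic "<code> - <body>" shape
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return one dict per HijackThis entry line (R0/R1/F0/O2/O4/... prefixes)."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, blanks and the "Running processes" paths
        body = m.group("body")
        entries.append({"code": m.group("code"), "body": body,
                        "file_missing": body.endswith("(file missing)")})
    return entries


def triage(text):
    """Apply two defender-side checks; return (severity, code, detail, reason) tuples."""
    findings = []
    for e in parse_hjt(text):
        if e["code"] == "O20":
            m = NOTIFY_RE.match(e["body"])
            if m and m.group("name").lower() not in KNOWN_NOTIFY:
                # winlogon.exe loads these packages itself, so they run even in
                # Safe Mode; an unrecognised one is the first thing to examine.
                findings.append(("high", "O20", f"{m.group('name')} -> {m.group('path')}",
                                 "Winlogon Notify package not on the known-good list"))
        if e["file_missing"]:
            findings.append(("low", e["code"], e["body"],
                             "references a file that no longer exists (stale entry)"))
    return findings


def summarize(text):
    """Count entries per HijackThis section code, e.g. {'O20': 4, 'O4': 2, ...}."""
    return Counter(e["code"] for e in parse_hjt(text))


if __name__ == "__main__":
    for sev, code, detail, reason in triage(SAMPLE_LOG):
        print(f"[{sev}] {code}: {detail}  ({reason})")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against the sample and the only high-severity finding is the usdamooj entry; the three other Notify packages are on the allowlist and the xpnetdiag line comes back as a low-severity stale entry. The same two functions work on a saved hijackthis.log read from disk, since the parser skips the header and process-list lines on its own.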

Man, I need a new job; reading this whole thread was borderline understandable to me =/
