
How do I fix VIRUS ALERT! problem?



All,

I've been infected by the VIRUS ALERT! bug. I believe that I've removed the virus by running AVG. It now runs clean and my system is no longer trying to download malware. However, I still have VIRUS ALERT! in my system tray, the C: and D: drives are missing from Windows Explorer and there are several buttons on my Startup Menu that are missing.

Does anyone have any ideas on how to recover?

Thanks,

SteveG

Here is a copy of the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35: VIRUS ALERT!, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...000&N=PLHS&O=I
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {13B42F27-D7AB-48D2-B60B-DAF796DEAD28} - C:\WINDOWS\system32\cbXOFUoL.dll (file missing)
O2 - BHO: (no name) - {33DA9E3C-935E-4EC2-977D-AFE3A3B5E727} - C:\WINDOWS\system32\qoMeEUOh.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {88a2b195-7f4f-5808-ee84-9993f2fb6587} - {7856bf2f-3999-48ee-8085-f4f7591b2a88} - C:\WINDOWS\system32\jxwbmp.dll (file missing)
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\WINDOWS\wbxdpgfekal.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\tejvfwey.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
O4 - HKUS\S-1-5-21-2822928581-3459612616-898833586-1016\..\Run: [RecordNow!] (User 'Admin')
O4 - HKUS\S-1-5-21-2822928581-3459612616-898833586-1016\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Admin')
O4 - HKUS\S-1-5-21-2822928581-3459612616-898833586-1016\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Admin')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {1011E032-5CF3-4795-B751-3AA5E008CCA6} - http://download.verizon.net/sfp/Cabs...date_1-0-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120510998546
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} - http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10892 bytes



OMG. That system must be running excruciatingly slow!

AVG, Symantec AV, Zone Alarm, STOPzilla, SUPERAntiSpyware, SpamSubtract all running at the same time? That's the most I've ever seen...

Plus all the many other startup entries, like Apple's, Photoshop Album's, the Yahoo mail thing, the Acrobat tray icon thing, webshots desktop, evidence eliminator, cinema manager, 5 various processes for HP stuff, VTTimer, media player sharing stuff, tons of wireless tray icon things (Belkin's + Dell's + 3 processes for Broadcom's -- some of these likely aren't legit), plus extra toolbars (like yahoo's), QuickTime, entries for recordnow and nview, the office startup, Google updater stuff, etc. Again, I don't recall ever seeing so many startup processes on any computer, ever.

However, I still have VIRUS ALERT! in my system tray, the C: and D: drives are missing from Windows Explorer and there are several buttons on my Startup Menu that are missing.

You still have some suspicious entries, like this one:

O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\tejvfwey.dll",b

but when things get so bad that drives are missing and such, and the machine is loaded with unnecessary processes like that too, you just might be better off reinstalling clean, and trying not to get infected like that next time.

It looks like you're an IE user, and that's where most of that nasty stuff came from (lots of BHOs, namely). Ditch IE, and all that nonsense will stop for good, and then you won't need all those antispyware things and whatnot.

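The reply above singles out two things still wrong in the log: the BHO/toolbar entries whose DLL is "(file missing)" (orphaned CLSID registrations left behind once a scanner deleted the file), and the [20ddfb3d] Run entry that loads a DLL from system32 through rundll32.exe. As an added example (my code, not from the thread or from HijackThis), the script below turns those two observations, plus the altered clock string in the log header, into triage rules and runs them over a SAMPLE_LOG constructed from lines of the posted log. The rules are heuristics of mine, and the hex-value-name / one-letter-export test is what separates the suspicious rundll32 line from the legitimate NVIEW one in the same log.

```python
"""Triage a HijackThis log for the leftovers the reply above points at.

Added example, not code from the thread or from HijackThis. Heuristics (mine):
 (1) O2/O3 entries reported "(file missing)" are orphaned CLSID registrations;
 (2) O4 Run entries that launch rundll32.exe under a hex-looking value name or
     with a one-letter export (like [20ddfb3d] ... tejvfwey.dll,b) are loader
     stubs for a DLL the scanner may not have caught;
 (3) a "Scan saved at" clock string that is not a plain time means the user's
     time format was altered, which is how "VIRUS ALERT!" reaches the tray.
SAMPLE_LOG is constructed from lines of the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35: VIRUS ALERT!, on 7/19/2008
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {13B42F27-D7AB-48D2-B60B-DAF796DEAD28} - C:\WINDOWS\system32\cbXOFUoL.dll (file missing)
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\WINDOWS\wbxdpgfekal.dll (file missing)
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\tejvfwey.dll",b
O4 - HKUS\S-1-5-21-2822928581-3459612616-898833586-1016\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Admin')
"""


@dataclass
class Finding:
    kind: str
    line: str


# O2 (BHO) / O3 (toolbar) lines whose DLL no longer exists on disk.
FILE_MISSING = re.compile(r"^O[23] - .*\(file missing\)$")
# O4 Run/RunOnce entries of the form [name] rundll32.exe "dll",export
RUNDLL = re.compile(
    r"^O4 - .*\\Run(?:Once)?: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)?\s+"
    r'"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?'
)
HEX_NAME = re.compile(r"[0-9a-f]{6,}", re.I)
SCAN_TIME = re.compile(r"^Scan saved at (?P<clock>.*?), on ")
# What the header looks like with an untouched time format, e.g. 11:35:12 AM
NORMAL_CLOCK = re.compile(r"^\d{1,2}:\d{2}(?::\d{2})?(?: [AP]M)?$")


def triage(log_text: str) -> list:
    """Return the Findings the heuristics raise for each line of a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SCAN_TIME.match(line)
        if m and not NORMAL_CLOCK.match(m["clock"]):
            findings.append(Finding("clock string altered", line))
            continue
        if FILE_MISSING.match(line):
            findings.append(Finding("orphaned BHO/toolbar", line))
            continue
        m = RUNDLL.match(line)
        if m:
            hex_value_name = HEX_NAME.fullmatch(m["name"]) is not None
            one_letter_export = len(m["entry"] or "") == 1
            if hex_value_name or one_letter_export:
                findings.append(Finding("rundll32 loader", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
```

Replace SAMPLE_LOG with the text of a real log (the whole file can be read in, unmatched lines are ignored) to get the three "(file missing)" entries, the tejvfwey.dll loader and the tampered header reported, while the ZoneAlarm, Yahoo and NVIEW lines pass.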

Indeed; besides that, take a look at what isn't needed:

C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=s...000&N=PLHS&O=I
O2 - BHO: (no name) - {13B42F27-D7AB-48D2-B60B-DAF796DEAD28} - C:\WINDOWS\system32\cbXOFUoL.dll (file missing)
O2 - BHO: (no name) - {33DA9E3C-935E-4EC2-977D-AFE3A3B5E727} - C:\WINDOWS\system32\qoMeEUOh.dll (file missing)
O2 - BHO: {88a2b195-7f4f-5808-ee84-9993f2fb6587} - {7856bf2f-3999-48ee-8085-f4f7591b2a88} - C:\WINDOWS\system32\jxwbmp.dll (file missing)
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\WINDOWS\wbxdpgfekal.dll (file missing)
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\WINDOWS\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\tejvfwey.dll",b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Admin')
O4 - S-1-5-21-2822928581-3459612616-898833586-1016 User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Admin')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - (no file)

And there is more…

Norton, SUPERAntiSpyware and SpamSubtract are messing up that computer too, IF they are still installed. Try to uninstall them.

I would back up your system and reinstall it, this time without the HP software that came with the PC (laptop?); just use the drivers and the small programs for the extra buttons on the keyboard. Never install all those "toolbars"...


Hi Guys,

I posted my problem to another website at the same time as this one and I am going to continue troubleshooting with them. I'm sorry if I've wasted your time.

I did find out from my IT guy at work that part of the problem was that the virus loaded some registry keys in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Once I deleted the extraneous keys I got my C: and D: drives, My Computer, Log Off and the Run command back. I still have some work to do to clean up the other registry key problems, but I may just move my data to another account. The Admin account doesn't have these issues. At least AVG got rid of the virus. I'm also working on cleaning up the extra software that I've got loaded.

Thanks for the support!

SteveG

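SteveG's fix (deleting values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies) is the part of this thread worth generalising: those per-user policy values are what hide drives and strip Run and Log Off from the Start menu, and a scanner that removes the dropper leaves them in place. As an added example, not from the thread, the script below parses the text of a `reg export` of that hive, decodes the NoDrives bitmask into drive letters, names the effect of each well-known Explorer/System policy value, and prints the `reg delete` that undoes it. It also checks the AM/PM designators (s1159/s2359) under HKCU\Control Panel\International, which is the string the tray clock renders and which the "Scan saved at 11:35: VIRUS ALERT!" header in the log shows was altered. SAMPLE_REG is constructed, with NoDrives set to 0x0c (C: and D:) to match what SteveG describes; the infection's actual set of values is not given in the thread.

```python
"""Decode HKCU policy values of the kind that hid SteveG's drives and Start
menu items, from the text of a `reg export` (.reg) dump.

Added example, not from the thread. Value names and effects are the documented
Explorer/System policy values; SAMPLE_REG is a constructed export whose NoDrives
bitmask hides exactly C: and D: and whose AM/PM designators carry the
"VIRUS ALERT!" text. The infection's real value set is not known from the thread.
"""
import re
import string

# Per-user policy values and what each does when set to 1 (bitmask for the
# two drive values). Explorer values live under ...\Policies\Explorer, the
# Disable* values under ...\Policies\System.
POLICY_EFFECTS = {
    "NoDrives": "hides the listed drives in Explorer and My Computer",
    "NoViewOnDrive": "blocks opening the listed drives",
    "NoRun": "removes Run from the Start menu",
    "NoLogOff": "removes Log Off from the Start menu",
    "NoFind": "removes Search from the Start menu",
    "NoClose": "removes Shut Down from the Start menu",
    "NoFolderOptions": "removes Folder Options (keeps hidden files hidden)",
    "NoControlPanel": "blocks Control Panel",
    "NoDesktop": "hides every desktop icon",
    "NoSetTaskbar": "blocks Taskbar and Start Menu properties",
    "DisableTaskMgr": "disables Task Manager",
    "DisableRegistryTools": "disables regedit",
}
DRIVE_MASKS = ("NoDrives", "NoViewOnDrive")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:0000000c
"NoRun"=dword:00000001
"NoLogOff"=dword:00000001
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\International]
"s1159"="VIRUS ALERT!"
"s2359"="VIRUS ALERT!"
"sTimeFormat"="HH:mm: tt"
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key: {value_name: value}} for the dword and string values in .reg text."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m["key"]
            tree.setdefault(key, {})
            continue
        m = REG_VALUE.match(line)
        if not (m and key):
            continue
        data = m["data"]
        if data.startswith("dword:"):
            tree[key][m["name"]] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][m["name"]] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            tree[key][m["name"]] = data  # hex(...) and other types kept raw
    return tree


def drives_from_mask(mask):
    """Bit 0 is A:, bit 1 is B:, ... so 0x0c (bits 2 and 3) means C: and D:."""
    return [letter for i, letter in enumerate(string.ascii_uppercase) if mask >> i & 1]


def audit(reg_text):
    """List every value worth reviewing, each with the reg.exe command that undoes it."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        short = key.replace("HKEY_CURRENT_USER", "HKCU", 1)
        if "\\Policies\\" in key:
            for name, value in values.items():
                if name in DRIVE_MASKS and isinstance(value, int):
                    effect = f"{POLICY_EFFECTS[name]}: {', '.join(drives_from_mask(value))}"
                elif name in POLICY_EFFECTS:
                    if not value:
                        continue  # present but 0: not enforced
                    effect = POLICY_EFFECTS[name]
                else:
                    effect = "not a well-known policy value; review manually"
                findings.append({"key": key, "name": name, "value": value, "effect": effect,
                                 "remedy": f'reg delete "{short}" /v {name} /f'})
        elif key.endswith("\\Control Panel\\International"):
            # Heuristic: AM/PM designators are short tokens in every locale, so
            # anything with spaces or longer than five characters was tampered with.
            for name, default in (("s1159", "AM"), ("s2359", "PM")):
                value = str(values.get(name, ""))
                if not re.fullmatch(r"[\w.]{0,5}", value):
                    findings.append({"key": key, "name": name, "value": value,
                                     "effect": "tray clock shows this instead of AM/PM",
                                     "remedy": f'reg add "{short}" /v {name} /t REG_SZ /d "{default}" /f'})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f['name']}={f['value']!r}: {f['effect']}\n    {f['remedy']}")
```

On the infected account, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies policies.reg` and `reg export "HKCU\Control Panel\International" intl.reg` produce the input; the exports are UTF-16, so open them with that encoding before passing the text in. Explorer has to be restarted (or the user logged off and on) before the drives and Start menu items reappear, which is consistent with SteveG seeing them return after deleting the keys.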
