EggXpert

hey guys. i need some help here.  i seem to have gotten some sort of virus/spyware/malware.  it is named "joke.blusod."  i have norton 360 on my computer and somehow it got through.  when i run a norton scan, it detects the item, then "fixes" the problem and states the threat is removed.  norton then prompts me to reboot my computer, which i do, and yet each time i restart, the problem remains.  i've also tried going online and getting other free scans (trendmicro, spybot, etc) but i think the virus is preventing me from reaching those sites - i can go to any website except for one related to any sort of scan or protection.  i don't know what else to do.  anyone got any advice??

Ummmm, its a screen saver, I have it, love it.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-062714-5037-99

Not sure why norton 360 would be picking up on it though, mine doesn't

well, lets see... i didn't install/download it or in any other way put it on my computer.  seeing as how norton detects it, then claims the threat is fixed, then it re-appears, i'm pretty sure that's indicative of some problem.  not to mention that since it appeared, my internet browsing has been altered and seems to be re-routing itself to websites other than where i want to go.

 update:  i seem to have located the main file for the program, and, as GmsCool stated, it seems to be a screensaver program.  however, when i delete it and all traces and related files, and empty my recycle bin, then clean up my registry and verify my start-up programs are all legit, i restart my computer only to find the program has re-installed itself.  i have no idea where to go from here.

boot into "safe mode" and run any "spy/ad-ware" removal tools you have.

Tallon41 

Ouch, figured maybe you had it, and norton was buggy with it.

Well do some malware scanning, download  Superantispyware, can get the free version and give it a shot. Direct download

You might also try AVG on it to give it a shot. Direct download  (it works along side norton 360 just fine for me)

socrplar125:

, i restart my computer only to find the program has re-installed itself.  i have no idea where to go from here.

go to "safe mode"

you may have to "show hidden files and folders" to see these in safe mode I can't remember 

go to  documents and settings\[your user profiles name]\local settings\temp      (delete EVERYTHING here)

empty recycle bin. 

goto    documents and settings\[your user profiles name]\local settings\temporary internet files\ie5content\

 delete all but 1 of the browser folders here, then empty the contents of it.  Delete any "desktop.ini" files you see here as well.

empty recycle bin.

goto  c:\windows\temp   Delete everything here

empty recycle bin

goto c:\windows\prefetch  delete everything here

empty recycle bin.

that should do it.

Tallon41
 

I too suffer from this same affliction. I have tried several things...Smitfraud in safe mode, CCleaner, RogueRemover, hijackthis scans only to still be plagued with this self replicating mutating virus. I find this joke to be unfunny to say the least. I remove, delete, etc. does anyone know what registry key this damn thing is using or have a web site soecfically dedicated to finding and killing this thing.

After every reboot I get the same message back and a new file version detected on another scan that I repeat the entire process to attempt to rid myself of this plague. I have scanned with Nortons, Avast, Avanquest only to be .....yes still plagued with another file detected on another scan with an increased incremented, yet non linear or even a multiple ther of, file number.

I and interested others as well as the originator of this blog need some serious killing and removal power here to erradicate this, very very very unfunny joke. This comedian must be terminated.

HELP!!!!!!!!!!!!!!!!!!!

open the registry.  Look at

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

scroll to the bottom if needed, or maximize the window.

look at keys

Shell = Explorer.exe
UIHost = logonui.exe
Userinit = C:\WINDOWS\system32\userinit.exe,  (please note the comma at the end)
VmApplet = rundll32 shell32,Control_RunDLL "sysdm.cpl"

viruses that are self-repairing will often change the "shell" or tack on the userinit another program after the comma 

 

next expand the "notify" folder listed below "winlogon"

crypt32chain
cryptnet
cscdll
NavLogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
wlballoon

the above are [not sorry about that !] normal.  Google any that you have that are NOT on this list, and if you find no references to legitimate programs that you've installed, then delete them, or post yours here an we can look at them.

clicking on the key will reveal the DllName or exe file that is being used to run the viruses "repair"  you can google that, as well as locate that file on your drive and remove/rename it.

don't forget to empty  c:\windows\prefetch  as this is where the system places "short-cuts" to file locations on the hard drive.  deleting the file but having an entry here could undo all.

Tallon41

 

 

in my "Winlogon" folder, i have the key Userinit = C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\oembios.exe,

is that last, bolded part a legit windows operation? or part of the virus problem?

 

 I also found a folder entitled "WRNotifier" under the "Notify" folder under "Winlogon" in the registry.  what do you think about this folder?

It seems that after I cleared out my temp files and other files/folders per tallon41's advice, the virus is gone, seeing as how i don't see it running in the "processes" tab of the task manager nor does norton still pick it up on a scan.

HOWEVER

I do seem to still be having a problem of somethign controlling my internet browsing.  I use firefox, but it's happening with IE7 as well.  If i search for something like "spybot" on yahoo, it will go to the yahoo search results page, but once i click on the link to go to the spybot website, it will redirect me to some random search site.  it also won't allow me to download anything (so far i've only tested this with spyware/AV programs).  it says the download is complete, but the downloaded file is always corrupted.  could this be related to my earlier problem with "joke.blusod"? or is it somethign separate?

 thanks for all your help thus far. i really appreciate it.  people who make this kind of s*** piss me the heck off! 

One last thing that i've noticed... this may have been there all along, but i doubt it.  when i am going to a website in my web browser(firefox) in the lower left, where it says what the browser is doing, it will say somethign like this:

 "waiting for www.yahoo.com", "transferring from www.yahoo.com", etc.

the normal stuff until this one comes up:

"waiting for analitic-checks.google.com"

that message will show in between the yahoo messages or whatever else.  it doesn't seem to me that that website or address would have anythign to do with accessing yahoo.  let me know what you guys think.

socrplar125:

in my "Winlogon" folder, i have the key Userinit = C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\oembios.exe,  

what version of XP do you have, and who made your PC  ? 

 

socrplar125:

I also found a folder entitled "WRNotifier" under the "Notify" folder under "Winlogon" in the registry.  what do you think about this folder?

This is a legitimate part of SpySweeper v 4.5 by Webroot

 Tallon41

socrplar125:

...  could this be related to my earlier problem with "joke.blusod"? or is it somethign separate?

it could be either really doesn't matter, you are still infected with adware.

Download and install  hijackthis from TrendMicro 

do a system scan and post a log file here.

Tallon41

[or you COULD, boot into "safe mode with networking" and scan with spysweeper and see if it can "clean" it now, (try and update it first.) ]

 

Thanks, Tallon41,

I just followed your instructions about removing the "joke.blusod" virus. Booting in safe mode and deleting the files you mentioned cured my machine. 

The SuperAntiVirus and Spybot programs both found the virus, but could not remove it.  The safe mode method was the only thing that worked. 

-dma22

 

dma22:

Thanks, Tallon41,

I just followed your instructions about removing the "joke.blusod" virus. Booting in safe mode and deleting the files you mentioned cured my machine. 

The SuperAntiVirus and Spybot programs both found the virus, but could not remove it.  The safe mode method was the only thing that worked. 

-dma22

cool.

keep in mind that these usually have Trojan Droppers somewhere on your disk.  You need to boot into "safe mode" and scan your entire drive with an Anti-virus program.  The two you mentioned are Anti-Spy/Ad-ware products and are not the same thing.

Tallon41

I spent quite a while attempting to get spybot, ad-aware and avg free on my computer and have finally figured out a way.  since whatever is controlling my browsing isn't allowing me to visit the websites or allowing me to download anything through the browser, i downloaded them on my work computer and forwarded them to my email on my personal computer (the infected PC).  it's worked and i am currently booting into safe mode to run multiple of the scanners and hopefully it all works out.  unfortunately, your first solution of deleting files has not seemed to cure the internet problems.  i'll let you know how it goes.  thanks.

socrplar125:

I spent quite a while attempting to get spybot, ad-aware and avg free ...

interesting as I did not recommend those items.  In fact, I stopped recommending BOTH ad-aware and spybot S&D early this year.

Super-anti spyware does a better job than both.  As for AVG, if you can still get the 7.5 version, then use it.....otherwise I recommend Avast anti-virus.

socrplar125:

i downloaded them on my work computer and forwarded them to my email on my personal computer (the infected PC). 

or you could have copied them to a flash drive, (UPS or other type.)

there is likely a LSP inserted into your TCP/IP protocol.  the hijackthis program mentioned above will confirm that or not.

Tallon41

i just got what i could when i could in terms of programs.  anyway, here's the hijackthis logfile:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:49 AM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\wmp54gsv1_1.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\MemTurbo 4\MemTurbo.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DIGStream] "C:\Program Files\DIGStream\digstream.exe"
O4 - HKLM\..\Run: [DIGServices] "C:\Program Files\ESPNRunTime\DIGServices.exe"   /brand=ESPN   /priority=0   /poll=24
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo 4\MemTurbo.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133230315765
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 10197 bytes