Jimbo145
Resident Pimp
+15|6536|Upstate Noo Yawk
Somehow I got a virus or something...

What is happening is the background has been changed and has a box that says "WARNING! Spyware detected on your computer!" in the middle. You can't change the background in any way.


I tried to do a system restore but there were no dates.
I did a Spybot S&D scan and it found a few things but didn't solve the problem.
I ran a Norton Antivirus and it found nothing.

I ran a Hijack This! search and these are the results:

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:06 AM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\NORTON~2\NORTON~1\navw32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphc9adj0etb9] C:\WINDOWS\system32\lphc9adj0etb9.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7586 bytes
If anyone knows what it means please post!
AussieReaper
( ͡° ͜ʖ ͡°)
+5,761|6420|what

Restart in safe mode and try running all your scans again. Make sure you select to do a thorough scan though, a quick scan can miss plenty.
Wallpaper
+303|6261|The pool
Norton is terrible. Try Avast! or AVG Free and do thorough scans
Jimbo145
Resident Pimp
+15|6536|Upstate Noo Yawk

TheAussieReaper wrote:

Restart in safe mode and try running all your scans again. Make sure you select to do a thorough scan though, a quick scan can miss plenty.
Thanks for the quick replies..

I'm trying the above now
Cheez
Herman is a warmaphrodite
+1,027|6706|King Of The Islands

Run this (direct link ftw).
My state was founded by Batman. Your opinion is invalid.
Defiance
Member
+438|6938

I'm no old hand with HijackThis, but this just doesn't look any good.

O4 - HKLM\..\Run: [lphc9adj0etb9] C:\WINDOWS\system32\lphc9adj0etb9.exe
']['error.V2
Om nom nom nom
+48|6080
OK, I've taken a look at it and it seems you have a lot of junk running on your PC.

1- Two or more antivirus scanners running at the same time isn't good for your PC; they can play up against each other. Remove McAfee or Norton.
2- What's up with all the Yahoo crap? Are you sure you want it on your PC? It isn't spyware or something, but it sure carries some extra load for your computer to handle.
3- Now for the virus, I can't really figure out which virus it is, but the "no name" shit is always suspicious. What kind of software wants to be hidden without a name? Viruses and spyware! Also "lphc9adj0etb9.exe" isn't associated with any program at all, and Google can't seem to identify the process either. I'm about 90% sure it belongs to the virus.

Now delete these with hijack:

Code:

O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [lphc9adj0etb9] C:\WINDOWS\system32\lphc9adj0etb9.exe
OK, now update your antivirus and Spybot and reboot in safe mode WITHOUT network connections. Then run a FULL scan with your antivirus and Spybot. Hope this helps.

Last edited by ']['error.V2 (2008-08-19 02:39:26)
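
The three entries picked out in the post above follow two patterns: BHO/toolbar registrations with no file behind them, and a Run-key autostart in system32 whose value name is a random-looking string matching its own file name. As an added example (not part of the thread and not HijackThis's own logic), this Python script applies those two checks to a HijackThis log; the function names and the randomness thresholds are assumptions, and a hit is a lead to investigate, not a verdict.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lphc9adj0etb9] C:\WINDOWS\system32\lphc9adj0etb9.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
RUN = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)', re.I)

def looks_random(stem):
    """Assumed heuristic: long alphanumeric name with digits scattered through it."""
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return len(stem) >= 10 and stem.isalnum() and switches >= 3

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        # BHO (O2) or toolbar (O3) whose CLSID points at a file that is gone.
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((section, "registration with no file", body))
        run = RUN.match(body) if section == "O4" else None
        if run:
            path = run["path"]
            stem = ntpath.splitext(ntpath.basename(path))[0]
            same_name = stem.lower() == run["name"].lower()
            if "\\system32\\" in path.lower() and same_name and looks_random(stem):
                findings.append((section, "random-named autorun in system32", path))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```
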

Trotskygrad
бля
+354|6266|Vortex Ring State
You have a Zune? O_o

and the suspicious process (lphc9adj0etb9.exe) probably is a derivative of a password cracker... lphc --> l0pht crack?
Jimbo145
Resident Pimp
+15|6536|Upstate Noo Yawk
Something I did worked

Everything that was suspicious is gone
weerdfoo1
Banned
+26|6431|California

Jimbo145 wrote:

Something I did worked

Everything that was suspicious is gone
Well, then it's probably too late for this but I had a similar problem once with the background changing.

I used the system restore that Windows has and I restored it back to a point when I knew my computer was clean and it worked perfectly afterwards.
']['error.V2
Om nom nom nom
+48|6080
nice to hear you got it fixed
God Save the Queen
Banned
+628|6610|tropical regions of london
who here knows how to fix my computer?
Freezer7Pro
I don't come here a lot anymore.
+1,447|6464|Winland

God Save the Queen wrote:

who here knows how to fix my computer?
EE is that way ->
The idea of any hi-fi system is to reproduce the source material as faithfully as possible, and to deliberately add distortion to everything you hear (due to amplifier deficiencies) because it sounds 'nice' is simply not high fidelity. If that is what you want to hear then there is no problem with that, but by adding so much additional material (by way of harmonics and intermodulation) you have a tailored sound system, not a hi-fi. - Rod Elliot, ESP
God Save the Queen
Banned
+628|6610|tropical regions of london
is that where they can fix my computer?
Afroman.exe
Banned
+25|5962|Adelaide, Australia
That virus is most likely the Anti virus 2008 or vista antivirus08 or something along those lines. What I have found is that the best method to remove these things is running MalwareBytes AntiMalware; this program works so well and will remove 90% of the virus... I would probably only use ComboFix as a last resort, as it sometimes deletes legit software and they state that 1/100 machines tested don't make it out alive. Once you scan with malware I would also manually search the registry for any keys that have the string of j0e, braviax or buritos in it and are about 12 or 13 characters long. If you search through your registry and find any of them, delete 'em. Also, if your scans won't fix the problem of your desktop and screensaver tabs coming back, then there is a manual key that you can flick from a 1 to a 0 and that will fix this.
