| Thread ID: 92774 | 2008-08-22 15:53:00 | Hijacked and blocked from most spyware support sites. | Tensai (14108) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 699389 | 2008-08-22 15:53:00 | Sorry for the test topic, but whatever is on my computer isn't letting me post on forums as well it seems... just resets my connection every time. I tried to get this through so many times, you wouldn't believe it... got surprised the test topic actually got posted, was sort of a desperate attempt. Once again, excuses.
What I did
Before my computer got 'hit' I was on a (previously) trusted torrent site, tried to download a torrent, got redirected to one of those sites that needed you to wait a few seconds before the download link appears, clicked on it and suddenly my computer became slow as hell... before I realized something popped up calling itself "windows xp virus scanner" and telling me to click install. Of course I ignored it, but the computer was so slow I decided to just hit the reset button.
The problems
Once I got back into windows, the desktop has a "Warning! Spyware detected on your computer! install an antivirus or spyware remover to clean your computer" block. Then further down it shows two detected files: "Warning! win32/adware.virtumonde detected on your computer" and "Warning! win32/privacyremover.m64 detected on your computer". It looks like the interface of an antivirus program, but it's imprinted in my desktop, so I guess sort of a wallpaper rather than something real. The rest of the desktop is now white. Also, popups appeared and when I idle for a while, I get this (luckily, it turns out it's only a screensaver): a blue screen with the following warning: "A problem has been detected and windows will restart to prevent damage to your computer". The screen then turns black and proceeds to show the exact same rebooting screens as when you reboot Windows XP.
I went on to reboot in safe mode and scan the computer with avg spyware 7.5. After deletion of 110 tracking cookies, I booted back into windows to download the latest version of spybot for another scan... unfortunately, all its sites seem down and when I tried to install the older version I still had on my computer, it couldn't connect to the site for the install??? An awful lot of other sites I usually go to for problem solving seem to not connect as well, they just give me an "unable to connect" page immediately. It doesn't even try to connect, as normally happens when you're working offline or your internet is down. Can't enter any site I googled with "antispyware" in its link name either and can not enter hijackthis.nl either. Whatever is on my computer couldn't possibly have a list of well-known spyware removal sites which it blocks you from entering, could it??? | Tensai (14108) | ||
| 699390 | 2008-08-22 15:56:00 | A hijackthis log with v. 2.0.2. There's probably a newer version out now, but I can't go to hijackthis sites it seems to download it, so I hope this can do:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:46, on 22/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lphcr6dj0er99.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OutpostFeedBack] | Tensai (14108) | ||
| 699391 | 2008-08-22 15:59:00 | C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [lphcr6dj0er99] C:\WINDOWS\system32\lphcr6dj0er99.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerWord 2002.lnk = C:\Program my\Kingsoft\XDict\XDICT.EXE
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓÆµ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - www.kaspersky.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www.ca.com
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - cid-f97d314b4a8411d1.spaces.live.com
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - support.f-secure.com
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - ps.itv.mop.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8691 bytes | Tensai (14108) | ||
| 699392 | 2008-08-22 16:00:00 | Hope someone can help me with this... thanks in advance. EDIT: I also just used ATF Cleaner, selected everything and emptied. | Tensai (14108) | ||
| 699393 | 2008-08-22 18:50:00 | Run hijackthis again (you've got the latest version), tick these then tick fix checked
Close browsers
Disable system restore
C:\WINDOWS\system32\lphcr6dj0er99.exe <-- delete this file, this file will be the main problem
Uninstall Symantec Internet Security, it's rubbish
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphcr6dj0er99] C:\WINDOWS\system32\lphcr6dj0er99.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓÆµ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - ps.itv.mop.com
Then reboot. Then get Malwarebytes and trojan remover in my sig below, install, and update both. Then click on scan. Then select all options under the utilities menu in trojan remover. If you can't get to the trojan remover site, here's the direct link to the file (www.simplysup1.com). Uninstall AVG and install Avast Home (www.avast.com) | Speedy Gonzales (78) | ||
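An added example, not from this thread or from HijackThis: a small Python triage script that applies the reasoning in Speedy's reply to HijackThis log lines. It flags Run entries whose image sits directly in system32 but is outside a constructed allowlist, Run value names that look random (like lphcr6dj0er99), and any program appended to the default UserInit value (the log's F2 line lists a second one). The allowlist and the randomness heuristic are assumptions made for this illustration.

```python
import re

# Default UserInit on Windows XP; winlogon runs every comma-separated entry at logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Constructed allowlist of images expected to autorun straight out of system32
# on this machine (an assumption for this example, not from the thread).
EXPECTED_SYSTEM32_AUTORUNS = {"ctfmon.exe", "hkcmd.exe", "igfxpers.exe", "igfxtray.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$", re.I)

def image_path(rest):
    """Return the image path at the front of an O4 command line, quoted or not."""
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    m = re.match(r"(.+?\.exe)", rest, re.I)
    return m.group(1) if m else rest.split()[0]

def looks_random(name):
    """Heuristic (assumption): 3+ letter/digit switches, as in 'lphcr6dj0er99'."""
    return len(re.findall(r"[a-z]\d|\d[a-z]", name.lower())) >= 3

def triage(log_lines):
    """Return (reason, line) pairs for F2/O4 entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log_lines):
        if m := F2_RE.match(line):
            entries = [p.strip().lower() for p in m.group("value").split(",") if p.strip()]
            if extra := [p for p in entries if p != DEFAULT_USERINIT]:
                findings.append(("UserInit also runs " + ", ".join(extra), line))
        elif m := O4_RE.match(line):
            parent, _, base = image_path(m.group("rest")).lower().rpartition("\\")
            if parent.endswith("\\system32") and base not in EXPECTED_SYSTEM32_AUTORUNS:
                findings.append(("unexpected system32 autorun", line))
            elif looks_random(m.group("name")):
                findings.append(("random-looking Run value name", line))
    return findings

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lphcr6dj0er99] C:\WINDOWS\system32\lphcr6dj0er99.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
""".strip().splitlines()
FINDINGS = triage(SAMPLE_LOG)  # the UserInit line and the lphcr6dj0er99 Run entry
```

The IME entry under System32\IME is deliberately left alone by the parent-directory check, which is why the script flags only two of the seven sample lines.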
| 699394 | 2008-08-22 21:59:00 | I was on a (previously) trusted torrent site, tried to download a torrent, got redirected to one of those sites
Tut, tut. No such thing as trusted torrents. For one thing, never mind the torrent site itself, where do you think all these files come from? Someone else's infested PC most likely. And second you should have all your anti-spyware already installed, not try to get them after the infections have occurred. Apart from what Speedy has said, make sure you have at least 2 antispyware programs installed, update them at least once a fortnight and scan at least twice a week. Spybot, Spyware Terminator, Superantispyware are 3 of the better free ones. | pctek (84) | ||
| 699395 | 2008-08-22 22:05:00 | Run hijackthis again (you've got the latest version), tick these then tick fix checked
Close browsers
Disable system restore
C:\WINDOWS\system32\lphcr6dj0er99.exe <-- delete this file, this file will be the main problem
Uninstall Symantec Internet Security, it's rubbish
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphcr6dj0er99] C:\WINDOWS\system32\lphcr6dj0er99.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Ãâ·Ñ¾«²ÊÊÓÆµ³¬Á÷³©ÔÚÏß¹Û¿´ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: ²¥°ÔµçÊÓ - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - ps.itv.mop.com
Then reboot. Then get Malwarebytes and trojan remover in my sig below, install, and update both. Then click on scan. Then select all options under the utilities menu in trojan remover. If you can't get to the trojan remover site, here's the direct link to the file (www.simplysup1.com). Uninstall AVG and install Avast Home (www.avast.com)
Thanks for the reply and your help. Before I do anything, I see you have taken out a few lines from my hijackthis log. What do you want me to do with that? And removing the file you're telling me: is it as simple as going to that particular directory and deleting it? Or is your explanation and advice on downloading and running the programs you mentioned further down meant to tell me how to get rid of that file? I should have included in the post that I am no computer expert, nor do I deal with this stuff regularly... so basically, I need to be told what to do to the point :( | Tensai (14108) | ||
| 699396 | 2008-08-22 22:11:00 | You tick the entries I posted, then tick fix checked. Like what I said in the post.
NO, don't delete the folders, you'll make things worse.
Go to control panel / add or remove programs, find the entry then uninstall the program.
The files / links I gave will scan your system to see if there's anything nasty on it. And Avast is better than AVG as an anti virus program.
And if the my computer icon is on the desktop / right mouse on it / properties. Go to the system restore tab FIRST, and tick turn off system restore. | Speedy Gonzales (78) | ||
| 699397 | 2008-08-22 22:42:00 | I have just:
- uninstalled symantec from the add-remove
- disabled system restore
- closed browsers
- ran hjt, checked the lines you told me to, fixed them
- rebooted
The desktop has turned from white to blue, with that fake warning thing still imprinted in it. Internet speed seems to be back though. I could not delete the file you told me to, says it's in use. What now? | Tensai (14108) | ||
| 699398 | 2008-08-22 22:45:00 | Never mind, after the reboot, I tried again. That file is gone now. Should I reboot to check if the desktop is back to normal yet? | Tensai (14108) | ||