Pelican Parts Forums


Arizona_928 08-19-2008 09:16 PM

computer ****** up
 
so i got a PM from A911GUY w/ a link to a YouTube knock-off site. got on the site and it fuched up my computer big time. i got something that's working off my anti virus system and is trying to get me to buy their software to fix the schiesse that they put on my computer! the stuff pops up every f'ing minute, i've tried to delete the program but when i get to the delete programs it's not there! i've tried the roundabout way of going through the documents, found the lil b@stard, and tried to delete it, but it just wasn't that simple. arr stupid f'ing computers, i hope i don't have to do a system recovery! :mad:

slodave 08-19-2008 09:27 PM

Try Panda Software online scanner:
http://www.pandasecurity.com/activescan/index/

What is it telling you to buy/ do you know what got you?

Arizona_928 08-19-2008 09:35 PM

idk what it is but every 30 seconds something is popping.. soo annoying
WOW, when i tried to scan it with your site, IT blocked it. "the anti virus"

slodave 08-19-2008 09:58 PM

Do you have access to another computer? Do you feel comfortable in taking the hard drive out and connecting to another computer?

See if you can DL Hijackthis, run it, save a log file and post it here.
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

slodave 08-19-2008 09:59 PM

Also, do you have Spybot search and destroy or Adaware installed?

968rz 08-19-2008 09:59 PM

Write down the message that pops up and go to a clean machine and search Google and Norton for the fix (then do it and expect a fight). Also don't stop at the first one, they tend to download others; last one I removed for a co-worker started as 1 but ended up 27 before it was done.

slodave 08-19-2008 10:01 PM

Is it Winfixer (or variant)?:
http://en.wikipedia.org/wiki/WinFixer

Arizona_928 08-19-2008 10:34 PM

that's it.. but mine is window's antivirus 2008, and antispyware 2008 XP. they got two up on me... both have the 4 color shields and when the fake scan pops up it says i have every virus in the book...

i got exams tomorrow, and this is something i'm not gonna worry about till tomorrow...

thanks for the replies... they help!

slodave 08-19-2008 10:38 PM

Turn your computer off when you are finished for the night. Don't leave it running while you're not trying to fix it.

Here's a site to go to tomorrow to get some removal tools.
http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde

onewhippedpuppy 08-20-2008 04:42 AM

Did you report the spammer? No need for him to get anyone else.

Mule 08-20-2008 04:49 AM

When you're tired of bleeping around, Malwarebytes, then CCleaner, both free downloads.

unimog406 08-20-2008 07:03 AM

you could also try sprinkling 'essence of macintosh' over it. That usually takes care of those things :D

slodave 08-20-2008 02:36 PM

Alright Mule, since I just got nailed with Winfixer - thanks to those stupid political posts. :mad: I'll download ccleaner and give it a go...

http://forums.pelicanparts.com/uploa...1219271752.jpg

EDIT: Norton Corporate came up and isolated a file. Hopefully it has not fixed the problem.

ZOA NOM 08-20-2008 02:46 PM

Go into System Restore, and reset the OS back to the last restore point that occurred before you went to that site.

slodave 08-20-2008 02:47 PM

Quote:

Originally Posted by ZOANAS (Post 4131154)
Go into System Restore, and reset the OS back to the last restore point that occurred before you went to that site.

No, this is for Mule. He loves his ccleaner and thinks it'll get rid of Winfixer... Stay tuned! SmileWavy

slodave 08-20-2008 02:49 PM

I have another screen shot, but I can't upload at the moment. I wonder why...

slodave 08-20-2008 03:13 PM

OK, ran ccleaner as Mule would like everyone to do and wow!!!

Still infected, no surprise here.

Icemaster 08-20-2008 04:11 PM

Might as well call in a witch doctor and burn incense. It works as well as ccleaner.

jeffgrant 08-20-2008 04:16 PM

Sounds like you got hit by the recent Flash exploit, as talked about here: http://blogs.zdnet.com/security/?p=1733

slodave 08-20-2008 04:24 PM

The little bugger even disables Windows firewall...
http://forums.pelicanparts.com/uploa...1219277810.jpg

You can see one of the randomly named files running under TM.
http://forums.pelicanparts.com/uploa...1219277901.jpg

Malwarebytes did find winfixer... Took only 45 minutes though :rolleyes:
http://forums.pelicanparts.com/uploa...1219277992.jpg

Malwarebytes did get rid of Winfixer, but not 100%. I still have to get rid of a blank icon in my system tray. Now, had I run the Vundo fix I had posted last night, I would have been up and running within minutes, not 45 minutes. Ccleaner still sucks and does nothing.

BTW, I started this at 3:30 and ended at about 5:10.

Icemaster 08-20-2008 05:15 PM

Did you run a hijackthis scan and dump the log before starting the cleaning? I'm kind of curious what shows up.

slodave 08-20-2008 05:26 PM

Quote:

Originally Posted by Icemaster (Post 4131414)
Did you run a hijackthis scan and dump the log before starting the cleaning? I'm kind of curious what shows up.

No, as that is not an authorized Mule tool. He fights me every time with his ccleaner, so since I got hit with the same thing as AZ_porschekid, I decided to follow Mule's advice. And a waste of time it was, although if I was billing a client, I'd have made a killing.

I tried to reinfect my computer and run the appropriate Vundo/Winfixer script, but I could not. I was going to run the script.. If AZ_porschekid wants to forward the link he received, I'd be happy to reinfect my computer.

syncroid 08-20-2008 05:27 PM

Dumb question....did I miss something here? I thought the original poster was the one with the virus problem. (AZ_porschekid) Slodave, how did it get on "your" computer?

slodave 08-20-2008 05:31 PM

Quote:

Originally Posted by syncroid (Post 4131440)
Dumb question....did I miss something here? I thought the original poster was the one with the virus problem. (AZ_porschekid) Slodave, how did it get on "your" computer?

It's viral!!!

I'm not sure. I went to a website earlier and things started to pop up. I went back after cleaning (with both FF and IE7) and could not reinfect my laptop. Since it was the same thing, I decided to play...

syncroid 08-20-2008 05:33 PM

Very strange! Good luck and let us know how you get rid of it.

Joe Bob 08-20-2008 05:39 PM

I learned a lot when mine had a directory error. Best to remove the HD, hook it up as a slave to another, move your files and do an O/S reinstall.

A914guy@aol.com is Rich Johnson in Texas. Someone is spoofing his address.

slodave 08-20-2008 05:41 PM

Quote:

Originally Posted by syncroid (Post 4131454)
Very strange! Good luck and let us know how you get rid of it.

I already did... If you choose Mule's way, it'll take an hour or so and if you run ccleaner, it will do nothing except delete your history in FF and annoy you. The other program will clean Winfixer, but take an hour.

A faster way is to follow the link I posted last night and run the VirtumundoBeGone program.

Remember, this is what I do for a living.

slodave 08-20-2008 05:46 PM

Here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

5:02:19 PM 8/20/2008
mbam-log-08-20-2008 (17-02-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123225
Time elapsed: 42 minute(s), 45 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
C:\WINDOWS\system32\lphcpd2j0e597.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\blphcpd2j0e597.scr (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpd2j0e597 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\blphcpd2j0e597.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\lphcpd2j0e597.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\phcpd2j0e597.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\help.txt (Stolen.Data) -> No action taken.
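
A small parser for the log format posted above, added here as an example (it is not part of slodave's post and is not Malwarebytes code): it groups detections by family, picks out the autorun registry values that restart the malware at logon, and lists entries whose logged action is "No action taken". The function names are this example's own, and the embedded log is a shortened excerpt of the one above.

```python
import re
from collections import Counter
# Shortened excerpt of the log posted above; the full log lists more entries.
SAMPLE_LOG = r"""Memory Processes Infected:
C:\WINDOWS\system32\lphcpd2j0e597.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpd2j0e597 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\lphcpd2j0e597.exe (Trojan.FakeAlert) -> No action taken.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")          # e.g. "Files Infected:"
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        header, m = SECTION.match(line), ENTRY.match(line)
        if header:
            section = header.group(1)
        elif m and section:
            # Data-item lines carry "Bad: (1) Good: (0)" before the action.
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "item": m.group("item"),
                            "detection": m.group("detection"), "action": action})
    return entries

def triage(entries):
    """Summarise detection families, autorun values and untouched items."""
    return {
        "families": Counter(e["detection"] for e in entries),
        "autoruns": [e["item"] for e in entries
                     if e["section"].startswith("Registry") and AUTORUN.search(e["item"])],
        "unremediated": [e["item"] for e in entries if e["action"] == "No action taken"],
    }

if __name__ == "__main__":
    print(triage(parse_mbam_log(SAMPLE_LOG)))
```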

Mule 08-20-2008 06:26 PM

Quote:

Originally Posted by slodave (Post 4131135)
Alright Mule, since I just got nailed with Winfixer - thanks to those stupid political posts. :mad: I'll download ccleaner and give it a go...

http://forums.pelicanparts.com/uploa...1219271752.jpg

EDIT: Norton Corporate came up and isolated a file. Hopefully it has not fixed the problem.

What the hell is that?

Mule 08-20-2008 06:34 PM

Quote:

Originally Posted by slodave (Post 4131312)
The little bugger even disables Windows firewall...
http://forums.pelicanparts.com/uploa...1219277810.jpg

You can see one of the randomly named files running under TM.
http://forums.pelicanparts.com/uploa...1219277901.jpg

Malwarebytes did find winfixer... Took only 45 minutes though :rolleyes:
http://forums.pelicanparts.com/uploa...1219277992.jpg

Malwarebytes did get rid of Winfixer, but not 100%. I still have to get rid of a blank icon in my system tray. Now, had I run the Vundo fix I had posted last night, I would have been up and running within minutes, not 45 minutes. Ccleaner still sucks and does nothing.

BTW, I started this at 3:30 and ended at about 5:10.

So if I understand you CORRECTLY, anybody capable of doing a simple download and install can fix the problem WITHOUT the ridiculous complexity of running hijack this and posting the results, then waiting for some propellerhead to interpret them and devise some mystical fix. Would that be correct? If he ran Malwarebytes & Ccleaner last night he would have been done in how long did you say?

PS: Norton is for folks that don't know any better.

slodave 08-20-2008 06:55 PM

And had he run VirtumundoBeGone, he would have been done in less than 10 minutes and his computer would not be screwed up from ccleaner. Again, you don't do this for a living, you spout the same lame program.

I'll say it again and again and again, ccleaner DOES NOT DO ANYTHING! In fact, it will cause more problems.

Norton corporate is in a different category from the rest of Norton end user programs, but you would not know that. STFU!

Arizona_928 08-20-2008 06:57 PM

mike it's "A911GUY"

it seems to be trying to copy microsoft, by saying Windows anti virus, even going as far as adding a fake copy of the windows firewall icon... have to say it's pretty well made, doesn't look like anything you have on yours. in fact very different. almost like a legit windows update... but way different..

i'm kinda hesitant to do a system restore, because i updated it when i first got the computer. :rolleyes: but i'll try some anti virus stuff posted, then go from there...

thanks for the replies!

slodave 08-20-2008 06:57 PM

Quote:

Originally Posted by Mule (Post 4131569)
What the hell is that?

One more thing, if you actually work on computers, you would have seen this before. SmileWavy

Mule 08-20-2008 07:40 PM

Quote:

Originally Posted by slodave (Post 4131627)
And had he run VirtumundoBeGone, he would have been done in less than 10 minutes and his computer would not be screwed up from ccleaner. Again, you don't do this for a living, you spout the same lame program.

I'll say it again and again and again, ccleaner DOES NOT DO ANYTHING! In fact, it will cause more problems.

Norton corporate is in a different category from the rest of Norton end user programs, but you would not know that. STFU!

Getting a little tense there huh Bevis? Norton is STILL for fools. Did you have it off when you got your INFECTION?

slodave 08-20-2008 08:08 PM

I don't like Norton nor do I recommend the products, other than corporate for corporate environments. No AV program is 100% and I've seen them all infected at one time or another. For me, Panda's free online scanner has been the best. When all other programs fail, it usually will get rid of the issue.

I use corporate because it's free and never will expire.

Mule 08-21-2008 06:27 AM

And it still sucks in comparison to numerous FREE products. But you go Bevis.

anotherblack944 08-21-2008 06:58 AM

I really can't believe you all missed it.. :rolleyes:

I'd say the source of the original problem came from the subject of this thread.

http://forums.pelicanparts.com/off-topic-discussions/425191-pelican-porn.html?highlight=pelican

rammstein 08-21-2008 09:00 AM

Slodave helped me with a similar problem a few months back, and sent me some cool diagnostic stuff free. He knows his stuff.

Icemaster 08-21-2008 03:51 PM

Quote:

Originally Posted by Mule (Post 4131586)
So if I understand you CORRECTLY, anybody capable of doing a simple download and install can fix the problem WITHOUT the ridiculous complexity of running hijack this and posting the results, then waiting for some propellerhead to interpret them and devise some mystical fix. Would that be correct? If he ran Malwarebytes & Ccleaner last night he would have been done in how long did you say?

PS: Norton is for folks that don't know any better.

Sounding intimidated there donkeyboy.

Come back when you know what you're talking about ya noob.

Mule 08-21-2008 05:03 PM

Quote:

Originally Posted by Icemaster (Post 4133024)
Sounding intimidated there donkeyboy.

Come back when you know what you're talking about ya noob.

Let me guess, your solution is encoded in that message?


All times are GMT -8.