Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but cannot create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
When posting your problem, do not run ComboFix and post its log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.
To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Post #1 (Jun 25 2008, 12:57 PM)
New Member, Group: Members, Posts: 4, Joined: 25-June 08, Member No.: 218,540

"I'm not sure if I recently downloaded something or visited a website but my desktop screen turned bright blue and had the message "Warning Spyware Detected On Your Computer" centered in the middle. I tried to reset my desktop background through the properties menu, but it didn't display the tab necessary to do this. At this point I didn't notice any other strange things happening."

I straight away scanned with AVG 8.0 free edition and it picked up things that I healed/deleted, but now every time I start my PC I get a message saying "can't find script file c:\documents and settings\tomp\local settings\temp\.ttf.tmp.vbs". I see that the guy who originally made this topic had a problem with a file "c:\windows\system32\blphcetqj0e191.scr". Mine is similar, AVG keeps asking if I want to allow "C:\WINDOWS\system32\lphc1kkj0ep3c.exe". "lphc1kkj0ep3c.exe" also appears as an item on the "process list" in Windows Task Manager. It's called "lphc1kkj0ep3c.exe" and is using my account, tomp, to run, with a memory use of 1,780k.

This is worrying me now as my computer is performing slowish, and also it restarts every 15 minutes if I don't click/type, because when the big blue screen pops up, if I don't press ESC, my PC restarts. Please help!! I'm not sure if I should do what was on the other topic or if there is another problem; however, exactly the same thing has happened to me and him so I guess I have the same problem.

Thanks to the kind person who has spent time to read this and is hopefully replying now,
Tom

This post has been edited by Orange Blossom: Jun 25 2008, 08:59 PM
Reason for edit: Move to more appropriate forum. ~ OB

Post #2 (Jun 26 2008, 12:57 PM)
Forum Regular, Group: Members, Posts: 326, Joined: 13-December 06, From: The Netherlands, Member No.: 100,987

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1 alternate download link 2

Post #3 (Jul 6 2008, 09:48 AM)
New Member, Group: Members, Posts: 4, Joined: 25-June 08, Member No.: 218,540

Hey, sorry I took a while to reply.
```
Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

15:35:59 06/07/2008
mbam-log-7-6-2008 (15-35-59).txt

Scan type: Quick Scan
Objects scanned: 40757
Time elapsed: 9 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service (Backdoor.Knocker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc1kkj0ep3c.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
```
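
Added example (not part of the thread and not Malwarebytes' own tooling): a short Python triage of the scan log posted above. It labels the Run-key values as logon autostarts, the `NoDisp*` policy value as the setting that hides Display Properties tabs (the symptom in the first post), and `svchost.exe` under `system32\drivers` as a masquerade of the system binary that normally lives in `system32`. The category names and the `SAMPLE_LOG` subset are choices made for this example.

```python
import re
# Subset of the scan log posted above, one entry per line (copied from the post).
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMDM PMSP Service (Backdoor.Knocker) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc1kkj0ep3c.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\tomp\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")      # list header, not the "...: 1" count line
ENTRY = re.compile(r"^(.+?) \(([A-Za-z][\w.]*)\) -> (.+)$")  # object (Detection) -> action

def parse_mbam(text):
    """Return one dict per detection line: section, object, detection, removed."""
    section, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        head, m = SECTION.match(line), ENTRY.match(line)
        if head:
            section = head.group(1)
        elif m and section:
            obj, name, rest = m.groups()
            entries.append({"section": section, "object": obj, "detection": name,
                            "removed": rest.endswith("deleted successfully.")})
    return entries

def classify(entry):
    """Label what a finding means for cleanup follow-up (labels are this example's)."""
    obj = entry["object"].lower()
    if "\\currentversion\\run\\" in obj:
        return "autorun"        # relaunched at every logon until the value is gone
    if "\\policies\\system\\nodisp" in obj:
        return "display-lock"   # hides Display Properties tabs from the user
    if obj.endswith("\\system32\\drivers\\svchost.exe"):
        return "masquerade"     # the real svchost.exe sits in system32 itself
    if "\\local settings\\temp\\" in obj:
        return "temp-dropper"
    return "other"

def triage(text):
    out = {}
    for e in parse_mbam(text):
        out.setdefault(classify(e), []).append(e["object"])
    return out
```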

Post #4 (Jul 6 2008, 11:18 AM)
Forum Regular, Group: Members, Posts: 326, Joined: 13-December 06, From: The Netherlands, Member No.: 100,987

Hi,
Run MBAM again, and post the results in your next reply. Do you still have problems?

Post #5 (Jul 6 2008, 12:04 PM)
New Member, Group: Members, Posts: 4, Joined: 25-June 08, Member No.: 218,540

```
Malwarebytes' Anti-Malware 1.19
Database version: 927
Windows 5.1.2600 Service Pack 2

18:03:57 06/07/2008
mbam-log-7-6-2008 (18-03-56).txt

Scan type: Quick Scan
Objects scanned: 41243
Time elapsed: 17 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
```

Everything is running fine, thank you very much!! :D How can I repay you?

Post #6 (Jul 6 2008, 12:53 PM)
Forum Regular, Group: Members, Posts: 326, Joined: 13-December 06, From: The Netherlands, Member No.: 100,987

Hi,
That's good to hear. Everything looks clean again.

Repay? You can repay me with a 'thanks'.

Do this:

1. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is:

3. Read this page to protect yourself against re-infection.

This post has been edited by superbird: Jul 6 2008, 12:53 PM

Post #7 (Jul 6 2008, 04:02 PM)
New Member, Group: Members, Posts: 4, Joined: 25-June 08, Member No.: 218,540

Everything has been done now, seems to work fine.
Thank you very much for your help

Post #8 (Jul 7 2008, 02:56 AM)
Forum Regular, Group: Members, Posts: 326, Joined: 13-December 06, From: The Netherlands, Member No.: 100,987

You're welcome.