
Yet another wallpaper virus i can't get rid of


sup3rcarrx8

Member
Joined
Jun 23, 2003
Location
Folding in California
Hey guys. So it seems like this virus likes to infect a lot of my friends' computers or relatives' computers in some sneaky way, and I need to get rid of the wallpaper virus thing and any other malware on it. But this time it won't let me run Spybot or any other programs, let alone go into safe mode or whatever. However, I was able to run HijackThis for some reason and saved a log. Any help would be much appreciated. ^^

Here's an image of what the virus looks like for anyone who's never seen this sort of thing before...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:35 AM, on 8/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\FAH\FAH504-Console.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\FAH\FahCore_78.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Peter\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-21-1177238915-1972579041-839522115-1005\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" (User 'LogMeInRemoteUser')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214644490669
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FAH@C:+Program Files+FAH+FAH504-Console.exe - Stanford University - C:\Program Files\FAH\FAH504-Console.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 7915 bytes
 
The winhelper.dll entries are dangerous and so is winupdate.exe

Just tried to delete the winhelper.dll entries but HijackThis said it couldn't and it said I would need LSPFix, which did not work. It also told me to use Spybot S&D, which I can't use because of the virus. Any suggestions?
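As an added example (not code from the thread or any poster), a small Python triage script that applies the reasoning in the reply above to HijackThis log lines: it flags an F2 Shell= value that loads anything besides Explorer.exe, O10 LSP entries HijackThis cannot attribute, and O4 Run entries that start an unfamiliar executable out of system32. The sample log lines are constructed from the entries quoted in the thread, and the short system32 allow-list is an assumption.

```python
import re

# Constructed sample in HijackThis v2 log format. The entries mirror the ones
# the thread discusses (Shell=, winupdate.exe, winhelper.dll) plus benign ones.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Executables Windows XP itself autostarts from system32 via Run keys.
# Deliberately short allow-list (assumption); anything else there gets flagged.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe"}


def triage(log_text):
    """Return (line, reason) pairs for F2/O4/O10 entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(F2|O4|O10) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "F2":
            # system.ini Shell= should name Explorer.exe and nothing else;
            # an extra executable here is loaded at every logon.
            shell = re.search(r"Shell=(.*)$", body)
            if shell and shell.group(1).strip().lower() != "explorer.exe":
                findings.append((line, "Shell= loads more than Explorer.exe"))
        elif kind == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            # An LSP DLL HijackThis cannot attribute sits inside every socket call.
            findings.append((line, "unknown Winsock LSP DLL"))
        elif kind == "O4":
            # First executable after the [name]; tolerate optional quotes.
            path = re.search(r'\]\s*"?([^"]+?\.exe)', body, re.IGNORECASE)
            if not path:
                continue
            full = path.group(1).lower()
            name = full.rsplit("\\", 1)[-1]
            if "\\system32\\" in full and name not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append((line, "Run entry starts unfamiliar system32 executable"))
    return findings
```

Running `triage(SAMPLE_LOG)` returns exactly the three entries the reply calls out (the Shell= line, winupdate.exe and winhelper.dll) and leaves the AVG, NVIDIA, LogMeIn and ctfmon entries alone.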
 
Is that you logged into the system via LogMeIn, or is that somebody else? :eek:

Backup and fdisk/format/reinstall is probably the best way to fix this. I googled the name of that virus and found this removal tool. I'm not sure if that tool is legit, it looks legit at first glance. I guess if the system is already compromised things can't get too much worse. :p
 
What they all said.

Trying to remove an infection is usually in vain, as it always seems to come back, or cannot be removed fully :(

About 90% of the computers we work on at work end up getting the "data back up/reinstall Windows" treatment.. only way we can guarantee our work =p
 
I've personally used SmitFraudFix and it was a pleasant experience.
 
What they all said.

Trying to remove an infection is usually in vain, as it always seems to come back, or cannot be removed fully :(

About 90% of the computers we work on at work end up getting the "data back up/reinstall Windows" treatment.. only way we can guarantee our work =p

I had 4 PCs in the past 2 weeks with this issue. All of them had Limewire lol, but I'm not saying that's where they always come from.

Anyway, we try a cocktail of fixes (SmitFraud, Avira, manual registry removal), but even when it looks like we removed it, it ends up corrupting a critical Windows system file or we get an NT shutdown message and it ends up coming back. We just end up backing up/reinstalling Windows.

1 hour labor backing up/reinstalling compared to 3-4 hours actual work fixing it via a surgical method. It depends on the customer.
 
Yeah, before I took the job, I did mention that I always have the reformat plan as a last resort if I couldn't get the viruses out. He preferred that I did not reformat since he's a DJ and has some important mixes he needs for his job at a radio station. I just finished installing Malwarebytes and even SUPERAntiSpyware, but neither will even run when I click on it. And when I restart the computer sometimes, it just hangs on a black screen with the cursor in the middle until I shut it down manually with the button, wait like 30 seconds, and turn it back on.
 
I had 4 PCs in the past 2 weeks with this issue. All of them had Limewire lol, but I'm not saying that's where they always come from.

Anyway, we try a cocktail of fixes (SmitFraud, Avira, manual registry removal), but even when it looks like we removed it, it ends up corrupting a critical Windows system file or we get an NT shutdown message and it ends up coming back. We just end up backing up/reinstalling Windows.

1 hour labor backing up/reinstalling compared to 3-4 hours actual work fixing it via a surgical method. It depends on the customer.

I get like 4 a day! haha

We had so many problems trying to remove them, with the customer coming back a few days later 'cause something resurfaced. We just recommend reformatting and tell them "we can ATTEMPT to remove the infection WITH NO GUARANTEE that it will not resurface. Your call" .. they usually go with the reformat :)
 
Dude, seriously, not to be a penis, but with all this time you already wasted you could have done 3 fresh installs... if your friend is a serious "DJ" he needs to learn to back his valuable crap up off of the OS disk.
 
Yeah, well, even the best of us are usually too lazy to back up our own data, even myself. On the other hand, I ran the SmitFraudFix and it's finally gone. I also searched up almost every entry in the HijackThis log and solved the case. I'll be running some more scans from Spybot S&D, Malwarebytes, and possibly SUPERAntiSpyware after this. Thanks for the help from those who actually contributed to this situation. Time to spend this upcoming paycheck on some expensive California gas for my cars. Yum.
 
Hey sup3rcarrx8,

BartPE has a couple of AV and AT programs as part of the build. You can add more when you make the CD.

I would suggest you not use the infected computer to make the BartPE boot disk, don't want to infect it.

I cleaned this virus with AVG 8 from my laptop a couple of weeks ago.

When all else fails, reinstall, and make an image of the install before surfing or using your pen drive on other computers. An image will save you the time it takes to install and get your system back up to speed if you do a lot of tweaking of the OS.

Good luck!
 