Strange switch users virus?

howardmeis · 12-31-2005, 01:29 AM

I think I've got a virus. >.< Panda was off, don't ask why (WC3). Here's what happened. I was reading an ebook, and chatting on AIM, and doing my normal stuff, when All of a sudden my music starts getting jumpy. I thought it was the CD, but then it leveled out and my main monitor lost everything on it, and was just the background. Then the other monitor went to the switch users page. I know it seems as though I just pressed the windows key and then L and S or something, but down by where it usualy says "Shut down" it said "Turn off, it's Pimp." Anyone got any clue what this is?

XCreepingDeathX · 12-31-2005, 01:42 AM

You definitely have some sort of trojan. If I were you, I'd retstart in safe made and scan everything. Good Luck.

OFF TOPIC: It's not possible to send trojans directly through Starcraft or Warcraft right?

howardmeis · 12-31-2005, 01:49 AM

It's not possible to send them through games. I'm scareed to restart because the birus was telling me to. I'm scanning with every scanner I got. If i got nothing, I'm not restarting till I get my new processor at least, cuz then I got a small chance of recovery by using my new computer.

P.S.
I don't think it's a real virus/trojan, since it didn't really do anything dangerous. I tihnk it's a prank one of my friends or something is playing on me. After all, if it was a virus it'd simply shut down my computer right? lol.

Meta Knight · 12-31-2005, 01:58 AM

yea dont shut down do online virus scans and everything and check your running processes and get hijack this and post your log!

howardmeis · 12-31-2005, 02:03 AM

I ended a few processes earlier that looked suspicious. I'm running panda now, no problems. I tihnk I'm safe and that someone was playing a joke or some ****. And i'll get hijack this and post the log in a bit.

Here's the log.

Code:

Logfile of HijackThis v1.99.1
Scan saved at 8:06:06 PM, on 12/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\apvxdwin.exe
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\IFACE.EXE
C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\avciman.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.641\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.firefox.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131719016132
O17 - HKLM\System\CCS\Services\Tcpip\..\{F209CBBF-A467-443A-AAA8-682DE7CB34D5}: NameServer = 68.94.156.1,68.94.157.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - PANDA SOFTWARE - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe

Meta Knight · 12-31-2005, 02:06 AM

yea thats the reason i uninstalled panda becuase its firewall was wack and didnt forward ports right! Zonealarm!! wo0t! =)

howardmeis · 12-31-2005, 02:09 AM

I stick with panda, I just turn it off when playing WC. WC only. lol. SC works fine, so does halo, and so does lineage. Idk. Hijack log posted btw.

Meta Knight · 12-31-2005, 02:19 AM

remove this O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

howardmeis · 12-31-2005, 02:42 AM

Removed that. I'd like to say it's fixed, but there were no real symptoms, that's why I thought it to be a joke.

JLTucker · 12-31-2005, 03:35 AM

Why do you have iTunes running?

howardmeis · 12-31-2005, 03:42 AM

I don't.......................

JLTucker · 12-31-2005, 03:46 AM

My bad.

12-31-2005, 01:29 AM	#1 (permalink)
howardmeis Weiße Kraft Senior Member Messiah Join Date: Apr 2005 Location: Chicago. ^.^ Posts: 8,143	Strange switch users virus? I think I've got a virus. >.< Panda was off, don't ask why (WC3). Here's what happened. I was reading an ebook, and chatting on AIM, and doing my normal stuff, when All of a sudden my music starts getting jumpy. I thought it was the CD, but then it leveled out and my main monitor lost everything on it, and was just the background. Then the other monitor went to the switch users page. I know it seems as though I just pressed the windows key and then L and S or something, but down by where it usualy says "Shut down" it said "Turn off, it's Pimp." Anyone got any clue what this is? __________________ I AM HOWARD. I MAKE YOUTUBE VIDEOS. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
$howardmeis 15 0FF11\|\\|3$

12-31-2005, 01:42 AM	#2 (permalink)
XCreepingDeathX Ite, Maledicti, in Ignem Aeternum Senior Member Enlightened Join Date: Oct 2005 Location: Cincinnati, Ohio Posts: 3,185	You definitely have some sort of trojan. If I were you, I'd retstart in safe made and scan everything. Good Luck. OFF TOPIC: It's not possible to send trojans directly through Starcraft or Warcraft right? __________________ Its Fear Tastes Better Than Its limbs.
$XCreepingDeathX 15 0FF11\|\\|3$

12-31-2005, 01:49 AM	#3 (permalink)
howardmeis Weiße Kraft Senior Member Messiah Join Date: Apr 2005 Location: Chicago. ^.^ Posts: 8,143	It's not possible to send them through games. I'm scareed to restart because the birus was telling me to. I'm scanning with every scanner I got. If i got nothing, I'm not restarting till I get my new processor at least, cuz then I got a small chance of recovery by using my new computer. P.S. I don't think it's a real virus/trojan, since it didn't really do anything dangerous. I tihnk it's a prank one of my friends or something is playing on me. After all, if it was a virus it'd simply shut down my computer right? lol. __________________ I AM HOWARD. I MAKE YOUTUBE VIDEOS. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
$howardmeis 15 0FF11\|\\|3$

12-31-2005, 01:58 AM	#4 (permalink)
Meta Knight Premium Brawler Account Senior Member Gold Member Blessed Join Date: Dec 2004 Location: DreamLand Posts: 1,999	yea dont shut down do online virus scans and everything and check your running processes and get hijack this and post your log! __________________ **** You Skin Boy akazukin spelled backwards is degausser
$Meta Knight 15 0FF11\|\\|3$

12-31-2005, 02:06 AM	#6 (permalink)
Meta Knight Premium Brawler Account Senior Member Gold Member Blessed Join Date: Dec 2004 Location: DreamLand Posts: 1,999	yea thats the reason i uninstalled panda becuase its firewall was wack and didnt forward ports right! Zonealarm!! wo0t! =) __________________ **** You Skin Boy akazukin spelled backwards is degausser
$Meta Knight 15 0FF11\|\\|3$

Remove advertisements
BWHacks Advertisement	Sponsored links

12-31-2005, 02:09 AM	#7 (permalink)
howardmeis Weiße Kraft Senior Member Messiah Join Date: Apr 2005 Location: Chicago. ^.^ Posts: 8,143	I stick with panda, I just turn it off when playing WC. WC only. lol. SC works fine, so does halo, and so does lineage. Idk. Hijack log posted btw. __________________ I AM HOWARD. I MAKE YOUTUBE VIDEOS. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
$howardmeis 15 0FF11\|\\|3$

12-31-2005, 02:19 AM	#8 (permalink)
Meta Knight Premium Brawler Account Senior Member Gold Member Blessed Join Date: Dec 2004 Location: DreamLand Posts: 1,999	remove this O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) __________________ **** You Skin Boy akazukin spelled backwards is degausser
$Meta Knight 15 0FF11\|\\|3$

12-31-2005, 02:42 AM	#9 (permalink)
howardmeis Weiße Kraft Senior Member Messiah Join Date: Apr 2005 Location: Chicago. ^.^ Posts: 8,143	Removed that. I'd like to say it's fixed, but there were no real symptoms, that's why I thought it to be a joke. __________________ I AM HOWARD. I MAKE YOUTUBE VIDEOS. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
$howardmeis 15 0FF11\|\\|3$

12-31-2005, 03:35 AM	#10 (permalink)
JLTucker Pissing on Religion Senior Member Gold Member Inquisitor Join Date: Nov 2004 Posts: 4,459	Why do you have iTunes running? __________________
$JLTucker 15 0FF11\|\\|3$

12-31-2005, 03:42 AM	#11 (permalink)
howardmeis Weiße Kraft Senior Member Messiah Join Date: Apr 2005 Location: Chicago. ^.^ Posts: 8,143	I don't....................... __________________ I AM HOWARD. I MAKE YOUTUBE VIDEOS. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
$howardmeis 15 0FF11\|\\|3$

12-31-2005, 03:46 AM	#12 (permalink)
JLTucker Pissing on Religion Senior Member Gold Member Inquisitor Join Date: Nov 2004 Posts: 4,459	My bad. __________________
$JLTucker 15 0FF11\|\\|3$