| Thread ID: 62702 | 2005-10-16 11:14:00 | Spyware headache... | russell108 (7499) | Press F1 |
| Post ID | Timestamp | User |

| 396783 | 2005-10-16 11:14:00 | russell108 (7499) |
Hi, I have Ad-Aware, Spybot and Zone Alarm (free version) but I still seem to have been hijacked by PSGuard or something claiming to be an antivirus program but itself seems to be spyware. System Restore will not work, I cannot change my wallpaper; in fact this is my new hijacked wallpaper: i2.photobucket.com/albums/y33/russell108/snap.jpg. Also my modem makes a different noise when it dials up... plz help!!!
| 396784 | 2005-10-16 11:37:00 | roddy_boy (4115) |
First things first, run a HijackThis scan and post the results here. Check in your Network Connections folder (Control Panel, Network Connections) and ensure the only dialler is your ISP one. If there are others, delete them straight away, and only plug your phone cord into the wall when dialling a connection. Otherwise you may end up with a large phone bill this month. Try the virus FAQ on this site and follow the steps there to clean your system up. HTH, roddy
| 396785 | 2005-10-16 12:04:00 | russell108 (7499) |
Thanks, here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 13:01:54, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\WINDOWS\system32\usbn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpCB2F.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - messenger.zone.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
| 396786 | 2005-10-16 12:22:00 | roddy_boy (4115) |
Ok, there are a lot of baddies in there; best bet would be to wait till the morning for Speedy Gonzales to tell you what to do... In the meantime, you say you have Zone Alarm installed? Am I correct in thinking this is only a firewall? If so, it is essential to have an antivirus program as well as firewall and spyware programs. I had a friend who was completely astounded that he got a virus, as he has Spybot and Ad-Aware on his comp. So I would strongly suggest downloading an anti-virus program, as well as doing an online scan. As I said before, the FAQ on this website regarding these things is really good. If you are confident enough, you could have a go at fixing the appropriate probs by seeing the analysis of your log here (hjt.iamnotageek.com). HTH, roddy
| 396787 | 2005-10-16 15:56:00 | russell108 (7499) |
Thanks Roddy, probably best I wait for Speedy as I don't really know what I'm doing...
| 396788 | 2005-10-16 17:47:00 | iguana (89) |
Hmmmm. I did a Google search on this and here's one of the links I came up with. Right on this forum. forums.pcworld.co.nz
| 396789 | 2005-10-16 17:47:00 | drcspy (146) |
From hard experience recently, and with thanks to Mr Metla, I can tell you that without exception almost anything you do WON'T get rid of that EXCEPT for... get the NOD32 trial version and run it... that WILL get rid of PSGuard... nothing else I tried worked, and believe me I tried EVERYthing... once you have got rid of it, just right-click the desktop to ascertain what the wallpaper name is, then go find it with Search, then delete it, then replace it... all will be fine... but use NOD32, it's goddam awesome.
| 396790 | 2005-10-16 18:02:00 | Speedy Gonzales (78) |
Ok Russell. Do the scan with HJT again. Tick these, tick Fix checked, close browsers, then reboot. Then see what happens.

C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
(Also see if these 2 appear in startup, in CCleaner. If they do, delete their entries.) It looks like these 2 are a virus/unknown trojan.

C:\WINDOWS\Xhrmy.exe - this looks like adware. Get CCleaner (www.ccleaner), download it, run it, then go to the Tools button. See if Xhrmy.exe shows here. If it does, delete the entry.

C:\WINDOWS\System32\kc34839002\kcc.exe - Don't know what this is, but it doesn't look nice!

C:\WINDOWS\system32\usbn.exe - This is a dialler. Remove it ASAP!

C:\WINDOWS\System32\intell32.exe - Do the same as Xhrmy.exe above. Remove intell32.exe from the startup entry.

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

This looks like a dialler too:
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll

Oops, and these 2 entries:
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w

If you can't see these 2 in HJT's scan, use CCleaner and delete their entries from startup. It looks like one of those diallers may have disabled regedit, so you may not be able to use regedit until you tick the above entry, then reboot.
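The triage Speedy Gonzales does by eye above (which O4 autostarts are unknown, the file:// DPF entries, the O7 DisableRegedit policy, the changed O17 name servers, the orphaned "(file missing)" entries) can be written down as a small rule set over HijackThis log lines, which makes the same review repeatable on the next log. The script below is an added example written for this page, not part of the thread and not HijackThis' own code; the allowlist of known-good autostart file names, the severity labels and the rule thresholds are my own assumptions, and the sample lines are copied from the log posted earlier in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# HijackThis v1.99 entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_DPF = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<src>.*)$")
O17_DNS = re.compile(r"NameServer = (?P<servers>.+)$")
# .exe/.dll paths inside a Run command (paths may contain spaces, so split on the extension)
EXE_PATH = re.compile(r'([^"\s][^",]*?\.(?:exe|dll))(?=[\s",]|$)', re.I)

# Autostart targets the thread treats as legitimate (constructed allowlist, by file name).
KNOWN_GOOD_RUN = {"jusched.exe", "soundman.exe", "nerocheck.exe", "incd.exe",
                  "nvcpl.dll", "nwiz.exe", "nvmctray.dll", "winampa.exe", "zlclient.exe"}


@dataclass
class Finding:
    severity: str   # "high", "review" or "low" (assumed labels)
    section: str
    reason: str
    line: str


def run_target(cmd):
    """Return the file an O4 Run command actually launches (RUNDLL32 lines resolve to the DLL)."""
    paths = EXE_PATH.findall(cmd)
    if not paths:
        return cmd.strip()
    if paths[0].lower().endswith("rundll32.exe") and len(paths) > 1:
        return paths[1]
    return paths[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Apply the review rules to every entry line; header and process lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding("low", section, "orphaned entry: referenced file is missing", raw))
            continue
        if section == "O2" and body.lower().endswith(".tmp"):
            findings.append(Finding("high", section, "browser helper object loaded from a .tmp file", raw))
        elif section == "O4":
            r = O4_RUN.match(body)
            if not r:
                continue
            target = run_target(r.group("cmd"))
            name = basename(target)
            if name in KNOWN_GOOD_RUN:
                continue
            if target.lower().startswith("c:\\windows\\"):
                findings.append(Finding("high", section,
                                        f"unknown autostart '{r.group('name')}' runs {name} from the Windows directory", raw))
            else:
                findings.append(Finding("review", section,
                                        f"autostart '{r.group('name')}' ({name}) is not on the baseline", raw))
        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding("high", section, "Registry Editor disabled by policy", raw))
        elif section == "O16":
            d = O16_DPF.match(body)
            if d and d.group("src").lower().startswith("file://"):
                findings.append(Finding("high", section, f"ActiveX install from local cab {d.group('src')}", raw))
        elif section == "O17":
            d = O17_DNS.search(body)
            if d:
                findings.append(Finding("review", section,
                                        f"DNS servers set to {d.group('servers')}; confirm they belong to the ISP", raw))
        elif section == "O21":
            findings.append(Finding("review", section, "shell service object DLL loads at every logon", raw))
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


# Sample input: lines copied from the log posted in this thread, plus two non-entry lines the parser must skip.
SAMPLE_LOG = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"C:\WINDOWS\Explorer.EXE",
    r"O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpCB2F.tmp",
    r"O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe",
    r"O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w",
    r"O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com",
    r"O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7",
    r"O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

The allowlist is the weak point of this approach: a match on file name alone is not proof of legitimacy, so a baseline should record full path and vendor and be rebuilt from a clean machine, and anything flagged "review" (such as the O17 name servers) still needs a human to confirm against the ISP or vendor before it is fixed.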
| 396791 | 2005-10-16 18:04:00 | russell108 (7499) |
Thanks, will try.
| 396792 | 2005-10-16 18:09:00 | Speedy Gonzales (78) |
arrgghhh! URL for CCleaner is http://www.ccleaner.com. I missed the com.