| Thread ID: 62702 | 2005-10-16 11:14:00 | Spyware headache... | russell108 (7499) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 396803 | 2005-10-16 20:40:00 | Another thing C:\WINDOWS\System32\mssearchnet.exe C:\WINDOWS\System32\nvctrl.exe Maybe hidden. Run My computer. Go to tools menu / folder options / view. Select Show hidden files and folders. Then see if these files are on the hdd, if they are, then delete them. Tried to delete them but access was denied... |
russell108 (7499) | ||
| 396804 | 2005-10-16 20:53:00 | Tried to delete them but access was denied... See if they're running in task manager, if they are end their process. Then delete. If this doesn't work, boot into safe mode, and then delete them. |
Speedy Gonzales (78) | ||
| 396805 | 2005-10-16 20:54:00 | Did you try doing it in Safe Mode? | mark c (247) | ||
| 396806 | 2005-10-16 22:16:00 | Ok deleted them in safe mode.. Used ewido which identified over 3000 infected files ! all deleted.. used NOD32 not sure about winint.ddl file keeps identifying it as bad.. Firefox is ok but Explorer has this as its homepage....snap2 (i2.photobucket.com) Modem sounds different when dialing up too.. latest log...
Logfile of HijackThis v1.99.1
Scan saved at 23:00:42, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp78F8.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - messenger.zone.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
russell108 (7499) | ||
| 396807 | 2005-10-16 22:32:00 | Tried to delete WININET.DLL in safe mode but access was denied :confused: | russell108 (7499) | ||
| 396808 | 2005-10-16 22:35:00 | use SFC /SCANNOW to replace it | drcspy (146) | ||
| 396809 | 2005-10-16 22:37:00 | You don't want to delete it or you won't have any internet. wininet.dll is a module that contains Internet-related functions used by Windows applications. Download from here and replace the existing one: www.dll-files.com. Also have you turned off system restore, rebooted and turned it back on again? Clears any nasties that might be lurking in there. You can use Spybot's advanced mode to change the IE homepage and lock it. Check your hosts file as well for unusual entries and add Spybot's blocked list. |
bartsdadhomer (80) | ||
| 396810 | 2005-10-16 22:38:00 | That looks a bit better. Just have to figure out how to fix this.. O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 Go to start/run. Type regedit. Can you get into the registry? Did you get trojan remover?? Ah that pic u posted is a fake.....As shown here, it's a phishing scam. It has nothing to do with XP's security center. DON'T click on anything on that page. channels.lockergnome.com ront_for_spyware.phtml www.informationweek.com Take a snapshot of add/remove programs, and paste it in a gfx program and post it where u just posted that fake site/page. |
Speedy Gonzales (78) | ||
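Added example, not part of any post in this thread: a small Python triage pass over HijackThis entries like the O7 line discussed in the post above. The three rules and their wording are assumptions made for illustration; a match means the entry deserves a manual look, not that it is malware.

```python
import re

# Entries copied from the HijackThis log posted in the thread, one per line.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp78F8.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
"""

# A log entry is "<section code> - <detail>"; process paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")

# (section, predicate on the entry text, why it deserves a manual look).
# These rules are assumptions chosen for this example, not a verdict.
RULES = [
    ("O2", lambda d: d.lower().endswith(".tmp"),
     "browser helper object loaded from a .tmp file"),
    ("O7", lambda d: "disableregedit=1" in d.lower().replace(" ", ""),
     "policy blocks the registry editor"),
    ("O17", lambda d: "nameserver" in d.lower(),
     "DNS servers set in the registry; compare with the ISP's"),
]


def parse_entries(log_text):
    """Return (section, detail) for every 'Oxx - ...' style line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def triage(log_text):
    """Return (section, reason, detail) for entries matching a rule."""
    findings = []
    for section, detail in parse_entries(log_text):
        for rule_section, predicate, reason in RULES:
            if section == rule_section and predicate(detail):
                findings.append((section, reason, detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {detail}")
```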
| 396811 | 2005-10-16 22:44:00 | ah trojan remover won't touch psguard I've tried...........ewido or nod32 is it !!! and you can replace wininet.dll from msconfig..... |
drcspy (146) | ||
| 396812 | 2005-10-16 22:46:00 | No, but it might be reset everything back to normal. | Speedy Gonzales (78) | ||