View Full Version : Spyware headache...



russell108
17-10-2005, 12:14 AM
Hi ,

I have ad-aware , spybot and zone alarm (free version)

but I still seem to have been hijacked by PSGuard or something claiming to be an antivirus program, but which itself seems to be spyware :badpc:

System restore will not work, I cannot change my wallpaper; in fact this is my new hijacked wallpaper...spyware (http://i2.photobucket.com/albums/y33/russell108/snap.jpg)


Also my modem makes a different noise when it dials up...

plz help !!!

roddy_boy
17-10-2005, 12:37 AM
First things first, run a HijackThis scan and post the results here. Check in your network connections folder (Control Panel, Network Connections), and ensure the only dialler is your ISP one. If there are others, delete them straight away and only plug your phone cord into the wall when dialling a connection. Otherwise you may end up with a large phone bill this month. Try the virus FAQ on this site and follow the steps there to clean your system up.
HTH
roddy

russell108
17-10-2005, 01:04 AM
Thanks here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 13:01:54, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\WINDOWS\system32\usbn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\intell32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpCB2F.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

roddy_boy
17-10-2005, 01:22 AM
Ok, there are a lot of baddies in there; best bet would be to wait till the morning for Speedy Gonzales to tell you what to do...
In the mean time, you say you have Zone Alarm installed? Am I correct in thinking this is only a firewall? If so, it is essential to have an antivirus program as well as firewall and spyware programs. I had a friend who was completely astounded that he got a virus, as he has Spybot and Ad-Aware on his comp. So I would strongly suggest downloading an anti-virus program, as well as doing an online scan. As I said before, the FAQ on this website regarding these things is really good.

If you are confident enough, you could have a go at fixing the appropriate probs by seeing the analysis of your log here (http://hjt.iamnotageek.com/parse.php?log=119750).
HTH
roddy

russell108
17-10-2005, 04:56 AM
Thanks Roddy,

probably best i wait for Speedy as i dont really know what i'm doing... :waughh:

iguana
17-10-2005, 06:47 AM
Hmmmm. I did a Google search on this and here's one of the links I came up with. Right on this forum.
http://forums.pcworld.co.nz/archive/index.php/t-60478.html

drcspy
17-10-2005, 06:47 AM
from hard experience recently and with thanks to Mr Metla I can tell you that without exception almost anything you do WON'T get rid of that EXCEPT for .........get the nod32 trial version and run it......that WILL get rid of psguard.......nothing else I tried worked and believe me I tried EVERYthing..........once you have gotten rid of it just right click the desktop to ascertain what the wallpaper name is ......then go find it with 'search', then delete it, then replace it ......all will be fine..........but use NOD32, it's goddam awesome

Speedy Gonzales
17-10-2005, 07:02 AM
Ok Russell. Do the scan with HJT again. Tick these, Tick fix checked. Close browsers. Then reboot. Then see what happens.

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.exe (also see if these 2 appear in startup, in ccleaner). If they do, delete their entries.

It looks like these 2 are a virus/unknown trojan.

C:\WINDOWS\Xhrmy.exe - this looks like adware -

Get ccleaner. http://www.ccleaner download it run it, then go to tools/startup button. See if Xhrmy.exe shows here. If it does delete the entry.

C:\WINDOWS\System32\kc34839002\kcc.exe

Don't know what this is, but it doesn't look nice!

C:\WINDOWS\system32\usbn.exe - This is a dialler. Remove it ASAP!

C:\WINDOWS\System32\intell32.exe - Do the same as Xhrmy.exe above. Remove intell32.exe from the startup entry.

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe

O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

This looks like a dialler too.

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll (file missing)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll

Oops and these 2 entries

O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w

If u can't see these 2 in HJT's scan, use ccleaner and delete their entries from startup.

It looks like one of those diallers may have disabled regedit, so u may not be able to use regedit, until u tick the above entry, then reboot.
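
Speedy's walk-through above is a manual triage of the log's Oxx entries. What follows is an added example, not code from the thread, from HijackThis or from any of the tools named in it: it turns the same checks (unknown Run entries in the Windows directories, the DisableRegedit policy, ActiveX cabs loaded from the local disk, orphaned handlers, a BHO living in a .tmp file, DNS servers and shell service objects to verify) into rules a defender can run over a pasted log. The allowlist of known-good Run entries is an assumption built from what the thread left alone.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis: it encodes the
checks the thread applies by hand as rules over parsed "Oxx - ..." lines, so
a log can be scored before anyone ticks "Fix checked".
"""
import re
from dataclasses import dataclass

# Run entries the thread treats as legitimate on this machine. Real triage
# compares against a clean baseline of the same box; this allowlist is the
# thread's verdict and is an assumption of the example.
KNOWN_GOOD_RUN = {
    "SunJavaUpdateSched", "SoundMan", "NeroFilterCheck", "InCD", "NvCplDaemon",
    "nwiz", "NvMediaCenter", "WinampAgent", "Zone Labs Client", "nod32kui",
    "Windows Registry Repair Pro",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
WINDIR_RE = re.compile(r"^c:\\windows\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line):
    """Split 'O4 - rest' into ('O4', 'rest'); None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section, rest, line):
    """Apply the thread's red flags to one entry; return a Finding or None."""
    if section == "O2" and rest.lower().endswith(".tmp"):
        # A Browser Helper Object loaded from a .tmp file (the HomepageBHO here)
        return Finding(section, "BHO loaded from a .tmp file", line)
    if section in ("O3", "O18") and "(file missing)" in rest:
        # Orphaned toolbar / protocol handler: harmless but worth cleaning
        return Finding(section, "orphaned entry, target file missing", line)
    if section == "O4":
        m = RUN_RE.match(rest)
        if m and m.group("name") not in KNOWN_GOOD_RUN:
            where = "Windows directory" if WINDIR_RE.match(m.group("cmd")) else "elsewhere"
            return Finding(section, f"Run entry not in baseline, executable under {where}", line)
    if section == "O7" and "DisableRegedit=1" in rest:
        # Policy that blocks regedit; the thread sees it reappear after reboots
        return Finding(section, "registry editing disabled by policy", line)
    if section == "O16" and "file://" in rest.lower():
        # ActiveX cab installed from the local disk rather than a web site
        return Finding(section, "DPF ActiveX loaded from local file", line)
    if section == "O17" and "NameServer" in rest:
        return Finding(section, "DNS servers set, confirm they belong to the ISP", line)
    if section == "O21":
        # ShellServiceObjectDelayLoad DLLs run inside Explorer at logon
        return Finding(section, "shell service object, verify the DLL", line)
    return None


def analyze(log_text):
    """Return the findings for a whole pasted HJT log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        f = check_entry(parsed[0], parsed[1], line.strip())
        if f is not None:
            findings.append(f)
    return findings


# Sample input: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\mssearchnet.exe
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpCB2F.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c30 -w
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

Note that kcc.exe, which Speedy first flagged and the thread later cleared, is exactly the case the allowlist exists for: an entry missing from the baseline is a question to answer, not a verdict.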

russell108
17-10-2005, 07:04 AM
Thanks ,will try

Speedy Gonzales
17-10-2005, 07:09 AM
arrgghhh!

Url for ccleaner is http://www.ccleaner.com

I missed the com.

drcspy
17-10-2005, 07:26 AM
betcha you end up using nod32, there's just nothing else that will work.........I've been there, I know........oh btw.........dump IE and install firefox.......

russell108
17-10-2005, 07:31 AM
Couldn't find these

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.ex


downloading ccleaner...asap (56k connection)

btw kcc.exe is just a wee app i use for auto disconnecting from the net when my time is up ;)


but the log file now looks like this...


Logfile of HijackThis v1.99.1
Scan saved at 19:29:21, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\intell32.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp7A50.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Speedy Gonzales
17-10-2005, 07:41 AM
OK. It looks a bit cleaner. Ok leave kcc there, now that we know what it is !

Tick these entries. Close browser/s. Reboot. Then post another log. Might be a good idea to disable system restore this time, before u do the following, then enable it again after.

C:\WINDOWS\System32\intell32.exe

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe

(Use ccleaner to remove this entry from the startup tab, if ticking it in HJT doesn't work).

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp7A50.tmp

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll

See if C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.ex

Are running in task manager... If they are kill them.

russell108
17-10-2005, 08:27 AM
Sorry but where is task manager located ?

latest log...

Logfile of HijackThis v1.99.1
Scan saved at 20:13:12, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp79D3.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Steph_C
17-10-2005, 08:34 AM
I'm sorry but I don't have an answer to your spyware question, I actually feel a little bit dumb but I don't know how to post a question of my own. I'm super computer illiterate. How do I post my own question without replying to someone else's?

Speedy Gonzales
17-10-2005, 08:39 AM
Press Ctrl-Alt-Del for task manager.

Everything looks OK besides these 3.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.exe


Try booting into safe mode (Press down F8 after you reboot).

Then search for the 2 files above, if found delete them.

And run HJT again (in safe mode).

See if this O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 appears in the log.

If it does tick it and tick fix checked. Then reboot again. Then post another log here.

And try getting this http://www.simplysup.com/tremover/

http://dl.filekicker.com/send/file/167872-Y3TW/trjsetup.exe

This is only a 30 day trial, but may find something. Once u get this, install it, run it and click on scan.

Then under the utilities menu, select the 3rd/4th/5th/6th/7th option.

drcspy
17-10-2005, 08:40 AM
http://pressf1.pcworld.co.nz/newthread.php?do=newthread&f=4

go here steph

mark c
17-10-2005, 09:00 AM
Other ways to access Task Manager in XP are Control+Shift+Escape or right-clicking on a blank space in the taskbar.

Speedy Gonzales
17-10-2005, 09:05 AM
Another thing

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.exe

May be hidden.

Run My computer. Go to tools menu / folder options / view.

Select Show hidden files and folders. Then see if these files are on the hdd, if they are, then delete them.

bartsdadhomer
17-10-2005, 09:10 AM
ewido will remove it
http://www.ewido.net/en/
Make sure you update the definitions after installing

russell108
17-10-2005, 09:40 AM
Another thing

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.exe

May be hidden.

Run My computer. Go to tools menu / folder options / view.

Select Show hidden files and folders. Then see if these files are on the hdd, if they are, then delete them.



Tried to delete them but access was denied...

Speedy Gonzales
17-10-2005, 09:53 AM
Tried to delete them but access was denied...

See if they're running in task manager, if they are end their process. Then delete. If this doesn't work, boot into safe mode, and then delete them.

mark c
17-10-2005, 09:54 AM
Did you try doing it in Safe Mode?

russell108
17-10-2005, 11:16 AM
Ok deleted them in safe mode..

Used ewido which identified over 3000 infected files ! all deleted..

used NOD32, not sure about the wininet.dll file, it keeps identifying it as bad..

Firefox is ok but Explorer has this as its homepage....snap2 (http://i2.photobucket.com/albums/y33/russell108/snap2.jpg)

Modem sounds different when dialing up too..

latest log...

Logfile of HijackThis v1.99.1
Scan saved at 23:00:42, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\kc34839002\kcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Russell\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp78F8.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DUNCO11] C:\WINDOWS\System32\kc34839002\kcc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBAA967B-57FE-4293-B3D4-5D89D0B4EA19}: NameServer = 217.145.64.66 212.111.32.7
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

russell108
17-10-2005, 11:32 AM
Tried to delete WININET.DLL in safe mode but access was denied :confused:

drcspy
17-10-2005, 11:35 AM
use SFC /SCANNOW to replace it

bartsdadhomer
17-10-2005, 11:37 AM
You don't want to delete it or you won't have any internet. wininet.dll is a module that contains Internet-related functions used by Windows applications.

download from here and replace the existing one
http://www.dll-files.com/dllindex/dll-files.shtml?wininet

Also, have you turned off system restore, rebooted and turned it back on again?
That clears any nasties that might be lurking in there.

you can use spybots advanced mode to change the ie homepage and lock it
check your hosts file as well for unusual entries and add spybots blocked list

Speedy Gonzales
17-10-2005, 11:38 AM
That looks a bit better. Just have to figure out how to fix this..

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Go to start/run. Type regedit. Can you get into the registry?

Did you get trojan remover??

Ah, that pic u posted is a fake.....As shown here, it's a phishing scam. It has nothing to do with XP's security center.

DON'T click on anything on that page.

http://channels.lockergnome.com/windows/archives/20050914_fake_windows_w32sinnakaa_alert_actually_front_for_spyware.phtml

http://www.informationweek.com/story/showArticle.jhtml?articleID=170703072

Take a snapshot of add/remove programs, and paste it in a gfx program and post it where u just posted that fake site/page.

drcspy
17-10-2005, 11:44 AM
ah trojan remover wont touch psguard i've tried...........ewido or nod32 is it !!!
and you can replace wininet.dll from msconfig.....

Speedy Gonzales
17-10-2005, 11:46 AM
No, but it might reset everything back to normal.

russell108
17-10-2005, 09:44 PM
The file O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 keeps reappearing...

Here is the startup (http://i2.photobucket.com/albums/y33/russell108/startup.jpg)snapshot

Also the dial up box never looked like this (http://i2.photobucket.com/albums/y33/russell108/dialup.jpg) before..

Speedy Gonzales
17-10-2005, 09:50 PM
Startup pic looks fine. Post a pic of add/remove programs

Control Panel / add or remove programs.. Hmm what does your dialup usually look like?? The username and # ?

russell108
17-10-2005, 10:19 PM
The dial up box was similar but definitely different...

Explorer homepage seems ok now

here are the add remove snaps

top (http://i2.photobucket.com/albums/y33/russell108/addremovetop.jpg)

middle (http://i2.photobucket.com/albums/y33/russell108/addremove2.jpg)

bottom (http://i2.photobucket.com/albums/y33/russell108/addremovebott.jpg)

Speedy Gonzales
17-10-2005, 10:25 PM
This guy

http://www.tech-forums.net/showthread.php?threadid=41567

Had the same entry that wont go away.

Do this Russell

Taken from the above url

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Restart to Safe Mode

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Reboot

Empty the Recycle Bin

Did you run ccleaner and click on run cleaner?

bartsdadhomer
17-10-2005, 10:34 PM
The file O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 keeps reappearing...


snap

russell108
17-10-2005, 10:36 PM
here are the new !! add remove snaps

top (http://i2.photobucket.com/albums/y33/russell108/addremovetop.jpg)

middle (http://i2.photobucket.com/albums/y33/russell108/addremove2.jpg)

bottom (http://i2.photobucket.com/albums/y33/russell108/addremovebott.jpg)

Speedy Gonzales
17-10-2005, 10:39 PM
snap

lol. Great minds think alike :D

Speedy Gonzales
17-10-2005, 10:46 PM
Russell, what does that kcc.exe belong to?? dialup countdown, or connection controller??

It sounds like it belongs to one of these programs.

Ah ha uninstall my searchbar from add/remove programs

Everything else looks fine besides connection controller. If u dunno what this is.

And umm, I think it might be a good idea to update XP.. if u use OE or IE often.....

russell108
18-10-2005, 01:39 AM
Kcc.exe is a connection controller

Tried uninstalling mysearch bar but there was a .dll or module missing...however
it seemed to delete manually ok

How do i replace the WININET.DLL file ? i have the replacement ready

Do i need broadband to update XP ?

russell108
18-10-2005, 02:11 AM
Just noticed i cant get any sound now....where wil it end ! ! ! :badpc:

Rob99
18-10-2005, 03:10 AM
How do i replace the WININET.DLL file ? i have the replacement ready
You could try just putting it in the correct directory, probably "C:\WINDOWS\system32"; if that doesn't work do this:
Start - Run - CMD
in the command window type regsvr32 wininet.dll

russell108
18-10-2005, 03:49 AM
Tried regsvr32 wininet.dll but server entry point was not found (whatever that means) and the file could not be registered...

Speedy i did as you said but the damn thing is still there...

Sound is ok now at least...

drcspy
18-10-2005, 06:21 AM
How do i replace the WININET.DLL file ? i have the replacement ready


try safe mode..........

Speedy Gonzales
18-10-2005, 09:34 AM
Tried regsvr32 wininet.dll but server entry point was not found (whatever that means) and the file could not be registered...

Speedy i did as you said but the damn thing is still there...

Sound is ok now at least...

Use ccleaner. Run ccleaner. Go to tools/startup button, find my search bar, highlight it delete the entry.

Then go to C: \ Program files. See if My search bar folder is there, if it is delete it. Then go back to ccleaner. Click on issues. Then scan for issues.

Then click on fix selected issues. Then No. Then fix all selected issues. Then OK. Then close.

DO u mean this entry is still there??

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

Can you get into the registry or not?? Start/run and type regedit

russell108
18-10-2005, 08:46 PM
Sorry, yes I can get into the registry after deleting

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 with HJT, but it always reappears after a reboot, even after I did what you recommended from the other thread... I'll try it again.

My Search Bar is gone, I think. The only thing apart from the above is the WININET.DLL file... how can I replace it? I've tried safe mode, which didn't let me...

Speedy Gonzales
18-10-2005, 09:50 PM
Follow this link CAREFULLY Russell!

http://forums.mcafeehelp.com/viewtopic.php?p=252803

Make sure to download that smitfraud.reg file, and deldomains.inf file, and follow the rest of this URL.

It looks like this smitfraud.reg file changes the affected entries, back to the original settings, in the registry.

See if this file, is still on the system OLEADM.DLL.

This is part of this hijacker.

zqwerty
18-10-2005, 09:55 PM
On my Win2K OS WININET.dll is found in WINNT\System32, be aware that this .dll is updated in various Internet Explorer SP1 updates, yours will be SP2 presumably. Copy and paste to the folder as far as I am aware. I have done this with other .dll's but not this one.

russell108
20-10-2005, 12:54 AM
Ok currently carrying out above instructions...

Is there a free firewall/antivirus prog you can recommend?

Do i need broadband/cable to download windows service pack update ?(i only have 56k connection)

Also Everest home edition suggested this...

Suggestion Only 1 CPU installed, you should change to uniprocessor HAL.

Can you tell me what this means ?
Is it to enable HT technology ?

Thanks

Russell

Speedy Gonzales
20-10-2005, 09:00 AM
Umm Zonealarm maybe ok for the time being.

No, u dont need broadband, for SP1 or SP2. But it helps, as it'll take ages to get either!

You can order the SP1 or 2 CD from Microsoft. Either from the MS site, or give them a ring. That's if they answer phones.

Have u got a P4 533 fsb system with a 3.0 ghz CPU?

Or a P4 800 fsb system with a 2.4+ ghz CPU?? If you have either, then you can enable HT in the BIOS. BUT this is usually done BEFORE you install XP.

If you haven't got either of the above, you can't use HT. It isnt available.

Are you in NZ Russ??? If so, where?

I could burn a copy of SP2, for u, if u like.

russell108
20-10-2005, 08:52 PM
Hi speedy,

thanks for all your help by the way...unfortunately i'm about as far away from NZ as you can get !! Scotland ! Thanks anyways tho..

Yeah, my processor is a 3GHz Pentium so I think it has HT.

The Wininet.dll file seems to be sorted now ,all i have to sort out now is
this damn thing -

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 with HJT !!!

Speedy Gonzales
20-10-2005, 09:08 PM
No worries Russ . Is a bit far to post :D

Umm yup, your CPU will definitely support HT, if its a P4 CPU.

The option to enable/disable HT will be in the BIOS.

BUT, it MAY or MAY not work, if XP is already installed.

It would have to be reformatted, or a repair install may work. (I think u need XP Pro for this)?

If u can get into the registry, see if this entry

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1 actually exists.

Because that entry (Pol icies\System) doesnt exist in XP SP2.

Notice Pol icies (this should be ONE word, not spaced). And the System
bit after Pol icies doesnt exist either (well in XP SP2).

It maybe a fake entry (If its in the registry).

I would say, IF u can get into the registry now (this entry,

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1, would have locked you out of task manager and the registry), everything should be fine.

As anything related to it has now been deleted.

We'll soon find out if u install SP2, as it may reboot continuously. If SP2 installs fine and the system works fine later. Thats the end of this post!

russell108
21-10-2005, 02:41 AM
Seems like a catch 22.... I can only get into the registry by running HJT and deleting..... HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1

then the offending entry is no longer there when i search the registry...
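Editor's note: the check below is an added example, not something posted in the thread. The O7 line HijackThis prints as "DisableRegedit" refers to the registry value actually named DisableRegistryTools under Policies\System (the same key holds DisableTaskMgr). A value that comes back after every reboot is being re-created by something that runs at logon, so the script reads those policy values directly and then lists the autorun locations a re-setter would normally use (Run/RunOnce keys and the Winlogon Shell/Userinit values, which on a clean machine should name only explorer.exe and userinit.exe). Run it from an elevated PowerShell prompt; it only reads, it changes nothing.

```powershell
# Added example (not from the thread): read the policy values behind the HJT
# O7 "DisableRegedit" report and list the autorun locations that could be
# re-creating them at each logon. Read-only; nothing is modified.
# Assumption: HJT's "DisableRegedit" label = the DisableRegistryTools value.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableRegistryTools', 'DisableTaskMgr')

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { "$key : key not present"; continue }
    $item = Get-Item $key
    foreach ($name in $policyValues) {
        $v = $item.GetValue($name)
        if ($null -eq $v) { "{0}\{1} : not set" -f $key, $name }
        else              { "{0}\{1} = {2}"    -f $key, $name, $v }
    }
}

# Autorun locations: anything listed here runs at logon and is a candidate
# for re-setting the policy. Compare each path against what you expect.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        "{0} : {1} = {2}" -f $key, $name, $item.GetValue($name)
    }
}

# Winlogon Shell/Userinit: a hijacker that appends its own exe here runs
# before the desktop appears, which is how the policy can be back before
# you ever see Explorer.
$winlogon = Get-Item 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = {0}" -f $winlogon.GetValue('Shell')
"Winlogon Userinit = {0}" -f $winlogon.GetValue('Userinit')
```

If DisableRegistryTools shows as set while HJT reports the entry gone, one of the listed autorun entries (or a Winlogon value that names more than explorer.exe / userinit.exe) is the thing to remove first; deleting the policy value alone will keep losing to it on each reboot.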

supersam
18-03-2006, 07:18 PM
Contact me at sumitdas76@gmail.com.

I'll guide you thru the troubleshooting steps.

Sam.