Full Version: my desktops got invaded
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
dennis_ian
Got this message on my desktop:

Warning: ur computer might be infected by a spyware or a adware..

By the way, if you thought it's a pop-up, it's not... it got hold of my desktop, literally... it became my screensaver... please, please help...
Ironbender
Hi dennis_ian, welcome to SAF

Before going deeply into that, please run updated versions of AdAware SE and Spybot S&D (one at a time) and clean everything they find. You can download them from the links below.

After that, it will not hurt if you run a housecall online virus check.

Then, please post a HijackThis log here, and someone will help you clean anything that is left.

Spybot - http://www.safer-networking.org/en/mirrors/index.html
AdAware - http://www.download.com/3000-2144-10045910.html
Housecall - http://housecall.trendmicro.com/

HijackThis - http://www.suggestafix.com/index.php?act=S...ST&f=15&t=16053

Chris
dennis_ian
Hi Ironbender, thanks for the fast reply... ( = I am new to SuggestAFix and this HijackThis thing... I am still trying to learn it... I'll try your suggestion though. Thanks a lot...


Anyway, is that you in your avatar??? ( =
Ironbender
Yep, it's me... scary, isn't it?
QUOTE
I am new to SuggestAFix and this HijackThis thing... I am still trying to learn it

No problem... the link I provided will guide you, be cool.

First, run the other programs, as they may clean a lot of things. If the problem persists, read the pinned HijackThis topic carefully, run it (do not fix anything yet, just post the log here), and someone skilled with it will come to help you.

Chris
dennis_ian
QUOTE
Yep, it's me... scary, isn't it?


No, you're not... ( =

I was about to ask you what keeps you busy or what you do for a living, but I guess it's a different thing now, so I'll leave that hanging... (=


Anyway, I am still trying HJT... ( =
Ironbender
I am currently unemployed, just repairing some computers or making and updating some websites.
dennis_ian
You need not be employed by any small or big company as long as you're in the computer business. You could make a living just repairing computers nowadays... it's the same rate a doctor would ask you for a check-up... ( =
Ironbender
Yes, I know that.

Have you checked your system for malware/viruses as I suggested?
Angoid
There's a lot of money to be had in going it alone in the computer industry, but having to work out all my tax affairs scares me off, as you make one slight mistake and they jump on you like a rattlesnake.

Dennis_ian, have you run those scans as suggested by Chris? Once you have, and we see your HijackThis log, we can work on any remaining problems to get you clear of this.

Please don't worry about this being unfamiliar territory: we always try to give concise, clear instructions to help people, as this can be quite a minefield. At any stage, if there is something you don't understand or need clarified, please just post back and we'll do our best to rephrase our replies to make it as easy as possible for you.
dennis_ian
Hi Angoid... good day Ironbender... is this the one you are looking for???

Logfile of HijackThis v1.99.1
Scan saved at 9:30:56 PM, on 8/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\SPEEDD~1\nopdb.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4DDE400-1077-4E07-8D7B-6AB226A01D08}: NameServer = 210.23.235.34 210.23.234.65
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Please help... what am I gonna do??? ) =

Ironbender
Just noticed that you have PSGuard (SmithFraud) installed. Do not try to remove it yet, wait for more skilled advice.
QUOTE
These infections change your desktop to say an alert which acts as a goad to use the antispyware software it installs (usually Security iGuard) and disables the screens that allow you to change your desktop

Chris
dennis_ian
Hi Chris, unfortunately I already uninstalled my PSGuard, thinking that it was the one that caused the change of my desktop. It has a free version but requires me to download the pro version. I didn't download it; instead I purchased Bullet Proof Soft spyware. But it ain't doing nothing, so I uninstalled it again.... Do I have to install it again??? ) =
Ironbender
QUOTE
Do I have to install it again???

No, don't do that. There is no problem with uninstalling it; I'm just wondering whether your HJT log is current, I mean, taken after you uninstalled it. If you uninstalled it after posting the HJT log, you'll need to post a fresh log.

Chris
LF from MC
Hi dennis_ian

I'm not seeing either SP1, or SP2 in your log. It's a must to have one or the other on your computer to help keep your computer clean.
HKEd
Hi dennis_ian...an unpatched XP system is very dangerous, especially if you use file-sharing.

If we fix your current infections, there will be more on your system within a very short time.

Can you go to the Windows Update site and install all available updates?
dennis_ian
Thanks Chris.... Good day LF from MC.. I feel great with you guys giving some advice and suggestions.... You really are a big help. You don't know how much I appreciate the time you're giving just checking my problems...

Hi HKEd. I'll try updating my Windows... I'll keep you posted after... Thanks a lot... I mean, thank you is not enough for you guys... ( =
HKEd
Let's see if we can clean it before you install the updates.

Open the Task Manager (right-click on the taskbar at the bottom of the screen and select it from the menu). Click on the Processes tab and click on this:

C:\WINDOWS\System32\intell32.exe

Click on 'End Process' and OK.

Run a HijackThis scan and put checks in the boxes next to these lines:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [vmcleaner] gxlib.exe

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Close all open windows except HijackThis and click on 'Fix checked'.

Reboot and make all files and folders visible as per these instructions:

QUOTE
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.


Search for these files (in bold text) and delete them:

gxlib.exe

C:\WINDOWS\System32\intell32.exe

Run HijackThis again and generate a new log. Post that and let us know if there was any problem deleting the file(s).

dennis_ian
Sorry about my question, but I would just want to make it clear... when you say Reboot, is it the same as restarting my computer??? Sorry...
HKEd
Yes...rebooting is the term we use for restarting the computer.
dennis_ian
Hi HKEd.. I got to delete all the files you suggested that I delete, and I have done the things you instructed.. but I still can't change my desktop background. When I tried to see my display properties, there are only two tabs??? Is there any chance I could get them back??? The tabs I lost??? Anyway, here's my new log.. ( =


Logfile of HijackThis v1.99.1
Scan saved at 9:22:04 PM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\SPEEDD~1\nopdb.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
HKEd
Is that the full log? Please repost and make sure all the contents are included.

To solve the display problem and replace a file that may have been removed by this infection, download SmitRem.exe from here. Save it to the desktop and click on it. You will see a new folder on the desktop called smitRem. Open that and click on RunThis.bat. Follow the instructions on the screen and reboot when prompted. Is Display back to normal?
dennis_ian
YOU GUYS ARE THE GREATEST!!! HKEd.. I finally got my desktop back.. gees... I am so overwhelmed with you guys and the help you have given... To tell you the truth, even my mom was amazed with what you have done, not to mention I have saved a lot..... ( =

Thank you, thank you, thank you... and thank you....


Here's my new log.....

Logfile of HijackThis v1.99.1
Scan saved at 8:29:17 PM, on 9/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\SPEEDD~1\nopdb.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125635885228
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

HKEd, I noticed that intell32.exe is trying to get back on my system. Is there any way I can prevent it from totally invading again???

HKEd
QUOTE (dennis_ian @ Sep 2 2005, 08:19 PM)
HKEd, I noticed that intell32.exe is trying to get back on my system. Is there any way I can prevent it from totally invading again???

You mean PC-cillin's firewall is reporting that it's attempting to install? If so, can you set the firewall to block it and not notify you?

If there's a file on your computer that's attempting to communicate with the outside world, that's a different story. Let us know which it is.

Your log is clean. Get those Windows updates installed, then we'll have you install a couple of freeware programs to increase protection.
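As an added example (my own code, not part of the thread and not a HijackThis feature), the Python script below does mechanically what HKEd did by eye: it parses the lettered entries of the first and last logs posted above, reports which entries the "Fix checked" list removed and which appeared afterwards, and applies a few defender-side review heuristics that single out the gxlib.exe, intell32.exe and Web P2P Installer lines. The log excerpts are copied from the thread (antivirus and NeroCheck lines omitted); the heuristics and the helper names are mine.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses the lettered entries (R0/R1, O4, O16, O17, ...), diffs a log taken
before cleaning against one taken after, and applies a few review heuristics
so the entries that need a human look stand out.
"""
import re
from dataclasses import dataclass

# Excerpts copied from the first and last logs posted in the thread above.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4DDE400-1077-4E07-8D7B-6AB226A01D08}: NameServer = 210.23.235.34 210.23.234.65
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125635885228
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O16", "O17", "R1", ...
    body: str     # everything after the "O4 - " prefix


def parse_log(text):
    """Return the HijackThis entries in a log, skipping headers and process lists."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("section"), m.group("body")))
    return out


def executable_of(cmd):
    """Best effort: the program a Run value launches (quoted path, or text up to .exe)."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def review_entry(entry):
    """Reasons (possibly none) why an entry deserves a manual look."""
    reasons = []
    if entry.section == "O4":
        m = RUN_RE.match(entry.body)
        if m:
            exe = executable_of(m.group("cmd"))
            low = exe.lower()
            if "\\" not in exe:
                reasons.append("bare file name: resolved through the PATH search order, "
                               "so confirm which copy actually runs")
            elif low.startswith("c:\\windows\\system32\\") and low.count("\\") == 3:
                reasons.append("launched straight from System32, where this infection "
                               "dropped intell32.exe")
    elif entry.section == "O16" and entry.body.endswith("-"):
        reasons.append("ActiveX download entry with no source URL")
    elif entry.section == "O17":
        reasons.append("per-interface DNS servers: confirm they belong to the ISP")
    return reasons


def review_log(text):
    """(entry, reasons) for every entry that has at least one review reason."""
    pairs = [(e, review_entry(e)) for e in parse_log(text)]
    return [(e, r) for e, r in pairs if r]


def diff_logs(before, after):
    """Entries removed by the cleanup and entries that are new afterwards."""
    b, a = set(parse_log(before)), set(parse_log(after))

    def key(e):
        return (e.section, e.body)

    return sorted(b - a, key=key), sorted(a - b, key=key)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:")
    for e in removed:
        print("  -", e.section, e.body)
    print("new since the first log:")
    for e in added:
        print("  +", e.section, e.body)
    print("entries to review in the first log:")
    for e, reasons in review_log(LOG_BEFORE):
        print("  ?", e.section, e.body[:60], "=>", "; ".join(reasons))
```

The diff is only as good as the input: running it on the truncated second log (HKEd's "Is that the full log?") would report every missing line as removed, so always diff complete logs. The heuristics are deliberately conservative; a flagged entry such as carpserv.exe means "check where this file lives", not "this is malware".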
dennis_ian
I am trying to update my Windows, but right now I am just seeing a download failure notice... Anyway, I am still trying.

The intell32.exe actually reappeared, but I deleted it with the same procedure you gave.. now it's gone again.. My concern is that it might appear again.... Anyway, I'll try downloading the update.