First off, I need you to download some programs for use later.
Please download CCleaner.
Download this file and unzip it to your desktop.
Download about:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
Download CWShredder from here, install it, check for updates but again, don't use it yet.
Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.
Ensure hidden files and folders are set to show:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).
How to disable system restore:
WinXP.
- Click the Start button.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called Network Security Service.
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Then uninstall "UnSpyPC" in add/remove programs.
Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.
Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
Open HJT and click config > misc tools > “delete an NT service”
Copy and paste:
NSS
Click OK.
While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.
Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
Bring up task manager Ctrl-Alt-Del and end these processes if they are present
ieui.exe
ipri.exe
Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uluir.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - C:\WINDOWS\ntnb.dll (file missing)
O2 - BHO: Class - {C2B58764-C5C7-1BD4-E562-74CAC3710D50} - C:\WINDOWS\system32\javaqy32.dll (file missing)
O2 - BHO: (no name) - {DC9BE935-CD27-46E2-9A15-52879D1A81EC} - C:\WINDOWS\system32\gfob.dll (file missing)
O4 - HKLM\..\Run: [ieui.exe] C:\WINDOWS\system32\ieui.exe
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program Files\UnSpyPC\UnSpyPC.exe (file missing) (HKCU)
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Hpjnadon.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipri.exe (file missing)
Now delete the files in bold, and run ccleaner.
Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.
Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.
Now reboot, and run hijackthis again and post a fresh hjt log along with the about buster log and the Ewido log.
Also do you know that this is running on your PC?
Win-Spy - surveillance software that creates records of everything people do on a computer, ie, spying or monitoring depending upon how you call it
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
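
As an added example (not part of the original post): a small Python parser for the HijackThis entry format used in the fix list above. It extracts the section code, the referenced file and the "(file missing)" flag so each entry can be cross-checked against what is actually on disk. The sample log is constructed from four lines of the post; the function and field names are this example's own.

```python
import re

# Constructed sample: four entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uluir.dll/sp.html#77035
O2 - BHO: Class - {177CDD5E-8C7C-0B4D-8EDC-927A1BCC153B} - C:\WINDOWS\ntnb.dll (file missing)
O4 - HKLM\..\Run: [ieui.exe] C:\WINDOWS\system32\ieui.exe
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
"""

# HijackThis section codes that appear in the post, with their usual meaning.
SECTIONS = {
    "R1": "IE start/search page", "R3": "URL search hook",
    "O2": "browser helper object", "O4": "autostart entry",
    "O9": "IE extra button/menu item", "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad", "O23": "NT service",
}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Drive-letter path ending in .exe/.dll; spaces allowed ("Program Files").
PATH_RE = re.compile(r'[A-Za-z]:\\[^/:*?"<>|\r\n]*?\.(?:exe|dll)', re.IGNORECASE)
# Fallback for entries such as O20 that log only a bare file name.
BARE_RE = re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.IGNORECASE)


def parse_hjt(log):
    """Return one dict per recognised HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, running-process list, blank lines
        body = m.group("body")
        hit = PATH_RE.search(body) or BARE_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "kind": SECTIONS.get(m.group("code"), "other"),
            "file": hit.group(0) if hit else None,
            "file_missing": "(file missing)" in body,
        })
    return entries


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e)
```
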