! Protect Your Data SCUM

[shin_nihon_kikaku]

I was just browsing around the edonkey website, and all of a sudden my desktop turned all black (where the wallpaper should be) and a shortcut icon appeared in the top left (looks like an eye) and is called "! Protect Your Data" This shortcut goes to "http://213.159.117.130/?affid=NAT-13". I've never clicked it but I thought it may be important to know where it goes.

 

There is also a clickable link on the desktop which reads (this goes to - "file:///C:/WINDOWS/desktop.html#") My desktop isn't really the desktop anymore, but just a big weblink.

WARNING!

YOU'RE IN DANGER!

 

 

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

 

Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!

 

 

SECURE YOURSELF RIGHT NOW!

 

Removal instructions

 

Does anyone know what the hell this is and how I can get rid of it? I have tried scanning my PC with SpybotS&D and AdAware but they don't find anything.

 

Please help, thanks.

Edited November 3, 2004 by shin_nihon_kikaku

[Agozer]

Have you ran antivirus?

[Gryph]

I suggest you get HijackThis! since that will look into everything that is running on your PC. Once you run that, paste the report here.

[shin_nihon_kikaku]

Right here it is:

 

Logfile of HijackThis v1.98.2

Scan saved at 19:51:16, on 03/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\System32\dslagent.exe

C:\windows\system32\taskmgn.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\ABC\abc.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Downloads\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gloses.net/?ref=2381

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://gloses.net/search/?ref=2381

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.easysearch.cc/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.easysearch.cc

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://gloses.net/search/?ref=2381

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easysearch.cc/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [kxxzylnzsdvh] C:\WINDOWS\System32\tgifqlc.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [Windows Task Manager] C:\windows\system32\taskmgn.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroNETTrayIcon] C:\Program Files\Ahead\NeroNET\NNServiceCtrl.exe

O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe

O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "C:\PROGRA~1\Games\tbGame.dll" DllShowTB

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - Startup: PowerReg Scheduler V3.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\OFFICE~1\Office10\EXCEL.EXE/3000

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10515ea41ad8ced99405/...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095450468765

O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BFC70675-D032-40F8-B419-5BE46F6CE957}: NameServer = 194.74.65.68 194.72.9.34

O19 - User stylesheet:  (file missing)

 

This is the log that HijackThis created. I have far too many processes running on my PC. I've already got rid of lots of unwanted processes by I still have tons.

[Daeval]

Wow, you got 0wned good.

 

You might try something like.... this:

http://www.google.com/search?hl=en&lr=&q=%...%22&btnG=Search

[shin_nihon_kikaku]

It seems as though a lot of people think that it may be just a web ad, but it covers the whole desktop, creates a new web shortcut (makes me think it MUST be a program that installed) and cannot be gotten rid of by ALT-F4, CTRL+ALT+DEL or anything else.

 

I got my desktop back by re-applying a visual style in StyleXP. But I still think the program/spyware still remains somewhere on my hard-drive.

 

Any more help anyone?

 

BTW Daeval, I already tried googling the words, but I just found smart ass geeks telling other people with the same problem that it is just an advert that is easily got rid of by ALT-F4 or something. But they don't understand the problem. They just like to think they know everything about PCs without research on new viruses/spyware.

 

Thanks anyway.

[Daeval]

It sounds like it hijacked your desktop using active desktop. Did you try this?:

 

Go to Control Panel -> Display -> Desktop. Click on the Customize Desktop button. Then select Web and uncheck (or delete) the webpage Security. Click OK and it's done.

 

Or this for the "program"?:

http://www.smart-security.info/removal.html

 

(Both from the second link from google)

 

You might also get a port watcher and see if you notice any signs of a trojan. There's a few good freeware / demoware ones out there that should do the trick, but I can't remember any names. Just to keep an eye on things and make sure nothing is left on your system. Although judging by the type of attack, it was probably an activeX hack or something. Might consider switching to FireFox if you haven't already.

Edited November 4, 2004 by Daeval

[shin_nihon_kikaku]

I have switched to Firefox, and since then I have had more Spyware and stuff than ever. I have used IE ever since I first got my computer, and recently started using Firefox instead. I like the tab browsing and Firefox search features, but the spware has become much worse.

[Gryph]

I have switched to Firefox, and since then I have had more Spyware and stuff than ever. I have used IE ever since I first got my computer, and recently started using Firefox instead. I like the tab browsing and Firefox search features, but the spware has become much worse.

<{POST_SNAPBACK}>

 

That's the first time I've ever heard that. Well if Firefox is giving you problems, then get Maxathon (the new name of MyIE2). It has tabbed browsing and a crap load of features.

[Jiggs]

Another bonus to Maxthon is that you can disable ActiveX, Java, or even images. When it wa MyIE2, you could disable/enable something on one tab only, which was cool as hell.

[Daeval]

Another bonus to Maxthon is that you can disable ActiveX, Java, or even images. When it wa MyIE2, you could disable/enable something on one tab only, which was cool as hell.

<{POST_SNAPBACK}>

 

ActiveX is disabled by default in Firefox (not sure if you even have the option to turn it on though.. Not that anybody respectable uses it. ). You can also disable Java and/or JavaScript, or even disable specific "features" of java, such as the ability to hide the status bar or resize windows. Images can be disabled too, and you can choose whether to disable them altogether, disable only those from certain sites (like advertizers), or disable any image loaded from outside the site you're visiting. You'd practically have to try to get spyware/adware with FireFox.