A new ad spyware?


Steven
October 17th, 2003, 12:33 AM
Through AOL Instant Messenger I got a spyware called RealPhx. Every time I open Explorer or go to "away" on AIM, it puts up an ad. It says at the bottom of the ad that I can get rid of all the ads by downloading something. Is this a new spyware, because it wasn't listed as one that is detected? Also, how can I fix this?

Pieter_Arntz
October 17th, 2003, 02:24 AM
Hi Steven,

This is a recently discovered hijacker that uses mshta to hijack your startpage.
See if you can find the startup entry for av.exe, disable that and consequently delete that file.

If you are unsure how to proceed, please follow these instructions and someone will be happy to help you out:

Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.

Most of what it lists will be harmless, so do not fix anything yet.

Regards,

Pieter

spy1
October 17th, 2003, 08:33 AM
And while you're at it, get yourself a copy of HTAstop from here: http://www.simtel.net/product.php?url_fb_product_page=53731 and see if that doesn't help to prevent future infections.

Pete

steven
October 17th, 2003, 09:29 AM
OK, thanks. How do I disable it? I tried deleting it but it says it was denied. Help?

steven
October 17th, 2003, 09:32 AM
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\av.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.6988194444
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

OK, here's the list.

Pieter_Arntz
October 17th, 2003, 09:59 AM
Hi steven,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then reboot and you should be able to delete c:\av.exe

You can re-enable the IE restrictions in Spybot S&D under Immunize.
I had you fix them so you can change your Startpage back.
As you may have noticed they offer no real protection against hijackers and are a hassle if you want to change it yourself.

Regards,

Pieter
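The entries Pieter picks out of the log above (the R0 start page, the O4 Run entry for c:\av.exe, the O6 policy keys, and the repeated mshta.exe/av.exe processes) can be triaged automatically. The script below is an added example, not part of the thread or of HijackThis; it parses HijackThis-style log lines and flags the RealPhx pattern, using a constructed excerpt of the posted log as input. The `trusted_start_pages` allowlist is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed excerpt of the log posted above; not a live scan.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\av.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\mshta.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")            # "R0 - ..." / "O4 - ..." lines
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")  # "[name] command" in an O4 entry
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)  # bare exe in a drive root, e.g. c:\av.exe

def suspicious_entries(log_text, trusted_start_pages=("about:blank",)):
    """Return (reason, line) pairs for entries matching the RealPhx hijack pattern."""
    findings, processes = [], Counter()
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            if line.lower().endswith(".exe"):  # "Running processes" section
                processes[line.lower()] += 1
            continue
        kind, body = m.groups()
        if kind == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url not in trusted_start_pages:
                findings.append(("start page changed", line))
        elif kind == "O4":
            r = RUN_RE.search(body)
            if r and DRIVE_ROOT_EXE.match(r.group("cmd").strip()):
                findings.append(("autorun from drive root", line))
        elif kind == "O6":
            findings.append(("IE policy restriction set", line))
    # Several mshta.exe instances next to av.exe is the hijack described in the thread
    if processes[r"c:\windows\system32\mshta.exe"] > 1 and processes[r"c:\av.exe"] > 1:
        findings.append(("repeated mshta.exe/av.exe processes", "Running processes"))
    return findings
```

Each finding maps to one of the lines Pieter asks to fix; legitimate O4 entries such as the NVIDIA and Logitech launchers are left alone because they do not run from a drive root.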

steven
October 21st, 2003, 10:19 PM
This worked:

http://www.ncsu.edu/resnet/pages/security/realphx.php