Through AOL Instant Messenger I got a spyware called RealPhx. Every time I open Explorer or go away on AIM, it puts up an ad. It says at the bottom of the ad that I can get rid of all the ads by downloading something. Is this a new spyware, because it wasn't listed as one that is detected? Also, how can I fix this?
Hi Steven, This is a recently discovered hijacker that uses mshta to hijack your start page. See if you can find the startup entry for av.exe, disable that and consequently delete that file. If you are unsure how to proceed, please follow these instructions and someone will be happy to help you out: Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log as a .txt file, and copy and paste its contents into your next post. Most of what it lists will be harmless, so do not fix anything yet. Regards, Pieter
And while you're at it, get yourself a copy of HTAstop from here: http://www.simtel.net/product.php?url_fb_product_page=53731 and see if that doesn't help to prevent future infections. Pete
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\av.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\WINDOWS\System32\mshta.exe
C:\av.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37810.6988194444
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

OK, here's the list.
Hi Steven, Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then reboot and you should be able to delete c:\av.exe. You can re-enable the IE restrictions in Spybot S&D under Immunize. I had you fix them so you can change your start page back. As you may have noticed they offer no real protection against hijackers and are a hassle if you want to change it yourself. Regards, Pieter
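As an added example (not code from this thread or from HijackThis), here is a small Python triage of HijackThis-style log lines that flags the same entry classes Pieter singled out: an R0 start page that is not the expected one, O4 Run entries whose binary sits outside the Windows or Program Files directories or uses a drive-relative path, and O6 policy restrictions. The sample log is constructed to mirror a few lines from the posted log; the trusted-directory list is an assumption for illustration.

```python
"""Triage a HijackThis-style log for the entry classes discussed in the thread.
Added example, not part of the original post; SAMPLE_LOG is constructed."""
import re

# Constructed sample mirroring a handful of entries from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realphx.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Antivirus] c:\av.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Assumed "normal" locations for autostart binaries (illustrative, not exhaustive).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")


def flag_run_entry(name, cmd):
    """Return a reason string if an O4 Run entry looks suspicious, else None."""
    cmd_l = cmd.strip().strip('"').lower()
    if cmd_l.startswith(TRUSTED_DIRS):
        return None                      # full path under a normal install location
    first = cmd_l.split()[0]
    if "\\" not in first:
        return None                      # bare name (nwiz.exe, rundll32.exe): resolved via PATH
    if first.startswith("\\"):
        return "drive-relative path"     # e.g. \Program\BackWeb-...: resolved against current drive
    return "binary outside Windows/Program Files"   # e.g. c:\av.exe dropped in the drive root


def triage(log, expected_start_page=None):
    """Return (line, reason) pairs for the R0 / O4 / O6 entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = R0_RE.match(line)
        if m:
            if m.group("url").lower() != (expected_start_page or "").lower():
                findings.append((line, "start page changed"))
            continue
        m = O4_RE.match(line)
        if m:
            reason = flag_run_entry(m.group("name"), m.group("cmd"))
            if reason:
                findings.append((line, reason))
            continue
        if line.startswith("O6 - ") and line.endswith(" present"):
            findings.append((line, "IE policy restriction set; blocks changing the start page"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four entries Pieter listed for fixing; pass your own start page as `expected_start_page` to suppress the R0 finding when it is legitimate.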