[mikemarc]

Help..my desktop turned black with a warning message saying "Your computer might be infected with spyware or adware"...Strange homepages, popups, loss of important data, and unstable functioning are the sure signs that you are infected...Click here to get the latest spyware removal software."

I cant change my desktop back, either. When i go to control panel, display, the only tabs i have are screensaver and settings

Also, next to my clock, there is a red exclamation point. When i put my mouse over it, it says, "Your computer is infected"..when i click on it it takes me to PSGUARD.COM homepage.

This is 1) very annoying, and 2) very frightening. I dont know what this is doing to my computer or what this means. I run Windows XP. Any help will be appreciated.

I was told by a friend to run hijack this, and post it on this forum....

my log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:00 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\DIGStream\digstream.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\intell32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
c:\program files\mcafee.com\shared\mghtml.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsear...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsear...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hp9A70.tmp (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vmcleaner] gxlib.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nteh.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Any help will be appreciated. Thank you.

[Advertisements]

Hi mikemark, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'

• Go to Start > Run and type in Services.msc then click OK
  
• Click the Extended tab.
  
• Scroll down until you find the service.
  ===>Remote Procedure Call (RPC) Helper
  
• Click once on the service to highlight it.
  
• Click Stop
  
• Right-Click on the service.
  
• Click on 'Properties'
  
• Select the 'General' tab
  
• Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  
• From the drop-down menu, click on 'Disabled'
  
• Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste 11Fßä#·ºÄÖ`I in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\nteh.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

[Trevuren]

Hi mikemark, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'

• Go to Start > Run and type in Services.msc then click OK
  
• Click the Extended tab.
  
• Scroll down until you find the service.
  ===>Remote Procedure Call (RPC) Helper
  
• Click once on the service to highlight it.
  
• Click Stop
  
• Right-Click on the service.
  
• Click on 'Properties'
  
• Select the 'General' tab
  
• Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  
• From the drop-down menu, click on 'Disabled'
  
• Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste 11Fßä#·ºÄÖ`I in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\nteh.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

[mikemarc]

There is no EXTENDED tab...there is no RPC Helper...there is an RPC, and an RPC Locator, but there is no RPC Helper....

[mikemarc]

sorry..found the extended tab you were talking about..but there is still no RPC Helper

[mikemarc]

It's 1 AM..i have to go to bed..work tomorrow...ill work on it in the morning. thank you.

[Trevuren]

1. Try to find the entry with Remote Procedure Call, and if that doesn't work

2. Look for the entry that has this somewhere: 11Fßä#·ºÄÖ`I

3. If you still can't find it, please do as follows:

Download and run Getservices.zip

By Grinler,  Note: You must run this program as a user with Administrator privaleges.

Usage Instructions:

To use this script, download Getservices.zip from the link below and extract the zip file to your C: drive. Once it is extracted th ere will be a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat . Simply double-click on the getservice.bat file and when it is completed a notepad will open with a lot of information. You can then copy the entire contents of that notepad into this thread

Trevuren

[Trevuren]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

[Trevuren]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.