| psguard infected, need help somebody mind helping me fight this psguard bastard? |
| ||
| Re: psguard infected, need help Hi, Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process, click on the "Scanner" button in the left menu, then click on the "Start" button. If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report". This will create a text file. Next, download HijackThis and unzip it to a dedicated folder (like C:\HijackThisFolder\hijackthis.exe). Then run it and click the button Do a System scan and save log file. HijackThis will perform a scan and save the log file as hijackthis.log in the same folder where it is installed, and it also opens the file automatically. Copy the entire contents of the file and post it here along with the Ewido log. |
| ||
| Re: psguard infected, need help Thank you for helping out. Here are the logs: |
| ||
| Re: psguard infected, need help Hi, Download and install Ad-Aware SE and CCleaner, do not run them now.
Make Windows show all files:- Go to Start > My Computer. Go to the Tools menu, click Folder Options (Folder Options will be in the View menu in Win98). Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Reboot in Safe Mode:- Restart (or switch ON) the PC. Then, keep tapping the F8 key. From the menu that will be displayed, choose Safe Mode and press Enter.
Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.
Delete these files:-
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\OLEEXT.dll
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\amstxml4.dll
Delete this folder:- C:\Program Files\PSGuard
Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the filename mentioned below and search for it; if you find it, right-click on it and click delete:- sysmain.dll
Run CCleaner, click the "Options" button, go to the "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
After this, run AdAware, click the "Start" button (in AdAware), select the options "Perform full system scan" and "Scan for negligible risk entries", and click "Next" to start the scan. When the scan is completed, remove all the things it may find.
Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log. |
| ||
| Re: psguard infected, need help Ok, I did as you wrote. But there wasn't any: C:\WINDOWS\System32\OLEEXT.dll C:\Program Files\PSGuard or sysmain.dll here's the log: |
| ||
| Re: psguard infected, need help Hi, Log looks clean :D Please post back whether you are experiencing any problems or not, so that I can decide what to do next :) |
| ||
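The before/after check done by eye in this exchange (flag entries, fix them, re-scan, confirm the fresh log is clean) can be scripted. The Python below is an added example, not part of the original thread or of HijackThis; the function names are hypothetical, and the sample logs are constructed for illustration, reusing entries named in the thread, with `AFTER_PARTIAL` and its `[example]` entry invented to show a fix that did not hold.

```python
import re

# One HijackThis entry per line: "<code> - <detail>", e.g. "O20 - AppInit_DLLs: sysmain.dll".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Map a case-folded (code, detail) key to the original log line.

    Header and "Running processes" lines do not match ENTRY_RE and are skipped.
    Keys are case-folded because Windows paths and registry names are
    case-insensitive (System32 and system32 name the same directory).
    """
    entries = {}
    for raw in log_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace damaged by copy/paste
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2).casefold())] = line
    return entries


def verify_fix(before_log, after_log, flagged_lines):
    """Compare the log taken before the fix with the fresh log taken after it."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    flagged = parse_entries("\n".join(flagged_lines))
    survivors = flagged.keys() & after.keys()
    return {
        "flagged_gone": not survivors,
        # flagged entries that survived the fix or were re-created on reboot
        "still_present": sorted(after[k] for k in survivors),
        # flagged lines that were never in the first log (mistyped fix list)
        "unknown_flagged": sorted(flagged[k] for k in flagged.keys() - before.keys()),
        # entries that first appear after the fix and need a fresh look
        "new_entries": sorted(after[k] for k in after.keys() - before.keys()),
    }


# Constructed sample data: a shortened "before" log reusing entries named in the thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Autostart entries from the fix list in the thread.
FLAGGED = [
    r"O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe",
    r"O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe",
    r"O20 - AppInit_DLLs: sysmain.dll",
    r"O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll",
]

# Constructed "after" log where every flagged entry is gone.
AFTER_CLEAN = r"""O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed failure case: one flagged entry is back (different letter case)
# and an autostart entry appears that was not in the first log.
AFTER_PARTIAL = AFTER_CLEAN + r"""O20 - AppInit_DLLs: SYSMAIN.DLL
O4 - HKLM\..\Run: [example] C:\WINDOWS\example.exe
"""

if __name__ == "__main__":
    for name, log in (("clean", AFTER_CLEAN), ("partial", AFTER_PARTIAL)):
        print(name, verify_fix(BEFORE, log, FLAGGED))
```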
| Re: psguard infected, need help Haven't had any problems for a while now. Looks good so far |
| ||
| Re: psguard infected, need help Hi, To make sure that everything is clean, you can perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and post back the same. |
| ||
| Re: psguard infected, need help
Adware:adware/cws.searchmeup No disinfected C:\new.exe
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\guardian.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\hookDLL.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\r_process.dll
Dialer:Dialer.NE No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\backup.old
Dialer:dialer.bb No disinfected C:\WINDOWS\system32\dktibs.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\system32\paydial.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.inf
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\system32\winsx.inf
Adware:adware/sbsoft No disinfected C:\WINDOWS\webdlg32.cab
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.inf]
Adware:Adware/Startpage.CN No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.dll] |
| ||
| Re: psguard infected, need help hmm, I started having some problems. A message tells me wininet.dll is missing when attempting certain functions and my computer reboots from time to time. Any ideas? |