psguard infected, need help
Hi,
Download Ewido and install it. Then run it; you will receive a warning message saying "Database not found", click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Next, download HijackThis and unzip it to a dedicated folder (like C:\HijackThisFolder\hijackthis.exe).
Then run it and click the button "Do a System scan and save log file". HijackThis will perform a scan and save the log file as hijackthis.log in the same folder where it is installed; it also opens the file automatically.
Copy the entire contents of the file and post it here along with Ewido log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
Thank you for helping out.
Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 13:01:37, on 28.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O3 - Toolbar: MSN-työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094965120464
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 13:00:25, 28.8.2005
+ Report-Checksum: C16DD0C
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
[1064] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[1304] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1420] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1684] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1804] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[1672] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
[3236] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\!Submit\netdc.exe -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Järjestelmänvalvoja\Käynnistä-valikko\Ohjelmat\Käynnistys\netdb.exe -> TrojanDownloader.Small.oc : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Nicklas\Application Data\Mozilla\Firefox\Profiles\fdayhhl4.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate09674169[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate16765412[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate23674169[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate27054709[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate34521416[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate69852103[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Käynnistä-valikko\Ohjelmat\Käynnistys\winupdate96525894[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\8960875.tmp -> Trojan.Krepper.aj : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Cookies\nicklas@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Cookies\nicklas@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.ku : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\temp.fr32E6 -> Spyware.AdTools : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\Temporary Internet Files\Content.IE5\HB9BT9LI\winupdate96525894[1].exe -> TrojanDropper.Small.ue : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp1E.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp1F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp20.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp21.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp22.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp23.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp25.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp27.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp28.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp29.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2A.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2C.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2D.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp2F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp31.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp32.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp36.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp38.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp39.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3A.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3B.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3C.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3D.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp3F.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp44.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmp45.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temp\tmpE4.tmp -> TrojanDownloader.Small.oc : Cleaned with backup
C:\Documents and Settings\Nicklas\Local Settings\Temporary Internet Files\Content.IE5\CP5I1TXS\an[1].exe -> TrojanDownloader.Small.rr : Cleaned with backup
C:\Documents and Settings\Nicklas\msopt.dll -> TrojanDownloader.Small.kq : Cleaned with backup
C:\Documents and Settings\Nicklas\Työpöytä\musik\uninstall.exe -> TrojanDropper.Agent.hy : Cleaned with backup
C:\Program Files\Internet Explorer\fshhvecx.exe -> TrojanDropper.Small.nn : Cleaned with backup
C:\WINDOWS\dltime.dll -> TrojanSpy.Tofger.aw : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\on-line.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\on-line.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\videobox.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\install.exe -> TrojanDownloader.Small.aha : Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\q1214_1.exe -> TrojanDownloader.Small.kq : Cleaned with backup
C:\WINDOWS\system32\6crvk7yfxuk8y.dll -> TrojanDownloader.Small.rr : Cleaned with backup
C:\WINDOWS\system32\intell32.exe -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\system32\netdc.exe -> TrojanDownloader.Small.oc : Cleaned with backup
C:\WINDOWS\system32\sys10000.exe -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\WINDOWS\system32\sys10001.exe -> TrojanDownloader.Domcom.a : Cleaned with backup
C:\WINDOWS\system32\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.kf : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__sysmain.dll -> Trojan.Krepper.an : Cleaned with backup
C:\WINDOWS\webdlg32.cab/webdlg32.dll -> Spyware.SBSoft : Error during cleaning
C:\WINDOWS\webdlg32.dll -> Spyware.SBSoft : Cleaned with backup
::Report End
Hi,
Download and install Ad-Aware SE and CCleaner, do not run them now.
Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.
Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.
Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.
Delete these files:-
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\OLEEXT.dll
C:\WINDOWS\System32\sysbho.exe
C:\WINDOWS\System32\amstxml4.dll
Delete this folder:-
C:\Program Files\PSGuard
Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filename and search for it, if you find it, right-click on it and click delete:-
sysmain.dll
Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.
After this, run AdAware, and click the "Start" button (in AdAware) and select the options "Perform full system scan", "Scan for negligible risk entries", and click "Next" to start the scan. When the scan is completed, remove all the things it may find.
Reboot to Normal Mode. Run HijackThis again, click Do a System scan and save log, and post the fresh log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
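The fix list above and the fresh log asked for afterwards are both HijackThis entry lines, so the natural check is mechanical: parse the "Oxx - ..." lines, pull out the file, DLL or URL each one points at, and confirm none of the ticked entries survive in the follow-up log. The script below is an added example for this thread; it is not HijackThis code and not part of any post here. The sample entries are constructed from lines posted in the thread, and the section names, the path-extraction rules and the "bare file name" check are this example's own assumptions about the log format rather than anything HijackThis documents.

```python
"""Parse HijackThis-style log lines and compare a helper's fix list with a follow-up log.
Added example for this thread, not HijackThis code; sample entries are constructed
from lines posted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed: entries the helper asked the user to tick and "Fix Checked".
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=533
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\System32\sysbho.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab
O20 - AppInit_DLLs: sysmain.dll
O21 - SSODL: MSSQLMonitor - {B58AFF20-AB0D-47D7-B179-960B6509E245} - C:\WINDOWS\System32\amstxml4.dll
"""

# Constructed: a subset of the fresh log the user posted after the fix.
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Targets that are already unambiguous: absolute path, %var% path, URL, or "(no file)".
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%|https?://|\(no file\))", re.IGNORECASE)
# Sections (assumed here) whose entries get code executed at boot or logon.
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}


@dataclass(frozen=True)
class HjtEntry:
    section: str          # "R0", "O4", "O16", "O20", "O21", "O23", ...
    body: str             # text after "Oxx - "
    path: Optional[str]   # file, DLL or URL the entry points at, if recoverable
    line: str             # original line, kept for matching against a fix list


def _extract_path(section: str, body: str) -> Optional[str]:
    if section.startswith("R"):                    # R0/R1: "registry value = data"
        return body.split(" = ", 1)[1].strip() if " = " in body else None
    if section == "O4":                            # O4: "[name] command line"
        m = re.search(r"\]\s*(.+)$", body)
        if not m:
            return None
        cmd = m.group(1).strip()
        if cmd.startswith('"'):                    # quoted executable, arguments follow
            return cmd[1:].split('"', 1)[0]
        return cmd                                 # unquoted: arguments are not separable
    if section == "O20":                           # O20: "AppInit_DLLs: name.dll"
        parts = body.split(":", 1)
        return (parts[1].strip() or None) if len(parts) == 2 else None
    # O3, O9, O16, O21, O23: the file or URL is the last " - " separated field.
    return body.rsplit(" - ", 1)[-1].strip()


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an 'Oxx - ...' line, or None for headers and process paths."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return HjtEntry(m["section"], m["body"], _extract_path(m["section"], m["body"]), line)


def parse_log(text: str) -> list[HjtEntry]:
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


def _normalize(line: str) -> str:
    return " ".join(line.split()).lower()


def remaining_fixes(fix_list: str, followup_log: str) -> list[str]:
    """Fix-list entries still present in the follow-up log (case- and space-insensitive)."""
    present = {_normalize(e.line) for e in parse_log(followup_log)}
    return [e.line for e in parse_log(fix_list) if _normalize(e.line) in present]


def unqualified_paths(entries: list[HjtEntry]) -> list[tuple[str, str]]:
    """Entries that point at a bare file name: Windows resolves those through its
    search order, so the log alone does not say which file on disk actually runs."""
    return [(e.section, e.path) for e in entries if e.path and not QUALIFIED_RE.match(e.path)]


def autostart_summary(entries: list[HjtEntry]) -> dict[str, list[str]]:
    """Group targets by the sections that grant code execution at boot or logon."""
    out: dict[str, list[str]] = {}
    for e in entries:
        if e.section in AUTOSTART_SECTIONS and e.path:
            out.setdefault(e.section, []).append(e.path)
    return out


if __name__ == "__main__":
    print("fix-list entries still present:", remaining_fixes(FIX_LIST, AFTER_LOG))
    print("bare names to resolve on disk: ", unqualified_paths(parse_log(AFTER_LOG)))
    for section, paths in sorted(autostart_summary(parse_log(AFTER_LOG)).items()):
        print(section, paths)
```

Feed it the full "before" and "after" logs and `remaining_fixes` gives a yes/no answer on whether the ticked entries are gone, while `unqualified_paths` points out entries like `Ati2mdxx.exe` that name a file without a directory; those are worth resolving on disk before deciding they are benign, because the log cannot show which copy the loader will pick.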
Ok, I did as you wrote. But there wasn't any:
C:\WINDOWS\System32\OLEEXT.dll
C:\Program Files\PSGuard
or
sysmain.dll
here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 14:23:08, on 28.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\HJT\HijackThis.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
O3 - Toolbar: MSN-työkalurivi - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\fi\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {131C19AA-E451-460A-B2C6-BFD0E7CDE6FE} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1395363A-8E79-441B-876D-A348C986BDA4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D8430468-D6EE-4AE7-AF51-4369E21C9F79} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094965120464
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Hi,
To make sure that everything is clean, you can perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and post back the same.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
Originally Posted by swatkat
Hi,
To make sure that everything is clean, you can perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log file it gives after the scan, and post back the same.
Adware:adware/cws.searchmeup No disinfected C:\new.exe
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\guardian.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\hookDLL.dll
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\r_process.dll
Dialer:Dialer.NE No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\backup.old
Dialer:dialer.bb No disinfected C:\WINDOWS\system32\dktibs.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\system32\paydial.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.inf
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\system32\winsx.inf
Adware:adware/sbsoft No disinfected C:\WINDOWS\webdlg32.cab
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.inf]
Adware:Adware/Startpage.CN No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.dll]
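The ActiveScan output above is mostly "No disinfected" lines, and three of them refer to the same cab archive (`webdlg32.cab` itself plus two members in `[...]` notation), which is also the file Ewido earlier reported as "Error during cleaning". Sorting a report like this by hand is error-prone, so here is an added example, not Panda code and not part of any post in this thread, that parses the lines and separates what was cleaned from what still needs action. The sample report is constructed from the lines posted above; the line format, the `container[member]` convention and the "archives are not cleaned in place" reading are this example's assumptions.

```python
"""Parse Panda ActiveScan result lines and list what the scanner could not disinfect.
Added example for this thread, not Panda code; the report below is constructed
from lines the user posted."""
from __future__ import annotations

import re
from dataclasses import dataclass

PANDA_REPORT = r"""
Adware:adware/cws.searchmeup No disinfected C:\new.exe
Adware:Adware/LookNSearch No disinfected C:\Program Files\Internet Explorer\guardian.dll
Dialer:Dialer.NE No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\on-line.exe
Adware:adware/spywad No disinfected C:\WINDOWS\ms2.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\system32\wininet.dll
Adware:adware/sbsoft No disinfected C:\WINDOWS\webdlg32.cab
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.inf]
Adware:Adware/Startpage.CN No disinfected C:\WINDOWS\webdlg32.cab[webdlg32.dll]
"""

# "<category>:<detection name> <status> <path>". The status is the two-word
# "No disinfected" or "Disinfected", so it is matched before the path, which may contain spaces.
FINDING_RE = re.compile(
    r"^(?P<category>[^:\s]+):(?P<name>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<path>.+?)\s*$"
)
# "container[member]" marks a file found inside an archive (assumed convention).
ARCHIVE_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\]]+)\]$")


@dataclass(frozen=True)
class Finding:
    category: str   # Adware, Dialer, Virus, ...
    name: str       # detection name as printed, e.g. "Adware/SBSoft"
    status: str     # "Disinfected" or "No disinfected"
    path: str

    @property
    def disinfected(self) -> bool:
        return self.status == "Disinfected"


def parse_report(text: str) -> list[Finding]:
    """Parse every well-formed result line; anything else (blank lines, garbling) is skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["category"], m["name"], m["status"], m["path"]))
    return findings


def outstanding(findings: list[Finding]) -> list[Finding]:
    """Findings the scanner reported but did not clean: these still need manual action."""
    return [f for f in findings if not f.disinfected]


def archive_containers(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each archive that still holds an uncleaned member to those member names.
    Scanners generally do not rewrite archives, so the container is what has to go."""
    out: dict[str, list[str]] = {}
    for f in outstanding(findings):
        m = ARCHIVE_RE.match(f.path)
        if m:
            out.setdefault(m["container"], []).append(m["member"])
    return out


def families(findings: list[Finding]) -> set[str]:
    """Distinct detection names, case-folded: the report prints the same family with
    different capitalisation ("adware/sbsoft" and "Adware/SBSoft")."""
    return {f.name.lower() for f in findings}


if __name__ == "__main__":
    report = parse_report(PANDA_REPORT)
    print(f"{len(report)} findings, {len(outstanding(report))} not disinfected")
    for f in outstanding(report):
        print(" ", f.category, f.name, f.path)
    print("archives with uncleaned members:", archive_containers(report))
    print("families seen:", sorted(families(report)))
```

Run against the full report, `outstanding` is the list to hand back to the helper, and `archive_containers` collapses the three `webdlg32.cab` lines into one file to deal with, which matches what the Ewido log already hinted at with its "Error during cleaning" on the same cab.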