[interbeing]

yeah there is still no tabs on my display properties except for settings and screen saver, i think that it has something to do with the orer.exe, because when i would run killbox and it would say that the file is deleted, my background picture would go back to what it was before the infected spyware screen overtook that with the psguard link, and then within 10 seconds it would give the active desktop recovery background and then instantly go back to the same screen with the "your computer is infected with spyware or adware, and have the psguard link again"

so hopefully someone can figure it out
thanks
darren

[Advertisements]

You had a PSGuard infection that you tried to remove yourself?

You have the screen warning and I noticed a few files that could be PSGuard related left on your system. It is very important for us to know if you did or not.

Trevuren

[Trevuren]

You had a PSGuard infection that you tried to remove yourself?

You have the screen warning and I noticed a few files that could be PSGuard related left on your system. It is very important for us to know if you did or not.

Trevuren

[interbeing]

yeah i said that when we first started and i gave you my hijack this log and it is part of my topic ps guard problems........... definitely
i ran adaware and all those avg before i came to this website and yes i tried deleting psguard from add/remove programs or wherever i do not really remember seems how i have done so much other stuff since then
but yeah it is a psguard problem, and that orer.exe i think is somehow attached to it
sorry for the miscommunication
darren

[Trevuren]

Do you have a ZIP file utility and if you do, do you know how to ZIp files and email them?

Trevuren

[Trevuren]

My mistake. I just re-read the thread and you did mention the warning screen and PSGuard link in your opening comments.

You will be getting one of the marters working with us on this.



Trevuren

[interbeing]

yes i have winrar 3.42 for zipping files and im sure i can email them
did you need me to email something?

[Trevuren]

1. Pleae Zip up the contents of the following folder: C:\Program Files\mtes

2. I will be asking you to email these to the address of an expert who will take it apart to find out what is going on.

3. I will provide you with the email address via PM for security reasons.

4. Once sent, please advise me as soon as possible so I can tell the expert to watch for it.



Trevuren

[Trevuren]

1. My PM is sent with the required info.

2. Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/

Start it and paste in orer.exe, wait for it to complete the search, click ok at the prompt.

Then when wordpad opens, copy that back here please (You must copy/paste into the reply)


Trevuren

[interbeing]

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "orer.exe" 7/28/2005 12:20:23 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\explorer.exe,16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Briefcase\shell\open\command]
@="explorer.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7020"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7021"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7022"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7023"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7003"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7024"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7004"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7025"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7005"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\DefaultIcon]
@="C:\\WINDOWS\\explorer.exe,-103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\AllDevices\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\AllDevices\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Camera\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Camera\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\CameraContainerItems\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\CameraContainerItems\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Scanner\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Scanner\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Publishing Folder\shell\explore\command]
@="explorer.exe /e,/idlist,%I,%L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Publishing Folder\shell\open\command]
@="explorer.exe /idlist,%I,%L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHCmdFile\shell\open\command]
@="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\International]
"explorer.exe"="6.0.2600.0-6.0.9999.9999"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;mplay32.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\MyComp]
"Bitmap"="%SystemRoot%\\explorer.exe,100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"="C:\\Program Files\\mtes\\orer.exe"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Google\NavClient\1.1\History]
"orer.exe virus"=hex:2d,e0,e6,42

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Google\NavClient\1.1\History]
"orer.exe"=hex:8d,e0,e6,42

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7024"="Internet"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7025"="E-mail"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7021"="&Help and Support"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7020"="&Search"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7023"="&Run..."

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\Explorer.EXE"="Windows Explorer"

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7004"="Opens your Internet browser."

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7000"="Opens a window where you can pick search options and work with search results."

"C:\\Documents and Settings\\darren\\Local Settings\\Temporary Internet Files\\Content.IE5\\ODUVO5EF\\CleanUp40[1].exe"="CleanUp40[1]"
"@explorer.exe,-7005"="Opens your e-mail program so you can send or read a message."

"C:\\Documents and Settings\\darren\\Local Settings\\Temporary Internet Files\\Content.IE5\\Q9STCDWF\\KillBox[1].exe"="Process & File Killer"
"@explorer.exe,-7001"="Opens a central location for Help topics, tutorials, troubleshooting, and other support services."

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"="C:\\Program Files\\mtes\\orer.exe"

[Trevuren]

Thanks for all the input, much appreciated.

Inasmuch as you also apparently have an incomplete removal of PSGuard on your hands, let's see if we can get rid of all the infection this time.

Pleae send me a fresh HJT log and I will prepare the fix accordingly.


Thanks,

Trevuren

[interbeing]

Logfile of HijackThis v1.99.1
Scan saved at 5:41:27 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\mtes\orer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

[Trevuren]

Finally here.

Please print out or copy this page to Notepad for we will be doing all the work in Safe Mode. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


1. REBOOT your system into Safe Mode.

2. Launch Notepad, and copy/paste the text in the codebox below into the new document. Save it to your desktop as Trevfix.reg and as "AllFiles" as file type.

REGEDIT4

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Google\NavClient\1.1\History]
"orer.exe virus"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"=-

3. Locate Trevfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

5. Now click on Sart>>Run and copy/paste the following lines in the command window, one line at a time, and click ENTER after each one:


attrib -r -h -s C:\Progra~1\mtes\*.*

del /q C:\Progra~1\mtes\*.*

rmdir C:\Progra~1\mtes


6. Now Run EWIDO and save its log so you can post it in your next reply

7. REBOOT into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review along with your Ewido log.

Regards,

Trevuren

[interbeing]

trevuran
when i try to open the trevfix.reg file on my desktop i hit ok to add the files to the registry and it gives me the following error

cannot import c:\ ..........trevfix.reg to the registry, you can only import with files that are in binary code from the registry editor

or something along those lines

[Trevuren]

Please rename your Trevfix.reg to Trevfix.old and Copy/Paste the content of the resulting Notepad text file into this thread.


Trevuren

[interbeing]

[HKEY_USERS\S-1-5-21-1390067357-1425521274-725345543-1003\Software\Google\NavClient\1.1\History]
"orer.exe virus"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Esni"=-