Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PSGAURD - Please desperate... [CLOSED]

Started by akashlee , Jul 22 2005 05:35 AM

  • This topic is locked This topic is locked

#1
akashlee
Posted 22 July 2005 - 05:35 AM

akashlee

    Member

  • Member
  • PipPipPip
  • 126 posts
Please help me remove this stupid adware thing or whatever it is...
I have been going at this 8 to 15 hours straight (not including 30min to 15 min breaks)

Please help me!!!!!!!!!!!

I killed some of the things needed to detroy this smitfroud.

Here is my Hijack

I am not getting anymore random popups. And mcafee hasn't found anything unusual. But I know I have it because it is in my stupid taskbar (biside my clock). And it keeps says my computer has spyware and other viruses. And my desktop was messed up (it had writing and said my cpu was inficted by smitfraud) So I changed it but it became blue now, but this time, there is no writing. Please help me....... I am desperate. ;) :help: ;)






Logfile of HijackThis v1.99.1
Scan saved at 7:32:12 PM, on 21/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackTh.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.client.../search/ie.html
F2 - REG:system.ini: Shell=Explorer.exe,
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpE5A0.tmp (file missing)
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\Toolband.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reboot.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O9 - Extra 'Tools' menuitem: &Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE






PLEASE HELP ME
I NEED PEACE
Your see, I am only a student, and I would like to get on with my summer again. So Please help me (I am in the 8th grade now). So I am not to old, but I am still smart enough to do whatever you tell me to do. Please. I am not having any peace, until this frigen virus is killed and kicked out of my cpu. PLEASE HELP ME. :tazz:

Edited by akashlee, 22 July 2005 - 06:53 AM.

  • 0

Advertisements

#2
Guest_thatman_*
Posted 22 July 2005 - 07:42 AM

Guest_thatman_*
  • Guest
Hi akashlee

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop. Don't run it yet!


Please download and install AD-Aware se.
Click Here on how setup and use it - please make sure you update it first. Don't run yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet,

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. (XP Only)

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
[B]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: Shell=Explorer.exe,
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpE5A0.tmp (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll (file missing)
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Click on Fix Checked when finished and exit HijackThis.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run AD-Aware se

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Delete the file's in the Code box:
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\web\related.htm

Let the system reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido HJT.log We will need them to remove previous infections that have left files on your system.

Kc :tazz:

Edited by thatman, 22 July 2005 - 07:55 AM.

  • 0

#3
akashlee
Posted 22 July 2005 - 06:57 PM

akashlee

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 126 posts
Dear thatman,

I am truly grateful for you great help. The icon in my taskbar is long gone, but some of the Hackth codes you told me to earse weren't there. So I just moved on...
As I post this message The Panda Free Software is scanning my cpu. When it is done, I will send the log to you. But is this really nessasary, won't Mcafee kill any left over virus (though for some weird reason, free ware software seem to do a better job, than a paid on like Mcafee. That is sad...) Is it alright if I remove everything I downloaded to destroy the PSGAURD? This is because I am trying to keep my cpu as clean as possible. Though I still do want to keep one of them (Between Ad-Adware and Ewido). I want to keep one, but I don't know which one... If nessary I will keep both....
~Thanks Again For You Great Help. I will send you the log sometime tomorow or even today. I am so grateful, I feel like I could continue with my summer again... ;) :tazz:

Edited by akashlee, 22 July 2005 - 06:59 PM.

  • 0

#4
akashlee
Posted 23 July 2005 - 05:14 AM

akashlee

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 126 posts
Ok I am ready, tell me the intructions...


:tazz:


Here is the report from the Panda Sofware :


Incident Status Location

Adware:adware/sahagent No disinfected C:\SahAgent.log
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180Solutions
Spyware:spyware/dyfuca No disinfected C:\PROGRAM FILES\Internet Optimizer
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/gator No disinfected C:\PROGRAM FILES\COMMON FILES\CMEII
Adware:adware/wintools No disinfected C:\PROGRAM FILES\COMMON FILES\WinTools
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\GMT\GatorRes.dll


Here is the log from Hijackthis: (By the way, when I do the actual Hijack fixing, some of them don't show up, like they show up here!) ;)
Logfile of HijackThis v1.99.1
Scan saved at 7:27:15 AM, on 23/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\HijackTh.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.client.../search/ie.html
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reboot.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Edited by akashlee, 23 July 2005 - 05:28 AM.

  • 0

#5
Guest_thatman_*
Posted 23 July 2005 - 02:52 PM

Guest_thatman_*
  • Guest
Hi akashlee

Yes you do need to run the Panda scan.

Boot into safe mode.

Use windows explorer delete the following file's/folder's:
C:\SahAgent.log<--Delete this file
C:\PROGRAM FILES\180Solutions<--Delete the whole folder
C:\PROGRAM FILES\Internet Optimizer<--Delete the whole folder
C:\PROGRAM FILES\Winad Client<--Delete the whole folder
C:\PROGRAM FILES\COMMON FILES\CMEII<--Delete the whole folder
C:\PROGRAM FILES\COMMON FILES\WinTools<--Delete the whole folder
C:\Program Files\Common Files\GMT<--Delete the whole folder

Open notepad, and copy and paste the contents of the quote box below into a new text file.
Save it as file name: "psg.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]


Then, locate psg.reg on your desktop and double-click it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#6
akashlee
Posted 24 July 2005 - 08:53 AM

akashlee

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 126 posts
Dear thatman,

I did as you asked...
Except the panda sofware active scan is still scanning. So when it is done I will send all the logs back here. But there is a problem the files that you asked me to find and delete, well two of them weren't there...so I just moved on and did the scans. The two files were :
C:\PROGRAM FILES\Internet Optimizer<--Delete the whole folder
C:\PROGRAM FILES\Winad Client<--Delete the whole folder


PS: Once again, I will send the three logs to you after Panda is done...
  • 0

#7
akashlee
Posted 25 July 2005 - 04:24 AM

akashlee

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 126 posts
I first did hijack, ewido, then the panda sofware.
Here it is,

For Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 6:55:39 AM, on 24/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackTh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasoft...com/activescan/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.client.../search/ie.html
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reboot.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

For ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:46:22 AM, 24/07/2005
+ Report-Checksum: CC4F037F

+ Scan result:

:mozilla.14:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Pallabi.PALLABI-S7AJRKQ\Application Data\Mozilla\Profiles\default\pbpz1czi.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup


::Report End

For panda:

Incident Status Location

Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD




There we go...
  • 0

#8
Guest_thatman_*
Posted 25 July 2005 - 04:39 AM

Guest_thatman_*
  • Guest
Hi akashlee

Please read through the instructions before you start (you may want to print this out).

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll (file missing)
Click on Fix Checked when finished and exit HijackThis.

Open notepad, and copy and paste the contents of the quote box below into a new text file.
Save it as file name: "psg.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]

Then, locate psg.reg on your desktop and double-click it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
Guest_thatman_*
Posted 30 July 2005 - 09:08 AM

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP