PSGuard infect, wininet.dll virus, display? [CLOSED]

#1
nrsherman
Have had several spyware problems. Have run SpyBot S and D, AdAware, and removed some malware, but system still infected with PSGuard, about blank homepage, and the c:\winnt\system32\wininet.dll file now has a virus. I have to turn off Norton in order to access the internet.

Also, have lost normal desktop background. My desktop background keeps changing from black with a message that my computer is infected, to "click here" to learn how to protect it. When you click on the "Click here" words (again as long as Norton is disabled), IE opens and goes to PSGuard's website and wants my money to fix what they probably caused.

Found PSGuard was actually loaded on system. Removed it but above symptoms persist.

Ran CWS Shredder, and it said I was totally clean. During the process, it showed that nothing was found for all threats.

Here is the HijackThis log. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 6:07:20 PM, on 7/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe
C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Java\j2re1.4.2_08\bin\javaw.exe
C:\Program Files\Java\j2re1.4.2_08\bin\javaw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\javaoa32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\ipre.exe
C:\Program Files\Adaptec\Wireless Utility\ADPCCfg.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\sherman\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\sherman\Desktop\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\blfrw.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {198729D7-2C8B-1A45-E654-146F43C14875} - C:\WINNT\system32\ntrs32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Class - {C3ABA8A3-7970-EFA1-A475-25AF4569FBD8} - C:\WINNT\system32\netqx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [ntrs32.exe] C:\WINNT\system32\ntrs32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [nteu32.exe] C:\WINNT\nteu32.exe
O4 - HKLM\..\Run: [ipre.exe] C:\WINNT\ipre.exe
O4 - Global Startup: Adaptec Wireless PC Card v3.0 Utility.lnk = C:\Program Files\Adaptec\Wireless Utility\ADPCCfg.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.pl...quicksilver.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://premconf.web...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\javaoa32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cisco MDS Database Server (FMPersist) - Unknown owner - C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco Systems\MDS 9000\conf\FMPersist.conf (file missing)
O23 - Service: Cisco MDS Fabric Manager (FMServer) - Unknown owner - C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco Systems\MDS 9000\conf\FMServer.conf (file missing)
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Cisco MDS Performance Manager (PMCollector) - Unknown owner - C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco Systems\MDS 9000\conf\PMCollector.conf (file missing)

#2
Trevuren
Hi nrsherman, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.


1. In addition to having an infection from PSGuard, your system has a very serious About:Blank infection as well as a disruption in your LSP chain which affects the internet. There are other smaller problems.

2. Please download Firefox from HERE
  • Install the program
  • Use it instead of Internet Explorer until your system is clean.
3. REBOOT only when absolutely necessary and don't turn off your machine, if you can.

4. To remove the double spacing in your log, please do the following:

  • Please go to Start - Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.

5. Please post a fresh HJT log for analysis.

6. We will have to try and go after the A:B infection first.

Regards,

Trevuren
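As an added illustration (not HijackThis itself, and not anything Trevuren or nrsherman posted), here is a small Python triage that reads HijackThis-format lines and flags the indicators called out above: the res:// About:Blank search hijack, the unknown Winsock LSP file, and the nameless BHO, self-named Run keys and ownerless service pointing into WINNT. The directory list and the rules are my own heuristics for this thread's log, not a general detection standard.

```python
import re
from pathlib import PureWindowsPath

# Entries copied from the HijackThis log above (garbled service name shortened to "(11F)");
# this triage script is an added illustration, not a HijackThis or Geeks to Go tool.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Class - {198729D7-2C8B-1A45-E654-146F43C14875} - C:\WINNT\system32\ntrs32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntrs32.exe] C:\WINNT\system32\ntrs32.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O23 - Service: Remote Procedure Call (RPC) Helper (11F) - Unknown owner - C:\WINNT\javaoa32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Heuristic only (assumed list): bare, randomly named autostarts dropped straight into these dirs.
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}

def in_windows_dir(path):
    """True if the file sits directly in the Windows root or System32."""
    return str(PureWindowsPath(path).parent).lower() in WINDOWS_DIRS

def triage(log_text):
    """Return (rule, line) pairs for entries showing the indicators seen in this thread."""
    findings = []
    for line in log_text.strip().splitlines():
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            # The About:Blank hijack serves its fake search page from a DLL resource over
            # res://, so any res:// search/start page names the hijacker's DLL.
            m = re.search(r"=\s*res://([^/]+)/", line)
            if m:
                findings.append(("about:blank res:// hijack -> " + m.group(1), line))
        elif kind == "O2":
            # A BHO with no product name whose DLL lives in WINNT or System32.
            m = re.match(r"O2 - BHO: (.+?) - \{[^}]+\} - (.+)$", line)
            if m and m.group(1).lower() in ("class", "(no name)") and in_windows_dir(m.group(2)):
                findings.append(("nameless BHO in Windows dir", line))
        elif kind == "O4":
            # A Run key named after its own binary, for a binary in WINNT or System32.
            m = re.search(r"\[([^\]]+)\]\s+(.+)$", line)
            if m and in_windows_dir(m.group(2)) and PureWindowsPath(m.group(2)).name.lower() == m.group(1).lower():
                findings.append(("self-named Run entry in Windows dir", line))
        elif kind == "O10":
            findings.append(("unknown Winsock LSP file", line))  # HijackThis itself could not attribute it
        elif kind == "O23" and "Unknown owner" in line and in_windows_dir(line.rsplit(" - ", 1)[1]):
            findings.append(("ownerless service in Windows dir", line))
    return findings
```

Every hit is a lead for manual review, not a verdict: the Ati HotKey Poller entry in the full log, for instance, would trip the O23 rule and is legitimate.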

#3
Trevuren
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.