Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGuard infect, wininet.dll virus, display? [CLOSED]


  • This topic is locked This topic is locked

#1
nrsherman

nrsherman

    New Member

  • Member
  • Pip
  • 1 posts
:tazz:
Have had several spyware problems. Have run SpyBot S and D, AdAware, and removed some malware, but system still infected with PSGuard, about blank homepage, and the c:\winnt\system32\wininet.dll file now has a virus. I have to turn off Norton in order to access the internet.

Also, have lost normal desktop background. My Desktop backgroung keeps changing from blask with message that my computer is infected, to "click here" to learn how to protect it. When you click on the "Click here" words, (again as long as Norton is disabled), IE opens and goes to PSGuards website and wants my money to fix what they probably caused.

Found PSGuard was actually loaded on system. Removed it but above symptoms persist.

Ran CWS Shredder, and it said I was totally clean. During the process, it showed that nothing was found for all threats.

Here is hijack this log. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 6:07:20 PM, on 7/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe
C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Java\j2re1.4.2_08\bin\javaw.exe
C:\Program Files\Java\j2re1.4.2_08\bin\javaw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\javaoa32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\ipre.exe
C:\Program Files\Adaptec\Wireless Utility\ADPCCfg.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\sherman\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\sherman\Desktop\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

res://C:\WINNT\blfrw.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINNT\blfrw.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINNT\blfrw.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {198729D7-2C8B-1A45-E654-146F43C14875} -

C:\WINNT\system32\ntrs32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar4.dll
O2 - BHO: Class - {C3ABA8A3-7970-EFA1-A475-25AF4569FBD8} -

C:\WINNT\system32\netqx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [ntrs32.exe] C:\WINNT\system32\ntrs32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [nteu32.exe] C:\WINNT\nteu32.exe
O4 - HKLM\..\Run: [ipre.exe] C:\WINNT\ipre.exe
O4 - Global Startup: Adaptec Wireless PC Card v3.0 Utility.lnk = C:\Program

Files\Adaptec\Wireless Utility\ADPCCfg.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN

Client\vpngui.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program

Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11

Config Utility\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar4.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar4.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar4.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar4.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program

files\google\GoogleToolbar4.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -

http://support.dell....iler/SysPro.CAB
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) -

http://scpwka.ops.pl...quicksilver.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -

https://premconf.web...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = XIOCORP.DOM
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner -

C:\WINNT\javaoa32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software

Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Cisco MDS Database Server (FMPersist) - Unknown owner - C:\Program

Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco Systems\MDS

9000\conf\FMPersist.conf (file missing)
O23 - Service: Cisco MDS Fabric Manager (FMServer) - Unknown owner - C:\Program

Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco Systems\MDS

9000\conf\FMServer.conf (file missing)
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner -

C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G

Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation -

C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Cisco MDS Performance Manager (PMCollector) - Unknown owner -

C:\Program Files\Cisco Systems\MDS 9000\bin\Wrapper.exe" -s "C:\Program Files\Cisco

Systems\MDS 9000\conf\PMCollector.conf (file missing)
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi nrsherman, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.


1. In addition to having an infection from PSGuard, your system has a very serious About:Blank infection as well as a disruption in your lSP chain which affects the internet. There are other smaller problems.

2. Please download FireFox from HERE
  • Install the program
  • Use it instead of Internet Explorer until your system is clean.
3. REBOOT only when absolutely necessary and don't turn off your machine, if you can.

4. To remove the double spacing in your log, please do the following:

.Please go to Start - Run... and type notepad.exe
.Hit OK.
.Now go to Format and uncheck WordWrap.
.Close Notepad.

5. Please post a fresh HJT log for analysis.

6. We will have to try and go after the A:B infection first.

Regards,

Trevuren
  • 0

#3
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP