Attacked by PS Guard, cannot get regkey to delete [RESOLVED]


This topic is locked

#1 MoogleLally (Member, 10 posts)
Hello.

I had PMed greyknight17, and he asked me to post a HijackThis log. My boyfriend and I have been working on this for a few days now; we're pretty savvy, but we cannot get this regkey to delete.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:03 PM, on 7/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Lally\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

;_; I don't know how I managed this. Any help or helper applications you could point us to would be awesome.

#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi MoogleLally and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

I noticed that your HijackThis.exe is located on your desktop. Make sure to save HijackThis in its own folder (e.g. C:\HJT). This is very important, so HijackThis can save backups!

If you have disabled anything in MSConfig, please re-enable it before posting a fresh HijackThis log so I can see everything. This will require a reboot after you enable them.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh HijackThis log.
(DO NOT INSTALL SP2)


Thanks,

Excal

#3 MoogleLally (Topic Starter, Member, 10 posts)
Here you are, and thank you!

edit: Also, sorry, I thought I had SP1a installed.

Logfile of HijackThis v1.99.1
Scan saved at 1:16:08 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\intell32.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Edited by MoogleLally, 31 July 2005 - 12:23 PM.


#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi MoogleLally,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Place a shortcut to Panda ActiveScan on your desktop.

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Close Ewido, we will use this later.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions; otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HijackThis and do a scan.

6. Put a Check next to the following items:

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe


7. Click the Fix Checked box.

8. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\intell32.exe

9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Remove all it finds.

11. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

12. Next, go to Control Panel, click Display > Desktop > Customize Desktop > Website, and uncheck "Security Info" if present.

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido log and a fresh HiJackThis log. Let me know how your computer is running.

#5 MoogleLally (Topic Starter, Member, 10 posts)
Okay, I had ewido installed before, and I honestly cannot remember if we unchecked "Install background guard". Should I reinstall?

#6 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
To be honest, I am not sure. Just make sure that ewido is shut down totally before you do the HiJackThis fix.

Excal

#7 MoogleLally (Topic Starter, Member, 10 posts)
Okay, here goes.

smitRem log file
version 2.2

by noahdfear

The current date is: Sun 07/31/2005
The current time is: 14:54:26.10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover


~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:22:26 PM, 7/31/2005
+ Report-Checksum: 87C9D4E2

+ Scan result:

:mozilla.23:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.26:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.27:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned without backup
:mozilla.31:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.32:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.36:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.41:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.42:C:\Documents and Settings\Lally\Application Data\Mozilla\Firefox\Profiles\hh79lwvb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup


::Report End

ActiveScan Shows:

Incident Status Location

Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}


I cannot delete the ShudderLtd folder using regedit. It will not allow me to. I didn't try the other one; I didn't want it to snowball and start all over again. Here's a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:14:10 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Edited by MoogleLally, 31 July 2005 - 03:16 PM.


#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Try this.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set to "All Files") on your Desktop. Ensure there is no space above REGEDIT4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

#9 MoogleLally (Topic Starter, Member, 10 posts)
Done! Now what?

#10 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Run another ActiveScan to ensure that the key is gone.
Post the results.

Thanks,

Excal

#11 MoogleLally (Topic Starter, Member, 10 posts)
Incident Status Location

Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD

And, again, I get an error trying to delete it.

...you techs must be the most patient people. =D

#12 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Seems like this is a problem throughout spyware land. Although this key is harmless without the associated files, we are still trying to come up with a fix for it, so please be patient.

Go to Start > Run and copy and paste this in.

regedit /e C:\search.txt "HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD"

Paste the results in your next post (the file will be C:\search.txt).


Thanks,

Excal

#13 MoogleLally (Topic Starter, Member, 10 posts)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD]

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGuard]
@="C:\\Program Files\\PSGuard"
"VersionInfo"="APP_VER=1.2.3
DATABASE_VER=3.2.3
DATE=10/10/04
SIGNATURES=50000"
"RegistrationUrl"="http://www.psguard.c...egister/37.0.2"
"InstallDir"="C:\\Program Files\\PSGuard"
"DatabaseFile"="C:\\Program Files\\PSGuard\\database.pkg"
"ResourceDll"="C:\\Program Files\\PSGuard\\Localization.dll"
"SCAN_DEPTH"="1"
"SCAN_PRIORITY"="0"
"QuarantineLocation"="C:\\Program Files\\PSGuard\\Quarantine"
"MinOnStartup"="0"
"ScanOnStartup"="1"
"StartAtWinStartup"="1"
"EnableRTMonitoring"="1"
"AlwaysBlockChanges"="0"
"AlwaysBlockWhenNoAV"="1"
"PerformUpdate"="1"
"UpdateInterval"="3"
"MGuid"="{D261E04C-0E80-4B01-8C91-E76B4F229052}"

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGuard\PSGuard]
@=""
"InstallationID"="{C86DFFDE-8A1E-4512-ABBC-DB06C73D7778}"

#14 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Let's try this one.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme2.reg (make sure that Save as Type is set to "All Files") on your Desktop. Ensure there is no space above REGEDIT4.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]
"VersionInfo"=-
"DATABASE_VER"=-
"DATE"=-
"SIGNATURES"=-
"RegistrationUrl"=-
"@"=-
"InstallDir"=-
"DatabaseFile"=-
"ResourceDll"=-
"SCAN_DEPTH"=-
"SCAN_PRIORITY"=-
"QuarantineLocation"=-
"MinOnStartup"=-
"ScanOnStartup"=-
"StartAtWinStartup"=-
"EnableRTMonitoring"=-
"AlwaysBlockChanges"=-
"AlwaysBlockWhenNoAV"=-
"PerformUpdate"=-
"UpdateInterval"=-
"MGuid"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD\PSGuard]
"InstallationID"=-



Locate fixme2.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Reboot

Go to Start > Run and copy and paste this in.

regedit /e C:\search.txt "HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD"

Paste the results in your next post (the file will be C:\search.txt).

Thanks,

Excal

#15 MoogleLally (Topic Starter, Member, 10 posts)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]
@="C:\\Program Files\\PSGuard"

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD\PSGuard]
@=""



Did we win?
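Added example, not part of the thread and not a tool any of the posters used: a small Python helper for the loop Excal runs in the last few posts (export the key with regedit /e, merge a .reg fix, export again and compare). It parses an export, writes the REGEDIT4 deletion form for a whole key or for individual values, and diffs a pre-fix export against a post-fix one. Two details of the .reg format that are easy to trip over when writing these fixes by hand, and that the thread's own exports illustrate: a quoted string value can span several lines (the VersionInfo value in post #13 does, so DATABASE_VER, DATE and SIGNATURES are lines of one value, not values of their own), and a key's default value is deleted with @=- rather than "@"=-, which addresses a value literally named "@" and leaves the default alone, consistent with @="C:\\Program Files\\PSGuard" still being present in the export in post #15. The function names are mine; the sample exports are constructed from the ones posted above, trimmed to the PSGuard subtree so the two line up, with the truncated RegistrationUrl left out rather than guessed. A real regedit /e file is UTF-16 text, so read it with open(path, encoding="utf-16") before handing it to the parser.

```python
"""Added helper for this thread's export / fix / re-export loop: parse a regedit /e
export, write a REGEDIT4 deletion script, and diff a pre-fix export against a post-fix one."""
import re
from typing import Dict, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> decoded data}

def _complete(raw: str) -> bool:
    """True once unescaped quotes balance and no hex: continuation backslash ends it."""
    quotes = sum(t == '"' for t in re.findall(r'\\.|"', raw, re.S))  # escape pairs first
    return quotes % 2 == 0 and not raw.rstrip().endswith("\\")

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)  # \\ -> \  and  \" -> "

def _split_value(raw: str) -> Tuple[str, str]:
    """Split '"name"=data' or '@=data' (the key's default value) into (name, data)."""
    if raw.startswith("@="):
        name, data = "@", raw[2:]
    else:  # a malformed line raises here rather than being skipped silently
        m = re.match(r'"((?:\\.|[^"\\])*)"=(.*)', raw, re.S)
        name, data = _unescape(m.group(1)), m.group(2)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = _unescape(data[1:-1])  # string value; dword:/hex: data is kept raw
    return name, data

def parse_reg_export(text: str) -> RegTree:
    """Parse regedit /e output (REGEDIT4 or Version 5.00 header). A quoted string may
    span lines, as PSGuard's VersionInfo does, so it is stored only once it closes."""
    tree: RegTree = {}
    current: Optional[str] = None
    pending: List[str] = []  # lines of a value whose closing quote is still to come
    for line in text.splitlines():
        s = line.strip()
        if pending:
            pending.append(line)
            if _complete("\n".join(pending)):
                name, data = _split_value("\n".join(pending))
                tree[current][name] = data
                pending = []
        elif not s or s.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        elif s[0] == "[" and s[-1] == "]":
            current = s[1:-1]
            tree.setdefault(current, {})
        elif current is not None and _complete(s):
            name, data = _split_value(s)
            tree[current][name] = data
        elif current is not None:
            pending = [s]
    return tree

def deletion_script(key: str, value_names: Optional[List[str]] = None) -> str:
    """REGEDIT4 text deleting a whole key ([-key] takes its subkeys with it) or, when
    value_names is given, just those values; the default value is spelled @=- here."""
    lines = ["REGEDIT4", "", f"[-{key}]" if value_names is None else f"[{key}]"]
    for n in value_names or []:
        esc = n.replace("\\", "\\\\").replace('"', '\\"')
        lines.append("@=-" if n == "@" else f'"{esc}"=-')
    return "\r\n".join(lines + ["", ""])  # regedit wants a trailing blank line

def diff_exports(before: RegTree, after: RegTree) -> Dict[str, List[str]]:
    """Compare pre- and post-fix exports case-insensitively (as the registry is)."""
    after_ci = {k.casefold(): v for k, v in after.items()}
    report = {k: [] for k in ("keys_removed", "keys_remaining", "values_removed", "values_remaining")}
    for key, values in before.items():
        survivors = after_ci.get(key.casefold())
        if survivors is None:
            report["keys_removed"].append(key)
            continue
        report["keys_remaining"].append(key)
        present = {n.casefold() for n in survivors}
        for name in values:
            bucket = "values_remaining" if name.casefold() in present else "values_removed"
            report[bucket].append(f"{key}\\{name}")
    return report

# Constructed samples: the exports posted in this thread, the first trimmed to the
# PSGuard subtree so it lines up with the second; the truncated RegistrationUrl is left out.
BEFORE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGuard]
@="C:\\Program Files\\PSGuard"
"VersionInfo"="APP_VER=1.2.3
DATABASE_VER=3.2.3
DATE=10/10/04
SIGNATURES=50000"
"MGuid"="{D261E04C-0E80-4B01-8C91-E76B4F229052}"

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGuard\PSGuard]
@=""
"InstallationID"="{C86DFFDE-8A1E-4512-ABBC-DB06C73D7778}"
'''
AFTER_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]
@="C:\\Program Files\\PSGuard"

[HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD\PSGuard]
@=""
'''
```

deletion_script(key) gives the [-key] form used in fixme.reg; deletion_script(key, list(tree[key])) gives the per-value form used in fixme2.reg, with the default value spelled as @=-. Save the output as an ANSI .reg file and merge it with regedit as described in the posts above, then export again and run diff_exports on the two parses to see exactly what survived. One caveat the thread itself runs into: neither a [-key] line nor regedit's Delete can do anything the key's ACL forbids, since both go through the same access check under your account, so when a key refuses to go either way, its permissions (Edit > Permissions in the XP regedit) are the next thing to look at.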





