[Subzero]

Pls help me from Psguard. I have read this forum and tried various things but looks like everyone may not be infected to the same level. I did download all the good malware removers and got rid of Psguard but after I reboot my machine its back - feel like killing the person who invented psguard. I'm also not able to use my yahoo messenger - looks like psguard is corrupting it someone. Its really annoying. Pls help !

I use Win XP - Internet Explorer, Advance Browser, MSN & Yahoo messenger. Pls let me know if you any need any additonal info.

My hijack log taken on Aug 12 at 2am EST
-------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:33:46 AM, on 8/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Raaj\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOOMSN\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6

[Advertisements]

The 2nd post got repeated in the same topic. Since I cannot delete the duplicate entry in the same post - I'm editing the same.

Thanks

Edited by Subzero, 13 August 2005 - 12:50 PM.

[Subzero]

The 2nd post got repeated in the same topic. Since I cannot delete the duplicate entry in the same post - I'm editing the same.

Thanks

Edited by Subzero, 13 August 2005 - 12:50 PM.

[Excal]

Hi Subzero and welcome to GeeksToGo! My name is Excal and I will be helping you.

Please do not start anymore topics. Thanks.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh Hijack This log.
(DO NOT INSTALL SP2)


Thanks,



Excal

Edited by Excal, 12 August 2005 - 01:10 AM.

[Subzero]

Thanks Excal.

Installed SP-1a as per your suggestion and created the new hijackthis log. Any specific reason you had asked me not to install SP2 ?

My hijack log taken on Aug 16 at 10pm EST

Logfile of HijackThis v1.99.1
Scan saved at 10:12:10 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\stickies\stickies.exe
C:\Documents and Settings\Raaj\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOOMSN\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124129874446
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124132225927
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6} - C:\WINDOWS\System32\mtmnc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Please let me know incase you need anything else.

Thanks

Edited by Subzero, 16 August 2005 - 08:16 PM.

[Excal]

Hi

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted

Any specific reason you had asked me not to install SP2 ?

It will mess SP2 up if you have baddies on your computer.


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Place a shortcut to Panda ActiveScan on your desktop.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6} - C:\WINDOWS\System32\mtmnc.dll

7. click the Fix Checked box

8. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\mtmnc.dll

9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Remove all it finds.

11. Now open and run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.

[Subzero]

Hi Excal,

I was finally able to do everything as per your suggestion. I guess I got rid of psguard & smitfraud but there seems to be another new family of spyware - ISTbar. I removed it from control panel but on reboot it always manages to come back with few bad friends such as "sidefind" and "Internet Optimizer". I'm attaching a recent log of anti-virus runs. I don't have log for ActiveScan though.

One more thing - I'm not able to use Yahoo messenger. I have tried installing and re-installing it again and again but it dies at re-boot saying that serious error has occured. I dont know if any spyware has got anything to do with it. Pls let me know incase you have any other question.

Thanks

Attached Files

•  smitfiles.txt   840bytes   50 downloads
•  eWido_Scan_report_20050820.txt   0bytes   41 downloads
•  hijackThis.txt   3.14KB   79 downloads

Edited by Subzero, 19 August 2005 - 02:57 PM.

[Excal]

Looking good

any luck with the Activescan log?


DOWNLOAD PROGRAMS

Please download ISTFIX Here
Please do not run yet


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [42bAE9] C:\WINDOWS\rfykh.exe

7. click the Fix Checked box

8. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

ISTsvc or ISTBar

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\ISTsvc

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\rfykh.exe

11. Please run IstFix

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

[Subzero]

Hi Excal,

Just when I thought that I cruised home, it looks like there are still miles to go before I sleep. During my process of cleaning the Istbar and its rougue friends, another malware xyz.exe hijacked my system [As a matter of fact it popped up when I was typing this ]. It shows a DOS command on my screen with some cryptic characters. When I was thinking about how to get rid of that, a new problem surfaced called lsass.exe and windows gave me 60 secs warning time before automatic shutdown. This has already happened 3 times. I also am thinking maybe the panda software activescan is also infected. I don't feel comfortable in using that too.

Please help.

Attached Files

•  hijackThis.txt   3.45KB   93 downloads

Edited by Subzero, 20 August 2005 - 02:33 PM.

[Excal]

Your doing fine, these things happen when you are doing a cleanup. One thing i can assure u is that Activescan is not infected I have used this and recommended this to probally over 1000 people.

Part of the problem of Why you keep getting infected is that you have 0 protection.
No antivirus and no Firewall that I can see.

So lets get thsose squared away first, then we will fix you alot easier.

If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict. (I Use AVG, its free and works very effectively and efficently)

AVG
Avast
AntiVir

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system) (I use Sygate, its free and works well with the AVG)

Sygate
Kerio
ZoneLabs


Please post a HiJackthis log after you have installed one of each.

Thanks,



Excal

[Subzero]

Hi Excal,

I was getting little frustated. Can you first suggest me something to stop the lsass.exe to shutdown my computer ? It performs automatic shutdown giving 60 secs warning before I can fully download the utilities suggested by you.

Thanks

[Excal]

You have the Sasser worm

You should be able to abort the shutdown within those first 60 seconds by doing the following:

• Press the Start button and then the Run menu item.
  
• Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".
  
• Press OK.

I need you to go HERE and download and install that.

Next i need you to download and install that Firewall first.

[Subzero]

Hi Excal,

I installed AVG Free and on reboot to my surprise, my machine didn't start fully. After I entered my Win XP logon password, it showed me desktop background with no icons and no start buttons. I waited for about few mins. However I was able to see the Task Window by pressing ALT-CTL-DEL. Then I rebooted in Safe mode and uninstalled AVG and this time I was able to logon in normal mode. I don't know if my machine is really compromised to use AVG right away. I also see multiple versions of svchost.exe running in task window. How to get rid of the same as at times my CPU usage gets big.

I am currently downloading the Windows security patch and will install the same. I will also download and install the sygate firewall as per your suggestion. Do I need to do something else to get rid of sasser worm ?

I have downloaded multiple antivirus utilities that I dont know whether they are compatible with each other. Please tell me incase I need to get rid of any. Ad Aware - eWido - Cleanup - Hijack This - Smitrem -Istfix etc.

Thanks

Edited by Subzero, 21 August 2005 - 08:29 AM.

[Excal]

This is pretty new, so like you, I am still learning about the sasser worm.

I have downloaded multiple antivirus utilities that I dont know whether they are compatible with each other. Please tell me incase I need to get rid of any. Ad Aware - eWido - Cleanup - Hijack This - Smitrem -Istfix etc.

These are all fine to have. YOu can actually delete SMithRem. ensure oyu never run more than one cleaner/detector at a time.

Do you have the Firewall installed?



Excal

[Subzero]

Hi Excal,

Yes. Got the sypgate firewall installed. Thanks for spygate - makes me feel much better - downloaded windows update and installed that too. Attached the new hijackthis log. There are still multiple versions of svchost.exe running in my task windows.

What are my next steps ? I have the feeling though that maybe I'm closer to home this time

Thanks !

Attached Files

•  hijackthis.txt   1.99KB   52 downloads

Edited by Subzero, 21 August 2005 - 11:19 AM.

[Excal]

Did you run that scan in safe mode? If not, everything is cleaned.

You can check this off on Hijackthis and fix it. Its will save resources

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Hows the computer running?



Excal