PSguard and other malware [CLOSED]

#1
Subzero
    Member
  • Member
  • 14 posts
Pls help me from Psguard. I have read this forum and tried various things but looks like everyone may not be infected to the same level. I did download all the good malware removers and got rid of Psguard but after I reboot my machine it's back - I feel like killing the person who invented psguard. I'm also not able to use my Yahoo Messenger - looks like psguard is corrupting it somehow. It's really annoying. Pls help!

I use Win XP - Internet Explorer, Advance Browser, MSN & Yahoo Messenger. Pls let me know if you need any additional info.

My hijack log taken on Aug 12 at 2am EST
-------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:33:46 AM, on 8/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Raaj\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOOMSN\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6

#2
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
The 2nd post got repeated in the same topic. Since I cannot delete the duplicate entry in the same post - I'm editing the same.

Thanks

Edited by Subzero, 13 August 2005 - 12:50 PM.


#3
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hi Subzero and welcome to GeeksToGo! My name is Excal and I will be helping you.

Please do not start any more topics. Thanks.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh Hijack This log.
(DO NOT INSTALL SP2)


Thanks,

:tazz:

Excal

Edited by Excal, 12 August 2005 - 01:10 AM.


#4
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Thanks Excal.

Installed SP-1a as per your suggestion and created the new HijackThis log. Any specific reason you had asked me not to install SP2?

My hijack log taken on Aug 16 at 10pm EST

Logfile of HijackThis v1.99.1
Scan saved at 10:12:10 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\stickies\stickies.exe
C:\Documents and Settings\Raaj\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOOMSN\ypager.exe -quiet
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124129874446
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124132225927
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6} - C:\WINDOWS\System32\mtmnc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Please let me know in case you need anything else.

Thanks

Edited by Subzero, 16 August 2005 - 08:16 PM.


#5
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Hi :tazz:

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

Any specific reason you had asked me not to install SP2?


It will mess SP2 up if you have baddies on your computer.


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download and install CleanUp! Here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Place a shortcut to Panda ActiveScan on your desktop.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6} - C:\WINDOWS\System32\mtmnc.dll


7. Click the Fix Checked box.

8. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\mtmnc.dll

9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Remove all it finds.

11. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.

#6
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Excal,

I was finally able to do everything as per your suggestion. I guess I got rid of psguard & smitfraud but there seems to be another new family of spyware - ISTbar. I removed it from Control Panel but on reboot it always manages to come back with a few bad friends such as "sidefind" and "Internet Optimizer". I'm attaching a recent log of anti-virus runs. I don't have a log for ActiveScan though.

One more thing - I'm not able to use Yahoo Messenger. I have tried installing and re-installing it again and again but it dies at reboot saying that a serious error has occurred. I don't know if any spyware has got anything to do with it. Pls let me know in case you have any other question.

Thanks

Attached Files


Edited by Subzero, 19 August 2005 - 02:57 PM.


#7
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Looking good :tazz:

Any luck with the ActiveScan log?


DOWNLOAD PROGRAMS


Please download ISTFIX Here
Please do not run yet


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [42bAE9] C:\WINDOWS\rfykh.exe


7. Click the Fix Checked box.

8. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

ISTsvc or ISTBar

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\ISTsvc

10. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\rfykh.exe

11. Please run IstFix

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
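The two HijackThis fix lists above (post #5 and post #7) apply a handful of recognisable patterns: an IE search setting served from a DLL in a Temp folder, an about:blank hijack, BHOs with no name or a missing file, autoruns launched straight out of the Windows directory, ActiveX cabs registered from local file:// URLs, and an SSODL entry. As an added example that is not code from this thread or from HijackThis itself, this Python script applies those same checks to a constructed log sample modelled on the entries quoted in the thread; the KNOWN_WINDIR_AUTORUNS allowlist is an assumption kept deliberately tiny.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the entries this
# thread walks through (a subset, not the poster's full log).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Raaj\LOCALS~1\Temp\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF3B0B3-0FEB-4A6A-A2E4-E8352FF72192} - C:\WINDOWS\System32\gjjf.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [42bAE9] C:\WINDOWS\rfykh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124129874446
O21 - SSODL: ZeldcTE - {403A13E8-EA90-B942-F5BC-245069B30CC6} - C:\WINDOWS\System32\mtmnc.dll
"""

# Assumption: a deliberately tiny allowlist of Windows XP autoruns that really do
# live in the Windows directory; anything else launching from there gets flagged.
KNOWN_WINDIR_AUTORUNS = {"ctfmon.exe"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
WINDIR_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\(?:System32\\)?(?P<exe>[^\\\s]+\.exe)", re.I)


def classify(line):
    """Return (section, reason) if a HijackThis line deserves attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reason = None
    if sec in ("R0", "R1"):
        if "res://" in body and "\\temp\\" in body.lower():
            reason = "IE search/start setting served from a DLL in a Temp folder"
        elif body.endswith("= about:blank"):
            reason = "IE setting blanked to about:blank (typical of se.dll hijacks)"
    elif sec == "O2" and ("(no name)" in body or "(file missing)" in body):
        reason = "BHO with no name or a missing file"
    elif sec == "O4":
        exe = WINDIR_EXE_RE.search(body)
        if exe and exe.group("exe").lower() not in KNOWN_WINDIR_AUTORUNS:
            reason = "autorun launched directly from the Windows directory"
    elif sec == "O16" and "file://" in body.lower():
        reason = "ActiveX package registered from a local .cab file"
    elif sec == "O21":
        reason = "ShellServiceObjectDelayLoad entry (rare in legitimate software)"
    return (sec, reason) if reason else None


def triage(log_text):
    """Return [(section, reason, line)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append((hit[0], hit[1], line.strip()))
    return hits


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

The benign lines in the sample (Adobe's BHO, the Java updater, ctfmon.exe, the Windows Update control) pass through untouched, which is the point: the heuristics narrow a log down to the entries a helper would ask about, not replace that review.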

#8
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Excal,

Just when I thought that I cruised home, it looks like there are still miles to go before I sleep. During my process of cleaning the Istbar and its rogue friends, another malware xyz.exe hijacked my system [As a matter of fact it popped up when I was typing this :tazz: ]. It shows a DOS command on my screen with some cryptic characters. When I was thinking about how to get rid of that, a new problem surfaced called lsass.exe and Windows gave me a 60 secs warning time before automatic shutdown. This has already happened 3 times. I also am thinking maybe the Panda software ActiveScan is also infected. I don't feel comfortable in using that too.

Please help.

Attached Files


Edited by Subzero, 20 August 2005 - 02:33 PM.


#9
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
You're doing fine, these things happen when you are doing a cleanup. One thing I can assure you is that ActiveScan is not infected :) I have used this and recommended this to probably over 1000 people.

Part of the problem of why you keep getting infected is that you have 0 protection.
No antivirus and no Firewall that I can see.

So let's get those squared away first, then we will fix you a lot easier.

If you are unhappy with your current antivirus and want to replace it or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict. (I use AVG, it's free and works very effectively and efficiently)

AVG
Avast
AntiVir

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system) (I use Sygate, it's free and works well with AVG)

Sygate
Kerio
ZoneLabs


Please post a HiJackthis log after you have installed one of each.

Thanks,

:tazz:

Excal

#10
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Excal,

I was getting a little frustrated. Can you first suggest something to stop lsass.exe from shutting down my computer? It performs an automatic shutdown giving a 60 secs warning before I can fully download the utilities suggested by you.

Thanks

#11
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
You have the Sasser worm.

You should be able to abort the shutdown within those first 60 seconds by doing the following:
  • Press the Start button and then the Run menu item.
  • Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".
  • Press OK.

I need you to go HERE and download and install that.

Next, I need you to download and install that Firewall first.

#12
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Excal,

I installed AVG Free and on reboot, to my surprise, my machine didn't start fully. After I entered my Win XP logon password, it showed me the desktop background with no icons and no Start button. I waited for a few mins. However, I was able to see the Task window by pressing ALT-CTRL-DEL. Then I rebooted in Safe mode and uninstalled AVG and this time I was able to log on in normal mode. I don't know if my machine is really compromised to use AVG right away. I also see multiple versions of svchost.exe running in the Task window. How do I get rid of the same, as at times my CPU usage gets big?

I am currently downloading the Windows security patch and will install the same. I will also download and install the Sygate firewall as per your suggestion. Do I need to do something else to get rid of the Sasser worm?

I have downloaded multiple antivirus utilities that I don't know whether they are compatible with each other. Please tell me in case I need to get rid of any. Ad-Aware - Ewido - CleanUp - HijackThis - SmitRem - IstFix etc.

Thanks

Edited by Subzero, 21 August 2005 - 08:29 AM.


#13
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
This is pretty new, so like you, I am still learning about the sasser worm.

I have downloaded multiple antivirus utilities that I don't know whether they are compatible with each other. Please tell me in case I need to get rid of any. Ad-Aware - Ewido - CleanUp - HijackThis - SmitRem - IstFix etc.


These are all fine to have. You can actually delete SmitRem. Ensure you never run more than one cleaner/detector at a time.

Do you have the Firewall installed?

:tazz:

Excal

#14
Subzero
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Excal,

Yes. Got the Sygate firewall installed. Thanks for Sygate - makes me feel much better :) - downloaded Windows Update and installed that too. Attached the new HijackThis log. There are still multiple versions of svchost.exe running in my Task window.

What are my next steps? I have the feeling though that maybe I'm closer to home this time :tazz:

Thanks !

Attached Files


Edited by Subzero, 21 August 2005 - 11:19 AM.


#15
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Did you run that scan in safe mode? If not, everything is cleaned.

You can check this off in HijackThis and fix it. It will save resources :)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


How's the computer running?

:tazz:

Excal