PSGuard + about:blank removal
#1
hespy

    New Member

  • 1 posts
Hi,
I have experienced trouble with PSGuard and about:blank forms of spyware. I saw other topics regarding them and have performed various Ad-Aware scans and removed everything, Ewido, CWS Shredder and so on.

Now the PSGuard seems to be removed but opening IE just opens an about:blank page then shuts in a couple of seconds. When trying to access a page my firewall kicks in with this message:

Technical details about the intrusion attempt:

Injector application: C:\WINNT\Explorer.EXE
Description: Windows Explorer
File version: 5.00.3502.5321
Product name: Microsoft® Windows ® 2000 Operating System
Product version: 5.00.3502.5321
Created: 1979/12/31, 23:00:00
Modified: 2002/7/24, 06:00:00
Accessed: 2005/8/15, 23:00:00

Target application: C:\Program Files\Internet Explorer\iexplore.exe
Description: Internet Explorer
File version: 6.00.2800.1106
Product name: Microsoft® Windows® Operating System
Product version: 6.00.2800.1106
Created: 2002/8/29, 06:14:40
Modified: 2002/8/29, 06:14:40
Accessed: 2005/8/15, 23:00:00

Address of injection: 0x1000B234

It is Kerio Personal Firewall.

I seem to have no access to the internet whatsoever, LAN, DSL, or dial-up. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:23, on 16/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec\VPNClient\vpnservices.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\EXPLORER.EXE
C:\DOCUME~1\rf_gh\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.44.1.60:80
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [update.transfer2000] C:\PROGRA~1\MARKET~1.MAN\TRANSF~1\Client.exe -t
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\System32\ezSP_Px.exe
O4 - HKLM\..\RunOnce: [ZeroSpyware Limited Edition] "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSLoader.exe" -STARTUP
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rockwool.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rockwool.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rockwool.co.uk
O21 - SSODL: Adobe ActiveShare - {BF90B87C-2B1C-5C23-7115-DCE92AEDBA3B} - c:\program files\adobe\activeshare\rrqmqf8.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\NetworkAssociates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Symantec Enterprise VPN Client - Symantec Corporation - C:\Program Files\Symantec\VPNClient\vpnservices.exe
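Added example, not part of hespy's post and not code from HijackThis or Kerio: a small Python triage helper for logs in the format above. It re-joins entries that forum software wrapped across lines, then flags the entry types a helper reads first: R1 proxy settings (network access goes through the proxy, whether or not it is still reachable), O20/O21 entries (DLLs that Explorer loads at logon, which is also the place to look when a firewall names Explorer.EXE as the process injecting into iexplore.exe), and O23 services with no vendor information. The sample log is a constructed excerpt modelled on the post; the "random-looking name" heuristic and its threshold are assumptions, and a flag is a prompt to check the file, not a verdict.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, assumptions marked)."""
import re
from dataclasses import dataclass

# Entry lines look like "R1 - ...", "O4 - ...", "O23 - ..." (R/F/N/O sections).
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
VOWELS = set("aeiou")

# Constructed excerpt modelled on the post above; not a real captured log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.44.1.60:80
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec
Shared\CreateCD\CreateCD50.exe" -r
O21 - SSODL: Adobe ActiveShare - {BF90B87C-2B1C-5C23-7115-DCE92AEDBA3B} - c:\program files\adobe\activeshare\rrqmqf8.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\NetworkAssociates\VirusScan\Avsynmgr.exe
"""


@dataclass
class Entry:
    kind: str   # section code, e.g. "O21"
    body: str   # everything after "O21 - ", with wrapped lines re-joined


@dataclass
class Finding:
    kind: str
    reason: str
    entry: str


def parse_hjt(text):
    """Return (running_processes, entries); continuation lines are glued to the previous entry."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"]))
        elif line and entries:
            # Not an entry header: a path wrapped by the forum. Re-join it.
            entries[-1].body += " " + line
    return processes, entries


def looks_random(filename):
    """Assumed heuristic: a file stem with fewer than 20% vowels reads as generated rather than named."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage(text):
    """Apply the review heuristics and return the entries worth a second look, in log order."""
    _processes, entries = parse_hjt(text)
    findings = []
    for e in entries:
        if e.kind == "R1" and "ProxyServer" in e.body:
            findings.append(Finding(e.kind, "proxy server set; confirm it is the intended one and still reachable", e.body))
        elif e.kind in ("O20", "O21"):
            # SSODL / Winlogon notify entries are loaded into Explorer at logon.
            dll = e.body.rsplit("\\", 1)[-1]
            reason = "DLL loaded by Explorer at logon; verify the file belongs to the named product"
            if looks_random(dll):
                reason += "; random-looking file name"
            findings.append(Finding(e.kind, reason, e.body))
        elif e.kind == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.kind, "service with no vendor information; check the file's signature and path", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.entry}")
```

Run it as-is to see the three flagged entries from the constructed excerpt; to use it on a real log, read the file into a string and pass it to triage(). The O4 line is deliberately wrapped in the sample so the re-join path is exercised.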