
PS Guard Virus [RESOLVED]


  • This topic is locked

#1
cosmo0026
  • Member
  • 23 posts
Please help! I have somehow obtained the virus/spyware known as PS Guard. I have tried multiple approaches, i.e. Spyware Doctor, SpySweeper etc., to destroy it; however, whenever I restart my computer there it is again.

Please advise as to alternate options/procedures that I can try.

Thanks,


Nate
  • 0

#2
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Click here to download HijackThis by Merijn Bellekom. Doubleclick the file, click Unzip and extract the application to C:\HijackThis. Run it from there to scan your computer.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Save the log, Ctrl-A to Select All and post it here for examination. Don't fix anything yet as most of what it lists will be harmless.
  • 0

#3
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
Please find the following Hijack report:


Logfile of HijackThis v1.99.1
Scan saved at 6:45:49 AM, on 08/22/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\SONY\GIGAVAULT\BMON.EXE
C:\WINDOWS\PHMALDR.EXE
C:\PROGRAM FILES\MYLINKER\MYLINKER.EXE
C:\DOWNLOADS\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SMC2635WMONITOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netian.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {064C0FF3-ACE6-A559-65E6-FB564CBC0ACB} - C:\WINDOWS\SYSTEM\VSIOS8W3.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\DOWNLO~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\DOWNLO~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOWNLO~1\SPYBOT~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [Phm Battery Monitor] C:\Program Files\Sony\GigaVault\BMon.exe
O4 - HKLM\..\Run: [PHM Auto Loader] C:\WINDOWS\PHMALDR.EXE
O4 - HKLM\..\Run: [myLinker] C:\PROGRA~1\MYLINKER\MYLINKER.EXE /B
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\DOWNLOADS\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: SMC2635W 11Mbps WLAN Monitor.lnk = C:\WINDOWS\SYSTEM\SMC2635WMonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\DOWNLO~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.netian.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.196.0.39,151.196.0.38


-Nate

  • 0
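As an added illustration (not part of this thread, and not code from HijackThis itself): a small Python parser for the R/O entry format in the log above, with a few defender-side triage heuristics of the kind an analyst applies before telling the poster what to fix. The excerpt it parses is constructed from lines of the log posted above; the allowlists and the heuristics (an unnamed BHO, an O4 item without a full path, a browser home page or DNS server not on an analyst-supplied allowlist) are this example's own assumptions, not rules stated in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed excerpt: a handful of lines in the HijackThis 1.99.1 format of the log above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netian.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {064C0FF3-ACE6-A559-65E6-FB564CBC0ACB} - C:\WINDOWS\SYSTEM\VSIOS8W3.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: PowerReg Scheduler.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.196.0.39,151.196.0.38
"""

# One regex per entry family; HJT prefixes every entry with "<letter><number> - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.*?)(?: = (?P<cmd>.*))?$")
KV_RE = re.compile(r"^(?P<key>.*?) = (?P<value>.*)$")   # R0/R1 browser settings and O17 NameServer


@dataclass
class Entry:
    kind: str                                   # "R1", "O2", "O4", "O17", ...
    body: str                                   # text after the "Oxx - " prefix
    fields: Dict[str, str] = field(default_factory=dict)


def parse_hjt(text: str) -> List[Entry]:
    """Turn an HJT log into typed entries; the 'Running processes' block carries no entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        sub = None
        if kind == "O2":
            sub = BHO_RE.match(body)
        elif kind == "O4":
            sub = RUN_RE.match(body) or STARTUP_RE.match(body)
        elif kind.startswith("R") or kind == "O17":
            sub = KV_RE.match(body)
        fields = {k: v for k, v in sub.groupdict().items() if v is not None} if sub else {}
        entries.append(Entry(kind, body, fields))
    return entries


def has_drive_path(cmd: str) -> bool:
    """True when the command starts with a drive-qualified path (optionally quoted)."""
    return re.match(r'^"?[A-Za-z]:\\', cmd) is not None


def triage(entries: List[Entry],
           homepage_allowlist: Optional[Set[str]] = None,
           dns_allowlist: Optional[Set[str]] = None) -> List[str]:
    """Heuristic findings for an analyst to verify by hand; none of them is a verdict."""
    home_ok = homepage_allowlist or {"about:blank"}      # assumed default allowlist
    dns_ok = dns_allowlist or set()                      # empty: every resolver gets questioned
    findings: List[str] = []
    for e in entries:
        fld = e.fields
        if e.kind == "O2" and fld.get("name") == "(no name)":
            findings.append(f"O2: unnamed BHO {fld['clsid']} loads {fld['path']}; identify that DLL")
        elif e.kind == "O4" and "cmd" in fld and not has_drive_path(fld["cmd"]):
            findings.append(f"O4: [{fld['name']}] runs '{fld['cmd']}' without a full path; locate the file")
        elif e.kind == "O4" and "cmd" not in fld and fld.get("name"):
            findings.append(f"O4: Startup item '{fld['name']}' lists no shortcut target; inspect the file")
        elif e.kind.startswith("R"):
            url = fld.get("value", "")
            if url.lower().startswith("http") and url not in home_ok:
                findings.append(f"{e.kind}: '{fld['key']}' is {url}; confirm the user chose it")
        elif e.kind == "O17":
            bad = [s.strip() for s in fld.get("value", "").split(",") if s.strip() not in dns_ok]
            if bad:
                findings.append(f"O17: DNS servers {', '.join(bad)} not on the allowlist; confirm with the ISP")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Each finding is a question to answer, not a line to fix: a bare `SysTray.Exe` is a normal Windows 98 Run entry, and an unfamiliar home page may simply be the user's choice, which is why Daemon asks for the log before fixing anything.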

#4
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Not much showing up there. Click here to download Spybot Search & Destroy v1.4 - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file.
  • Click "Start"
  • Select "Perform Full System scan"
  • Click "Next" to start the scan.
When the scan is finished, the screen will tell you if anything has been found.
  • Click "Next". The bad files will be listed.
  • Right click the pane and click "Select all objects" - this will put a check mark in the box at the side.
  • Click "Next" again
  • Click "OK" at the prompt "# objects will be removed. Continue?".
Reboot when done.

Rescan with HJT and post a new log.
  • 0

#5
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
Here is the latest:

Download of Spybot S&D successful.


- Updates complete.

System Scan Results:

01) Avenue A, Inc. - 1 Entry
02) CoreMetrics - 1 Entry
03) DoubleClick - 1 Entry
04) DSO Exploit - 1 Entry
05) MediaPlex - 2 Entry
06) PSGuard.msmsgs - 1 Entry
07) PSGuard - 104 Entries


Should I proceed to fix all?


Download of AdAware unsuccessful.


- Continuous system error whenever attempting to run, almost resulting in a system-wide crash.


Thanks,


Nate
  • 0

#6
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Yes, fix them all. Then download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in Safe Mode by tapping F8 after the BIOS has loaded. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with a new HJT log in your next reply.
  • 0

#7
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
I was prompted with the following after I had run the SmitRem:

File system wininet.dll is infected.
Please follow up with Panda ActiveScan

Otherwise it seems as though the scan went without error.

Please advise as to how I shall proceed.

Thanks,


Nate
  • 0

#8
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Please provide the logs I requested.

Go here:

Panda ActiveScan

do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it in your next reply.
  • 0

#9
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!



In regards to the Panda ActiveScan:

No dice. I was unable to download it due to the fact that I am running Mozilla Firefox and must utilize Internet Explorer 5.0 for Panda ActiveScan to work. This is a problem because PS Guard is causing Internet Explorer to crash my system whenever opened.

Please advise...

Also, what are you referring to when you asked for the HJT log?

Thanks,


Nate
  • 0

#10
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Do this. Click start>run and type command.

Type:

copy c:\windows\system\wininet.dll c:\windows\desktop

Reboot. Scan the desktop folder with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.

After doing this, go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

c:\windows\desktop\wininet.dll

Click on the submit button. Please post the results in your next reply.
  • 0

#11
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
Copy of wininet.dll to windows desktop successful.

eTrust Web Scanner unsuccessful. Once again I was unable to use the software due to the fact that Internet Explorer cannot be opened without system failure.

Should I proceed to Jotti's Malware Scan?

Please advise...

Thanks,


Nate
  • 0

#12
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Yes, it's probably infected but this will confirm it.
  • 0

#13
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
Here are the results of Jotti's Malware Scan:

Service load:
0% 100%
File: wininet.dll
Status:
INFECTED/MALWARE
MD5 d6863b023d5463d85fc0a10c869a7064
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found Trojan.Callgate.Oleadm.3
Avast
Found Win32:Nsag-B
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found W32.Nsag.B
Dr.Web
Found Trojan.DownLoader.2636
F-Prot Antivirus
Found nothing
Fortinet
Found W32/Nsag.B
Kaspersky Anti-Virus
Found Virus.Win32.Nsag.b
NOD32
Found Win32/Oleloa.gen
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

Thanks,


Nate
  • 0
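As an added example (not from the thread and not code from Jotti's service): parsing the multi-engine result block above into a per-engine table, counting detections, pulling out the family token most engines agree on despite their different naming schemes, and checking that the bytes of a local copy hash to the MD5 the report was produced for, so that the copy later zipped and e-mailed is demonstrably the same file that was scanned. The report text is the one posted above; the file bytes in the usage call are a constructed stand-in, since the sample itself is not on the page.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

# The Jotti result block as posted above (quoted from the thread, not constructed).
JOTTI_REPORT = """\
File: wininet.dll
Status:
INFECTED/MALWARE
MD5 d6863b023d5463d85fc0a10c869a7064
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found Trojan.Callgate.Oleadm.3
Avast
Found Win32:Nsag-B
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found W32.Nsag.B
Dr.Web
Found Trojan.DownLoader.2636
F-Prot Antivirus
Found nothing
Fortinet
Found W32/Nsag.B
Kaspersky Anti-Virus
Found Virus.Win32.Nsag.b
NOD32
Found Win32/Oleloa.gen
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
"""

# Tokens that name a platform or a generic class rather than a malware family (assumed list).
GENERIC = {"win32", "w32", "trojan", "virus", "worm", "gen", "generic", "found"}


def parse_jotti(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, results); results maps engine name -> verdict ('' when the engine found nothing)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header: Dict[str, str] = {}
    for i, ln in enumerate(lines):
        m = re.match(r"^File: (.+)$", ln)
        if m:
            header["file"] = m.group(1)
        m = re.match(r"^MD5 ([0-9A-Fa-f]{32})$", ln)
        if m:
            header["md5"] = m.group(1).lower()
        if ln == "Status:" and i + 1 < len(lines):
            header["status"] = lines[i + 1]
    body = lines[lines.index("Scanner results") + 1:]
    results: Dict[str, str] = {}
    for engine, verdict in zip(body[0::2], body[1::2]):   # engine line, then its "Found ..." line
        v = re.sub(r"^Found\s+", "", verdict)
        results[engine] = "" if v.lower() == "nothing" else v
    return header, results


def family_tokens(verdict: str) -> List[str]:
    """Split a vendor name like 'Virus.Win32.Nsag.b' into candidate family tokens."""
    parts = re.split(r"[^0-9a-z]+", verdict.lower())
    return [p for p in parts if len(p) > 1 and not p.isdigit() and p not in GENERIC]


def summarize(results: Dict[str, str]) -> Dict[str, object]:
    """Detection ratio plus the family token the largest number of engines share."""
    detected = {e: v for e, v in results.items() if v}
    counts = Counter(t for v in detected.values() for t in family_tokens(v))
    top, n = counts.most_common(1)[0] if counts else ("", 0)
    return {"engines": len(results), "detections": len(detected),
            "top_family": top, "top_family_count": n}


def md5_hex(data: bytes) -> str:
    # MD5 only because that is the digest the report carries; it identifies a file,
    # it is not an integrity guarantee against a crafted collision.
    return hashlib.md5(data).hexdigest()


def matches_report(data: bytes, header: Dict[str, str]) -> bool:
    """True when the local bytes are the file the report describes (same MD5)."""
    return md5_hex(data) == header.get("md5")


if __name__ == "__main__":
    hdr, res = parse_jotti(JOTTI_REPORT)
    print(hdr, summarize(res))
    # Constructed stand-in bytes: the real wininet.dll from the thread is not available here.
    print(matches_report(b"constructed sample bytes", hdr))
```

The family count is the useful number here: seven of fourteen engines fire, and four of those seven agree on one family token under four different spellings, which is stronger evidence than any single verdict. The hash check is the step that ties the report to the copy on the desktop before it is sent anywhere.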

#14
Daemon
  • Security Expert
  • Retired Staff
  • 4,356 posts
  • MVP
Zip it up and send it to this e-mail address including a link to this thread in the body of the email. I'll see if I can clean it for you and send it back.
  • 0

#15
cosmo0026
  • Topic Starter
  • Member
  • 23 posts
File Sent.

Please be advised that I will be leaving the office in 15 min and will return tomorrow morning.

Thanks again for all the help,


Nate
  • 0