Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGuard malware, Smitfraud_C, silent dialer [resolved]


  • This topic is locked This topic is locked

#1
rckolon

rckolon

    Member

  • Member
  • PipPip
  • 17 posts
Hi.

Thank you for providing this service.

I am typing this on an unaffected computer, so I'll post the logs you may want to see after a response , when I get back to the affected computer.

But let me describe what I have done, what problems reoccur, and what concerns I have.

I read your "You Must Read This Before Posting a Hijackthis Log ..." link.
Under category Prepartion:
==> I had no internet connection problem.

Under Clean temporary files:
==> I ran the cleanmgr.
==> Nothing appeared to disabled by startup. But sometimes it appears to grind away for a couple minutes longer than usual.

Under Step One: Scan for Spyware/Adware:
==> I downloaded Ad-aware SE. I customized the settings as detailed in the link. I ran it and saved the file.
==> I downloaded CWShredder. I ran it. It found no problem.
==> I already had Spybot S&D. Tried to update definitions. There was a problem. I did not have latest version. So I downloaded latest version. Downloaded updates. Ran the check for problems. Among the problems it saw was Smitfraud_C. I had it try to remove all problems. It removed all but 12. It said it needed to restart the computer to complete the process. I let it do so. The computer restarted and Spybot initiated action by itself. I think it handled most of them.
==> I linked to the Rogue/Suspect Anti-Spyware Products & Web Sites, and did some research on PSGUARD, one of the repeating problems I was experiencing.

(...
==> Note to others: Look under your harddrive Windows/Prefetch subfolder for similar malware objects to eventually remove. End Note.
==> I then downloaded and bought a True Sword program and ran it. It found three items. One was for Ad-aware. I later had to restore that. One was PSGuard. It quarantined what it found. It temporarily stopped the PSGUARD problem. However it is not a permanent solution. The PSGUARD problem reappears, installing itself after a few logons to Windows XP.
==> From a relative, I got the idea of starting Task Manager before and after dialing into my ISP provider. We noticed that mssearchnet.exe was now running after the dialup connected. We guessed that might be what was running the blinking yellow triangle in the task bar that was constantly popping up a balloon and warning us of spyware, slow downs, etc., and it linked to PSGUARD.com site.
==> In Task Manager I then highlighted it and pressed the END PROCESS button. It disappeared. A few seconds later it reappeared. I highlighted mssearchnet.exe and right clicked it and clicked END PROCESS TREE. It eliminated the yellow triangle in the task bar and the repeated balloon warnings for about 10 minutes. Then it would start again. But it at least it was temporary relief from the bombardment.
==> I went into MyComputer and searched on mssearch.exe and tried to delete it. It would not, saying it was in use. I did further research on the internet and saw that someone else once went into SAFE MODE (pressing F8 before Windows screen appeared on the boot) to delete it. That worked. I deleted it. It has not returned. The awful repetitive taskbar balloon messages stopped for good.
==> In addition, earlier I went into the my Internet Explorer browser and removed the HomepageBHO and some other add-on I did not recognize. That got rid of the Security task bar that was appearing near the screen top. I also found warnhp.html in MyComputer and renamed it to get rid of the WARNING black background screen that first appeared. I later just hand deleted that file. I also deleted all the hpXXXX.tmp files I found with MyComputer search too. XXXX represents some random characters in the name that vary.
One last important item. I noticed that my dialer NO LONGER was making the dial sounds it used to. This was true from the start of the infection.
...)

Under Step Two: Viruses/Trojans
==> I downloaded Ewido Security Suite, updated the database, and then clicked on scanner. It found 154 bad objects and about 50 more questionable ones. (I may be wrong about the actual numbers. This is from my memory.) I cleaned them, but I don't remember if I created encrypted backup. I saved the report.
==> I went to Trend Housecall link and had it perform the free virus scan.
==> I did not download AVG, as I already have Trend Micro PC-cillin software active on my computer before I ever noticed all these problems.
==> I downloaded TrojanHunter, and it found no problem.

Under Step Three: Windows Updates.
==> I previously installed Windows XP Service Pack 2 some months ago. So I did not do this task.

Under Step Four: Reboot - Test
==> There was no obvious problem when I rebooted. But I still saw there was potential for reoccurrence. PSGUARD and subfolders were still in the registry, when I checked by running regedit.exe.

Under Step Five: Posting a Hijack This Log.
==> Not trusting that the problem was completely solved, I downloaded HijackThis and ran it. I kept the log.

Since all this:
==> I've been repeatedly deleting all PSGUARD or P.S.GUARD files as find in MyComputer search. I've run regedit.exe and deleted what i could under PSGUARD.com subfolders. Some things do not delete. I've run the Ewido and Trojan Hunter several times to see what remains.
==> I keep seeing Ewido mention the PSGUARD entries in the registry, which it can't process to clean. I saved some of those logs.

My Major Concerns:
==> I read somewhere that this PSGUARD problem could get worse. http://www.msusenet....1870990307.html
==> The part about international calls now makes the silent dialer problem loom up in my concerns. I noticed an extra entry in my dialer Saturday. It made no sense to me. I'm going to later pencil that number from the dialer, and then delete that entry, if the dialer will allow it. It's the standard Windows XP supplied dialer.
==> This morning PSGUARD tried to reinstall itseld. When I run True Sword, it doesn't find anything new. (Because it's previously found it???) I manually deleted PSGUARD and P.S.GUARD files in the MyComputer search.
==> Of course the link above also talks about it eventually wiping out files. That's a concern too.

I work during the days Mon-Thu, so I may not get to do what you request immediately, but I am motivated and determined to get rid of this menace.

Now I can use some help.

Please state what you would like me to do next.

And thanks for all your efforts.

Rich

Edited by rckolon, 28 October 2005 - 02:20 PM.

  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome rckolon to Geeks to Go!

We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.exe and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Cick browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there, right click and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you wont see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a Hijackthis log in your next reply
  • 0

#3
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks for the reply. I downloaded the smitRem.exe, and ran it under safe mode. It worked rather quickly. It identified wininet.dll as infected and replaced it with another wininet.dll on the computer.

Restarting in normal Window XP mode, the smitRem.exe completed it's task at the start, and the PSGUARD window did NOT appear (like the prior time I ran in normal mode).

I searched for PSGUARD and mssearchnet.exe in MyComputer and found no problem objects.

Then I ran Hijackthis and saved the log. I placed the log in the file attachment to keep this post shorter.

Rich

Attached Files


Edited by rckolon, 28 October 2005 - 02:19 PM.

  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
The tool created a log named smitfiles.txt in the root of your drive, eg; Local Disk C:.
Post me the contents of the smitfiles.txt log as you post back.

Let´s see how we need to continue.
  • 0

#5
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
In about 9 hours after your latest reply, I will be home to do your request. Catch you later.

Rich.
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
The timezones will kill our speed, I'll see your reply tomorrow I guess.
  • 0

#7
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Good evening.

So far no PSGUARD problem is presenting itself. No popups or task bar balloons are appearing while the internet is connected. The PSGUARD subfolders are not present. :tazz:

I assume Windows is a little slower to boot up with all the anti-spyware, etc. stuff now present.

There remains the silent Windows XP dialer problem. And I don't know if there is anything else lurking that has not been obvious to me.

The file requested is attached below. I attached the shudder file too.

Thanks for your efforts.

Rich

Attached File  smitfiles.txt   1.94KB   62 downloadsAttached File  shudder.txt   755bytes   56 downloads
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
These logs look clean, let's dig a bit.

Run the Free use Panda Active Scan.
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post me that report to check.
  • 0

#9
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Will do in about four hours. I am also available Thu->Sun for more interaction.

Rich :tazz:
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Take your time Rich, it's past midnight here now. I'll be back tomorrow (and the days after that :tazz: ).
  • 0

Advertisements


#11
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here is the results of Panda Activescan:

Incident Status Location

Possible Virus. No disinfected C:\Program Files\Skynergy\HotKeyz\eSellerateControl200.dll
Adware:adware/sidestep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf

Why eSellerateControl200.dll appears in HotKeyz folder is unknown to me. I haven;t used HotKeyz in ages. Modification date was 3/19/2002. Looks like Panda copied it and renamed it to eSellerateControl_dll.vir and said it was type VIR file in a temp folder.

I see no evidence of the SbCIe02a.inf file in my system in MyComputer search. What happened to it?

Now for the curiosity:
eSellerate was the handler of my purchase of the True Sword software, which I bought soon after the infection to get rid of PSGuard.

I'm called my credit card company. No unusual transactions.

Rich
  • 0

#12
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
A few weeks ago I bought a CD and it played fine until track 16, and then started skipping like an old damaged record album.

I played the CD on another computer and it worked fine.

In researching the Panda results, I noticed a file C:\Windows\cdplayer.ini modified 10/15/2005. I suspect that this file was corrupted? Any ideas?

Rich
  • 0

#13
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Every time I run Ewido it keeps finding this high threat:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:49:32 AM, 10/27/2005
+ Report-Checksum: 8D9A5E13

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup


::Report End

At least it no longer finds the PSGUARD objects. :tazz:

Rich
  • 0

#14
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
It does belong to the same infection...

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘remove.reg’ to your desktop.
Choose ‘save as all types *.*’

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]


Close Notepad.
Double-click the remove.reg on your desktop. Allow it to merge to your Registry. Reboot after that.

***

As for the other result:

C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf

This one belongs to SideStep, let's remove it:

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


Let's see what else is there:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from notepad into your post

  • 0

#15
rckolon

rckolon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I downloaded the killbox.zip

I created the remove.reg.

I logged off and booted in SAFE mode.

I executed the remove.reg. It "added" to the registry, rather than "merged".

I rebooted into SAFE mode.

I ran the killbox.exe. I selected delete on reboot. I pointed to C:Windows\Dowloaded Program Files, but had to type in \SbCIe02a.inf after it. (It did not show as a file to pick in the tree.)

I clicked the white X in red delete button, said yes to reboot on delete, but don't remember seeing Pending Operations prompt. The computer restarted automatically. I let it go into normal Windows XP mode.

I opened Highjackthis.exe and the result is attached.

Rich

Attached File  uninstall_list20051027.txt   2.9KB   68 downloads
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP