PSGuard malware, Smitfraud_C, silent dialer [resolved]

#1 rckolon (Member, 17 posts)
Hi.

Thank you for providing this service.

I am typing this on an unaffected computer, so I'll post the logs you may want to see after a response , when I get back to the affected computer.

But let me describe what I have done, what problems reoccur, and what concerns I have.

I read your "You Must Read This Before Posting a Hijackthis Log ..." link.
Under category Preparation:
==> I had no internet connection problem.

Under Clean temporary files:
==> I ran the cleanmgr.
==> Nothing appeared to be disabled by startup. But sometimes it appears to grind away for a couple minutes longer than usual.

Under Step One: Scan for Spyware/Adware:
==> I downloaded Ad-aware SE. I customized the settings as detailed in the link. I ran it and saved the file.
==> I downloaded CWShredder. I ran it. It found no problem.
==> I already had Spybot S&D. Tried to update definitions. There was a problem. I did not have latest version. So I downloaded latest version. Downloaded updates. Ran the check for problems. Among the problems it saw was Smitfraud_C. I had it try to remove all problems. It removed all but 12. It said it needed to restart the computer to complete the process. I let it do so. The computer restarted and Spybot initiated action by itself. I think it handled most of them.
==> I linked to the Rogue/Suspect Anti-Spyware Products & Web Sites, and did some research on PSGUARD, one of the repeating problems I was experiencing.

(...
==> Note to others: Look under your harddrive Windows/Prefetch subfolder for similar malware objects to eventually remove. End Note.
==> I then downloaded and bought a True Sword program and ran it. It found three items. One was for Ad-aware. I later had to restore that. One was PSGuard. It quarantined what it found. It temporarily stopped the PSGUARD problem. However it is not a permanent solution. The PSGUARD problem reappears, installing itself after a few logons to Windows XP.
==> From a relative, I got the idea of starting Task Manager before and after dialing into my ISP provider. We noticed that mssearchnet.exe was now running after the dialup connected. We guessed that might be what was running the blinking yellow triangle in the task bar that was constantly popping up a balloon and warning us of spyware, slow downs, etc., and it linked to PSGUARD.com site.
==> In Task Manager I then highlighted it and pressed the END PROCESS button. It disappeared. A few seconds later it reappeared. I highlighted mssearchnet.exe and right clicked it and clicked END PROCESS TREE. It eliminated the yellow triangle in the task bar and the repeated balloon warnings for about 10 minutes. Then it would start again. But at least it was temporary relief from the bombardment.
==> I went into MyComputer and searched on mssearch.exe and tried to delete it. It would not, saying it was in use. I did further research on the internet and saw that someone else once went into SAFE MODE (pressing F8 before Windows screen appeared on the boot) to delete it. That worked. I deleted it. It has not returned. The awful repetitive taskbar balloon messages stopped for good.
==> In addition, earlier I went into the my Internet Explorer browser and removed the HomepageBHO and some other add-on I did not recognize. That got rid of the Security task bar that was appearing near the screen top. I also found warnhp.html in MyComputer and renamed it to get rid of the WARNING black background screen that first appeared. I later just hand deleted that file. I also deleted all the hpXXXX.tmp files I found with MyComputer search too. XXXX represents some random characters in the name that vary.
One last important item. I noticed that my dialer NO LONGER was making the dial sounds it used to. This was true from the start of the infection.
...)

Under Step Two: Viruses/Trojans
==> I downloaded Ewido Security Suite, updated the database, and then clicked on scanner. It found 154 bad objects and about 50 more questionable ones. (I may be wrong about the actual numbers. This is from my memory.) I cleaned them, but I don't remember if I created encrypted backup. I saved the report.
==> I went to Trend Housecall link and had it perform the free virus scan.
==> I did not download AVG, as I already have Trend Micro PC-cillin software active on my computer before I ever noticed all these problems.
==> I downloaded TrojanHunter, and it found no problem.

Under Step Three: Windows Updates.
==> I previously installed Windows XP Service Pack 2 some months ago. So I did not do this task.

Under Step Four: Reboot - Test
==> There was no obvious problem when I rebooted. But I still saw there was potential for reoccurrence. PSGUARD and subfolders were still in the registry, when I checked by running regedit.exe.

Under Step Five: Posting a Hijack This Log.
==> Not trusting that the problem was completely solved, I downloaded HijackThis and ran it. I kept the log.

Since all this:
==> I've been repeatedly deleting all PSGUARD or P.S.GUARD files as I find them in MyComputer search. I've run regedit.exe and deleted what I could under PSGUARD.com subfolders. Some things do not delete. I've run the Ewido and Trojan Hunter several times to see what remains.
==> I keep seeing Ewido mention the PSGUARD entries in the registry, which it can't process to clean. I saved some of those logs.

My Major Concerns:
==> I read somewhere that this PSGUARD problem could get worse. http://www.msusenet....1870990307.html
==> The part about international calls now makes the silent dialer problem loom up in my concerns. I noticed an extra entry in my dialer Saturday. It made no sense to me. I'm going to later pencil that number from the dialer, and then delete that entry, if the dialer will allow it. It's the standard Windows XP supplied dialer.
==> This morning PSGUARD tried to reinstall itself. When I run True Sword, it doesn't find anything new. (Because it's previously found it???) I manually deleted PSGUARD and P.S.GUARD files in the MyComputer search.
==> Of course the link above also talks about it eventually wiping out files. That's a concern too.

I work during the days Mon-Thu, so I may not get to do what you request immediately, but I am motivated and determined to get rid of this menace.

Now I can use some help.

Please state what you would like me to do next.

And thanks for all your efforts.

Rich

Edited by rckolon, 28 October 2005 - 02:20 PM.

#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome rckolon to Geeks to Go!

We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.exe and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Click browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to the left or to the right, because normally they will open on top of each other and you won't see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a HijackThis log in your next reply.

#3 rckolon (Topic Starter, Member, 17 posts)
Thanks for the reply. I downloaded the smitRem.exe, and ran it under safe mode. It worked rather quickly. It identified wininet.dll as infected and replaced it with another wininet.dll on the computer.

Restarting in normal Windows XP mode, the smitRem.exe completed its task at the start, and the PSGUARD window did NOT appear (unlike the prior time I ran in normal mode).

I searched for PSGUARD and mssearchnet.exe in MyComputer and found no problem objects.

Then I ran Hijackthis and saved the log. I placed the log in the file attachment to keep this post shorter.

Rich

Edited by rckolon, 28 October 2005 - 02:19 PM.


#4 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
The tool created a log named smitfiles.txt in the root of your drive, eg; Local Disk C:.
Post me the contents of the smitfiles.txt log as you post back.

Let's see how we need to continue.

#5 rckolon (Topic Starter, Member, 17 posts)
In about 9 hours after your latest reply, I will be home to do your request. Catch you later.

Rich.

#6 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
The timezones will kill our speed, I'll see your reply tomorrow I guess.

#7 rckolon (Topic Starter, Member, 17 posts)
Good evening.

So far no PSGUARD problem is presenting itself. No popups or task bar balloons are appearing while the internet is connected. The PSGUARD subfolders are not present.

I assume Windows is a little slower to boot up with all the anti-spyware, etc. stuff now present.

There remains the silent Windows XP dialer problem. And I don't know if there is anything else lurking that has not been obvious to me.

The file requested is attached below. I attached the shudder file too.

Thanks for your efforts.

Rich

Attached File  smitfiles.txt   1.94KB   125 downloads
Attached File  shudder.txt   755bytes   138 downloads

#8 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
These logs look clean, let's dig a bit.

Run the Free use Panda Active Scan.
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post me that report to check.

#9 rckolon (Topic Starter, Member, 17 posts)
Will do in about four hours. I am also available Thu->Sun for more interaction.

Rich

#10 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Take your time Rich, it's past midnight here now. I'll be back tomorrow (and the days after that).
#11 rckolon (Topic Starter, Member, 17 posts)
Here are the results of Panda ActiveScan:

Incident Status Location

Possible Virus. No disinfected C:\Program Files\Skynergy\HotKeyz\eSellerateControl200.dll
Adware:adware/sidestep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf

Why eSellerateControl200.dll appears in the HotKeyz folder is unknown to me. I haven't used HotKeyz in ages. Modification date was 3/19/2002. Looks like Panda copied it and renamed it to eSellerateControl_dll.vir and said it was type VIR file in a temp folder.

I see no evidence of the SbCIe02a.inf file in my system in MyComputer search. What happened to it?

Now for the curiosity:
eSellerate was the handler of my purchase of the True Sword software, which I bought soon after the infection to get rid of PSGuard.

I called my credit card company. No unusual transactions.

Rich

#12 rckolon (Topic Starter, Member, 17 posts)
A few weeks ago I bought a CD and it played fine until track 16, and then started skipping like an old damaged record album.

I played the CD on another computer and it worked fine.

In researching the Panda results, I noticed a file C:\Windows\cdplayer.ini modified 10/15/2005. I suspect that this file was corrupted? Any ideas?

Rich

#13 rckolon (Topic Starter, Member, 17 posts)
Every time I run Ewido it keeps finding this high threat:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:49:32 AM, 10/27/2005
+ Report-Checksum: 8D9A5E13

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup


::Report End

At least it no longer finds the PSGUARD objects.

Rich

#14 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
It does belong to the same infection...

Open Notepad.
Copy the text from the box to an empty file.
Save it as ‘remove.reg’ to your desktop.
Choose ‘save as all types *.*’

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]


Close Notepad.
Double-click the remove.reg on your desktop. Allow it to merge to your Registry. Reboot after that.

***

As for the other result:

C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf

This one belongs to SideStep, let's remove it:

Download the Killbox.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


Let's see what else is there:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post

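As an added example (not part of the thread, and not any helper's tool), a small Python check that previews what a .reg file like the remove.reg above would do before it is merged: a key line written as [-HKEY...] deletes that key with all its subkeys and values, while a key line without the minus creates or opens the key. The embedded sample is the remove.reg text from this post; only key-level actions are reported, and the allowed-prefix helper is an assumption for illustrating a "does this fix touch only the flagged CLSID" review.

```python
import re
from typing import Dict, List

# Constructed sample: the remove.reg contents posted in this thread.
SAMPLE_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
"""

# Header lines that mark a legitimate .reg file (REGEDIT4 is the older format).
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# [-HKEY_...] deletes a key; [HKEY_...] creates or opens it.
KEY_LINE = re.compile(r"\[(-?)(HKEY_[A-Z_]+\\.+)\]")


def preview_reg(text: str) -> Dict[str, List[str]]:
    """Return which keys a .reg file would delete and which it would create/modify."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Registry Editor header")
    actions: Dict[str, List[str]] = {"delete": [], "create_or_modify": []}
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        m = KEY_LINE.fullmatch(line)
        if m is None:
            continue                            # value lines belong to the current key
        bucket = "delete" if m.group(1) == "-" else "create_or_modify"
        actions[bucket].append(m.group(2))
    return actions


def only_touches(text: str, allowed_prefixes: List[str]) -> bool:
    """True when every key the .reg file touches sits under one of the allowed prefixes.

    Hypothetical review helper: lets you confirm a cleanup .reg only hits the
    key a scanner flagged (here the CLSID from the Ewido report) and nothing else.
    """
    actions = preview_reg(text)
    keys = actions["delete"] + actions["create_or_modify"]
    return all(any(k.upper().startswith(p.upper()) for p in allowed_prefixes) for k in keys)


if __name__ == "__main__":
    for kind, keys in preview_reg(SAMPLE_REG).items():
        for k in keys:
            print(f"{kind}: {k}")
```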

#15 rckolon (Topic Starter, Member, 17 posts)
I downloaded the killbox.zip

I created the remove.reg.

I logged off and booted in SAFE mode.

I executed the remove.reg. It "added" to the registry, rather than "merged".

I rebooted into SAFE mode.

I ran the killbox.exe. I selected delete on reboot. I pointed to C:\Windows\Downloaded Program Files, but had to type in \SbCIe02a.inf after it. (It did not show as a file to pick in the tree.)

I clicked the white X in red delete button, said yes to reboot on delete, but don't remember seeing Pending Operations prompt. The computer restarted automatically. I let it go into normal Windows XP mode.

I opened HijackThis.exe and the result is attached.

Rich

Attached File  uninstall_list20051027.txt   2.9KB   125 downloads