A couple of days ago Psguard popups seemed to suddenly take over my computer. I was able to find this forum and start to try to get rid of it. I downloaded and ran CleanUp. I already had Ad Aware - I updated it and ran it. I downloaded and ran CWShredder. I downloaded, updated, and ran Spybot, and also I think I ran the DSO Exploit thing, but I'm not clear how that differs from the Spybot. At any rate, I did run Spybot and got rid of some things. I downloaded and ran Ewido. I did the online Housecall.
I should note here that I normally use Netscape 7, although I sometimes switch to MS IE when things don't work. I suspect that switching to MS IE was what originally downloaded the malware. Housecall got weird when I tried it from Netscape and finally I got message that it only works with IE. So I switched to that and ran the scan. Housecall had me download something during the Netscape mess, and now I wonder if it was more malware or the like.
Resuming the sequence of events - I downloaded and installed AVG. I created their "rescue diskettes", which ran to six diskettes. I had Windows SP1 already, but I downloaded SP1a and installed it. I rebooted, but Psguard was still there, after all this. I ran some more scans from all these programs to see if anything much had changed. At some point I read on a forum about how a process in the taskmanager could be killed to stop the popups - sorry, I don't remember which - and that seemed to work. During this period of just trying to figure out whether I was still really infected, I found that I couldn't access my ISP anymore. The network connection dialer was messed up. I tried to make a new one, and found that the "Make a new connection" Wizard wouldn't allow me to access the type of connection I needed - it was greyed out. My connection is through a USB DSL modem, and I need to login each time I connect. (Note from rafter: since I first posted this message, I've found a tip on the Microsoft support website on how to fix this problem by doing something in the registry - but I'm not going to try to do anything until I get a response to this message, since at this point I'm worried about messing things up further by connecting the infected computer to the internet at all (further note - after sleeping on it, I couldn't resist and tried fixing the problem using the info from Microsoft. Didn't work, although I did manage to delete a reference to a file "dialer.exe" in the registry; don't know if that was a legit file or a malware file, but it's gone for now. So, still no connection to the net on the infected computer.))
Somewhere during these increasingly panicky scans and attempts to fix things, I managed to inadvertently delete the winint.dll file, which had shown up as infected. Somehow I got around six infected copies of it into a quarantine, and thinking they were all just copies, I deleted them. That seems to have deleted the original file, too. I rebooted and a bunch of things gave error messages based on not finding that file. I tried using the rescue diskettes from the AVG program to reboot, but that didn't function, always giving a "Cannot init CORE. Corrupted AVI7.AVG?" After trying to somehow get the file off the original XP installation CD and failing (is there a way to do this? (Note from rafter - since I first posted this message, I've found out that running sfc is the way to do this (Further note - some more research seems to tell me that I can just use a "copy" command after going into repair mode from the installation CD))), I decided to try to reinstall XP to restore that file. So I started the install, and after some bumps got to a point at which the installation would halt with this error msg box titled "unregmp2.exe - Entry Point Not Found" and the message in the box said "The procedure entry point GetIUMS could not be located in the dynamic link library MSDART.DLL" (Further note - I did yet another reinstall after the one described above, since it was part of the instructions from Microsoft on how to get the connection wizard working again, and the same unregmp2.exe error happened again. Also, since I did the reinstalls of Windows XP, I'm guessing that it reverted back to pre-service-pack 1 or 1a state(?). Since I can't connect to the internet at this point with the infected computer, I can't do the service pack download. I'm sure hoping we can disinfect the computer before getting its connection to the internet back.)
After several attempts at restarting the install, I finally figured out that it was not going to go past that point. As a last resort, I figured I would try reconnecting an old computer running Windows 98 to see if I could use it to get online. Amazingly, it worked (I had forgotten that I'd first used the USB DSL modem with it). I did a Google search on "unregmp2.exe" and quickly found the solution, which was that when the error occurred, hit Shift + F10 to get a command prompt, start the Taskmanager, and get rid of the unregmp2 process. So, that worked, and the install completed, with a presumably fresh copy of the wininit.dll file. I was still not able to create a working network connection through the wizard, which still greyed out the choice I need. I tried to run the winsock fix app linked in the instructions I'm following here, but got an error saying it wasn't a valid 32-bit app.
This morning I've redone CleanUp, Ad Aware (which found evidence of an Alexa-like infection and PSGuard), CWShredder (which showed no problem), Spybot (which also showed no problem), and ewido (which found some things and I'm pasting its report below the HijackThis report). I ran Hijack This, which started with two error messages, and then ran normally (I think), and the log is pasted below.
I place my computer (and probably my sanity) into your hands.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 10:32:02 AM, on 11/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\CU-SEE~1\Amigo.exe
C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\WHITEP~1\CUCore.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\CU-SEE~1\CONTAC~1.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\fixer files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dialup.pacbell.net/help.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://dialup.pacbel....net/help.html"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Wayne\Application Data\Mozilla\Profiles\default\elseylnu.slt\prefs.js)
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hpA99E.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WP Companion] C:\PROGRA~1\CU-SEE~1\Amigo.exe -minimize
O4 - HKLM\..\Run: [WP Call Notification] C:\PROGRA~1\CU-SEE~1\NOTIFI~1.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .efp: C:\Program Files\Internet Explorer\Plugins\NPEFPrn.dll
O12 - Plugin for .efv: C:\Program Files\Internet Explorer\Plugins\NPEFV.dll
O12 - Plugin for .fmp: C:\Program Files\Internet Explorer\Plugins\NPFMP.dll
O12 - Plugin for .fmr: C:\Program Files\Internet Explorer\Plugins\NPFME.dll
O12 - Plugin for .ifx: C:\Program Files\Internet Explorer\Plugins\NPWebPrn.dll
O12 - Plugin for .lfx: C:\Program Files\Internet Explorer\Plugins\NPLaunch.dll
O12 - Plugin for .mwp: C:\Program Files\Internet Explorer\Plugins\NPMWPrn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Report from ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:17:19 AM, 11/2/2005
+ Report-Checksum: E263DDE3
+ Scan result:
HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Cleaned with backup
::Report End
Edited by rafter, 05 November 2005 - 01:01 AM.