#1 (permalink)
New Member
Join Date: Aug 2005
Posts: 7
Hi guys, newbie here. While I'm not a complete idiot (don't ask my wife though) I've run into a wall here. One of the computers here at work has been infected with PSGuard and a dash of Spyware-Stop to boot. I appreciate the Stickies and have gone through the basic threads but to no avail. The buggy bastard is still there. I followed the basic instructions and have run SpSeHjfix, Smitrem, CCleaner, Ad-Aware, even Spybot and Spyware Doctor in Safe mode. I've run Trend Micro and Panda scans also. The only trouble I have with the basic instructions is Ewido. I can't run it as this is an older computer running Win 98... I know, I know, get with the program. It's not up to me though.
To the point: can anyone help me out here? I've been at it on and off for 2 days. My most recent HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 5:48:21 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WAVETIME\WAVETIME.EXE
C:\WAVETIME\SKEY.EXE
C:\WAVETIME\LXCOM1.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.5.18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C ne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)

Thanks in advance. There is a great wealth of knowledge here!
#2 (permalink)

Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,727
Run HijackThis and check the following lines:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.5.18
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)

Close all open windows and hit "Fix checked".

Find and delete the following folders\files:

C:\WINDOWS\psx.exe
C:\PROGRAM FILES\BEUQRJ
C:\Program Files\PSGuard

Then reboot and post a new HijackThis log.
__________________
The Grim Reaper - Son of Glyndwr "To Hell or Connacht" may you burn in Hell tonight!
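A worked triage of the kind of log entries Digaredd picks out above, as an added example and not code from the forum, from HijackThis or from any tool named in this thread: a small Python script that parses HijackThis 1.99 entry lines and reports the suspicious ones with a reason. The sample lines are copied from the first log posted in this thread; the known-bad file names are the ones the reply above tells the poster to delete; the no-vowel heuristic for generated names, the repeated-digit CLSID check and the reason strings are the example's own assumptions.

```python
"""Triage a HijackThis 1.99 log for the PSGuard/Smitfraud-style entries discussed above.

Added example; not the forum's tooling and not HijackThis itself. The rules encode the
reasons a helper gives for each entry type; the known-bad names are those this thread
tells the poster to delete. The heuristics are assumptions made for illustration.
"""
import re

# Sample input: lines copied from the first HijackThis log posted in this thread, with the
# extraction line breaks repaired, plus stock entries of each type for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.5.18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? - (?P<url>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|dll|scr|bat))(?=["\s]|$)', re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Basenames of the files the reply above tells the poster to delete (lower case).
KNOWN_BAD_EXES = {"psx.exe", "psguard.exe"}


def parse_log(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def exe_path(cmd):
    """Executable at the front of a Run command, with quotes and arguments removed."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else (cmd.split() or [""])[0]


def looks_generated(token):
    """Assumed heuristic for the random names this family uses ([Jvxygxn], BEUQRJ, SMJSFC):
    purely alphabetic, five or more letters, and not a single vowel."""
    return len(token) >= 5 and token.isalpha() and not set(token.lower()) & set("aeiou")


def check_entry(section, body):
    """Return why an entry is suspicious, or None if it passes these checks."""
    if section == "R1" and "AutoConfigURL" in body:
        value = body.split("=", 1)[1].strip()
        if IPV4_RE.match(value):
            return "proxy auto-config URL points at a bare IP; a PAC file there can route every browser request through a proxy of the attacker's choosing"
        return "proxy auto-config URL is set; confirm the PAC file is yours"
    if section == "O4":
        m = O4_RE.match(body)
        if not m:
            return None
        parts = exe_path(m["cmd"]).replace("/", "\\").split("\\")
        base = parts[-1].lower()
        if base in KNOWN_BAD_EXES:
            return f"autostart of {base}, a file this thread identifies as part of the PSGuard infection"
        if any(looks_generated(t) for t in [m["name"], base.rsplit(".", 1)[0], *parts[1:-1]]):
            return "autostart under a randomly generated name (no vowels), as this family does"
        return None
    if section == "O15":
        return "host added to IE's Trusted sites zone, where ActiveX and script run with few prompts"
    if section == "O16":
        m = O16_RE.match(body)
        if not m:
            return None
        url = m["url"].lower()
        if url.startswith("ms-its:") or "::/" in url:
            return "ActiveX download via an ms-its:/CHM URL, a known IE help-file exploit vector"
        if len(set(m["clsid"].strip("{}").replace("-", ""))) <= 2:
            return "DPF entry with a made-up CLSID (repeated digits), not a registered control"
        return None
    if section == "O21" and "(no file)" in body:
        return "ShellServiceObjectDelayLoad entry whose DLL is gone; an orphan left by the infection"
    return None


def triage(text):
    """All suspicious entries of a log as (section, body, reason) tuples, in log order."""
    return [(s, b, check_entry(s, b)) for s, b in parse_log(text) if check_entry(s, b)]


def files_to_delete(findings):
    """Paths behind the flagged O4 entries: the files to remove after 'Fix checked'."""
    return sorted({exe_path(O4_RE.match(b)["cmd"]) for s, b, _ in findings if s == "O4"})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, body, reason in hits:
        print(f"{section} - {body}\n    -> {reason}")
    print("delete after fixing:", *files_to_delete(hits), sep="\n  ")
```

Run against the sample it flags the same seven entries the reply above lists (the R1 proxy setting, the three O4 autostarts, O15, the ms-its O16 and the orphan O21) and prints the three file paths behind the O4 entries, while the Panda ActiveScan O16, the Acrobat BHO and the stock Run entries pass. It only tells you what to tick; "Fix checked" in HijackThis is still what edits the registry, and a returning entry after a reboot (as happens later in this thread) means the dropper is still running, not that the fix failed.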
#4 (permalink)

New Member
Join Date: Aug 2005
Posts: 7
Did as instructed. Could not find c:\windows\psx.exe or c:\program files\beuqrj. HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:02 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WAVETIME\WAVETIME.EXE
C:\WAVETIME\SKEY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WAVETIME\LXCOM1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33
#6 (permalink)

New Member
Join Date: Aug 2005
Posts: 7
No idea. This computer is only used for internet access, primarily for medical research and definitions. Its only other function is to interface with an MRI scanner, and it runs a Wavetime program for gating monitoring and scan-time readout.
#7 (permalink)

New Member
Join Date: Aug 2005
Posts: 7
I just rebooted in safe mode again and ran the following scans (I added CWShredder and About Buster). Results as follows:

CWShredder - none infected
About Buster - done
CCleaner - done
SpSeHjfix - wininet.dll infected
Ad-Aware - 31 registered keys, 2 registered values, 2 files IDed (incl. PS Guard)
Spyware Doctor - 2 infections found (incl. PS Guard)

I then rebooted and ran HJT. Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:13 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WAVETIME\SKEY.EXE
C:\WAVETIME\LXCOM1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33

And, yes... PS Guard is still here. Yikes!
#8 (permalink)

banned
Join Date: Feb 2005
Posts: 1,486
Get XoftSpy; it will get rid of it. It's the only program I found that can get rid of it. I did not know about Ewido then; it should be able to also, but you said you have issues installing it? You should be able to install XoftSpy on 98 with no problems!