|
|
||
09-26-2005, 08:16 PM
|
#1 (permalink) |
|
New Member
 Join Date: Sep 2005
Posts: 2
|
PS Guard infection - Please help !!
Hi,
Can anyone please guide me through how to get rid of this psguard infection. I have ran AdAware, Spybot and Spyware Doctor in both normal and safe modes. I have also deleted the file "mssearchnet.exe" from C:\windows\system32 which I believe was the cause of the annoying info message in the tray. Many thanks Highjack This log is as follows:- Logfile of HijackThis v1.99.1 Scan saved at 19:03:13, on 26/09/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\NavNT\defwatch.exe C:\Program Files\NavNT\rtvscan.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\nvctrl.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\NavNT\vptray.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\Homework LWC\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\System32\hp9318.tmp O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = ? O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net O16 - DPF: NTLSignup - https://register.tesco.net/tesco/NTLSignup.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125053242281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/temp...control025.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E844BD87-B8D3-4DA8-A907-37CE47D6D736}: NameServer = 194.168.4.100 194.168.8.100 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Last edited by Malcy; 09-26-2005 at 08:25 PM. Reason: Additional Information |
|
|
|
09-26-2005, 09:02 PM
|
#2 (permalink) |
|
Malware Destroyer
 
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
|
1. Print out these instructions as we will need to shutdown every window that is open later in the fix.
2. Download and install CleanUp! but do not run it yet. http://www.stevengould.org/downloads.../CleanUp40.exe *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. 3. Download smitRem and save the file to your desktop. http://noahdfear.geekstogo.com/click...click.php?id=1 Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem. 4. Download and Update Ewido : From the main ewido screen, click on update in the left menu, then click the Start update button. 5. After the updates are installed, exit Ewido 6. Reboot into Safe Mode, (tapping F8 key when booting up) 7. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: a. Click Options... b. Move the arrow down to Custom CleanUp! c. Put a check next to the following: * Empty Recycle Bins * Delete Cookies * Delete Prefetch files * Scan local drives for temporary files * Cleanup! All Users d. Click the OK button, then press the CleanUp! button to start the program and wait for it to finish. 7. Stay in safe mode and open HijackThis, scan and check the following items: O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\System32\hp9318.tmp 8. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. 9. Still in safe mode, start Ewido Security Suite, click on scanner, then click on Start Scan, then let the program scan the machine, (let it fix what it finds). 10. exit the program and reboot back to normal mode. 
__________________
Don't byte off more than you can chew... |
|
|
|
|
09-27-2005, 04:19 PM
|
#3 (permalink) |
|
New Member
Join Date: Sep 2005
Posts: 2
|
Many thanks Byteman, that did the trick. I thought I had the "Resident SD Helper" active in Spybot but, on investigation, discovered that not only was the checkbox not ticked it would not allow a tick to be put in. I will uninstall/reinstall it and see if that helps. Thanks again for your help...Malcy
|
|
|
|
 |
| Bookmarks |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
