Time to call in the Cavalry

TheMadStapler

New Member
Hi guys, newbie here. While I'm not a complete idiot (don't ask my wife though), I've run into a wall here. One of the computers here at work has been infected with PSGuard and a dash of Spyware-Stop to boot. I appreciate the stickies and have gone through basic threads, but to no avail. The buggy bastard is still there. I followed the basic instructions and have run SpSeHjfix, Smitrem, CCleaner, Ad-Aware, even Spybot and Spyware Doctor in Safe Mode. I've run Trend Micro and Panda scans also. The only trouble I have with the basic instructions is Ewido. I can't run it as this is an older computer running Win 98... I know, I know, get with the program. It's not up to me though.

To the point... can anyone help me out here? I've been at it on and off for 2 days. My most recent HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 5:48:21 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WAVETIME\WAVETIME.EXE
C:\WAVETIME\SKEY.EXE
C:\WAVETIME\LXCOM1.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.5.18
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)



Thanks in advance. There is a great wealth of knowledge here!
 
Run Hijackthis and check the following lines

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.10.5.18
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)


Close all open windows and hit "Fix checked".

Find and delete the following folders\files.

C:\WINDOWS\psx.exe
C:\PROGRAM FILES\BEUQRJ
C:\Program Files\PSGuard

Then reboot and post a new Hijackthis log.
 
Round two

Did as instructed. Could not find c:\windows\psx.exe or c:\program files\beuqrj. HJT log as follows:


Logfile of HijackThis v1.99.1
Scan saved at 6:25:02 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WAVETIME\WAVETIME.EXE
C:\WAVETIME\SKEY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WAVETIME\LXCOM1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33
 
No idea. This computer is only used for internet access, primarily for medical research and definitions. Its only other function is to interface with an MRI scanner, and it runs a Wavetime program for gating monitoring and scan time readout.
 
another try

I just rebooted in safe mode again and ran the following scans. (I added CWShredder and About Buster.) Results as follows:

CWShredder-none infected
About Buster-done
CCleaner-done
SpSeHjfix-wninet.dll infected
Ad-Aware-31 registered keys, 2 registered values, 2 files IDed (incl PS Guard)
Spyware Doctor-2 infections found (incl PS Guard).

I then rebooted and ran HJT. Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:13 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WAVETIME\SKEY.EXE
C:\WAVETIME\LXCOM1.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WaveTime.lnk = C:\wavetime\WaveTime.exe
O4 - Startup: Service Key.lnk = C:\wavetime\SKey.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.msn.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33



And, yes..PS Guard is still here. Yikes!
 
Get XoftSpy, it will get rid of it. It's the only program I found that can get rid of it. I did not know about Ewido then; it should be able to also, but you said you have issues installing it? You should be able to install XoftSpy on 98 with no problems!
 
Sorry, TheMadStapler, the thread got buried and I missed it. If I had seen the advice about XoftSpy I would have deleted it; until recently it was on the "rogue" spyware remover list. I think we need to go back to the start here, and run the fix from A onwards. I'll be back in a while.
 
Go to Add\Remove programs and uninstall these programs, if there.

Security IGuard
Virtual Maid
Search Maid
AntiVirusGold
PSGuard
SpySheriff


Then boot to Safe Mode.

Then run Hijackthis and check these lines.

O15 - Trusted IP range: 206.161.125.149
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 137.118.1.32,137.118.1.33


Then open Smitrem and double-click Runthis.bat. Wait for cleanup to finish.

Then do a full Ad-Aware SE scan.

Boot back to normal mode and do an online scan here.

Reboot again and post the new Hijackthis log.
 
I beg to differ with your opinion on XoftSpy. I had PSGuard myself and it was the only spyware remover program that fixed the problem. You have to do a scan and then reboot; it will fix it when you reboot! I will post a link with some info about manual removal instructions. PS: I was not trying to step on your toes, buzz. I was just offering some advice that had worked for me in the past because I know this is hard to remove!

http://labs.paretologic.com/spyware.aspx?remove=PSGuard
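
Added example, not part of the thread or written by any poster: the cleanup above is judged by comparing successive HijackThis logs by eye, so this sketch diffs two scans and lists entries that disappeared, appeared, or persisted. The function names `parse_entries` and `diff_logs` are hypothetical, and the sample input is a handful of entry lines excerpted from the thread's first two logs.

```python
import re

# A HijackThis entry is a section code (e.g. R1, O4, O16), " - ", then the detail.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample: a few entry lines excerpted from the thread's first and
# second logs (saved 5:48:21 PM and 6:25:02 PM on 8/23/05).
FIRST_SCAN = r"""
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [psx] C:\WINDOWS\psx.exe
O4 - HKLM\..\Run: [Jvxygxn] C:\PROGRAM FILES\BEUQRJ\SMJSFC.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O15 - Trusted IP range: 206.161.125.149
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
"""
SECOND_SCAN = r"""
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O15 - Trusted IP range: 206.161.125.149
"""

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log.

    Header lines and the running-process list do not match ENTRY_RE and are
    skipped. Details are lower-cased and whitespace-collapsed because Win9x
    paths are case-insensitive and forum software may re-wrap lines.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), " ".join(m.group(2).split()).lower()))
    return entries

def diff_logs(before, after):
    """Return (removed, added, unchanged) entry lists between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old), sorted(old & new)

if __name__ == "__main__":
    removed, added, unchanged = diff_logs(FIRST_SCAN, SECOND_SCAN)
    for label, rows in (("gone", removed), ("new", added), ("still present", unchanged)):
        for section, detail in rows:
            print(f"{label:14} {section:4} {detail}")
```

On these excerpts the diff reports the `[intell32.exe]` Run entry as new in the second scan and the O15 trusted range as still present, which are the lines a reviewer would want to look at before the next fix round.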
 