10-16-2005, 11:00 AM   #4
colblimp
I helped the forums.
 
Join Date: Nov 2004
Posts: 26
OS: XP
PS Guard Problems

Thanks for the instructions. I have carried out all the procedures and the various logs are below:

Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 17:52:20, on 16/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/....yahoo.com/%3f
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/....yahoo.com/%3f
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\ATI-CPanel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29775E67-2C9F-496C-ACDD-81BF2FA44E85}: NameServer = 192.168.0.1
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido Log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:25:27, 16/10/2005
+ Report-Checksum: 84326CCD

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
C:\WINDOWS\b2_t_CLIFF+RICHARD225.xml:cambod -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\b2_t_RENAULT+CLIO+16V+PARTS+DOMAIN%3ARENAULTSPORTSCLUB.CO.UK631.xml:sgmpwz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cdplayer.ini:qqzvc -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\dahotfix.log:tskfzq -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:njjsk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\JB3DRV.LOG:dkwybu -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\KB820128.log:gqiram -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB821557.log:sneyyt -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\KB822603.log:jfejv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB837001.log:egkfeo -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\KB839643.log:orhey -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB840315.log:chgzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\pss\system.ini.backup:myeffd -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Q811630.log:wmzrtm -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Q811630.log:wpxpg -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Rhododendron.bmp:tckhmn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system.ini:myeffd -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32:thaa.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\wmprfell.prx:ncllv -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\wmprfita.prx:hdvml -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\wmprfnld.prx:evtcbd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wmprfptb.prx:sxyfh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wmprfsve.prx:irajg -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\wmprfsve.prx:vizeb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:dhloqg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:fhfvzr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:hgefdj -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\_default.pif:khabwe -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\_default.pif:ngmpfg -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\_default.pif:odocp -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\_default.pif:sgeol -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\_default.pif:ybqia -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:zzxtxu -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

Smitfiles Log:


smitRem log file
version 2.6

by noahdfear

The current date is: 16/10/2005
The current time is: 16:26:38.53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Panda Activescan Log:


Incident Status Location

Adware:Adware/Popuper No disinfected C:\Program Files\Hijackthis\backups\backup-20051014-134414-298.dll
Adware:Adware/Popuper No disinfected C:\Program Files\Hijackthis\backups\backup-20051014-134812-968.dll
Adware:adware/comet No disinfected C:\WINDOWS\inf\dm.inf
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
Adware:adware/securityerror No disinfected C:\WINDOWS\system32\ts.ico

Thanks for your help. I look forward to receiving your further instructions.

Regards

John