Purgatory
Hi there. Excuse me if my English is bad (I'm from Sweden).
I'm having a problem with some sh*t called PS Guard.
Not in Mozilla Firefox, but in Internet Explorer...
I get some weird message in the lower right window, "Security alert!", saying that my computer is infected.
A lot, like when I try to open Explorer. Some strange message about infection and IP address from the start page "http://www.security2k.net/".
I've tried the following spyware programs to get rid of my problem; I even did everything in "safe mode":
Ad-Aware
Xoft Spy
Spybot Search&Destroy
Security center
Spysweeper
A lot of registry keys and files were found and deleted with these programs, but the only program that now finds a strange file is Xoft Spy.
It found 2 files:
"PS guard - registry key - malware\desktop hijackersoftware\shudderltd"
"Smitfraud - registry key - Malware\desktop hijackersoftware+microsoft\windows\currentversion\explorer\browser helper objects"
They are deleted successfully every time, but when I do it again the files show up again and again and again... It doesn't matter what I do with them. They return the whole time.
I had one infected virus in c:\windows\system32\oleext.dll.
I've tried to repair it with Norton Antivirus 2005, but it wouldn't even get deleted; in "safe mode" I managed to delete it.
That virus was called trojan.desktophijack.
Now, here is my HijackThis log:
Logfile of HijackThis v1.97.
Scan saved at 22:12:10, on 2005-09-1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\PeerGuardian2\pg2.exe
C:\Program\ATI Technologies\ATI.ACE\CLI.exe
C:\Program\GetRight\getright.exe
C:\Program\GetRight\getright.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Messenger\msmsgs.exe
D:\downloads\Program\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp4B22.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Vbptwow] c:\Program Files\Kzrernl\Kcknlj.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.dvdforum.nu
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.dvdforum.nu
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) - http://www.fk.se/inloggning/telia/vspta3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
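Added example (mine, not the poster's code and not part of HijackThis): a small Python triage script that parses entries in the format of the log above and flags the three patterns that stand out in it: an IE search URL pointed at a third-party host (R1), an unnamed BHO whose "DLL" is a .tmp file in system32 (O2), and a Run entry whose name and path look machine-generated (O4). The sample lines are copied from the posted log with the dropped trailing characters restored (the search URL is trimmed to its path because the posted query string is itself cut off). The trusted-host list and the consonant-run heuristic are my assumptions; the heuristic will misfire on abbreviated vendor names such as PSDrvCheck, so treat its output as a list of lines to check first, not as a verdict.

```python
"""Triage a HijackThis-style log for the persistence patterns in the post above.

Added example: not the poster's code and not part of HijackThis.  The
trusted-host list and the consonant-run heuristic are assumptions made for
this illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the posted log, one entry per line, with the
# trailing characters the forum page dropped restored.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp4B22.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Vbptwow] c:\Program Files\Kzrernl\Kcknlj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: hosts that are expected in IE start/search/shell settings.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# Assumption: five or more consonants in a row are rare in real product names
# but common in randomly generated ones (y is treated as a vowel here).
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O2"
    reason: str
    line: str


def host_is_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_browser_setting(kind, body, line):
    """R0/R1: flag IE start/search/shell URLs that point at a third-party host."""
    if " = " not in body:
        return None
    setting, value = body.rsplit(" = ", 1)
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        return None                      # about:blank, local paths, etc.
    if host_is_trusted(value):
        return None
    name = setting.rsplit(",", 1)[-1]
    return Finding(kind, f"{name} points at {urlparse(value).hostname}", line)


def check_bho(kind, body, line):
    """O2: flag unnamed BHOs and BHOs whose 'DLL' is a .tmp file."""
    m = re.match(r"BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$", body)
    if not m:
        return None
    reasons = []
    if m.group("name") == "(no name)":
        reasons.append("unnamed BHO")
    if m.group("path").strip().lower().endswith(".tmp"):
        reasons.append("BHO loads a .tmp file as a DLL")
    return Finding(kind, "; ".join(reasons), line) if reasons else None


def check_run_entry(kind, body, line):
    """O4 Run keys: flag entries whose name or path components look generated."""
    m = re.match(r".*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", body)
    if not m:
        return None                      # Global Startup and other O4 forms
    # Executable path: everything up to the first ".exe", quoted or not.
    exe = re.match(r'"?(?P<exe>[^"]*?\.exe)', m.group("cmd"), re.IGNORECASE)
    tokens = [m.group("name")]
    if exe:
        tokens += [p for p in exe.group("exe").split("\\") if not p.endswith(":")]
    odd = [t for t in tokens if CONSONANT_RUN.search(re.sub(r"\.\w+$", "", t))]
    if not odd:
        return None
    return Finding(kind, "generated-looking name(s): " + ", ".join(odd), line)


CHECKS = {"R0": check_browser_setting, "R1": check_browser_setting,
          "O2": check_bho, "O4": check_run_entry}


def triage(log_text: str) -> list:
    """Return a Finding for every recognised entry in log_text that trips a check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check:
            f = check(m.group("kind"), m.group("body"), line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the three lines discussed in the post and stays quiet on the Norton, Symantec and ctfmon entries. Of the three, the O2 entry is the one to look at first when deleted keys keep coming back: a BHO is loaded into every Internet Explorer and Explorer process, so a cleaner that removes registry keys while that DLL is still loaded is racing it, and running the cleaner again in safe mode, as the poster did, is the usual way to get ahead of it.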