Problems with PS Guard.. can you help me?

Purgatory

Hi there. Excuse me if my English is bad (I'm from Sweden)

I'm having a problem with some sh*t called PS Guard.
Not in Mozilla Firefox but in Internet Explorer....
I get some weird message in the lower right window "Security alert!"
and that my computer is infected..
A lot like when I try to open Explorer. Some strange message about
infection, IP address from the start page "http://www.security2k.net/"

I've tried the following spyware programs to get rid of my problem, I even
did everything in "safe mode"
Ad-Aware 6
Xoft Spy
Spybot Search&Destroy
Security center
Spysweeper

A lot of registry keys and files were found and deleted with these
programs but the only program that now finds a strange file is Xoft
Spy.
It found 2 files:
"PS guard - registry key - malware\desktop
hijackersoftware\shudderltd"
"Smitfraud - registry key - Malware\desktop
hijackersoftware+microsoft\windows\currentversion\explorer\browser
helper objecta"

They are deleted successfully every time but when I do it again the
files show up again and again and again........ it doesn't matter what
I do with them. They return the whole time.

I had one infected virus on c:windows\system32\oleext.dll
I've tried to repair it with Norton Antivirus 2005 but it wouldn't even
get deleted but in "safe mode" I managed to delete it.
That virus was called trojan.desktophijack.B

Now, here is my hijackthis log:

Logfile of HijackThis v1.97.
Scan saved at 22:12:10, on 2005-09-1
Platform: Windows XP SP2 (WinNT 5.01.2600
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180

Running processes
C:\WINDOWS\System32\smss.ex
C:\WINDOWS\system32\csrss.ex
C:\WINDOWS\system32\winlogon.ex
C:\WINDOWS\system32\services.ex
C:\WINDOWS\system32\lsass.ex
C:\WINDOWS\system32\Ati2evxx.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\System32\svchost.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\system32\svchost.ex
C:\WINDOWS\system32\Ati2evxx.ex
C:\WINDOWS\Explorer.EX
C:\Program\Delade filer\Symantec Shared\ccSetMgr.ex
C:\Program\Delade filer\Symantec Shared\SNDSrvc.ex
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.ex
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.ex
C:\WINDOWS\system32\spoolsv.ex
C:\WINDOWS\system32\mssearchnet.ex
C:\WINDOWS\system32\nvctrl.ex
C:\Program\ATI Technologies\ATI.ACE\cli.ex
C:\WINDOWS\SOUNDMAN.EX
C:\Program\D-Tools\daemon.ex
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.ex
C:\Program\Java\jre1.5.0_04\bin\jusched.ex
C:\Program\Delade filer\Symantec Shared\ccApp.ex
C:\Program\Webroot\Spy Sweeper\SpySweeper.ex
C:\Program\MSN Messenger\MsnMsgr.Ex
C:\WINDOWS\system32\ctfmon.ex
C:\Program\PeerGuardian2\pg2.ex
C:\Program\ATI Technologies\ATI.ACE\CLI.ex
C:\Program\GetRight\getright.ex
C:\Program\GetRight\getright.ex
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EX
C:\Program\Norton AntiVirus\navapsvc.ex
C:\Program\Norton AntiVirus\IWP\NPFMntor.ex
C:\WINDOWS\system32\svchost.ex
C:\Program\Webroot\Spy Sweeper\WRSSSDK.ex
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\WINDOWS\system32\wdfmgr.ex
C:\WINDOWS\System32\alg.ex
C:\Program\Internet Explorer\IEXPLORE.EX
C:\Program\Mozilla Firefox\firefox.ex
C:\WINDOWS\Explorer.EX
C:\Program\Messenger\msmsgs.ex
D:\downloads\Program\HijackThis.ex

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Länkar
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext
http://windowsupdate.microsoft.com
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} -
C:\WINDOWS\system32\hp4B22.tmp
O3 - Toolbar: Norton AntiVirus
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norto
AntiVirus\NavShExt.dl
O4 - HKLM\..\Run: [ATICCC] "C:\Program\AT
Technologies\ATI.ACE\cli.exe" runtim
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EX
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe
-lang 103
O4 - HKLM\..\Run: [HPDJ Taskbar Utility
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Vbptwow] c:\Program Files\Kzrernl\Kcknlj.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy
Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian2\pg2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade
filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program\ATI
Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: GetRight - Tray Icon.lnk =
C:\Program\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight -
C:\Program\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel -
res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser -
C:\Program\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.dvdforum.nu
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.dvdforum.nu
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} (VSPTA Class) -
http://www.fk.se/inloggning/telia/vspta3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwa...ash/swflash.cab
 
Rock

Purgatory said:
Hi there. Excuse me if my English is bad (I'm from Sweden)

I'm having a problem with some sh*t called PS Guard.
Not in Mozilla Firefox but in Internet Explorer....
I get some weird message in the lower right window "Security alert!"
and that my computer is infected..
A lot like when I try to open Explorer. Some strange message about
infection, IP address from the start page "http://www.security2k.net/"

I've tried the following spyware programs to get rid of my problem, I even
did everything in "safe mode"
Ad-Aware 6
Xoft Spy
Spybot Search&Destroy
Security center
Spysweeper

A lot of registry keys and files were found and deleted with these
programs but the only program that now finds a strange file is Xoft
Spy.
It found 2 files:
"PS guard - registry key - malware\desktop
hijackersoftware\shudderltd"
"Smitfraud - registry key - Malware\desktop
hijackersoftware+microsoft\windows\currentversion\explorer\browser
helper objecta"

They are deleted successfully every time but when I do it again the
files show up again and again and again........ it doesn't matter what
I do with them. They return the whole time.

I had one infected virus on c:windows\system32\oleext.dll
I've tried to repair it with Norton Antivirus 2005 but it wouldn't even
get deleted but in "safe mode" I managed to delete it.
That virus was called trojan.desktophijack.B

Now, here is my hijackthis log:

<snip>

This is not the forum to post HJT logs. There are specialty forums for it.

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 
pcbutts1

Have HijackThis fix the following lines by placing a check in the box next
to each line. Then download and run the antispyware program listed at the
bottom of this post. You also have an older version of HJT; use the link at
the bottom to get the current version.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
= Länkar
O2 - BHO: (no name) - {893fad3a-931e-4e53-b515-b1426d63799b} -
C:\WINDOWS\system32\hp4B22.tmp
O4 - HKLM\..\Run: [Vbptwow] c:\Program Files\Kzrernl\Kcknlj.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian2\pg2.exe

Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

If none of the above fixes the issue then download Hijack this, run it, save
a copy of the log file and cut and paste it back here to this group so that
I can analyze it. Ignore anyone especially the troll Leythos, who will tag
along a nonsense post to this message, who tells you to post it elsewhere. I
need to see it not them.


HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip
--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
Leythos

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

Always remember - only download files from Trusted Sites.

These sites are for downloading Anti-Spyware tools, in order that I
would use them myself:

AdAwareSE can be found here:
http://www.lavasoft.de/support/download/

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

HiJack can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Ewido Security Suite Trial can be found here:
http://www.ewido.net/en/download/

CrapCleaner can be found at the vendors site here:
http://www.ccleaner.com/ccdownload.asp

CleanUp can be found at the vendors site here:
http://www.stevengould.org/software/cleanup/download.html
or from another reputable source:
http://www.tucows.com/get/405276_152071

The following are two links to Antivirus software in order that I would
use them:

You can also download Symantec Trial version of their Antivirus software
from here:
http://www.symantec.com/downloads/

Download AVG Personal Free edition from here:
http://free.grisoft.com/freeweb.php/doc/2/

These are the actual vendors sites, not some unknown or authorized no-
name site. They also don't artificially increase the hits for sites that
get paid for the amount of traffic they can generate like one poster has
admitted to in this group.
According to PCBUTTS1
The authors of the above programs, with the exception of Microsoft has given
the owner of pcbutts1.com express written permission to redistribute their
software.

Except he can't prove it and none of them validate his statement.
 
kurttrail

Purgatory said:
Hi there. Excuse me if my English is bad (I'm from Sweden)

I'm having a problem with some sh*t called PS Guard.
Not in Mozilla Firefox but in Internet Explorer....
I get some weird message in the lower right window "Security alert!"
and that my computer is infected..
A lot like when I try to open Explorer. Some strange message about
infection, IP address from the start page "http://www.security2k.net/"

I've tried the following spyware programs to get rid of my problem, I even
did everything in "safe mode"
Ad-Aware 6
Xoft Spy
Spybot Search&Destroy
Security center
Spysweeper

A lot of registry keys and files were found and deleted with these
programs but the only program that now finds a strange file is Xoft
Spy.
It found 2 files:
"PS guard - registry key - malware\desktop
hijackersoftware\shudderltd"
"Smitfraud - registry key - Malware\desktop
hijackersoftware+microsoft\windows\currentversion\explorer\browser
helper objecta"

They are deleted successfully every time but when I do it again the
files show up again and again and again........ it doesn't matter what
I do with them. They return the whole time.

I had one infected virus on c:windows\system32\oleext.dll
I've tried to repair it with Norton Antivirus 2005 but it wouldn't even
get deleted but in "safe mode" I managed to delete it.
That virus was called trojan.desktophijack.B

Now, here is my hijackthis log:

This ain't the place for HJT logs. Follow Rock's advice.

pcbutthead isn't to be trusted.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
