TechSpot

Please review this HJT log

By bananerzz
Oct 8, 2005
  1. Which files do I delete to get rid of the Trojan PS Guard?

    OMG :( I can't log into anything that is a program that requires you to log in. It either freezes or pops up a message. The PS Guard I heard was a tough one to delete. I really need everyone's help or any professional help =) I appreciate this. Thank you. :p
     
  2. bananerzz

    bananerzz TS Rookie Topic Starter

    In great need of someone's help (view the HJT attachment)

    I really need someone's help on my comp. The PS guard keeps popping back onto my desktop and it takes me 50 tries just to log into any type of program that requires a login. Sometimes, I can't even log in; it just freezes.
     
  3. bananerzz

    bananerzz TS Rookie Topic Starter

    I would appreciate it very much ^^
     

    Attached Files:

  4. bananerzz

    bananerzz TS Rookie Topic Starter

    Why isn't anyone replying or helping me out =(
     
  5. Didou

    Didou Bowtie extraordinair! Posts: 4,274

    The forums are not used by bots. The members have lives outside these forums. Sometimes they sleep, have dinner or just do things away from the computer. If you're patient enough, they might even have a look at your log & reply.
     
  6. Spike

    Spike TS Evangelist Posts: 2,168

    See How to remove Trojans and its ilk!

    Could you then please run HJT and fix all entries with (file missing) and repost the log. While you're there, remove all 016 entries.
     
  7. bananerzz

    bananerzz TS Rookie Topic Starter

    How do I fix all the file missing entries and remove the 016 entries like the e-games when it doesn't say the location?
     
  8. Spike

    Spike TS Evangelist Posts: 2,168

    You simply put a tick in the little square box next to the entries to be fixed (not just 016, but all of the entries to be fixed) and click the fix button.
     
  9. bananerzz

    bananerzz TS Rookie Topic Starter

    Alright, I got rid of the 016's and I fixed the file missing entries =) and the new attachment is below. Sorry I took so long, my dad had to get on ><
     
  10. Spike

    Spike TS Evangelist Posts: 2,168

    Wow! That's infected alright! If that computer was a person I had to drive to hospital, I'd want to be wearing a full biohazard suit!

    No matter though.

    Boot to safe mode and disable system restore..

    Open task manager and end any of the following processes if present...
    flagflap.exe
    jugschin.exe
    msresearch.exe
    xware.exe
    PSGuard.exe
    DALEPEAK.exe
    NEWADP~1.EXE
    Barb Exit Grid.exe
    wwiwm.exe

    Uninstall the following program...
    Warezp2p

    Uninstall, if possible, anything to do with the following unless you recognise it as a legitimate program:
    D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
    D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
    O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
    O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe

    Go to Start -> Run and type the following, then hit the Enter key...
    regsvr32 /u D:\WINDOWS\System32\dcom_9.dll

    And then delete the following files and directories...

    D:\Program Files\Warez P2P Client\
    D:\WINDOWS\msresearch.exe
    D:\WINDOWS\xware.exe
    D:\Program Files\P.S.Guard\
    D:\WINDOWS\System32\NEWADP~1.EXE
    D:\PROGRA~1\COMMON~1\wwiw\
    D:\WINDOWS\System32\dcom_9.dll
    *(delete anything below this that you don't recognise as a legitimate program)*
    D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe
    D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
    D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
    D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe

    Run HJT and fix any of the following entries should they still exist (check the square box next to them all and click Fix), and fix any (file missing) entries. And of course all 016 entries, should there be any...

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {BC2F73C5-ED76-BA02-2C08-A6CAB82050E7} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
    O2 - BHO: (no name) - {C4A22EAA-E6E6-A233-6D04-9C13ECCEB4FA} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
    O4 - HKLM\..\Run: [InternetTestEqBrowse] D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
    O4 - HKLM\..\Run: [msresearch] D:\WINDOWS\msresearch.exe
    O4 - HKLM\..\Run: [xware] "D:\WINDOWS\xware.exe"
    O4 - HKLM\..\Run: [P.S.Guard] D:\Program Files\P.S.Guard\PSGuard.exe
    O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
    O4 - HKLM\..\Run: [adprot] D:\WINDOWS\System32\NEWADP~1.EXE
    O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe
    O4 - HKCU\..\Run: [wwiw] D:\PROGRA~1\COMMON~1\wwiw\wwiwm.exe
    O4 - Global Startup: Personal Coach.lnk = ?
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - D:\WINDOWS\System32\dcom_9.dll

    Turn System Restore back on, and reboot. Scan with HJT and post a new log here so we can check it.
     
  11. bananerzz

    bananerzz TS Rookie Topic Starter

    I couldn't find these in processes:

    flagflap.exe
    jugschin.exe
    msresearch.exe
    xware.exe
    PSGuard.exe
    DALEPEAK.exe
    NEWADP~1.EXE
    Barb Exit Grid.exe
    wwiwm.exe

    I was unable to uninstall these for some reason....
    D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
    D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
    O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
    O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe

    I deleted these like 5 days ago but they still appear in the log...
    D:\WINDOWS\msresearch.exe
    D:\WINDOWS\xware.exe
    D:\Program Files\P.S.Guard\
    D:\PROGRA~1\COMMON~1\wwiw\
    D:\WINDOWS\System32\dcom_9.dll <--- couldn't delete
     
  12. bananerzz

    bananerzz TS Rookie Topic Starter

    OMG I deleted the PS guard but it came back on my desktop >< This happens every time I restart the comp.

    The attachment below is the new HJT log I just scanned. I think there are still several things I need to do but it won't let me.
     
  13. Spike

    Spike TS Evangelist Posts: 2,168

    My first instruction was to end those processes if they were running (obviously some of them weren't going to be running).

    My second instruction was to uninstall WarezP2P. You didn't.

    The third instruction was, if possible, to uninstall certain applications. Clearly, it wasn't possible, as the instruction implied.

    The fourth instruction was to delete things. By the fact that warezp2p is still there, you didn't.

    Now, I may be wrong, but it appears to me that you've been selective in which instructions to follow. I appreciate that some of it may not have been removed through no fault of your own, and some of it may have come back. Nonetheless, it took me about 25 minutes all told to go through your log and write my post, and I'm very tired.

    There may well be something I'd missed, and I can see that there's new stuff in there now. I'm afraid my brain is just too frazzled to go through it again, and so hopefully you'll be able to wait a while for someone else to take a look. Luckily, it's morning here in the UK, and the real experts at this stuff may be along in a few hours. I'd be interested to know if and where I went wrong myself. Please follow their instructions properly if they help you though. There's nothing more frustrating than to spend ages doing something kind for someone you don't know only to find that your instructions aren't followed.
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Please keep all related posts in the ONE thread!

    Start with this one: (does NOT work on W98 and ME)
    To fix Trojans, see How to remove Trojans and its ilk!

    Then try one or both:
    http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Follow these instructions EXACTLY and put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
    Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

    Then Read: How to post your Hijackthis log-files as an attachment.
     
  15. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Ignore these instructions at your own peril!
    Either you follow them, or go somewhere else!

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the Process (if there) and click End Process for:
    ViewMgr.exe
    warez.exe

    Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
    D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    D:\Program Files\Warez P2P Client\warez.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.
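As an added illustration (not a tool from this thread and not HijackThis itself), here is a small Python triage script that applies the checks Spike and RealBlackStuff apply by hand in their posts above: it parses HijackThis-style entry lines and flags (file missing) entries, O16 downloads, O21 SSODL loaders, unnamed BHOs, autoruns living under a user profile, the file names named in this thread, and IE start/search settings pointing at about:blank or an unexpected host. The sample log lines, the KNOWN_BAD name set and the TRUSTED_HOSTS allow-list are constructed for the example, not taken from the poster's attachment.

```python
import re
# Constructed HijackThis-style log lines modelled on entries quoted in this thread,
# plus two benign-looking ones (an NVIDIA entry, the ISP start page). Not the real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {BC2F73C5-ED76-BA02-2C08-A6CAB82050E7} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
O4 - HKLM\..\Run: [P.S.Guard] D:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SomeTool] D:\Program Files\SomeTool\tool.exe (file missing)
O16 - DPF: {PLACEHOLDER-CLSID} (Game Installer) - http://games.example.invalid/setup.cab
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - D:\WINDOWS\System32\dcom_9.dll
"""
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")          # "O4 - <body>" style lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cab)', re.I)  # drive-letter paths
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1")
KNOWN_BAD = {"psguard.exe", "msresearch.exe", "xware.exe", "dcom_9.dll"}  # names from this thread
TRUSTED_HOSTS = {"yahoo.sbc.com"}  # constructed allow-list for IE start/search pages

def reasons(section, body):
    """Return why one entry deserves a look (empty list means it looks ordinary)."""
    low = body.lower()
    names = {p.rsplit("\\", 1)[-1].lower() for p in PATH_RE.findall(body)}
    value = body.split("=", 1)[1].strip() if section in ("R0", "R1") and "=" in body else None
    host = re.sub(r"^https?://", "", value).split("/")[0] if value else ""
    checks = [
        ("(file missing)" in low, "autorun points at a file that no longer exists; fix the entry"),
        (section == "O16", "O16 DPF: downloaded ActiveX object; remove unless deliberately installed"),
        (section == "O21", "O21 SSODL: DLL auto-loaded by Explorer, a classic trojan persistence spot"),
        (section == "O2" and "(no name)" in low, "unnamed BHO: legitimate helper objects carry a name"),
        (section in ("O2", "O4") and any(m in low for m in PROFILE_MARKERS),
         "executable living under a user profile / Application Data folder"),
        (bool(names & KNOWN_BAD), "file name matches a component named in this thread"),
        (value == "about:blank" or bool(host and host not in TRUSTED_HOSTS),
         "IE start/search setting changed to " + repr(value)),
    ]
    return [msg for hit, msg in checks if hit]

def review(text):
    """Map each flagged log line to its reasons; ordinary entries and non-entry text are dropped."""
    flagged = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        why = reasons(*m.groups()) if m else []
        if why:
            flagged[line.strip()] = why
    return flagged
```

Running `review(SAMPLE_LOG)` leaves the NVIDIA entry and the ISP start page unflagged and reports the other eight lines with one or more reasons each; a name-based match like PSGuard.exe only works because the name is on the list, which is why the helpers above still read every O4 line by eye.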
     
Topic Status:
Not open for further replies.
