Please review this HJT log

Status
Not open for further replies.

bananerzz

Which files do I delete to get rid of the Trojan PS Guard?

OMG :( I can't log into anything that is a program that requires you to log in. It either freezes or pops up a message. The PS Guard I heard was a tough one to delete. I really need everyone's help, or any professional help =) I appreciate this. Thank you. :p
 
In great need of someone's help (view the HJT attachment)

I really need someone's help on my comp. The PS Guard keeps popping back onto my desktop and it takes me 50 tries just to log into any type of program that requires a login. Sometimes, I can't even log in; it just freezes.
 
The forums are not used by bots. The members have lives outside these forums. Sometimes they sleep, have dinner or just do things away from the computer. If you're patient enough, they might even have a look at your log & reply.
 
How do I fix all the (file missing) entries and remove the O16 entries like the e-games when it doesn't say the location?
 
You simply put a tick in the little square box next to the entries to be fixed (not just O16, but all of the entries to be fixed) and click the Fix button.
 
Alright, I got rid of the O16s and I fixed the (file missing) entries =) and the new attachment is below. Sorry I took so long, my dad had to get on ><
 
Wow! That's infected alright! If that computer was a person I had to drive to hospital, I'd want to be wearing a full biohazard suit!

No matter though.

Boot to Safe Mode and disable System Restore.

Open Task Manager and end any of the following processes if present...
flagflap.exe
jugschin.exe
msresearch.exe
xware.exe
PSGuard.exe
DALEPEAK.exe
NEWADP~1.EXE
Barb Exit Grid.exe
wwiwm.exe

Uninstall the following program...
Warezp2p

Uninstall, if possible, anything to do with the following unless you recognise it as a legitimate program:
D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe

Go to Start -> Run and type the following, then hit the Enter key...
regsvr32 /u D:\WINDOWS\System32\dcom_9.dll

and then delete the following files and directories...

D:\Program Files\Warez P2P Client\
D:\WINDOWS\msresearch.exe
D:\WINDOWS\xware.exe
D:\Program Files\P.S.Guard\
D:\WINDOWS\System32\NEWADP~1.EXE
D:\PROGRA~1\COMMON~1\wwiw\
D:\WINDOWS\System32\dcom_9.dll
*(delete anything below this that you don't recognise as a legitimate program)*
D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe
D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe

Run HJT and fix any of the following entries should they still exist (check the square box next to them all and click Fix), and fix any (file missing) entries. And of course all O16 entries, should there be any...

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BC2F73C5-ED76-BA02-2C08-A6CAB82050E7} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
O2 - BHO: (no name) - {C4A22EAA-E6E6-A233-6D04-9C13ECCEB4FA} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
O4 - HKLM\..\Run: [InternetTestEqBrowse] D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
O4 - HKLM\..\Run: [msresearch] D:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [xware] "D:\WINDOWS\xware.exe"
O4 - HKLM\..\Run: [P.S.Guard] D:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
O4 - HKLM\..\Run: [adprot] D:\WINDOWS\System32\NEWADP~1.EXE
O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe
O4 - HKCU\..\Run: [wwiw] D:\PROGRA~1\COMMON~1\wwiw\wwiwm.exe
O4 - Global Startup: Personal Coach.lnk = ?
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - D:\WINDOWS\System32\dcom_9.dll

Turn System Restore back on, and reboot. Scan with HJT and post a new log here so we can check it.
 
I couldn't find these in Processes:

flagflap.exe
jugschin.exe
msresearch.exe
xware.exe
PSGuard.exe
DALEPEAK.exe
NEWADP~1.EXE
Barb Exit Grid.exe
wwiwm.exe

I was unable to uninstall these for some reason....
D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
D:\Documents and Settings\All Users\Application Data\axis frag internet test\jugschin.exe
O4 - HKLM\..\Run: [GlueKindViewUpload] D:\Documents and Settings\All Users\Application Data\2 warn glue kind\DALEPEAK.exe
O4 - HKCU\..\Run: [Boob comp] D:\DOCUME~1\ANDYHO~1\APPLIC~1\BROWSE~1\Barb Exit Grid.exe

I deleted these like 5 days ago but they still appear in the log...
D:\WINDOWS\msresearch.exe
D:\WINDOWS\xware.exe
D:\Program Files\P.S.Guard\
D:\PROGRA~1\COMMON~1\wwiw\
D:\WINDOWS\System32\dcom_9.dll <--- couldn't delete
 
OMG, I deleted the PS Guard but it came back on my desktop >< This happens every time I restart the comp.

The attachment below is the new HJT log I just scanned. I think there are still several things I need to do but it won't let me.
 
My first instruction was to end those processes if they were running (obviously some of them weren't going to be running).

My second instruction was to uninstall WarezP2P. You didn't.

The third instruction was, if possible, to uninstall certain applications. Clearly, it wasn't possible, as the instruction implied.

The fourth instruction was to delete things. By the fact that WarezP2P is still there, you didn't.

Now, I may be wrong, but it appears to me that you've been selective in which instructions to follow. I appreciate that some of it may not have been removed through no fault of your own, and some of it may have come back. Nonetheless, it took me about 25 minutes all told to go through your log and write my post, and I'm very tired.

There may well be something I'd missed, and I can see that there's new stuff in there now. I'm afraid my brain is just too frazzled to go through it again, and so hopefully you'll be able to wait a while for someone else to take a look. Luckily, it's morning here in the UK, and the real experts at this stuff may be along in a few hours. I'd be interested to know if and where I went wrong myself. Please follow their instructions properly if they help you though. There's nothing more frustrating than to spend ages doing something kind for someone you don't know only to find that your instructions aren't followed.
 
Please keep all related posts in the ONE thread!

Start with this one: (does NOT work on W98 and ME)
To fix Trojans, see How to remove Trojans and its ilk!

Then try one or both:
http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Follow these instructions EXACTLY and put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

Then Read: How to post your Hijackthis log-files as an attachment.
 
Ignore these instructions at your own peril!
Either you follow them, or go somewhere else!

Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the Process (if there) and click End Process for:
ViewMgr.exe
warez.exe

Next, click Start/Control Panel/Add/Remove Programs. If there, UNinstall anything to do with:
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Warez P2P Client\warez.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normally. When all OK, switch System Restore back on.
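The entries both helpers walk through above (O4 Run keys, O2 BHOs, O21 SSODL) can be triaged mechanically rather than by eye. This added Python example is not from the thread or from HijackThis: it parses those HJT line shapes, pulls out the module each entry loads, and flags it against a watchlist of the basenames the helpers told the poster to remove. The "Application Data" and "Windows root" heuristics are my own assumption about where such adware tends to drop, not an HJT rule, and the sample log is constructed from lines quoted in this thread.

```python
import re
from pathlib import PureWindowsPath

# Line shapes seen in this thread's HJT excerpts: O4 Run entries, O2 BHO and O21 SSODL.
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
CLSID_RE = re.compile(r"^(BHO|SSODL): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
def _exe_path(cmd):
    # Strip quotes and trailing arguments ('"...\warez.exe" -h') from an O4 Run value.
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def parse_line(line):
    """Return {section, hive, name, path} for one HJT line, or None if not an R*/O* entry."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    e = {"section": m[1], "hive": None, "name": None, "path": None}
    if r := RUN_RE.match(m[2]):       # O4: autostart from a Run key
        e.update(hive=r[1], name=r[3], path=_exe_path(r[4]))
    elif c := CLSID_RE.match(m[2]):   # O2 BHO / O21 SSODL: module loaded by IE or the shell
        e.update(name=c[2], path=c[4])
    return e

def flag_entries(text, watchlist):
    """Flag by watchlist basename plus two review heuristics (my assumption, not an HJT rule)."""
    wl, hits = {w.lower() for w in watchlist}, []
    for e in map(parse_line, text.splitlines()):
        if not e or not e["path"]:
            continue
        p = PureWindowsPath(e["path"])
        base, parent = p.name.lower(), str(p.parent).lower()
        reasons = ["on watchlist"] if base in wl else []
        if "applic~1" in parent or "application data" in parent:
            reasons.append("autostart from Application Data")   # typical adware drop location
        if re.fullmatch(r"[a-z]:\\windows", parent):
            reasons.append("executable in Windows root")        # system binaries live in System32
        if reasons:
            hits.append((e["section"], base, reasons))
    return hits
# Constructed sample: lines copied from the helpers' posts above; watchlist = basenames they listed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {BC2F73C5-ED76-BA02-2C08-A6CAB82050E7} - D:\DOCUME~1\ANDYHO~1\APPLIC~1\ACEITC~1\flagflap.exe
O4 - HKLM\..\Run: [msresearch] D:\WINDOWS\msresearch.exe
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\warez.exe" -h
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - D:\WINDOWS\System32\dcom_9.dll
"""
WATCHLIST = ["flagflap.exe", "msresearch.exe", "warez.exe", "dcom_9.dll"]
```

Running `flag_entries(SAMPLE_LOG, WATCHLIST)` lists each loaded module with its reasons; an empty watchlist still surfaces the two location-based review items, which is the point of keeping the heuristics separate from the known-bad names.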
 