How do I get rid of PSGuard? already read the sticky

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Signs, Aug 15, 2005.

  1. Signs

    Signs Private E-2

    I'm running Windows2000, and have been infected with PSGuard. I followed all of the steps in the sticky thread on how to get rid of trojans. Every time I open Internet Explorer, my Trend Micro software detects TROJ_STARTPAG.RE, and quarantines a file called axobj.dll. The quarantine log also has lsukr.dll, oxkkq.dll, and dsnvi.dll. None of these can be found in a search of the hard drive.

    After running all the suggested spyware software in the sticky, I still get the same trojan when I start internet explorer. About:blank manages to become the start page every so often. When I re-run Spybot, it finds CoolWWWSearch, Trek Blue Error Nuker, and the aforementioned PSGuard. PSGuard is the only one it can't delete.

    This is driving me crazy! I made a Hijack This log, let me see if I can attach it:
     


  2. Signs

    Signs Private E-2

    OK, let's see if I can recap the results. I followed the instructions as much as I could. I couldn't see a way to disable System Restore for Windows2000. The first run-through, HiJack This couldn't kill sysar.exe and crgg32.exe. I did kill all the other processes you listed. I also couldn't delete sysar.exe and crgg32.exe from their folders, or even from the DOS prompt. None of the other specific files you asked me to delete from WINNT and System32 were there. I mistakenly shut down the PC without pulling the power cord, so I ran through all these steps again.

    This time, HiJack This was able to kill sysar.exe and crgg32.exe. The R3 Default URLSearchHook was back, so I killed it and I think one other process. I noticed something suspicious: O23 Service: Workstation Netlogon Svc - [some gibberish] - unknown owner - C:\WINNT\sysar.exe. I wanted to kill it, but I didn't. This time I was able to delete crgg32.exe and sysar.exe from their folders.

    Pulled the power cord and repeated the steps, but didn't find anything else. I emptied the recycle bin, but I don't have a prefetch folder as far as I can tell. Ran CCleaner and HSRemove. AboutBuster has been run both times, I didn't see anything about a 'second scan'. It adds new information to the same log file, so it should all be available (see attached).

    Rebooted in normal mode and ran CCleaner again. Reset my Explorer settings. Launched Internet Explorer to come on to this forum and post results: Trend Micro is still detecting TROJ_STARTPAG.RE virus, with axobj.dll being the infected file. I ran Spybot again to see what it picked up, it found and fixed 34 instances of CoolWWWSearch.Aff.Winshow, a Startpage-EH, and 3 instances of Trek Blue Error Nuker. PSGuard was still there, and Spybot still couldn't delete it.

    After I read the second response above, I did a search for f23mxins*. There must have been 20 variations of it, all of which I deleted.

    I feel like we're on to something here . . . any more ideas?
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not stop C:\WINNT\system32\f23hser.exe or try to delete the file. It is an NT service related to: ATI Technologies Inc. FireFL23Util

    Note: The HJT log posted does not show the service that Signs mentioned:

    I would expect that a new log after reboot and surfing is going to show more problems.
     
  4. Signs

    Signs Private E-2

    OK, I downloaded Pocket KillBox and did what you suggested. Fortunately I realized f23hser.exe was part of my FireGL software, then I saw the other post, lol. Still getting the trojan, still getting popups. This time I ran HJT before and after getting online, see attached.

    I've downloaded Ewido, and will try it next.
     


  5. Signs

    Signs Private E-2

    Wow, what can I say except that Ewido ROCKS. I didn't run a complete system scan because I have a lot of data on D: that can't be disturbed. So I ran a custom scan of the registry, memory, and C: After all that work previously, it still found and fixed 45 problems; see report. After I got online, I made another HJT log too, see attached.

    When I launched internet explorer, no trojan warning from Trend Micro, and no popups so far! I'll keep an eye on it, I'm gun shy about claiming success at this point.

    Any follow-up checks or reporting I should do? I plan to read through the sticky on how to prevent future problems.
     


  6. Signs

    Signs Private E-2

    OK, fixed the two entries. Could not find sdkbr.dll in the WINNT or system32 directories, so maybe that is a good thing. For kicks I ran Spybot again, and it is still finding the CoolWWW and PSGuard trojans, and not able to delete PSGuard. Doesn't seem to be affecting anything so far though, still no hijacking or popups going on.

    To answer your question, yes, I would like to clean up as much crap as possible on my computer, wherever it can be found. If I've got unnecessary processes running, then let's hear it.

    Oh, new HJT log attached.
     


  7. Signs

    Signs Private E-2

    OK, fixed all the things you suggested. I've already run CWShredder, but I ran it again just to check. It didn't find anything. Spybot still picks up PSGuard, but CoolWWW seems to be gone for now. If I click on PSGuard in Spybot, it gives me the following information: HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard

    if that means anything to you. I bet if I run HJT again it will pick up a bunch of axobj.dll processes running . . . . let me try it . . . hmm I was wrong, it didn't find any. See attached.
     


  8. Signs

    Signs Private E-2

    Not any more. Before I discovered this forum I had already removed PSGuard that way, I don't recall ShudderLTD being there. In any case, neither of them show up now in Add/Remove, just the Spybot search.

    Is HKEY_LOCAL_MACHINE a reference to the registry key? How can one gain access to this?
     
  9. Signs

    Signs Private E-2

    I definitely don't know exactly what I'm doing. I downloaded RegSeeker, and it found 38 instances of PSGuard. I couldn't figure out a way to create a log file or copy/paste into the notepad. I'd like someone more knowledgeable to at least look at what it found . . .

    Most of the references are to a C:\Program Files\PSGuard\Core.dll file, even though I can't find a PSGuard directory anywhere. It also references WndSystem.dll in the same directory, as well as other things that have names like:

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PSGuard spyware remover

    I see Regseeker can back up the files before deletion, is this a reasonably safe way to proceed in case I nuke anything important?
     
  10. Signs

    Signs Private E-2

    Just to be 100% sure, am I deleting everything RegSeeker finds, or just the things with PSGuard and ShudderLTD? Don't want to screw this up . . .
     
  11. Signs

    Signs Private E-2

    OK, this is actually becoming fun. Does that make me a geek? After running RegSeeker numerous times, it consistently turns up one entry: SOFTWARE\ShudderLTD\PSGuard\PSGuard. If I search for PSGuard it shows up twice, but it's the same string. ShudderLTD shows up once, same string. It disappears when I delete it, but reappears on the next scan. I let Spybot run again on a restart, just to see if it had any better luck deleting PSGuard that way, but it didn't.

    At this point I guess I'm just being anal about it. There doesn't seem to be any leftovers except for this mysterious file tree. Hopefully it is not just playing dead . . . .
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is a useful tool that you guys can make use of.

    Download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    PSGuard
    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread.


    Then repeat the above while searching for ShudderLTD

    Attach the log for both searches here.


    I bet something like below exists:
    HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD
    HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard
     
  13. PhilliePhan

    PhilliePhan Guest

    Hey guys,

    You could try this:


    Download SmitRem
    Boot to Safe Mode and run smitRem.exe and follow the prompts.
    It will create a log at C:\smitfiles.txt - Please attach it.

    If that doesn't get it, you could try regedit and manually yank it out of there ;)

    PP :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was my next step or I would have used my manual steps! ;)
     
    Last edited: Aug 16, 2005
  15. Signs

    Signs Private E-2

    Thanks for all the help guys. I downloaded and ran the vbs tool. It didn't find ShudderLTD, so there is no file for that. It did find PSGuard, see attached.

    I might try SmitRem. I'm dimly aware of the Regedit feature if I search way back through the cobwebs to 10th grade computer class . . .
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It found ShudderLTD. It is on the same lines as PSGuard.


    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixPSG.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixPSG.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
     
  17. Signs

    Signs Private E-2

    The vbs tool did not delete the file upon closing Wordpad.

    I just made the registry entry you suggested . . . let me see what happens . . . RegSrch is still finding PSGuard.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where is it finding it?
     
  19. Signs

    Signs Private E-2

    I did another Spybot check just to confirm. I didn't realize I could get into the Registry Editor from Spybot. The full name of the file, or key, or whatever it is, is as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License

    If I highlight ShudderLTD, PSGuard, or PSGuard, then new information appears in the box on the right hand side of the Registry Editor window. Under "name" there is a red box icon with "ab" inside it, then the word "Default" in parentheses. Under "type" it says REG_SZ.

    I tried deleting and/or renaming all of the files listed above, but it won't let me. I can click open the ab-(Default) icon, and there is a blank field called 'value data' that I can type something in. I don't know what any of this means obviously.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The registry patch I gave should have removed the whole ShudderLTD key and everything below it. It sounds like one of two things is preventing it:
    1) some malware is still running and blocking it
    2) you do not have the correct permission for your user account to edit or change this registry key.

    Do you have Administrator privileges?

    Try running the SmitRem tool that Phillie gave. It may take care of this issue. Make sure you run it from safe mode (that could be another reason for my registry patch not working.....we may have needed to do it in safe mode.)
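    The RegSrch search from post 12 and the permission check from post 20, written out as an added PowerShell example; this is not the thread's tool or chaslang's patch, and PowerShell did not exist on a 2005 Windows 2000 box, so it is shown for a current Windows machine. The search terms, the hives searched and the key path in the removal comment are assumptions taken from the thread.

    ```powershell
    # Added example (not from the thread): search the registry for the strings the
    # thread discusses and report who owns each hit, so "malware blocking it" can be
    # told apart from "my account lacks permission". Terms and hives are assumptions.
    $terms = @('PSGuard', 'ShudderLTD')
    $roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')

    function Find-RegistryString {
        param([string[]]$Roots, [string[]]$Terms)
        foreach ($root in $Roots) {
            # SilentlyContinue skips keys the current account is not allowed to read
            Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $key = $_
                $hit = $false
                foreach ($t in $Terms) {
                    # match on the key name itself (e.g. ...\SOFTWARE\ShudderLTD\PSGuard)...
                    if ($key.Name -like "*$t*") { $hit = $true }
                    # ...and on every value name and value data stored under it
                    foreach ($vn in $key.GetValueNames()) {
                        $data = [string]$key.GetValue($vn)
                        if ($vn -like "*$t*" -or $data -like "*$t*") { $hit = $true }
                    }
                }
                if ($hit) { $key.Name }
            }
        }
    }

    function Show-KeyAccess {
        param([string]$KeyPath)   # PowerShell drive form, e.g. 'HKLM:\SOFTWARE\ShudderLTD'
        $acl = Get-Acl -Path $KeyPath
        # An unexpected owner or an explicit Deny entry explains a key that "won't let me delete"
        [pscustomobject]@{
            Key   = $KeyPath
            Owner = $acl.Owner
            Deny  = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                     ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        }
    }

    # Post 20's first question: is this session actually running with Administrator rights?
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    "Running with Administrator rights: $isAdmin"

    Find-RegistryString -Roots $roots -Terms $terms | Sort-Object -Unique | ForEach-Object {
        $_
        Show-KeyAccess -KeyPath ($_ -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:')
    }
    # Once a hit is confirmed as the leftover key, removing it from an elevated session with
    #   Remove-Item -Path 'HKLM:\SOFTWARE\ShudderLTD' -Recurse
    # does what a "[-HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD]" line in a .reg file does.
    ```

    If the key reappears after removal, as Signs saw with RegSeeker, something still running is recreating it, which is the first of the two causes listed above.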
     
  21. Signs

    Signs Private E-2

    You're going to think I'm an idiot . . . I have administrator privileges, but I wasn't logged on as administrator. It never even occurred to me to try -- I just logged out and logged in as Administrator, and it was like "welcome to Windows, would you like to register?", I guess I just always logged on as me.

    SO, which one of these steps should I do over, while logged on as Administrator?
     
  22. Signs

    Signs Private E-2

    As far as I know my normal account has full privileges. I never get any messages prompting me for the administrator password or anything.

    Anyway, I ran Spybot again logged on as administrator, and also the registry key thing, but no dice. I downloaded SmitRem yesterday, gonna try that here over lunch.
     
  23. Signs

    Signs Private E-2

    KaBOOM! SmitRem did it. I logged on to administrator in safe mode, with the internet connection severed as a precaution. Does it have a specific tool to look for ShudderLTD? Because it found it in like two seconds, before even running the scan. See attached log file, it says it removed it. Logged back on as myself, ran Spybot and it found no threats!

    MajorGeeks has done it! Thank you.


    Wait, now that's weird. When I went to attach the file, Trend Micro popped up a warning window that it found an infected file LTD.exe in the SmitRem folder. It lists the virus as HKTL_NIOREH.A. I hope it is just mis-recognizing this.
     


  24. Signs

    Signs Private E-2

    Oh, and in going through all these steps, my computer has much snappier response than before. Must have had a whole lot of junk. ;)
     
