P.S.Guard and win-eto

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by StanHill, Jan 17, 2006.

  1. StanHill

    StanHill Private E-2

    Please help me to get rid of the P.S. Guard problem - it hijacked my laptop. It changed the desktop to a black screen with a warning about spyware; it starts a pseudo spyware scan; it changed the home page to http://win-eto.com/hp.htm?id=9; it makes the pop-ups "Dialer Platform" and "For Your Instant Access Please Click Yes"; it doesn't allow Panda ActiveScan to run, and many more.

    It can be avoided in Safe mode, but it's terribly annoying.

    Yesterday I tried to get rid of it and used the instructions posted here (SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal) and by noahdfear, but it helped only a little. After doing all the prescribed steps, PSGuard is back, even though wininet.dll got deleted.

    I noticed, while running HJT at the beginning of the procedure, that it had the following R0/R1 lines not listed in your instructions, so I didn't check them to be fixed by HJT. Should I have done that?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9

    Obviously, they refer to my hijacked home page, which I'd like to be google.com, but any time I change it, it goes back to that stupid search site...

    Anyway, here is what I did, and what I achieved yesterday, Jan. 16, 2006:

    1. Switched to Safe mode.
    2. Used CCleaner - 13.6MB removed
    3. Used Windows Malicious... Removal - nothing found
    4. Used Ad-Aware - found :
    Malware.Psguard (7 objects) TAC 7
    Possible Browser Hijack attempt (4 objects) TAC 7
    1 negligible
    12 objects removed
    5. Used Spybot - no threats found
    6. Used CWShredder - CWS.Misconfig removed, restored hidden IEOptions tabs
    7. Used Bitdefender - identified 5 viruses, 44 infected files, 34 deleted files. Viruses:
    Trojan.WininetHook.A 1
    Exploit.Html.Codebase.Exec.Gen 2
    Trojan.Krepper.AL 38
    Trojan.Dialer.EE 2
    Trojan.Downloader.Small.AYL 1

    8. Tried to use Panda ActiveScan, but was unable - win-eto was popping up, etc. By the way, it also prevents the online scan from Trend Micro, which I noticed before.

    9. Based on the above, I decided to use the methodology proposed here and by noahdfear. And here is what I did (I had HJT installed already):
    10. Downloaded smitrem.exe, rebooted laptop to Safe mode.
    11. Ran HJT - scan only. I didn't find any line for fixing among those you have listed in the instructions, but checked and fixed the following:
    O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\P.S.Guard.exe

    Note: as I wrote above, there were suspicious to me lines R0 and R1 with http://win-eto.com/hp.htm?id=9 mentioned above, but as I'm not an expert on HJT, I left them.

    However, probably they should be fixed also, because the procedure didn't work - see below...

    12. After fixing that 1 PSGuard item via HJT, I opened the smitrem folder and started the tool. Everything went fine. I got a message that:
    "...The system file wininet.dll has been identified as infected! This tool will attempt to replace the infected wininet.dll on your computer with a copy from another location on the drive... 1 file was copied... Successfully replaced... Reboot will delete infected wininet.dll and oleadm.dll/oleext.dll... clean up the disk..."
    13. Smitrem tool created the smitfiles.txt file.
    14. I opened Control Panel, went to Customize Desktop-Web, but there was nothing to uncheck there.
    15. In Windows Explorer there was no file from your list to delete.
    16. I rebooted the laptop to normal mode, but PSGuard showed up again! The black screen "Warning! You're in danger..." When I started IE, the home page was from win-eto.com/hp.htm?id=9.
    17. I tried to do Panda Active Scan, but 2 popups from "Dialer Platform" appeared plus the search page from win-eto.com/hp.htm?id=9 plus popup "For Your Instant Access Please Click Yes". When I closed it all, it disappeared, but Panda disappeared also and I wasn't able to do the scan.
    18. I rebooted to Safe mode. Started IE - it opened with win-eto.com/hp.htm?id=9 as the home page. I went to:
    http://www.pandasoftware.com/products/activescan.htm
    and clicked on Scan your PC. Panda's popup window appeared and I clicked on Check Now! I filled in the info as asked and clicked on Scan Now! First a popup from Panda appeared and when I closed it, under it was again a screen from win-eto.com/hp.htm?id=9 - with search options and again the popup/message: "For Your Instant Access Please Click Yes". When I closed it, Panda was gone too...

    Please help.

    I'm enclosing attachments, as requested - smitfiles.txt and HJT log.

    Thanks in advance.

    Stan
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. StanHill

    StanHill Private E-2

    Thanks, bjgarrick,

    I updated the programs and did the scans.
    SpySweeper found a lot of bad stuff...
    Please take a look at the logs.

    Thanks.
    Stan
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. StanHill

    StanHill Private E-2

    I did ewido scan and HJT scan again. Please take a look at the results.
    When I rebooted from Safe to normal, that bad black screen from win-eto/PSGuard appeared again - i.e. the virus still stays... Very strong beast..

    Please help.

    Stan
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let me start off by saying stay in one thread with your problems. I just now realized you have two threads going; the other I am closing and we will continue with this thread!

    Now go back and run Spy Sweeper, download the version from the thread I requested. If you have this version, get the updated definitions and then run another full sweep. Remove any and all found infections, then attach that log.
     
  7. StanHill

    StanHill Private E-2

    Thanks, bjgarrick.

    It's true I have two threads going on, but only because I have two computers - both infected, but with two different sets of viruses...

    I'll do the second scan with SpySweeper.

    Stan
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Was the other thread for the other computer? If so, let me know and I will re-open it and proceed with both threads.
     
  9. StanHill

    StanHill Private E-2

    I'm sorry, but it was - I have 2 computers with two different sets of viruses!!

    And I had a question there in the 2nd thread about a too-big SpySweeper log - 293K - what to do? I can't send it...

    Please re-open. Thanks,

    Stan
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize for the confusion, I will re-open the thread and we will work both for the 2 computers.

    If you can't attach a file due to size, ZIP it and attach it.

    In the meantime, let's get back to fixing this thread...
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - blank (file missing)

    O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - blank (file missing)

    O4 - HKLM\..\Run: [ldvpayf] C:\WINDOWS\System32\ldvpayf.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - blank (file missing)

    O16 - DPF: {071F859C-2646-36BC-D027-2FB274D9A5A0} - http://69.50.173.166/1/gdnCA1862.exe
    O16 - DPF: {2526120F-50AC-7773-C891-100F67BE795B} - http://69.50.173.166/1/gdnCA1862.exe

    O20 - AppInit_DLLs: kernel.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have the viewing of Hidden Files & Folders enabled per the tutorial. Then navigate to and DELETE the following if they still remain:

    C:\WINDOWS\System32\ldvpayf.exe

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT to normal windows and proceed with the rest of this fix...

    FINAL STEP

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete this entire fix, reboot once more and attach a fresh HJT log.
     
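    As an added example that is not part of this thread, the following Python script triages HijackThis 1.99 log lines of the kind listed in the fix above. The sample lines are copied from that fix list (plus two harmless control lines); the trusted-host allowlist, the System32 startup allowlist and the "raw IP in an O16 download URL" rule are the example's own assumptions and heuristics, not HijackThis features.

```python
"""Triage HijackThis-style log lines for browser-hijack indicators.

Added example, not code from the thread or from HijackThis. Sample lines are
taken from the fix list above; the allowlists below are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: home/search pages on these hosts are treated as legitimate.
TRUSTED_HOMEPAGE_HOSTS = {"www.google.com", "google.com", "www.msn.com", "www.majorgeeks.com"}

# Assumption: Run-key binaries that normally live directly in System32.
KNOWN_SYSTEM32_STARTUP = {"ctfmon.exe", "rundll32.exe", "hkcmd.exe", "igfxtray.exe"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return urlparse(url.strip()).hostname or ""
    except ValueError:
        return ""


def is_ip(host):
    """True if the host part is a literal IP address (no DNS name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return a reason string if the HJT line is suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        # body: HKCU\...\Main,Start Page = http://host/...
        key, _, value = body.partition("=")
        value = value.strip()
        if ("Start Page" in key or "Search Page" in key) and value:
            host = host_of(value)
            if host and host.lower() not in TRUSTED_HOMEPAGE_HOSTS:
                return f"{sec}: start/search page points to untrusted host {host}"
        return None

    if sec == "R3" and "missing" in body:
        return "R3: default URLSearchHook missing (common after a hijack)"

    if sec in ("O2", "O3", "O9") and "(file missing)" in body:
        return f"{sec}: orphaned browser extension entry (file missing)"

    if sec == "O4":
        # body: HKLM\..\Run: [name] C:\path\file.exe [args]
        path = body.split("]", 1)[-1].strip()
        exe = re.match(r"^(.*?\.exe)", path, re.I)
        if exe:
            directory, _, base = exe.group(1).rpartition("\\")
            if directory.lower().endswith("system32") and base.lower() not in KNOWN_SYSTEM32_STARTUP:
                return f"O4: unrecognised startup binary in System32: {base}"
        return None

    if sec == "O16":
        # Downloaded Program Files (ActiveX) pointing at a raw IP or an .exe.
        url = URL_RE.search(body)
        if url:
            u = url.group(0)
            if is_ip(host_of(u)) or u.lower().endswith(".exe"):
                return f"O16: ActiveX download from {u}"
        return None

    if sec == "O20" and body.startswith("AppInit_DLLs"):
        value = body.partition(":")[2].strip()
        if value:
            return f"O20: AppInit_DLLs set to {value} (injected into every GUI process)"
        return None

    return None


def triage_log(text):
    """Return a list of (line, reason) for every suspicious line in the log."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: lines from the fix list above plus two benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - blank (file missing)
O4 - HKLM\..\Run: [ldvpayf] C:\WINDOWS\System32\ldvpayf.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {071F859C-2646-36BC-D027-2FB274D9A5A0} - http://69.50.173.166/1/gdnCA1862.exe
O20 - AppInit_DLLs: kernel.dll
"""

if __name__ == "__main__":
    for hit_line, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {hit_line}")
```

    Run it against a saved HJT log by reading the file into `triage_log`. The heuristics only rank lines for a human to review; an O4 entry in System32 with an unfamiliar name is a prompt to look up the file, not proof of infection, and the trusted-host set has to be adjusted to whatever home page the machine's owner actually uses.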
  12. StanHill

    StanHill Private E-2

    Thanks, bjgarrick,

    I did everything last night (around midnight) exactly as you instructed (the only exception being that from the beginning I was in Safe mode, as PS Guard makes it difficult to work in normal mode).

    First, I uninstalled
    Ewido
    SpySweeper

    Then, here is what happened :

    1. I scanned with HJT, checked and fixed the suggested lines.

    NOTE:
    After I clicked fix, this message appeared:
    An unexpected error has occurred at procedure:
    modBackup_MakeBackup(sItem=20 - AppInit_DLLs: kernel.dll)
    Error #5 - Invalid procedure call or argument.
    Please email me at merijn@spywareinfo.com, reporting:
    - what were you trying to fix when error occurred
    - how you can reproduce the error
    - complete HJT scan log if possible
    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2800.1106
    HJT version: 1.99.1
    This message copied to clipboard.
    Click OK to continue with the rest of the scan."


    2. After that I rebooted to Safe mode and looked for ldvpayf.exe - not found
    3. Ran CCleaner
    4. Full scan with Ad-Aware - found 69 critical objects, 1 negligible:
    MRUList (1 object)
    Malware.Psguard (63 objects)
    Possible Browser Hijack attempts (6 objects)
    All problems were fixed (quarantined).
    5. Full scan with Spybot - 2 problems found
    - Windows.ActiveDesktop - 1 entry
    - ABetterInternet - 1 entry (Registry key)
    All items were fixed by Spybot.

    6. Ran cleanmgr

    7. Rebooted to normal windows.
    Unfortunately, the PSGuard effects DIDN'T disappear!
    - that black screen with the pseudo spyware warning appeared again. win-eto went into the home page address and the Dialer popup appeared plus the search screen. However, I changed - as per instructions - Web Settings and Default Security Settings, the home page to MSN, the search page to Google and - luckily - it appears that part worked, as they stay!!! (see below for what's there now)

    8. The bad thing is that when I rebooted, the black, warning screen and Dialer popup appeared again, although - as I said - Internet works better - doesn't force to use win-eto - great fix!!

    9. After I rebooted, Trend Micro Anti-Spyware program started and was making overnight scan while I went to bed...

    10. In the morning the following info was given by Trend Micro Anti-Spyware:
    "One or more high Privacy Threats were detected and currently pose a danger to your system. We recommend that you delete that item.
    The Results were:
    - AdWare_BHJK_CoolWebSearch (1 item) - CWS.Msconford
    - TSPY_Small (1 item)
    in HKU\S-1-5-21-1292428093...\Software\Microsoft\Windows\CurrentVersion\Run\desktop
    - Adware_BHJK_RealSearch (1 item)
    in HKU\S-1-5-21-1292428093...\Software\Microsoft\InternetExplorer\Main\conc
    - Adware_ABetterInternet (1 item)
    HKU\S-1-5-21-1292428093...\Software\aurora

    NOTE: I noticed that this program had under "Whitelist" tab this item:
    Freeloader_PSGuard that was checked (I didn't do it - it was done by malware itself!!!) It meant that this item was ignored automatically during the scan!!!!!
    I UNCHECKED IT, but a minute later it came back - appeared again under that tab as checked item!

    I clicked on CWShredder in the Trend Micro program; it showed CWS.Msconford. I decided to delete it. It was cleaned by the program.
    I made log - tmslogltjan18...

    11. I did HJT scan/log - without any fixing.

    12. I tried how IE works now - home page is MSN, search page - from Google. It means HUGE improvement - thanks a lot. What remains is the starting black screen and warning - there must be traces of PSGuard still.

    Thanks for what we've done already and please fix more (including my other computer in other thread). Thanks a lot!

    Stan
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

