psguard perjury


catch
05-08-2005, 18:04
Had this nasty, bastard, regenerating trojan for the past three days. Got it under control, but can't fully delete it - keeps regenerating.

I've posted on another forum, but it's inundated with support enquiries at the minute, so thought I'd try here just in case someone knows how to kill it properly.

I've been using the following software

AdAware
Ewido
Spybot S&D
Webroot spysweeper
CWS shredder
spsehjfix
Microsoft Anti-Spyware Beta
panda (although I can't use it anymore because I've broken IE and rundll in the process of trying to kill psguard)
hsremove
spywareblaster
about:buster

I also have AVG/ZoneAlarm

Microsoft anti-spyware, spsehjfix, adaware, about:buster and ewido have been coming up clean.

However, hjt still shows a search assistant about:blank entry, which if I delete it reappears when I rescan. Here's the most recent log:

Any help much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 19:03:15, on 05/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AMSN\bin\wish.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\nlc\My Documents\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {7F2E23A7-D989-4CE3-8890-6F66F6D62497} - C:\WINDOWS\System32\hdag.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Program Files\Trust\305KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: AMSN.lnk = C:\Program Files\Amsn\amsn.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A16C2BF4-501E-45FA-8A14-F26E022D5E16} (MidRadioCtrl Class) - http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {EF05F60E-8FBA-11D2-9ED1-A60E8F4C3457} (RNSAuditionControl Class) - http://rns.nttvisual.com/Audition/RNSAuditionPlayer.ocx
O18 - Filter: text/x-mrml - {C51721BE-858B-4A66-A8BF-D2882FF49820} - C:\Program Files\YAMAHA\MidRadio Player\midradio.ocx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
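An added example, not part of catch's post and not code from HijackThis itself: a small Python triage script that parses lines in the log format shown above and pulls out the entries a responder would look at first, i.e. R0/R1 values reset to about:blank, O2 BHOs with no display name or a missing DLL, and O4 Run entries that start a bare executable name rather than a full path. The sample lines are constructed from the log above; the three rules are my own assumptions about what is worth a second look, not a verdict.

```python
import re

# Constructed sample, modelled on a few lines of the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {7F2E23A7-D989-4CE3-8890-6F66F6D62497} - C:\WINDOWS\System32\hdag.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")        # "O4 - <body>"
RUN_CMD_RE = re.compile(r"^.*?: \[[^\]]*\] (.*)$")  # "HKLM\..\Run: [name] <command>"
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # command starts with a drive letter


def triage(log_text: str) -> list[dict]:
    """Return the entries a responder should review first, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        section, body = m.groups()
        reasons = []
        if section in ("R0", "R1") and body.endswith("= about:blank"):
            reasons.append("IE search/start page reset to about:blank")
        elif section == "O2":
            if "(no name)" in body:
                reasons.append("BHO with no display name (review manually)")
            if body.endswith("(file missing)"):
                reasons.append("BHO registered but its DLL is absent (removed, hidden or regenerating)")
        elif section == "O4":
            cmd_m = RUN_CMD_RE.match(body)
            if cmd_m:
                cmd = cmd_m.group(1).lstrip('"')
                if not FULL_PATH_RE.match(cmd):
                    reasons.append(f"Run entry without a full path (resolved via PATH): {cmd}")
        for reason in reasons:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The flags are prompts for review, not verdicts: in the log above the RoboForm BHO is also listed as "(no name)" and is legitimate, while the `hdag.dll` entry is both unnamed and missing on disk, which is the combination that matches the "keeps coming back" behaviour described in the post.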

catch
05-08-2005, 21:54
Fixed the bastard.

The final thing that did it was this page:

http://www.toymania.com/toybuzz/compfaq.shtml

Brainaddict
19-09-2005, 08:24
Fucking hell, I've got this evil PSGuard beast. It's more virulent than SARS and swallows my very limited system resources. As well as trying to sell me some bogus kind of spybot I think it's linked to some nasty pop-ups that keep springing up from nowhere. Spybot and ad-aware run (though only in safe mode) and both find bits of it (ad-aware found 70 objects related to it :eek: ) but like a zombie army it just keeps coming back.
I looked at that link catch, but could you clarify how you finally purged the undead monster?

catch
19-09-2005, 08:44
This bit:


1. Download and install Spybot - Search & Destroy.
2. Run the program.
3. GoTo Mode -> Advanced Mode, click 'Yes' at the warning.
4. Click 'Tools'.
5. Select 'BHOs'.
6. Select the bold registry entry.
7. To the right you will see a file (something.dll) ('something' can be any file name) at C:\Windows\System; this is the file that regenerates every time.
8. Select the registry entry and click 'Remove'.
9. Click 'Yes' at the confirmation.
10. Close all open windows and find C:\Windows\System\something.dll
11. Right click it, select 'Properties' and see that it is 30kb (30,720 bytes) and has only 'General' properties and no 'Version' properties.
12. Delete it. (Try as long as it takes, it will eventually go)
13. Now if the main (.dll) file is the same on all computers you may find a file called 'dhcpcsvc.dll' at C:\Windows\System\ (Or your equivalent 'System' Folder); it is about 24KB. Right click it, select 'Properties' and again it should have only 'General' Properties, no 'Version' Properties, AND you will see that the 'Modified' date is earlier (somewhere in 1999) than the 'Created' date.
14. This is the file that regenerates the other dll file. (we shall call it 'anything.dll')
15. Delete it. (You can't... mostly)
16. If you have found the culprit and reached step 15 skip ahead to step 27.
17. If you don't find the file read on.
18. First make sure 'Hide hidden files' is off.
19. To do this open Explorer -> View -> Folder Options -> View. Make sure 'Show all files' is selected. Start from step 13
20. If you still haven't found the file it means the main dll file's name is different on different computers. Don't worry.
21. Open your Internet Explorer. (You don't need to be connected).
22. Open Spybot - Search & Destroy.
23. In the tools click 'Process List'.
24. Select 'IEXPLORER.EXE'
25. See whichever dlls are being used, open 'Explorer' and check their 'Properties'.
26. Here you will find the dll mentioned in step 13 (it may or may not be named 'dhcpcsvc.dll'); follow the instructions from step 13.
27. The damn file is being used by Windows, isn't it.
28. If you have two operating systems you can delete one's dll files from one operating system and then vice versa. (NOTE: The dll is stored in two or three places; 'Search' for them all and delete ALL of them).
29. If you have a single operating system 'Restart in MS-DOS Mode'.
30. When it restarts type 'cd \windows\system' (without the quotes)
31. When the directory changes type 'ren anything.dll anything.123'
32. Type 'exit' and restart windows.
33. Open Explorer and 'C:\Windows\System', delete 'anything.123'
34. Almost done, now using 'AdAware' or something like it see if it finds a registry value with something like "HomeOldSP".
35. Delete this registry entry.
36. Open your 'Search' or 'Find' program from the Start menu.
37. Search for the two dlls you painstakingly deleted.
38. Don't worry if you find them; they are dormant copies and should give you no trouble in deleting them.
39. Make sure you delete all the files, even from your 'Recycle Bin'.
40. If you have Microsoft 'RegClean' use it; if not, don't bother.
41. DONE.

But I ran about 9 spyware programs first (ewido was good, as was spyware blaster).
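An added example, not part of catch's post or of the page the steps were taken from: a Python script that encodes the file traits the steps tell the reader to check by hand in Explorer (a DLL with only 'General' and no 'Version' properties, a Modified date earlier than the Created date, and a size near 30,720 bytes or 24 KB), so the same checks can be run over a whole directory instead of one Properties dialog at a time. The check for a Version tab is approximated by scanning for the VS_VERSION_INFO resource key, which is a heuristic of my own; the size tolerance, the sample files and the `anything.dll` / `real.dll` names are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Sizes quoted in the steps: the regenerating DLL is about 30 KB (30,720 bytes),
# the file that re-creates it about 24 KB. The tolerance is an assumption.
SUSPECT_SIZES = (30720, 24 * 1024)
SIZE_TOLERANCE = 2048

# Explorer's 'Version' tab is populated from a VS_VERSION_INFO resource, which
# carries this key as a UTF-16LE string. Its absence is used here as a cheap
# proxy (heuristic, not a PE resource parser) for "no Version properties".
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


@dataclass
class FileFacts:
    name: str
    size: int
    created: datetime
    modified: datetime
    data: bytes


def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_version_resource(data: bytes) -> bool:
    return VERSION_MARKER in data


def indicators(f: FileFacts) -> list[str]:
    """Return the traits from the removal steps that this file exhibits."""
    hits = []
    if not is_pe_image(f.data):
        return ["not a valid PE image"]
    if not has_version_resource(f.data):
        hits.append("no VS_VERSION_INFO resource (no 'Version' tab)")
    if f.modified < f.created:
        hits.append("modified timestamp precedes creation (timestamp tampering)")
    if any(abs(f.size - s) <= SIZE_TOLERANCE for s in SUSPECT_SIZES):
        hits.append(f"size {f.size} near sizes quoted in thread")
    return hits


def collect(path: Path) -> FileFacts:
    """Gather the facts for a real file. Creation time is only meaningful where
    the OS exposes it (st_birthtime on macOS/BSD, st_ctime on Windows)."""
    st = path.stat()
    created_ts = getattr(st, "st_birthtime", st.st_ctime)
    return FileFacts(path.name, st.st_size,
                     datetime.fromtimestamp(created_ts, timezone.utc),
                     datetime.fromtimestamp(st.st_mtime, timezone.utc),
                     path.read_bytes())


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Map each *.dll in the directory that shows any indicator to its indicators."""
    report = {}
    for p in Path(directory).glob("*.dll"):
        hits = indicators(collect(p))
        if hits:
            report[p.name] = hits
    return report


def _fake_pe(with_version: bool, size: int) -> bytes:
    """Constructed minimal PE-like image: 64-byte DOS header, e_lfanew -> offset 0x40."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0"
    if with_version:
        hdr += VERSION_MARKER
    return bytes(hdr.ljust(size, b"\0"))


# Constructed samples: one file with all three traits, one ordinary DLL.
SAMPLE_SUSPECT = FileFacts("anything.dll", 30720,
                           created=datetime(2005, 8, 5, tzinfo=timezone.utc),
                           modified=datetime(1999, 4, 23, tzinfo=timezone.utc),
                           data=_fake_pe(False, 30720))
SAMPLE_BENIGN = FileFacts("real.dll", 131072,
                          created=datetime(2004, 8, 4, tzinfo=timezone.utc),
                          modified=datetime(2004, 8, 4, 12, tzinfo=timezone.utc),
                          data=_fake_pe(True, 131072))

if __name__ == "__main__":
    for s in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(s.name, indicators(s) or ["no indicators"])
```

`scan_directory(r"C:\Windows\System")` (or `System32` on XP) gives the same answer the Properties dialog gives, for every DLL at once; a file that trips all three indicators is the one the steps say to rename from MS-DOS mode. A missing Version tab on its own is weak evidence, since plenty of legitimate DLLs ship without version resources, which is why the output lists the individual indicators rather than a single score.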

Brainaddict
19-09-2005, 08:46
OK, thanks a lot.

Brainaddict
19-09-2005, 08:48
Incidentally, is there anything illegal about designing things like this? If not, why not? :mad:
People who make things like this and coolwebsearch etc should have their toenails ripped out.

Brainaddict
21-09-2005, 09:22
Right, I did the above forty steps, and though it didn't completely get rid of the fucker (I think it may have been 'improved' since that was written) it did seem to render it less virulent, so thanks.

I found a lot of info about getting rid of PSguard on the geekstogo forums though and did some of the stuff they suggested.

I had the problem that my computer wouldn't run some of the programs though - spywareblaster won't work for some reason and ewido won't run on win98.

What eventually seemed to help was something called smitrem which is designed for the smitfraud trojan (which I also had :rolleyes: ) but also does a general clean-up of lots of files - it seemed to do my computer a world of good.

I'm now only finding one file under psguard instead of 60 when I run spybot and I don't think it's active - I'm not cracking open the champagne yet though...

Wintermute
21-09-2005, 09:56
Incidentally, is there anything illegal about designing things like this? If not, why not? :mad:
People who make things like this and coolwebsearch etc should have their toenails ripped out.


AFAIK, it's pretty illegal. Computer Misuse Act an' all that. The problem is policing it. I disagree about the toenails, though; they should be forced to slowly extract and then eat their arsenic-laced toenails all by themselves.

Brainaddict
21-09-2005, 10:49
AFAIK, it's pretty illegal. Computer Misuse Act an' all that. The problem is policing it. I disagree about the toenails, though; they should be forced to slowly extract and then eat their arsenic-laced toenails all by themselves.
So why can't, say, coolwebsearch be done then? Are they based in some country they can't be extradited from?