SpywareGuard: Real-Time deactivates

Discussion in 'adware, spyware & hijack cleaning' started by NYScott, May 13, 2004.

Thread Status:
Not open for further replies.
  1. NYScott

    NYScott Registered Member

    Joined:
    May 13, 2004
    Posts:
    14
    SpywareGuard: Real-Time deactivates [HT! Log Now Posted]

    Hi. One of our users at work had a bunch of spyware on his PC. I cleaned everything I found, including the registry. Ran AdAware + S&D, and all eventually came up clean.

    I added Spyware Guard to his PC. I enabled all settings, and it ran perfectly. However, upon each re-boot, the Real-Time Scanning Engine disables. I re-enable it, re-boot, and it comes up disabled over & over. What should I look for? I assume I missed some spyware crap somewhere...

    He had www .websearch .com as one culprit, with that horrible search bar, as well as a few others.

    Thanks to any who help.
     
    Last edited: May 14, 2004
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    go to http://www.thespykiller.co.uk and download 'Hijack This!'.
    make sure it is placed into its own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. NYScott

    NYScott Registered Member

    Joined:
    May 13, 2004
    Posts:
    14
    OK, I'll do that momentarily--thank you.

    By the way, if thespykiller.co.uk is your site, or the site of someone you know, the download link for HijackThis.exe is malformed. There's a \ where there should be a / , fyi.


    Thanks,
    Scott
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    if you are getting something changing the links for downloading Hijackthis, then it seems that you have a hijacker trying to prevent the download because I've checked and all the links are correct and work perfectly (in IE at any rate and in Opera)

    The couple of times people have said this before it has turned out to be a cws hijack trying to prevent any downloads
     
  5. NYScott

    NYScott Registered Member

    Joined:
    May 13, 2004
    Posts:
    14
    As for the "bad" link: I used my PC at work, which I believe is spy-free, but I use Mozilla, not IE. That's where I got the malformed link. I just copied & pasted the link in the address bar, then changed the link to a "/".

    Right now, I'm on the user's PC (the one with the spyware problem), and I'm using IE. I went to that site, and found that the link is NOT malformed... Odd.....

    Anyway, here's the HijackThis log from the problematic PC:


    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:00 AM, on 5/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\bwurz\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=10.100.200.1:1080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {14987B7A-DB96-CB9F-4E5A-6AD241AE27B1} - (no file)
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gorr2k.gorr.state.ny.us
    O17 - HKLM\Software\..\Telephony: DomainName = gorr2k.gorr.state.ny.us
    O17 - HKLM\System\CCS\Services\Tcpip\..\{962D8165-7785-466A-AE82-267D414752DC}: NameServer = 10.100.200.5,10.100.200.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gorr2k.gorr.state.ny.us
    O17 - HKLM\System\CS1\Services\Tcpip\..\{962D8165-7785-466A-AE82-267D414752DC}: NameServer = 10.100.200.5,10.100.200.10



    THANKS!!
    -Scott
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It must be a bug in the version of Mozilla, because it works in IE and Opera
    anyway nothing much in the log, just a bit of minor cleaning

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder or get scattered all over the desktop

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O3 - Toolbar: (no name) - {14987B7A-DB96-CB9F-4E5A-6AD241AE27B1} - (no file)

    Now I can't find out what this file is or what it does, it might be some sort of driver or it could be the cause of the problem.
    C:\WINDOWS\System32\FSRremoS.EXE can you right click it select properties and see what it belongs to (unless you already know)

    If nothing listed, please copy it, zip it and send to me submit@thespykiller.co.uk and we'll have a look at it and try to find out, please include a short note referring to this thread so I know where it came from
     
  7. NYScott

    NYScott Registered Member

    Joined:
    May 13, 2004
    Posts:
    14
    This is driving me crazy...

    OK, I followed your instructions and had HijackThis delete those 4 entries. I also zipped that one file & will email it to you.

    However, I still have the problem with SG disabling itself. But I think I'm onto something: upon every re-boot of the problem PC, there would be an "Installing Microsoft Office Pro 2003" dialog box. I thought that was a separate issue, and figured I'd deal with it later. However, when I took SG out of the startup folder, I no longer got the 'Installing' dialog box upon startups.

    I then uninstalled SG, downloaded it again, reinstalled it, and had it run right after installing. Immediately, the "Installing MS Office" dialog box came up. When it finished, SG opened up, but with Real-Time disabled.

    ALSO, I did the same thing with SpywareBlaster: uninstalled, then downloaded & reinstalled. I had it run right after installation, and that, too, brought up the "Installing MS Office" dialog box....

    Have you heard of such a thing?? It seems to me that there's still a problem with the PC, PLUS the spyware problem is specifically targeting those software programs.

    Now, after ALL that, I ran HJ! again, and here are those results:


    Logfile of HijackThis v1.97.7
    Scan saved at 2:16:08 PM, on 5/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\WINDOWS\System32\Pelmiced.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=10.100.200.1:1080
    O1 - Hosts: 207.36.196.189 ieautosearch
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gorr2k.gorr.state.ny.us
    O17 - HKLM\Software\..\Telephony: DomainName = gorr2k.gorr.state.ny.us
    O17 - HKLM\System\CCS\Services\Tcpip\..\{962D8165-7785-466A-AE82-267D414752DC}: NameServer = 10.100.200.5,10.100.200.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gorr2k.gorr.state.ny.us
    O17 - HKLM\System\CS1\Services\Tcpip\..\{962D8165-7785-466A-AE82-267D414752DC}: NameServer = 10.100.200.5,10.100.200.10

    Thanks,
    Scott
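    The triage dvk01 did by eye on these logs (ticking only the R3/O3 entries that end in "(no file)") can be automated. The script below is an added example, not code from this thread or from HijackThis itself; it parses entries in the v1.97 line format shown above, flags orphaned "(no file)" references as safe cleanup, and flags the O1 hosts redirect, the R1 proxy setting and any O4 autostart given as a bare filename (like ICO.EXE) for review rather than removal. The sample lines are copied from Scott's logs in this thread.

```python
import re

# Sample entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=10.100.200.1:1080
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: (no name) - {14987B7A-DB96-CB9F-4E5A-6AD241AE27B1} - (no file)
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, O1-O17...) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")

def triage(log_text):
    """Return (kind, section, line) findings for entries worth acting on."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(no file)"):
            # Registry still points at a file that no longer exists: leftover
            # from a removed hijacker, safe to let HijackThis fix.
            findings.append(("orphan", section, raw.strip()))
        elif section == "O1":
            # "Hosts: <ip> <name>": anything not pointing at loopback redirects
            # that hostname somewhere else and needs a look.
            ip, _name = body.split(": ", 1)[1].split(None, 1)
            if ip not in ("127.0.0.1", "0.0.0.0"):
                findings.append(("hosts-redirect", section, raw.strip()))
        elif section == "R1" and "ProxyServer" in body:
            # A proxy can be legitimate (corporate) or a traffic hijack; review.
            findings.append(("proxy", section, raw.strip()))
        elif section == "O4":
            # "[name] command": a command with no directory is resolved via
            # the search path, so the real binary location is ambiguous.
            parts = body.split("] ", 1)
            if len(parts) == 2 and "\\" not in parts[1].strip('"').split()[0]:
                findings.append(("unqualified-path", section, raw.strip()))
    return findings

if __name__ == "__main__":
    for kind, section, line in triage(SAMPLE_LOG):
        print(f"{kind:17} {section:3} {line}")
```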
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've got the file C:\WINDOWS\System32\FSRremoS.EXE
    I've looked at it but am not sure whether it's good or bad so I've sent it off to a few developers to look over

    if it has got a dll with the same name send that over as well, they normally show more whether it's good or bad

    Probably won't get a reply till Monday on that one though

    as to the SG problem post in the Spyware guard /Spyware blaster forum where you will get some better advice direct from the developer
    https://www.wilderssecurity.com/forumdisplay.php?f=23
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    nothing conclusive in the dll either
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Do you have any program installed which would connect to a remote Terminal Server? Do you use remote assistance? FSRremoS.EXE seems to be something similar to a part of that. It's not tagged as a Microsoft file though..

    If you do use it, try disabling it for a while ;)

    Also, post an ASViewer log since it shows all known autostarts, not more adware specific autostarts and BHOs and such

    Even better, download both ASViewer and APM
    Then run APM and just close it again
    Then run ASViewer, press F2, F3, F4 ONCE each, find SAVE in the menu and email the log to the address in my profile.

    http://www.diamondcs.com.au/index.php?page=apm
    http://www.diamondcs.com.au/index.php?page=asviewer

    If this doesn't go far enough, we can boot into safe mode and save logs from both ASViewer and HijackThis :)
     
  11. NYScott

    NYScott Registered Member

    Joined:
    May 13, 2004
    Posts:
    14
    Thank you to all who have helped!! This experience, and your help, has taught me a lot, and I appreciate it.

    However, I've spent too much time on it & have decided to just re-ghost the bad PC. Continued hunting & analyzing will cost me more time than backing up user files & re-ghosting, so I'm going to nuke it. ;)


    Thanks again!
    -scott
     