Solved

pe386-msguard-lzx32 & some spywares

Posted on 2006-10-26
11
2,288 Views
Last Modified: 2012-06-21
I'm down to the last 3 items, which are really hard to delete even in HijackThis or the command prompt.

1. rootkit? pe386-msguard-lzx32 - I have no idea how to remove this. I think this one is opening and listening on a port and sending sensitive information to the hacker's computer.

2. DLLs which are loaded even on startup in safe mode with command prompt only.

I could not delete these DLLs because they are already loaded, even in command prompt only?
This is the deskbar spyware, I think, because I can still see it on Windows Explorer's toolbar.
I have deleted all deskbar.dll related files except for the last 2:
xxyxtt.dll & pmkh.dll

Is there another way to prevent them from loading? Which files should I check?
Or is there a way to disable an already running DLL?


I'm using WinXP Pro, by the way.

Last resort is to reinstall Windows.
Suggestions are appreciated.
Thanks
Question by:Jerry_Pang
11 Comments
 
LVL 15

Accepted Solution

by:
venom96737 earned 200 total points
ID: 17817441
Use a program called Killbox, located here: http://www.bleepingcomputer.com/files/killbox.php

Give the path to the DLL files and check the "delete on reboot" option; this will get rid of it.

What kind of file is the pe thing and where is it located? You can remove the file using the same method if you wanted.
 
LVL 15

Expert Comment

by:venom96737
ID: 17817454
There appear to be really a few things you want to do to get rid of this rootkit.

Here is a great post where they deleted it. I figured there was a service and a few things to it, but I didn't know 100 percent. Here you go:

http://www.cybertechhelp.com/forums/showthread.php?t=132769
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 17817668
This nasty rootkit, pe386, hides itself.
I just learned about this on Wikipedia:
http://en.wikipedia.org/wiki/Rootkit

I do not know how to delete it. It's not even detected by HijackThis.
It was detected by smitfraudfix.cmd
while I was trying to fix the spywares smitfraud and astakiller.

It says I need to download rootkit software.

But I don't trust any of the sites that I found.

Thanks for the Killbox.
 
LVL 15

Assisted Solution

by:venom96737
venom96737 earned 200 total points
ID: 17817901
RootkitRevealer will help, but it will only give you the text file it is writing to. Use Avenger, found here: http://swandog46.geekstogo.com\avenger.zip. And do you have the log from SmitfraudFix? If I could get some locations I could help you out more.
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 17817933
>  If I could get some locations I could help you out more.

It says everything is clean
at the end of the raport.txt.

It just says:
pe386-msguard-lzx32
rootkit detected use rootkit tools to fix it.

No other locations.

I just found out it starts to delete all the exe files that I run
in "start/run" after reboot.

Gonna back up now. BRB on Monday.
 
LVL 6

Assisted Solution

by:Mnf
Mnf earned 100 total points
ID: 17818796
First install this free utility:
http://www.sysinternals.com/Utilities/Autoruns.html
It will help you to identify the files that are loaded at boot.
Try it in "safe mode command prompt only" - this is very important so the spyware will not be running there.
You may put it in the root of D:\
then you can use the command prompt to run it (use autoruns.exe).
Then go through all the tabs there to find your files and disable them.

And also you can use this free utility to reveal the rootkit:
http://www.sysinternals.com/Utilities/RootkitRevealer.html

and the other one from AVG:
http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe

And finally, here are more details about "Anti-Rootkit Software - Detection, Removal & Protection":
http://antirootkit.com/software/index.htm
http://antirootkit.com/
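The Autoruns step above (identify what loads at boot, then disable it) and venom96737's Killbox "delete on reboot" step can both be done by hand. The script below is an added example, not code from the thread, Autoruns or Killbox: it lists the Explorer/IE load points a toolbar ("deskbar") DLL typically uses, resolves COM CLSIDs to their DLL, checks Authenticode signatures, and can queue an in-use file for deletion at the next boot via MoveFileEx. It assumes Killbox uses that same PendingFileRenameOperations mechanism; the example path at the end is a placeholder, not a known location of the files in the thread.

```powershell
# Added example. Run elevated, ideally in "Safe Mode with Command Prompt" as Mnf
# advises: a kernel rootkit can hide its own keys and files from a normal session,
# so an entry that is absent here is not proof that it is gone.

function Resolve-ClsidDll([string]$Clsid) {
    # A COM object's DLL lives under HKCR\CLSID\{guid}\InprocServer32 (default value).
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    return [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $key).'(default)')
}

function New-Hit([string]$Where, [string]$Entry, [string]$File) {
    # MISSING means the registry still points at a file that no longer exists.
    $sig = if ($File -and (Test-Path $File)) { (Get-AuthenticodeSignature $File).Status } else { 'MISSING' }
    [pscustomobject]@{ Where = $Where; Entry = $Entry; File = $File; Signature = $sig }
}

function Get-LoadPoints {
    # IE toolbars are values named by CLSID; Browser Helper Objects are subkeys named by CLSID.
    $tb  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $tb) {
        (Get-Item $tb).GetValueNames() | Where-Object { $_ -like '{*}' } |
            ForEach-Object { New-Hit 'IE Toolbar' $_ (Resolve-ClsidDll $_) }
    }
    if (Test-Path $bho) {
        Get-ChildItem $bho | ForEach-Object { New-Hit 'BHO' $_.PSChildName (Resolve-ClsidDll $_.PSChildName) }
    }
    # AppInit_DLLs are mapped into every process that loads user32.dll, so such a
    # DLL is in use from logon onward and cannot simply be deleted.
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($d in ("$($win.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })) {
        New-Hit 'AppInit_DLLs' $d ([Environment]::ExpandEnvironmentVariables($d))
    }
}

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string existing, string target, int flags);
'@

function Remove-FileOnReboot([string]$Path) {
    # MOVEFILE_DELAY_UNTIL_REBOOT (4) with a null target records a delete in
    # PendingFileRenameOperations; the session manager removes the file early in
    # the next boot, before Explorer can load it (assumed to be what Killbox does).
    if (-not [Win32.Native]::MoveFileEx($Path, $null, 4)) {
        throw "MoveFileEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

Get-LoadPoints | Format-Table Where, Entry, File, Signature -AutoSize
# e.g. Remove-FileOnReboot 'C:\PLACEHOLDER\suspect.dll'  then reboot and re-run Get-LoadPoints
```

Disable the matching registry entry (toolbar value, BHO key or AppInit_DLLs reference) before the reboot, otherwise Explorer keeps a dangling load point that shows up as MISSING.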
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17825577
Smitfraudfix does detect drivers from those 3 rootkits mentioned, but it also has false positives; I had a couple of false positives reported with the Smitfraudfix scan.

What you should do is check for rootkits and run GMER:
Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to the clipboard.
Paste the results in your next reply.

If you're having problems running GMER.exe, try it in safe mode.

If GMER doesn't find any rootkit, then that is halfway clear.
Next is to unload the driver pe386 using Avenger or by just stopping the service; if there are no drivers to unload, then it is a false positive.

 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 17825611
deskbar.dll <-- is a variant of the Alcan worm/P2PNetwork worm

xxyxtt.dll <-- looks like Haxdoor

pmkh.dll <-- looks like a Qoologic file, could also be Vundo


Can we look at your HijackThis log please? The HijackThis log can tell us what infections those files belong to by looking at which lines in HijackThis they are running from.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 17838765
Finally reformatting it.
Gonna split now. I'm giving up on fixing it.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17838903
Ooops!!! Too late!
A malware expert just created a tool for these little buggers --> pe386-msguard-lzx32

Sorry to hear you had to reformat; maybe it's for the best, at least now you have a squeaky-clean system.

Thanks for the points!
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 17854649
I started to back it up, and just when I was about to format it,
I gave it to my friend for a last try.
He said something about Defender, which Microsoft bought.

We installed it and it worked perfectly.