Author Topic: plz help.  (Read 6923 times)


billyboy777

  • Guest
plz help.
« on: January 18, 2007, 11:41:44 PM »
hey, I have a virus or spyware named mguard.exe. I have done an avast boot scan and it deleted it, but I am getting a message that `couldn't find mguard.exe, please go to search and find the file` every time I restart or start the PC, and now have 2 programs with Windows Home at restart. I can't delete the other one. All help needed. Thanks for the effort and time.
« Last Edit: January 18, 2007, 11:52:46 PM by billyboy777 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #1 on: January 19, 2007, 01:38:39 AM »
What is your OS?
Where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
What was the malware name?
Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

I assume this message is a Windows message and not an avast one?
If so, the deleted file is being referenced from somewhere (the registry); since avast deleted it, it can't be found.

Try a registry search for mguard.exe and see if you can identify what is calling it.

A google search for mguard.exe returns many hits, http://www.google.com/search?q=mguard.exe this is common from some HijackThis logs:
Quote
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,mguard.exe

If you have anything like this then that could be what is causing the "couldn't find mguard.exe".

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2 Or post a copy of the contents of the log here
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

billyboy777

  • Guest
Re: plz help.
« Reply #2 on: January 19, 2007, 05:10:57 PM »
hey, I had never used HijackThis tools; I googled about it and it was not helping me. The PC I am talking about has Windows XP Home. I can't register at bleepingcomputer.com to use the tutorials. I need help to delete the other OS with the same name. Thanks, and I will try to do as you asked too.
« Last Edit: January 19, 2007, 05:38:55 PM by billyboy777 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #3 on: January 19, 2007, 05:28:41 PM »
You don't have to register, just click on any of the Blue Text links and it takes you to the page with all the information.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: plz help.
« Reply #4 on: January 19, 2007, 05:57:59 PM »
Are you sure that wasn't msguard?

Msguard is a rootkit infection and would fit your symptoms.

Removal instructions here:

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

billyboy777

  • Guest
Re: plz help.
« Reply #5 on: January 19, 2007, 06:08:04 PM »
Logfile of HijackThis v1.99.1
Scan saved at 17:59:42, on 19.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\NCH Swift Sound\Talk\talk.exe
C:\DOCUME~1\madule\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\madule\Skrivebord\Proglib\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [BroadcomWireless] C:\Programfiler\Broadcom\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TalkRun] "C:\Programfiler\NCH Swift Sound\Talk\talk.exe" -logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168988228485
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Here is the log from HijackThis.

billyboy777

  • Guest
Re: plz help.
« Reply #6 on: January 19, 2007, 06:10:26 PM »
Are you sure that wasn't msguard?

Msguard is a rootkit infection and would fit your symptoms.

Removal instructions here:

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html

No, I am sure that it is mguard.exe, because this is the file missing every time I start the computer.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #7 on: January 19, 2007, 06:14:09 PM »
I think it would be worthwhile rebooting to confirm; if the file name was msguard.exe and not mguard.exe then you should refer to the link he posted on the Rustock_b removal instructions and do that first.

billyboy777

  • Guest
Re: plz help.
« Reply #8 on: January 19, 2007, 06:19:40 PM »
I just started this computer, and the message was "couldn't find file mguard.exe." When I click on OK, then comes a new message that I should go to search and look for mguard.exe. It happens every time I reboot or start this computer. David, you asked for the HijackThis log and as you see, the name is there.

F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
« Last Edit: January 19, 2007, 06:21:54 PM by billyboy777 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #9 on: January 19, 2007, 06:28:27 PM »
Do you have any RealTek equipment ?
C:\DOCUME~1\madule\LOKALE~1\Temp\RtkBtMnt.exe

Here is the mguard reference, you can fix this.
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe

This looks suspect, whilst the userinit.exe file is a valid system file I can't see why this would appear like this in a HJT log.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

Suspect may be realtek again.
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Suspect
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: plz help.
« Reply #10 on: January 19, 2007, 06:35:23 PM »
Yep. mguard is bad too.

Something probably deleted the file, so you should use HijackThis to fix all the references to it.

This double entry needs fixing: instructions below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

http://forum.avast.com/index.php?topic=23031.msg190884#msg190884

The following entry looks very suspicious. You can fix it by stopping and deleting the service; instructions are in the same link above.

The Realtek thing is a privacy issue (it gathers personal info) but not a real threat.

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)

billyboy777

  • Guest
Re: plz help.
« Reply #11 on: January 19, 2007, 06:53:41 PM »
But does anyone know why I get 2 OS at Windows reboot? I googled it and found out that I can fix it in boot.ini, but I don't know how to get into boot.ini or how I can find this. You people are so nice, so please help me with this too.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #12 on: January 19, 2007, 07:03:27 PM »
Let's deal with this one problem before dealing with the other one; we want to know the original problem is resolved.

Quote
but does anyone knows why i get 2 OS at reboot windows.

This is different to what you first stated:
Quote
and have now 2 program with windows home at restart.i cant delete the other one.  all help needed. thanks for the effort and time.

Can you be more specific, what does 2 programs with windows home mean or look like can you post a screen shot ?

Based on the google boot.ini comment, do you mean you get dual boot options?

If so the boot.ini is a text file located in the C:\ folder, this can be opened with a text editor like notepad. I don't suggest messing with this as it could seriously stuff your system.

If there is a dual boot option, one is the default OS and if you leave it it should run that OS.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89335
  • No support PMs thanks
Re: plz help.
« Reply #13 on: January 19, 2007, 07:08:32 PM »
This is a copy of my boot.ini contents and I have only ever had a single OS no dual boot, so you can compare it to yours. I have XP Pro, which is likely to differ from your version.

Code:
[boot loader]
timeout =3
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Ignore the Code tag it is just used to contain my values in the forum post it isn't in the boot.ini file.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: plz help.
« Reply #14 on: January 19, 2007, 07:09:42 PM »
You need to follow these instructions from the link I posted above:

Quote
Run regedit and navigate to:

HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon

In there there should be a value (on right hand side of screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:

C:\windows\system32\userinit.exe,

I can't recall where I found these instructions originally: apologies and thanks to whoever originally posted the solution, wherever it was.
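As an added example (not code from this thread or from HijackThis), the Python below applies DavidR's reading of the F2/O4 lines in reply #9 and the Userinit fix quoted in reply #14 to the log posted above: it flags anything beyond Explorer.exe in Shell and beyond the first userinit.exe entry in Userinit, lists every Shell/Run reference to a given file name (here the deleted mguard.exe), and computes the cleaned Userinit value. The "expected" Winlogon values and the sample lines are my assumptions, copied from the log in this thread.

```python
import re
# Constructed sample: F2 and O4 lines copied from the HijackThis 1.99.1 log posted in this thread.
SAMPLE_HJT_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] mguard.exe
"""

# Assumed canonical XP Winlogon values: Shell is Explorer.exe alone; Userinit is one userinit.exe path (a trailing comma is normal).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")

def parse_hjt(text):
    """Return ({'shell': value, 'userinit': value}, [(hive, label, command), ...])."""
    winlogon, run = {}, []
    for line in text.splitlines():
        m = F2_RE.match(line)
        if m:
            winlogon[m.group(1).lower()] = m.group(2).strip()
        elif (m := O4_RE.match(line)):
            run.append((m.group(1), m.group(2), m.group(3).strip()))
    return winlogon, run

def winlogon_findings(winlogon):
    """Flag every Shell/Userinit entry beyond the single expected one."""
    findings = [f"Shell: unexpected entry '{p}'"
                for p in winlogon.get("shell", "").split() if p.lower() != EXPECTED_SHELL]
    entries = [p.strip() for p in winlogon.get("userinit", "").split(",") if p.strip()]
    if entries and entries[0].lower() != EXPECTED_USERINIT:
        findings.append(f"Userinit: first entry is not userinit.exe: '{entries[0]}'")
    findings += [f"Userinit: extra entry '{p}'" for p in entries[1:]]
    return findings

def fix_userinit(value):
    """The quoted fix: keep only the text up to and including the first comma."""
    return value.split(",")[0].strip() + ","

def references_to(winlogon, run, name):
    """All F2/O4 records that mention a file name, e.g. the deleted mguard.exe."""
    name = name.lower()
    hits = [f"F2 {k}={v}" for k, v in winlogon.items() if name in v.lower()]
    hits += [f"O4 {hive} [{label}] {cmd}" for hive, label, cmd in run if name in cmd.lower()]
    return hits

if __name__ == "__main__":
    print(winlogon_findings(parse_hjt(SAMPLE_HJT_LOG)[0]))
```

Each flagged record corresponds to one line you would tick in HijackThis; the cleaned Userinit value is what the quoted regedit step leaves behind.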