Please help.

Hey, I have a virus or spyware named mguard.exe. I have done an avast boot scan and it deleted it, but I am getting a message that it couldn't find mguard.exe, please go to search and find the file, every time I restart or start the PC, and I now have 2 programs with Windows Home at restart. I can't delete the other one. All help needed. Thanks for the effort and time.

What is your OS?
Where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
What was the malware name?
Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

I assume this message is a Windows message and not an avast one?
If so, the deleted file is being referenced from somewhere (the registry); since avast deleted it, it can't be found.

Try a registry search for mguard.exe and see if you can identify what is calling it.

A Google search for mguard.exe returns many hits (http://www.google.com/search?q=mguard.exe); this is common in some HijackThis logs:

F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,mguard.exe

If you have anything like this then that could be what is causing the "couldn't find mguard.exe" message.

Also useful as a diagnostic tool: Download HiJackThis.zip. HJT information: HiJackThis Tutorial 1, HiJackThis Tutorial 2 or HiJackThis Tutorial 3.
On-line analysis: HiJackThis Log file On-line Analysis or HiJackThis Log file On-line Analysis 2, or post a copy of the contents of the log here.
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

Hey, I had never used HijackThis tools. I googled about it and it was not helping me. The PC I am talking about has Windows XP Home. I can't register at bleepingcomputer.com to use the tutorials. I need help to delete the other OS with the same name. Thanks, and I will try to do as you asked too.

You don’t have to register, just click on any of the Blue Text links and it takes you to the page with all the information.

Are you sure that wasn’t msguard?

Msguard is a rootkit infection and would fit your symptoms.

Removal instructions here:

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html

Logfile of HijackThis v1.99.1
Scan saved at 17:59:42, on 19.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\NCH Swift Sound\Talk\talk.exe
C:\DOCUME~1\madule\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\madule\Skrivebord\Proglib\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM..\Run: [BroadcomWireless] C:\Programfiler\Broadcom\Wireless\Utility\WlanUtil.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TalkRun] "C:\Programfiler\NCH Swift Sound\Talk\talk.exe" -logon
O4 - HKLM..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Programfiler\Messenger\MSMSGS.EXE" /background
O4 - HKCU..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168988228485
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Here is the log from HijackThis.

No, I am sure that it is mguard.exe because this is the file missing every time I start the computer.

I think it would be worthwhile rebooting to confirm; if the file name was msguard.exe and not mguard.exe, then you should refer to the link he posted on the Rustock_b removal instructions and do that first.

I just started this computer, and the message was "couldn't find file mguard.exe". When I click on OK, a new message comes that I should go to search and look for mguard.exe. It happens every time I reboot or start this computer. David, you asked for the HijackThis log and as you see, the name is there.

F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

Do you have any RealTek equipment ?
C:\DOCUME~1\madule\LOKALE~1\Temp\RtkBtMnt.exe

Here is the mguard reference, you can fix this.
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
O4 - HKLM..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKCU..\Run: [Ms Java for Windows NT] mguard.exe

This looks suspect, whilst the userinit.exe file is a valid system file I can’t see why this would appear like this in a HJT log.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

Suspect, may be Realtek again.
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

Suspect
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)

Yep. mguard is bad too.

Something probably deleted the file, so you should use HijackThis to fix all the references to it.

This double entry needs fixing: instructions below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

http://forum.avast.com/index.php?topic=23031.msg190884#msg190884

The following entry looks very suspicious. You can fix it by stopping and deleting the service- instructions in the same link above.

The Realtek thing is a privacy issue- it gathers personal info- but not a real threat.

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)
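The two replies above apply the same rules by eye: Winlogon Shell must be exactly Explorer.exe and Userinit a single full path to userinit.exe, a Run entry that names a bare file with no path deserves a look because Windows locates it through the search path, and a service whose binary is reported missing is suspect. As an added example (Python written for this page, not code from the thread or from HijackThis), here is a small triage script that encodes those rules and runs them over lines copied from the log posted above; the rundll32 special case is an assumption of this script, not something HJT does. It flags every "(file missing)" service, so the avast O23 quirk mentioned earlier is left to the reader's judgment.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mguard.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Ms Java for Windows NT] mguard.exe
O4 - HKLM..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Ms Java for Windows NT] mguard.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\ppchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Host processes that load a file named in their arguments; judge that file, not the host.
HOST_PROCESSES = {"rundll32.exe"}


def check_shell(value):
    """Winlogon Shell should be exactly Explorer.exe; return every extra program."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def check_userinit(value):
    """Userinit should hold one full path to userinit.exe followed by a comma.
    Return the entries that do not fit, e.g. a second, path-less userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    bad = []
    for i, entry in enumerate(entries):
        basename = entry.rsplit("\\", 1)[-1].lower()
        if i == 0 and "\\" in entry and basename == "userinit.exe":
            continue
        bad.append(entry)
    return bad


def launched_file(command):
    """Return the file a Run command really starts (the DLL for rundll32)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
    if not tokens:
        return ""
    if tokens[0].lower() in HOST_PROCESSES and len(tokens) > 1:
        return tokens[1].split(",")[0]  # rundll32 takes "path\to.dll,EntryPoint"
    return tokens[0]


def analyze(log_text):
    """Return (log line, reason) pairs for the entries worth fixing or checking."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
        if m:
            for extra in check_shell(m.group(1)):
                findings.append((line, f"extra program in Winlogon Shell: {extra}"))
            continue
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
        if m:
            for entry in check_userinit(m.group(1)):
                findings.append((line, f"unexpected Userinit entry: {entry}"))
            continue
        m = re.match(r"O4 - (HKLM|HKCU)\S*Run: \[(.*?)\] (.*)", line)
        if m:
            target = launched_file(m.group(3))
            if "\\" not in target:
                findings.append((line, f"Run entry '{m.group(2)}' starts a path-less file "
                                       f"{target}; it is found via the search path, so locate it"))
            continue
        m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)", line)
        if m and "(file missing)" in m.group(3):
            findings.append((line, f"service '{m.group(1)}' points at a missing file"))
    return findings


if __name__ == "__main__":
    for entry, reason in analyze(HJT_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the sample it reports five items: the Shell addition, the second Userinit entry, the two "Ms Java for Windows NT" Run values, and the Microsoft Agent service; the NVIDIA, Defender and avast lines pass because they name a full path to a file that exists.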

But does anyone know why I get 2 OS at reboot in Windows? I googled it and found out that I can fix it in boot.ini, but I don't know how to get into boot.ini or how I can find this. You people are so nice, so please help me with this too.

Let's deal with this one problem before dealing with the other one; we want to know the original problem is resolved.

but does anyone knows why i get 2 OS at reboot windows.

This is different to what you first stated:

and have now 2 program with windows home at restart.i cant delete the other one. all help needed. thanks for the effort and time.

Can you be more specific? What does "2 programs with Windows Home" mean or look like? Can you post a screenshot?

Based on the Google/boot.ini comment, do you mean you get dual boot options?

If so, boot.ini is a text file located in the C:\ folder; this can be opened with a text editor like Notepad. I don't suggest messing with this as it could seriously stuff your system.

If there is a dual boot option, one is the default OS and if you leave it, it should run that OS.

This is a copy of my boot.ini contents and I have only ever had a single OS no dual boot, so you can compare it to yours. I have XP Pro, which is likely to differ from your version.


[boot loader]
timeout =3
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Ignore the Code tag it is just used to contain my values in the forum post it isn’t in the boot.ini file.
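To make the boot.ini structure above concrete, here is an added example (Python written for this page, not from the post) that parses a boot.ini, shows which entry NTLDR boots by default, and detects the "same label twice" situation the poster describes; the two-entry sample file is constructed for the example and is not the poster's file, while the second constant is the single-OS boot.ini quoted above. The remove_entry helper only drops a menu line from the text, never the default entry, because removing the entry of the installation actually in use leaves nothing to boot; which of two entries is stale cannot be told from the file alone, so check the partition each one points at before editing.

```python
# Constructed sample (not the poster's file): two menu entries that both show as
# "Microsoft Windows XP Home Edition" in the NTLDR boot menu.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
"""

# The single-OS boot.ini quoted in the post above, for comparison.
THREAD_BOOT_INI = r"""[boot loader]
timeout =3
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""


def _split_label(value):
    """Split '"Label" /opt1 /opt2' into (label, options); the label may be unquoted."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_boot_ini(text):
    """Return ({loader settings}, [menu entries]) parsed from boot.ini text."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        # The ARC path never contains '=', so the first '=' separates key and value.
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            label, options = _split_label(value)
            entries.append({"path": key, "label": label, "options": options})
    return loader, entries


def boot_menu(text):
    """Return (timeout seconds, rows); each row records whether it is the default entry."""
    loader, entries = parse_boot_ini(text)
    default = loader.get("default", "")
    timeout = int(loader.get("timeout", "30"))
    rows = [dict(e, default=(e["path"] == default)) for e in entries]
    return timeout, rows


def duplicate_labels(rows):
    """Labels that appear more than once in the menu (the '2 Windows Home' symptom)."""
    counts = {}
    for row in rows:
        counts[row["label"]] = counts.get(row["label"], 0) + 1
    return sorted(label for label, n in counts.items() if n > 1)


def remove_entry(text, arc_path):
    """Return boot.ini text without the menu entry for arc_path; refuses the default."""
    loader, _ = parse_boot_ini(text)
    if arc_path == loader.get("default"):
        raise ValueError("refusing to remove the default entry " + arc_path)
    kept, section, removed = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif (section == "operating systems" and "=" in line
              and line.split("=", 1)[0].strip() == arc_path):
            removed = True
            continue
        kept.append(raw)
    if not removed:
        raise ValueError("no menu entry for " + arc_path)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    timeout, rows = boot_menu(SAMPLE_BOOT_INI)
    print(f"menu shown for {timeout}s; duplicate labels: {duplicate_labels(rows)}")
    for row in rows:
        print(("* " if row["default"] else "  ") + row["label"] + "  " + row["path"])
```

On XP the file is C:\boot.ini with the hidden, read-only and system attributes set, which is why it does not show up in a normal folder listing; the Startup and Recovery dialog under System Properties > Advanced offers an Edit button that opens the same file in Notepad.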

You need to follow these instructions from the link I posted above:

Run regedit and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In there there should be a value (on right hand side of screen) called Userinit.

The data for this value is probably something similar to:

C:\windows\system32\userinit.exe,C:\windows\system32\userinit.exe,

If you do see a duplicated string in there similar to the above - simply double click on the Userinit value and edit the data so as to delete everything to the right of the first comma (,). In the case above you would leave only:

C:\windows\system32\userinit.exe,

I can’t recall where I found these instructions originally: apologies and thanks to whoever originally posted the solution, wherever it was.
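The manual regedit step above, together with the Shell and Run fixes from earlier in the thread, as an added example (Python written for this page, not code from the post or the linked page): clean_userinit does exactly the edit described (keep the first entry and its trailing comma), clean_shell keeps only Explorer.exe, and fix_registry applies both to the HKLM Winlogon key and deletes the "Ms Java for Windows NT" Run values named in the HJT log, under HKLM and HKCU, reporting rather than writing unless dry_run is turned off. Key and value names are the standard Windows ones; running the registry part on the affected machine assumes a Python build that runs there and administrator rights, which are the only assumptions.

```python
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Run value name used by the mguard.exe entries in the HijackThis log above.
MALICIOUS_RUN_VALUES = ("Ms Java for Windows NT",)


def clean_userinit(data):
    """Keep only the first Userinit entry, which must be a full path to
    userinit.exe, and restore the trailing comma Windows writes there."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        raise ValueError("Userinit is empty")
    first = entries[0]
    if "\\" not in first or not first.lower().endswith("\\userinit.exe"):
        raise ValueError(f"first Userinit entry is not a userinit.exe path: {first!r}")
    return first + ","


def clean_shell(data):
    """Shell must be Explorer.exe alone; anything after it is a second logon program."""
    tokens = [t for t in re.split(r"[\s,]+", data.strip()) if t]
    if not tokens or tokens[0].lower() != "explorer.exe":
        raise ValueError(f"Shell does not start with Explorer.exe: {data!r}")
    return tokens[0]


def fix_registry(dry_run=True):
    """Apply the cleaners to the HKLM Winlogon values and delete the Run values.
    Returns (location, before, after) tuples; Windows only, writes nothing when
    dry_run is True."""
    import winreg  # available only on Windows
    changes = []
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        for name, cleaner in (("Userinit", clean_userinit), ("Shell", clean_shell)):
            current, _ = winreg.QueryValueEx(key, name)
            wanted = cleaner(current)
            if wanted != current:
                changes.append((f"HKLM\\{WINLOGON_KEY}\\{name}", current, wanted))
                if not dry_run:
                    winreg.SetValueEx(key, name, 0, winreg.REG_SZ, wanted)
    hives = ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU"))
    for hive, hive_name in hives:
        with winreg.OpenKey(hive, RUN_KEY, 0, access) as key:
            for value in MALICIOUS_RUN_VALUES:
                try:
                    current, _ = winreg.QueryValueEx(key, value)
                except FileNotFoundError:
                    continue  # this hive has no such Run value
                changes.append((f"{hive_name}\\{RUN_KEY}\\{value}", current, None))
                if not dry_run:
                    winreg.DeleteValue(key, value)
    return changes


if __name__ == "__main__":
    for location, before, after in fix_registry(dry_run=True):
        print(f"{location}\n    now: {before!r}\n    fix: {after!r}")
```

Run it once with the default dry run and compare the report with the HJT log before writing; the cleaners refuse to touch a Userinit or Shell value that does not start with the expected system executable, since that is a different problem than the duplicate entry described here and deserves a look rather than an automatic rewrite.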