Need New Intell32 & PSGuard Help... [RESOLVED]

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by loophole, 02 September 2005 - 11:56 PM.

Hello...and thanks for the respond:)

Here's my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 2:09:55 PM, on 9/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MEDIASCAPE\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MEDIASCAPE\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Mediascape\One-touch Multimedia Keyboard\KeybdMgr.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\UPDATE.EXE /startup
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
__________________________________________________________________
Now, the following entry has been removed removed MANY times...it returns immediately upon access to the internet. Even though the removals take place in "Safe Mode".

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe

Also, this "path" has been destryed via "KillBox" and all the other above mentioned tools. Also, in Safe Mode.

AdAwareSE seemingly gets rid of it, but it returns right away with each new scan. Whether you access internet or not...

I also have a copy of my HJT log without the Intell32...if you need it for some reason.

Will await further instructions and or ideas...much thanks:)

Hello totenkopff

First please do this for me

Please go here: Jotti

Click the "browse" button and locate this file:

C:\Windows\System\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.

Absolute coolness...I will do this right now...THANKS...Give me minute...

Ok...here's what it said...I copied both parts...since didn't know which was correct...


Wininet.dll
Status: INFECTED/MALWARE
MD5 c3d7506879d2aae035d62e53675e68b7
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Callgate.Oleadm.3
Avast Found Win32:Nsag-B
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found W32.Nsag.B
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.B
Fortinet Found W32/Nsag.B
Kaspersky Anti-Virus Found Virus.Win32.Nsag.b
NOD32 Found Win32/Oleloa.gen
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Scanner Malware name
AntiVir TR/PKeyLog.147.B.3
ArcaVir Trojan.Downloader.Agent.Fz
Avast Win32:Trojan-gen. {Other}
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.Perfect
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:Monitor.Win32.Perflogger.c
NOD32 a variant of Win32/Spy.PerfKey
Norman Virus Control X
UNA X
VBA32 RiskWare.Monitor.Perflogger.c

Hello totenkopff

We are going to have to replace that file, and its a little tricky so I need to make my directions as clear as possible. I should have something up in the next hour

Cool...thanks a bunch, loophole...your the best. I will stand by and await further instructions...

Online

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Now go offline

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Reboot

Online

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat

Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.


Scan the desktop folder with E trust web scanner. When done, make sure the box is check for wininet.dll and click cure.


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

post a new HijackThis log, and the contents of the smitfiles.txt log.

Edited by loophole, 03 September 2005 - 06:46 PM.

Great...thanks...I will do what you asked...and try to get online as soon as possible.

But what is "eTrust Web Scanner"...do I have this on my computer...or is something I have to download first?

Will await you response...thanks:)

Ack forgot the link lol

I have edited my above post

Cool...ok...is this an "online virus scan"...? And...are the following instructions to be peformed online?

That is...the "copy and paste" stuff I'm supposed to do afterwards? Just want to do this right...

Ive edited my post to let you know the online offline parts

When you go to the E trust site you will see what the directions are talking about

Just a sec

Now its correct