Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

PSGuard -ShudderLTD [CLOSED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
I have a client with the red circle with an exclamation mark in the tray. It keeps saying that 'your computer is infected' where of course it isn't, just a ploy to get them to purchase the PSGuard software.

I've cleaned up with HJThis and that and all that went well. I've edited the registry and removed anything that related to PSGuard. Everything but a folder within the registry called ShudderLTD and two subs, 1 level called PSGuard, the next level PSGuard and a folder called license. There is an error if you try to remove the top level (Shudder) folder. I suppose because something is still watching that folder.

I have ran Stinger, nothing there, the system is running NAV 2005 but you can't start NAV from the system prompt, it tells you that you have to reboot. The LU says that the subscription is out of date. Client tried to get update from Symantec and for some reason it would not load correctly, probably related to a bunch of spyware/malware that was on the machine when I got there. We'll do something else with this later.

I ran Spybot S and D and Ad-Aware in safe mode and that cleaned up lots of junk too.

I looked at the registry after a reboot and there were no changes to PSGuard nor additions so I don't think it's in the registry. I looked at win.ini and system.ini for a load and nothing there.

Any Ideas would be great! What did I miss?


Edited by chuckstarck, 15 July 2005 - 01:55 PM.

  • 0




    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
That red circle with exclamation sign in your taskbar is intel32.exe which is present in your system32-folder.

But I want you to perform next first.. because I'm sure files are still present there.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
[*]Instead of Windows loading as normal, a menu should appear
[*]Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Open Ad-aware and do a full scan. Remove all it finds.

Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

Close Ewido

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.
Let us know if any problems persist.

It could be possible, after reboot that your system is using the windows classic theme again.
To restore this and set it back to XP-theme, rightclick on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.
  • 0



    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP