Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

The Dastardly PSGuard [CLOSED]

Started by Wallbridge , Jul 21 2005 02:07 PM

  • This topic is locked This topic is locked

#1
Wallbridge
Posted 21 July 2005 - 02:07 PM

Wallbridge

    New Member

  • Member
  • Pip
  • 7 posts
Hello,

I apologize if this has been answered well before, but I am at my wit's end. This is the first time I have not been able to give Spyware a good, sound thrashing using nothing but Google as a resource.

PSGuard has hijacked this computer's desktop, displaying an advertisement for its service as well as a link to its site, www.psguard.com.

Moreover, there is an exclamation point sitting in a red bubble in the system tray that pops up a message saying I have spyware every few minutes.

I have used Bazooka, Ad-Aware, the Panda virus remover, Avast, Killbox, Registry editing, HijackThis and a variety of other programs to kill this, but nothing doing.

And I can't use that one, Edwina or something, because I am on Windows ME using a Japanese laptop.

Please, won't you help a poor guy out? I swear I'm quitting the Internet after this one!

Log:
Logfile of HijackThis v1.99.1
Scan saved at 13:24:54, on 2005/07/21
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\IMEJPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\NEW\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1041,ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: コリャ英和!ツールバー - {4F04E7B0-F5FD-467e-9A91-54C688F3A947} - C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIEADDIN.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: コリャ英和!(&A) 一発!ポップアップ - res://C:\PROGRA~1\LOGOVI~1\KORYAIP\KKPOPU~1\KKPOPUP.EXE/134
O8 - Extra context menu item: コリャ英和!(&B) ページ翻訳(訳文のみ) - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIETRANSLATIONEXTENSION.DLL/201
O8 - Extra context menu item: コリャ英和!(&C) ページ翻訳(上下対訳) - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIETRANSLATIONEXTENSION.DLL/202
O8 - Extra context menu item: コリャ英和!(&D) ページ翻訳(ヘッダ・リンクタグのみ) - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIETRANSLATIONEXTENSION.DLL/203
O8 - Extra context menu item: コリャ英和!(&E) 翻訳(横)バーで翻訳 - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIEBAR.DLL/205
O8 - Extra context menu item: コリャ英和!(&F) 翻訳(縦)バーで翻訳 - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIEBAR.DLL/206
O8 - Extra context menu item: コリャ英和!(&G) 辞書バーで辞書引き - res://C:\PROGRAM FILES\LOGOVISTA\KORYAIP\TAMAIEADDINS\TAMAIEDICTBAR.DLL/203
O8 - Extra context menu item: コリャ英和!(&H) 音声読み上げ - res://C:\PROGRA~1\LOGOVI~1\KORYAA~1\KORYAA~2.EXE/102
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Ninja バー - {EDF5C580-EA1B-11d3-A2FE-0000C0776AF8} - C:\PROGRAM FILES\ININJA5\NJBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.spacetown.ne.jp/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Please, have mercy on my girlfriend's laptop (and me as a result), and help me take down this menace. I never once clicked yes on any install popups... can Spyware really just install itself now?

Thank you very much,
Chris

Edited by kool808, 08 August 2005 - 05:15 AM.

  • 0

Advertisements

#2
Wallbridge
Posted 21 July 2005 - 11:40 PM

Wallbridge

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Using the information from this topic:

http://www.geekstogo...showtopic=46158

I believe I have placed all remnants of the PSGuard Rebellion under chain and lock.

I had to modify the directions there to fit my personal PSGuard situation, but here is what I did to the letter.

First, what I did not do. I didn't put Panda on my computer again because when I used it before, it said, "Problem found! Pay $40 to fix it!"

I didn't install Ewido because this computer is ME, and incompatible.

Finally, to the meat of the subject: What exactly did I do?

1. Rebooted in Safe Mode
2. Scanned with HijackThis and smashed the line with "spoolsrv32.exe" and the line with "intell32.exe," and every instance that involved the word "PSGuard."
3. Did a Find for the same files to make sure they were completely deleted. They weren't, so I blasted them all.
4. Ran the smitRem batch file. A bunch of deletions appeared, my background changed from advertisement to basic blue, and my "Desktop" command came back in the Properties menu! Celebrated at an all-night festival with my victorious ally.
5. Ran Ad-Aware to root out and execute any last vestiges of the Rebellion. 90 objects found, all removed.

When I started the computer again, the background was still normal, and I still had a Desktop command. I changed the wallpaper back to Phantom of the Opera. While I came to this bookmarked link to spread the good word, the Red Exclamation point appeared again. The wallpaper was normal, but the tray icon was back.

I rallied my allies Safe Mode, HijackThis and our new partner, Regedit.

In Safe Mode, I ran HijackThis and eliminated "intell32.exe" again. Then, I did a regedit search from the run menu in my registry for all cases of "intell32.exe," deleting them.

Then, I did a find in the Windows directory for all files containing the words "intell32.exe." A backup file from HijackThis showed up, so I deleted it.

I rebooted it, and celebrated with much merriment again that the exclamation point was gone.

In short, I hate the Internet, but I made some good allies wandering its dangerous hillsides and alleyways.

Hope I helped,
Chris
  • 0

#3
kool808
Posted 08 August 2005 - 05:15 AM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
I will be closing this thread, Anyone having problems with SpyGuard and it's associates will be helped by our trained staff.

Please read it here:
http://www.geekstogo...nfo-t52227.html
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP