Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Annoying PS Guard keeps coming back!

Started by monagahh , Jul 27 2005 07:37 AM

  • This topic is locked This topic is locked

#1
monagahh
Posted 27 July 2005 - 07:37 AM

monagahh

    New Member

  • Member
  • Pip
  • 3 posts
Hello!

I have a Google pop up blocker, but about a week ago when I was surfing the Net, my computer froze after several advertisments popped up.

When I re-started my computer, there was an Explorer window that says that my "..computer has performed an illegal operation..". Everytime I click to close this annoying window, it keeps coming back again and again. Because of this window, I can't access anything.

I have managed to find a way to try and get onto Internet Explorer - As soon as I close the window, I have to in a split second try and click on the icon on the lower tool bar - but even then it won't load! I have to keep closing the annoying window and quickly try to click on anything on the toolbar (Internet Explorer, Yahoo Msg, Winamp, Windows Media, etc) for it to load - if I'm lucky. I also noticed a new icon on my desktop - it says PSGuard. I tried to go into Program Files - Remove Programs to delete it. That worked, but it was replaced with two more icons: One that says Download Music & the other, Download Movies. I deleted those as well - and there were no more new icons, but just the Explorer pop up.


I look through this website to see if anyone has had a similar problem - I tried all the steps that Geeks to Go mentions for Spyware including Clean Up, Ad-aware, Spy bot & that CW Shredder? Any other suggestions?

When I tried to download "HiJack This" my viruscan tells me that it contains a worm. I've tried to download it on several sites and everytime it tells me that. I have a McAfee virus scan.

Not sure what to do - because I really need to get rid of whatever has taken over my computer and it seems that showing you my log from "HiJack This" would really help to identify the problem.

After trying all these scans - the PS Guard Icon is back up on my desktop!!

Can someone please help me - it's been about a week now - and I don't want to re-install everything because many of my precious digital photos are saved on my hard drive.

Please help! Thank you!
  • 0

Advertisements

#2
g2i2r4
Posted 27 July 2005 - 08:21 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome monagahh to Geeks to Go!

Disable McAfee for just the download. Then, when you start working with it, tell McAfee to exclude it from scanning.

We need the log to start cleaning.
  • 0

#3
monagahh
Posted 28 July 2005 - 07:48 AM

monagahh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hello g2i2r4!

Thanks for helping me out.

After getting your message yesterday I went back to my computer - restarted it to install Hijack and to my surprise the Explorer window was no longer there, but replaced with a "Runtime Error 3@041D4714" window which also continually pops up.

I ran the all the programs (ie. CleanUp, Adaware, etc.) again and it picked up TROJ_startpage.sw & TROJ_DLOADED.sw - also under task manager it shows that Intell32 program is running. The PSGuard icon is still on my desktop -and when I open Inter.Explorer, it automatically takes me to a page for PS Guard virus & Spyware Remover.

My computer works a bit better now - but I will still install HiJack to get rid of this nasty. I will send you the logfile this afternoon.

Thanks again!! Cheers!
  • 0

#4
monagahh
Posted 28 July 2005 - 04:51 PM

monagahh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hello!

When I run Adware & Spybot - the PSGuard will go away temporarily, then suddenly will come up with a pop up that looks like a PSGuard scanning my files.
I just go the Task Manager and end the program. So not sure how to get rid of this virus. Could you please tell me what's been happening with my computer & how I can get rid of it?


Okay - so here is my logfile:


Logfile of HijackThis v1.99.1
Scan saved at 6:40:04 PM, on 7/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q854829641_DISK.DLL (file missing)



Thanks very much!!
  • 0

#5
g2i2r4
Posted 29 July 2005 - 12:07 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
There's more than 'just' PS Guard bugging your computer!

Let's see if we can attack it in one run.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

First we will need to download a few tools that will help us in the removal of your problem.

Update AdAware SE 1.06 to the latest definitions.

***

Download about:buster by RubbeRDuckY.
Download CWShredder.
Download SpSeHjfix.

Save all of these files somewhere you will remember like to the Desktop.

***

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

***

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
***

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
***

Download SmitRem to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\Recycled\Q330995.exe
C:\WINDOWS\Q854829641_DISK.DLL

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

***

Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

***

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe

O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O20 - Winlogon Notify: style2 - C:\WINDOWS\Q854829641_DISK.DLL

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it’s done, press Close.
Reboot your computer into normal windows.

***

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 14 August 2005 - 02:23 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP