PS Guard Virus/Trojan
Geeks to Go forum thread
#1 sevicat (Member)
Hello,

This is the first time I've ever tried using a forum like this, and my computer knowledge seems EXTREMELY limited compared to everyone else writing on this site. So, please bear with me if I seem slow to catch on...

I have recently been hijacked by the PS Guard Virus/Trojan. I have tried running AVG Free Edition and Ad-Aware SE. Although these programs detect problems and fix or quarantine them, the infection is persisting.

I read an interesting thread from CrustyOldBloke describing how to get rid of this infection. I would like to follow the procedures he has outlined. However, he suggests scanning with Ewido Security Suite - I am running Windows 98 and this suite is only compatible with Windows 2000 and XP. Does anyone know if there are other programs that I can substitute for Ewido and still use the same series of steps suggested? I believe the thread I am referring to is titled something like "I Need Help Please.... removal of PS Guard ..help!"

Thanks a lot for your help!!
#2 sevicat (Topic Starter)
Hello to my potential helper...

Firstly, let me be brutally honest here! I was duped into visiting an 'unscrupulous' website and picked up this infection as my browser was connecting to the site. I know this because I had AVG running at the time and it started detecting a Trojan at that point. So, I deserve this infection and the hours and hours I have put into trying to get rid of it.

I have done everything suggested in the Malware removal introduction. I have run these programs: Clean Up!, Ad-aware SE, CWShredder, Spybot S&D 1.4, AVG and Trojan Hunter. I have also performed online scans with Trend Housecall and Panda. I even paid for the Panda Active Scan Pro.

The infection goes away, until I connect to the net. Then the annoying "Your system is Infected" icon appears on the quickstart portion of the Task Bar and the PS Guard program begins to re-install itself. I have also never been able to recover all my desktop properties again. In particular, I run ACDSee Viewer and when I use it to set a picture as the desktop background, the icons are still surrounded by a plain colour pattern over the picture (make any sense?).

Here is my HijackThis log file and the SmitRem logfile. By the way, Trojan Hunter always detects a Trojan in the SmitRem folder?!

-----------------------------------------------------------------------------------------------


smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!

-----------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 5:56:27 AM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab



THANK YOU, IN ADVANCE, TO WHOEVER GETS THIS...
#3 coachwife6 (Retired Staff)
The easiest way to clean up the infected wininet.dll is with Power Archiver.

http://www.oldversio...am.php?n=powarc
Just double click to open and see the contents, then right click and extract the file to the desktop to view properties.
File check cabs 38, 39 and 40 in the Options folder.

When you are done with the fix,

Hit control>>alt>>delete and stop this process.

C:\WINDOWS\SYSTEM\INTELL32.EXE

Run HijackThis and put a check mark next to this one.

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe

Reboot into safe mode (lightly tap F8 when it reboots), then find this file and delete it.


C:\WINDOWS\SYSTEM\INTELL32.EXE

Run CleanUp, reboot and post a new log.
#4 sevicat (Topic Starter)
Hi coachwife6

Thanks a lot for trying to help. As I said in my first post, I seem to be a major NOVICE in comparison to the rest of you guys. I have downloaded Power Archiver 7.02. Now, I'm a bit stuck as to what to do with it!! Am I supposed to create a new archive with wininet.dll in the archive, and then extract that to the desktop? What exactly do you mean by "file check cabs 38, 39 and 40 in the options folder?" These cabs don't exist in my C:\Windows\Options folder?! Also, what is the "fix" you refer to and how do I do that?

Thanks again.
#5 coachwife6 (Retired Staff)
I will approach this another way. Give me a little while and I'll get back with you.
#6 sevicat (Topic Starter)
I really hope you can help me with this! I love my computer...when it's working properly ;)
I did run HijackThis and fixed the entry
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
I also rebooted in safe mode and deleted the intell32.exe file.
Anyway, that was all short-lived, because as soon as I went back on the Internet, everything just re-appeared again.

I haven't included my Panda Active Scan log file yet. It might be useful to you, so here goes:


Incident Status Location

Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\INTELL32.EXE
Adware:adware/psguard No disinfected C:\WINDOWS\ALL USERS\DESKTOP\PSGuard spyware remover.lnk
-----------------------------------------------------------------------------------------------

Also, here is my latest hijack This log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:21 PM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab


Look forward to hearing from you...
#7 coachwife6 (Retired Staff)
Yes, I wish it was that easy. The delay is I need to finish some work with my "paying job" ;) and then I can help you. It may be later tonight, but we will have it singing again. I promise.
#8 coachwife6 (Retired Staff)
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
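The checklist in this post amounts to reading the HijackThis log for autostart entries (O4) tied to the PSGuard files, and for anything else that should not be there. The script below is an added example, not a tool from the thread or from the HijackThis author: it parses HijackThis v1.99-style lines, flags every O4 entry whose executable is one the posted Panda ActiveScan reported as Adware/PsGuard (intell32.exe, PSGuard.exe), and lists any O1 hosts-file override for review, since HijackThis reports hosts entries other than the default localhost line. The sample log is constructed from lines posted in this topic; the known-bad list, the regular expressions and the function names are this example's own assumptions.

```python
"""Triage a HijackThis v1.99 log the way the helper above did by hand.

Added example, not code from the thread. The sample log is constructed
from lines posted in this topic; KNOWN_BAD_EXES holds the two files the
posted Panda ActiveScan flagged as Adware/PsGuard.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: a subset of the HijackThis log lines posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Lower-case basenames the posted Panda scan reported as Adware/PsGuard.
KNOWN_BAD_EXES = {"intell32.exe", "psguard.exe"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# O4 body looks like:  HKLM\..\Run: [EntryName] C:\path\to\program.exe /args
O4_BODY = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First token ending in .exe that contains no path separator or whitespace,
# i.e. the executable's basename even when the path has spaces.
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per O-line; O4 lines also get hive, key, name, command."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header and blank lines carry no autostart data
        entry = {"section": m.group(1), "body": m.group(2), "raw": line}
        if entry["section"] == "O4":
            o4 = O4_BODY.match(entry["body"])
            if o4:
                entry.update(hive=o4.group(1), key=o4.group(2),
                             name=o4.group(3), command=o4.group(4))
        entries.append(entry)
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, raw line) for each entry to fix or review."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        if e["section"] == "O1":
            findings.append(("O1", "hosts file override, verify it is wanted", e["raw"]))
        elif e["section"] == "O4" and "command" in e:
            exe = EXE_NAME.search(e["command"])
            if exe and exe.group(1).lower() in KNOWN_BAD_EXES:
                reason = (f"known PSGuard component {exe.group(1)} autostarts "
                          f"from {e['hive']}\\..\\{e['key']}")
                findings.append(("O4", reason, e["raw"]))
    return findings


def main() -> None:
    for section, reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {raw}")


if __name__ == "__main__":
    main()
```

Legitimate entries such as AVG, ctfmon.exe and MOSearch are left alone by design; the script only reports what the posted scan results already tie to the infection, plus the hosts override, so the operator decides about everything else.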
#9 sevicat (Topic Starter)
Ewido Security Suite doesn't support Windows 98. It seems to be the solution for a lot of these PS Guard problems. Anything else I can use? Also, I don't think there is such an option as 'Display > Desktop > Customize Desktop > Web' on Win98...
#10 coachwife6 (Retired Staff)
Just run the fix without Ewido for now or try another trojan scanner, such as moosoft, which lets you use it for 30 days for free. TDS3 Diamond also has another one.

I was about to turn in when I saw your note. My 98 is off and it's upstairs. Go to Control Panel, Display options and check to see if there is anything similar.
#11 sevicat (Topic Starter)
Hi there coachwife6

I've done everything you said. Guess what, as soon as I rebooted into normal mode, that little icon in the system tray that says 'Your system is infected' was back! Then, as soon as I connected to Panda Active Scan, good 'ol PS Guard re-installed itself. Have you ever seen anything so annoying?

Anyway, I'm attaching the smitrem log file, the HijackThis log created before I removed the items you indicated and the Panda Scan results. Also, I used TDS3 instead of Ewido, as you suggested. However, it appears that TDS was discontinued from June of this year due to advances in anti-virus programs, so it's no longer possible to get updates for TDS. I also checked the Display Options for Windows 98 - there is nothing that resembles the Desktop>Customize Desktop>Web>"Security Info" check box.

I am starting to get despondent. Would this go away if I actually gave PS Guard my money and 'registered' the product? Is this even a legitimate Spyware removal program, or what is it?
-----------------------------------------------------------------------------------------------


smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


intell32.exe
oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!!
-----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:22:31 PM, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
D:\RICHARD\RICHARD'S FILES\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://mmbox.mtn.co....r/mmsPlayer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab

-----------------------------------------------------------------------------------------------


Incident Status Location

Adware:Adware/PsGuard No disinfected C:\WINDOWS\SYSTEM\INTELL32.EXE
Adware:adware/psguard No disinfected C:\WINDOWS\ALL USERS\DESKTOP\PSGuard spyware remover.lnk
Adware:Adware/PsGuard No disinfected C:\WINDOWS\SYSTEM\intell32.exe
Possible Virus. No disinfected C:\Program Files\TDS3\dcsres.exe
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
-----------------------------------------------------------------------------------------------

Thanks again for trying to help.
#12 sevicat (Topic Starter)
By the way, from all the research I'm doing, I'm convinced the reason this thing keeps coming back has to do with the infected wininet.dll. Is there any way you could talk me through cleaning up this file? Alternatively, would a program like Registry Mechanic or PC MightyMax be able to clean it up?
#13 coachwife6 (Retired Staff)
Yes, we need to get rid of it. I just wanted to do this first. Let me get the special fix for it. Give me a little while.
#14 coachwife6 (Retired Staff)
Locate wininet.dll in your system folder and right-click to copy it (make sure you don't cut it!), then paste it on the desktop.

Get the full download trial of Kaspersky - not the online scan - but the full download trial.

Once it's on the desktop run a full system scan with Kaspersky, then when it gets to the wininet.dll on the desktop make sure it doesn't get deleted, but that it gets cleaned.

Then once it's cleaned, rename wininet.dll in the system folder to wininet.old, then copy the clean one off the desktop and paste it into the system folder.

Please download the 30-day free trial of Kaspersky

  • Install the program
  • Run the definition update module.
  • Scan your whole system and let the program remove anything it wants.
  • When finished, REBOOT your system
#15 sevicat (Topic Starter)
Thanks coachwife6. I'll be sure to do this ASAP.
I just thought of something else -- I have copies of all the Win98 cab files stored in a partition on my hard drive. Couldn't I just copy this wininet.dll to the C:\Windows\System folder and delete the old one? Would doing this cause some sort of registry catastrophe or system melt-down?
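Whichever source the replacement wininet.dll comes from (a scanner-cleaned copy as in post #14, or a copy extracted from the Windows 98 cabinet files as asked in post #15), a practitioner would want two things before it goes into the system folder: proof that the file now in place differs from the trusted copy, and a swap that keeps the original under a new name and verifies the copy afterwards. The script below is an added example, not code from the thread: it hashes the in-place DLL against a reference copy, reports the mismatch, and replaces the file only after renaming the original to .old and re-hashing the result. The file contents are constructed stand-ins, and the paths, function names and the "appended payload" scenario are assumptions for the demonstration, not a description of the real infected file.

```python
"""Compare a system DLL with a trusted copy, then replace it with a backup.

Added example, not code from the thread. demo() runs the whole flow on
constructed files in a temporary directory; on a real machine point
compare()/replace_with_backup() at C:\WINDOWS\SYSTEM\wininet.dll and at
the reference copy (e.g. one extracted from the Windows 98 cab files).
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(system_copy: Path, reference: Path) -> Dict[str, object]:
    """Non-destructive check: does the in-place file match the reference byte for byte?"""
    sys_hash, ref_hash = sha256_of(system_copy), sha256_of(reference)
    return {
        "system_sha256": sys_hash,
        "reference_sha256": ref_hash,
        "size_delta": system_copy.stat().st_size - reference.stat().st_size,
        "matches": sys_hash == ref_hash,
    }


def replace_with_backup(system_copy: Path, reference: Path) -> Path:
    """Rename the suspect file to .old, copy the reference in, verify the copy.

    If the copied file does not hash like the reference the original is put
    back, so the system is never left with a half-written DLL.
    """
    backup = system_copy.with_suffix(".old")  # wininet.dll -> wininet.old
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; refusing to overwrite an earlier backup")
    system_copy.rename(backup)
    shutil.copy2(reference, system_copy)
    if sha256_of(system_copy) != sha256_of(reference):
        system_copy.unlink()
        backup.rename(system_copy)
        raise RuntimeError("copied file does not match reference; original restored")
    return backup


def demo() -> Dict[str, object]:
    """Constructed scenario: a 'clean' reference and a system copy with extra
    bytes appended (stand-in data, not a real sample of the infected file)."""
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean wininet body " * 100
    infected = clean + b"<appended payload>"  # constructed, not real malware
    with tempfile.TemporaryDirectory() as d:
        ref = Path(d) / "wininet.dll.reference"
        sysdll = Path(d) / "wininet.dll"
        ref.write_bytes(clean)
        sysdll.write_bytes(infected)
        before = compare(sysdll, ref)
        backup = replace_with_backup(sysdll, ref)
        after = compare(sysdll, ref)
        return {
            "before": before["matches"],
            "after": after["matches"],
            "size_delta_before": before["size_delta"],
            "backup_name": backup.name,
            "backup_kept": backup.exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `compare()` first on its own; it changes nothing and tells you whether a swap is even needed. The replacement step must run where the DLL is not in use, which is why the helper's steps happen from safe mode, and the `.old` copy is what lets you back out if the system misbehaves afterwards.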