More on PSGuard [CLOSED]

  • This topic is locked



    New Member

  • Member
  • Pip
  • 2 posts
My Experience with PSGuard. Written on August 4, 2005

PSGuard first appeared on my system, which is running under Windows
98, on 06-26-05, according to the date/time stamp on the folder it
created. At the time I did not appreciate its danger and potential
for irritation, and foolishly even ran it a few times as it appeared
to be a useful virus scanner.

Early in July, I purchased and installed Norton AntiVirus 2005,
which has worked well after I spent nearly a week trying to download
the latest updates across my dial-up line. I am currently using
updates downloaded on August 1, 2005.

On or about July 15th, I was affected by the TrojanDesktophijack.B
virus as described in Norton's Symantec Security
Response-W32_Desktophijack.htm web page. I managed to clean this but
was left with an altered dialog box when I tried to change the
Desktop Display Properties. I have since discovered that the
Settings/Folder Options had been changed from my original Classics
setting. However this took a long time to figure out. By this time
the wallpaper had been changed to a message saying that I had been
infected by "Trojan-Spy.HTML.Smitfraud.c". I managed to get rid of
this and return to a wallpaper of my choosing by some juggling in
DOS. Still did not have the Background tab back in the Display Dialog.

Shortly after this good old PSGuard kicked in with the flashing red
warning message on my desktop. This was harder to get rid of.
Finally I isolated the "Intell32.exe" file in Windows\System as the
culprit. Also the file "Windows\System\Wininet.dll" is sometimes
corrupted and also "Program Files\Norton AntiVirus\Defalert.dll" is
affected at times. Fortunately I had many months ago made a backup
copy of all my dll files in Windows and Windows\System so I could
restore Wininet.dll from that and I got Defalert.dll from the Norton
CD. Later I copied Defalert.dll to the backup folder as well and set
up a two line DOS batch file to restore these files. The batch files
have to be run in standalone DOS as you get a sharing violation in
DOS under Windows.

On August 1, at my son's suggestion, I downloaded and installed
AdAware SE, which is a great help in removing the damage caused by
PSGuard and/or TrojanDesktophijack when it reappears. It only seems
to happen when I am online to the Internet and usually the first
sign that it is back is a round red icon with an exclamation point
appearing in the SysTray. When this happens I immediately exit from
my Internet session. I then do a Control-Alt-Delete and close the
Intell32 task which is now running. Next I delete the "Intell32.exe"
from Windows\System and then run AdAware, which cleans up much of
the PSGuard damage. Finally I run Norton on my C drive and can now
remove the red Warning message and recover my own wallpaper.

What I cannot find out yet is which web site(s) causes the PSGuard
malware to reappear. I have installed a product called Personal
Firewall but while it will block me getting to my email it does not
seem to stop PSGuard effectively! I am still not sure there is not
something lurking on my computer which is invoked sometimes when I
access the Internet. I think I shall try another firewall product next.

By the way the Geeks-to-Go Web site suggested the ewido security
suite as a good protection against PSGuard. Unfortunately this only
is available for users of Windows 2000 and XP, not Win 98.

Does anyone have any suggestions about trying to fix what is specifically causing the infections?

Sorry for what now looks like a long diatribe.

RRWILL (My very first Unix email name!)
  • 0




    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi RRWILL and welcome to GTG.

Too much to read there :tazz: I just did a brief skim through it.

We can help you remove it if you follow the steps below first:

Please read this topic and follow the steps outlined there. Post your HijackThis log when you are ready.
  • 0



    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
