PSGuard first appeared on my system, which is running under Windows
98, on 06-26-05, according to the date/time stamp on the folder it
created. At the time i did not appreciate its danger and potential
for irritation, and foolishly even ran it a few times as it appeared
to be a useful virus scanner.
Early in July, I purchased and installed Norton AntiVirus 2005,
which has worked well after I spent nearly a week trying to download
the latest updates across my dial-up line. I am currently using
updates downloaded on August 1, 2005.
On or about July 15th, I was affected by the TrojanDesktophijack.B
virus as described in Norton's Symantic Security
Response-W32_Desktophijack.htm web page. I managed to clean this but
was left with an altered dialog box when I tried to change the
Destop Display Properties. I have since discovered that the
Settings/Folder Options had been changed from my original Classics
setting. However this took a long time to figure out. By this time
the wallpaper had been changed to a message saying the I had been
infected by "Trojan-Spy.HTML.Smitfraud.c" I managed to get rid of
this and return to a wallpaper of my choosing by some juggling in
DOS. Still did not have the Background tab back in the Display Dialog
Shortly after this good old PSGuard kicked in with the flashing red
warning message on my desktop. This was harder to get rid of.
Finally I isolated the "Intell32.exe" file in Windows\Ststem as the
culprit. Also the file "Windows\System\Wininet.dll" is sometimes
corrupted and also "Program Files\Norton AntiVirus\Defalert.dll" is
affected at times. Fortunately I had many months ago made a backup
coly of all my dll files in Windows and Windows\System so I could
restore Wininet.dll from that and I got Defalert.dll from the Norton
CD. Later I copied Defalert.dll to the backup folder as well and set
up a two line DOS batch file to restore these files. The batch files
have to be run in standalone DOS as you get a sharing violation in
DOS under Windows.
On August 1, at my son's suggestion, I downloaded and installed
AdAware SE, which is a great help in removing the damage caused by
PSGuard and/or TrojanDesktophijack when it reappears. It only seems
to happen when I an online to the Internet and usually the first
sign that it is back is a round red icon with and exclamation point
appearing in the SysTray. When this happens I immediately exit from
my Internet session. I then do a Control-Alt-Delete and close the
Intell32 task which is now running. Next I delete the "Intell32.exe"
from Windows\System and then run AdAware, which cleans up much of
the PSGuard damage. Finally I run Norton on my C drive and can now
remove the red Warning message and recover my own wallpaper.
What I cannot find out yet is which web site(s) causes the PSGuard
malware to reappear. I have installed a product called Personal
Firewall but while it will block me getting to my email it does not
seem to stop PSGuard effectively! I am still not sure there is not
something lurking on my computer which is invoked sometimes when I
acces the Internet. I think I shall try another firewall product next.
By the way the Geeks-to-Go Web site suggested the ewido security
suite as a good protection against PSGuard. Unfortunately this only
is available for users of Windows 200 and XP, not Win 98.
Does anyone have any suggestions about trying to fix what is specifically causing the infections?
Sorry for what now looks like a long diatribe.
RRWILL (My very first Unix email name!)