
Need New Intell32 & PSGuard Help... [RESOLVED]


  • This topic is locked

#1
totenkopff

totenkopff

    Member

  • Member
  • PipPip
  • 95 posts
Hi! I hope someone can help me...please. I've had the Intell32 & PSGuard in my computer for over a week now and can't get rid of it despite lots of downloading and many suggestions.
Here's what I have downloaded and tried to no avail:

*HijackThis
*AutoRuns
*KillBox
*SmitRem
*Adware Away
*AdAwareSE
*SpywareBlaster
*SpyBot Search & Destroy (now gone)
*CWShredder

The only thing that's ever been close to identifying anything useful has been

"AdAwareSE"

It came up with this...

Ad-Aware SE LOG entry:
----------------
Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}

_______________________________________________________________________

Object Details Per Ad-Aware SE Above Log:
-----------------------------------------
Name: Malware.Psguard
Catagory: Malware
Object TYpe: RegKey
Size: 0 Bytes
Location: clsid\{357a87ed-3e5d-437d-b334-deb7eb4982a3}\
Last Activity: 8-31-05
Relevance: Low
TAC Rating: 7

Comment:
--------
Program masks as doing one thing, but does another.
_______________________________________________________

I've tried removing this particular Registry Key, but it returns immediately.
Also...

SmitRem has claimed this:

Wininet.DLL has been identified as infected
But no other stats or info given as to why or
how to fix

I do not have a Windows disk so I've been cautious as to what I do. I've tried MANY different fixes and I'm getting desperate.

HijackThis gets rid of it...and it returns upon connecting to the internet. ALL of the above downloads seem to work...then all the problems return upon connection to the internet. Any new advice would be much appreciated...thanks and will await instructions...:tazz:
  • 0



#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
If you're still having trouble, we'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists will be harmless or even essential. DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by loophole, 02 September 2005 - 11:56 PM.

  • 0

#3
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Hello...and thanks for the response:)

Here's my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 2:09:55 PM, on 9/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MEDIASCAPE\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MEDIASCAPE\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Mediascape\One-touch Multimedia Keyboard\KeybdMgr.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\UPDATE.EXE /startup
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
__________________________________________________________________
Now, the following entry has been removed MANY times...it returns immediately upon access to the internet. Even though the removals take place in "Safe Mode".

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe

Also, this "path" has been destroyed via "KillBox" and all the other above mentioned tools. Also, in Safe Mode.

AdAwareSE seemingly gets rid of it, but it returns right away with each new scan. Whether you access internet or not...

I also have a copy of my HJT log without the Intell32...if you need it for some reason.

Will await further instructions and or ideas...much thanks:)
  • 0
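
Added example (not part of the original thread and not code from HijackThis): the post above mentions keeping a HijackThis log taken without the intell32 entry, so this Python code parses the O4 autorun lines of two logs and reports which entries have reappeared. The function names and the constructed baseline log are assumptions made for illustration.

```python
import re

# O4 line shapes as HijackThis v1.99.1 prints them in the log above:
#   O4 - HKLM\..\Run: [name] command
#   O4 - Startup: name.lnk = target
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_DIR = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Constructed sample: O4 lines copied from the log in the post above. The
# baseline is the same text with the intell32 line left out.
LATER_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
"""
BASELINE_LOG = "\n".join(
    line for line in LATER_LOG.splitlines() if "intell32" not in line)


def parse_autoruns(log_text):
    """Map (location, lower-cased name) -> command for each O4 line."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_REG.match(line)
        if m:
            location = m["hive"] + "\\" + m["key"]
        else:
            m = O4_DIR.match(line)
            if not m:
                continue  # not an autorun line (R0, O3, O9, ...)
            location = m["key"]
        entries[(location, m["name"].lower())] = m["cmd"].strip()
    return entries


def new_autoruns(baseline_log, later_log):
    """Autoruns that are new, or whose command changed, since the baseline."""
    base, later = parse_autoruns(baseline_log), parse_autoruns(later_log)
    return sorted(
        (loc, name, cmd) for (loc, name), cmd in later.items()
        if (loc, name) not in base or base[(loc, name)].lower() != cmd.lower())


if __name__ == "__main__":
    for loc, name, cmd in new_autoruns(BASELINE_LOG, LATER_LOG):
        print(f"reappeared: {loc} [{name}] -> {cmd}")
```

Comparing a log saved right after cleanup with one saved after the next reboot or dial-up session shows whether the Run value is being rewritten by something that survived the cleanup.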

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello totenkopff :tazz:

First please do this for me

Please go here: Jotti

Click the "browse" button and locate this file:

C:\Windows\System\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.
  • 0

#5
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Absolute coolness...I will do this right now...THANKS...Give me a minute...:tazz:
  • 0

#6
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Ok...here's what it said...I copied both parts...since didn't know which was correct...


Wininet.dll
Status: INFECTED/MALWARE
MD5 c3d7506879d2aae035d62e53675e68b7
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Callgate.Oleadm.3
Avast Found Win32:Nsag-B
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found W32.Nsag.B
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.B
Fortinet Found W32/Nsag.B
Kaspersky Anti-Virus Found Virus.Win32.Nsag.b
NOD32 Found Win32/Oleloa.gen
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Scanner Malware name
AntiVir TR/PKeyLog.147.B.3
ArcaVir Trojan.Downloader.Agent.Fz
Avast Win32:Trojan-gen. {Other}
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web Trojan.Perfect
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:Monitor.Win32.Perflogger.c
NOD32 a variant of Win32/Spy.PerfKey
Norman Virus Control X
UNA X
VBA32 RiskWare.Monitor.Perflogger.c
  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello totenkopff :tazz:

We are going to have to replace that file, and it's a little tricky so I need to make my directions as clear as possible. I should have something up in the next hour.
  • 0

#8
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Cool...thanks a bunch, loophole...you're the best. I will stand by and await further instructions...:tazz:
  • 0

#9
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Online

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Now go offline

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Reboot

Online

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.


Scan the desktop folder with E trust web scanner. When done, make sure the box is checked for wininet.dll and click cure.


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Post a new HijackThis log, and the contents of the smitfiles.txt log.

Edited by loophole, 03 September 2005 - 06:46 PM.

  • 0

#10
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Great...thanks...I will do what you asked...and try to get online as soon as possible.

But what is "eTrust Web Scanner"...do I have this on my computer...or is something I have to download first?

Will await your response...thanks:)
  • 0



#11
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ack forgot the link :tazz: lol

I have edited my above post
  • 0

#12
totenkopff

totenkopff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Cool...ok...is this an "online virus scan"...? And...are the following instructions to be performed online?

That is...the "copy and paste" stuff I'm supposed to do afterwards? Just want to do this right...:tazz:
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I've edited my post to let you know the online offline parts

When you go to the E trust site you will see what the directions are talking about :tazz:
  • 0

#14
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Just a sec
  • 0

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Now it's correct :tazz:
  • 0





