Thank you for providing this service.
I am typing this on an unaffected computer, so I'll post the logs you may want to see after a response, when I get back to the affected computer.
But let me describe what I have done, what problems reoccur, and what concerns I have.
I read your "You Must Read This Before Posting a Hijackthis Log ..." link.
Under category Preparation:
==> I had no internet connection problem.
Under Clean temporary files:
==> I ran the cleanmgr.
==> Nothing appeared to be disabled by startup. But sometimes it appears to grind away for a couple minutes longer than usual.
Under Step One: Scan for Spyware/Adware:
==> I downloaded Ad-aware SE. I customized the settings as detailed in the link. I ran it and saved the file.
==> I downloaded CWShredder. I ran it. It found no problem.
==> I already had Spybot S&D. Tried to update definitions. There was a problem. I did not have latest version. So I downloaded latest version. Downloaded updates. Ran the check for problems. Among the problems it saw was Smitfraud_C. I had it try to remove all problems. It removed all but 12. It said it needed to restart the computer to complete the process. I let it do so. The computer restarted and Spybot initiated action by itself. I think it handled most of them.
==> I linked to the Rogue/Suspect Anti-Spyware Products & Web Sites, and did some research on PSGUARD, one of the repeating problems I was experiencing.
(...
==> Note to others: Look under your harddrive Windows/Prefetch subfolder for similar malware objects to eventually remove. End Note.
==> I then downloaded and bought a True Sword program and ran it. It found three items. One was for Ad-aware. I later had to restore that. One was PSGuard. It quarantined what it found. It temporarily stopped the PSGUARD problem. However it is not a permanent solution. The PSGUARD problem reappears, installing itself after a few logons to Windows XP.
==> From a relative, I got the idea of starting Task Manager before and after dialing into my ISP provider. We noticed that mssearchnet.exe was now running after the dialup connected. We guessed that might be what was running the blinking yellow triangle in the task bar that was constantly popping up a balloon and warning us of spyware, slow downs, etc., and it linked to PSGUARD.com site.
==> In Task Manager I then highlighted it and pressed the END PROCESS button. It disappeared. A few seconds later it reappeared. I highlighted mssearchnet.exe and right clicked it and clicked END PROCESS TREE. It eliminated the yellow triangle in the task bar and the repeated balloon warnings for about 10 minutes. Then it would start again. But at least it was temporary relief from the bombardment.
==> I went into MyComputer and searched on mssearch.exe and tried to delete it. It would not, saying it was in use. I did further research on the internet and saw that someone else once went into SAFE MODE (pressing F8 before Windows screen appeared on the boot) to delete it. That worked. I deleted it. It has not returned. The awful repetitive taskbar balloon messages stopped for good.
==> In addition, earlier I went into my Internet Explorer browser and removed the HomepageBHO and some other add-on I did not recognize. That got rid of the Security task bar that was appearing near the screen top. I also found warnhp.html in MyComputer and renamed it to get rid of the WARNING black background screen that first appeared. I later just hand deleted that file. I also deleted all the hpXXXX.tmp files I found with MyComputer search too. XXXX represents some random characters in the name that vary.
One last important item. I noticed that my dialer NO LONGER was making the dial sounds it used to. This was true from the start of the infection.
...)
Under Step Two: Viruses/Trojans
==> I downloaded Ewido Security Suite, updated the database, and then clicked on scanner. It found 154 bad objects and about 50 more questionable ones. (I may be wrong about the actual numbers. This is from my memory.) I cleaned them, but I don't remember if I created encrypted backup. I saved the report.
==> I went to Trend Housecall link and had it perform the free virus scan.
==> I did not download AVG, as I already have Trend Micro PC-cillin software active on my computer before I ever noticed all these problems.
==> I downloaded TrojanHunter, and it found no problem.
Under Step Three: Windows Updates.
==> I previously installed Windows XP Service Pack 2 some months ago. So I did not do this task.
Under Step Four: Reboot - Test
==> There was no obvious problem when I rebooted. But I still saw there was potential for reoccurrence. PSGUARD and subfolders were still in the registry, when I checked by running regedit.exe.
Under Step Five: Posting a Hijack This Log.
==> Not trusting that the problem was completely solved, I downloaded HijackThis and ran it. I kept the log.
Since all this:
==> I've been repeatedly deleting all PSGUARD or P.S.GUARD files as I find them in MyComputer search. I've run regedit.exe and deleted what I could under PSGUARD.com subfolders. Some things do not delete. I've run the Ewido and Trojan Hunter several times to see what remains.
==> I keep seeing Ewido mention the PSGUARD entries in the registry, which it can't process to clean. I saved some of those logs.
My Major Concerns:
==> I read somewhere that this PSGUARD problem could get worse. http://www.msusenet....1870990307.html
==> The part about international calls now makes the silent dialer problem loom up in my concerns. I noticed an extra entry in my dialer Saturday. It made no sense to me. I'm going to later pencil that number from the dialer, and then delete that entry, if the dialer will allow it. It's the standard Windows XP supplied dialer.
==> This morning PSGUARD tried to reinstall itself. When I run True Sword, it doesn't find anything new. (Because it's previously found it???) I manually deleted PSGUARD and P.S.GUARD files in the MyComputer search.
==> Of course the link above also talks about it eventually wiping out files. That's a concern too.
I work during the days Mon-Thu, so I may not get to do what you request immediately, but I am motivated and determined to get rid of this menace.
Now I can use some help.
Please state what you would like me to do next.
And thanks for all your efforts.
Rich
Edited by rckolon, 28 October 2005 - 02:20 PM.