How is PSGuard malware deleted from windows 98?

Discussion in 'Malware Help (A Specialist Will Reply)' started by hansenbrh, Sep 22, 2005.

  1. hansenbrh

    hansenbrh Private E-2

    I have run all the applicable steps from the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware..." article and am still stuck with the PSGuard malware. I have also run and saved a hijack this list which is attached. Any suggestions?
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: HJT logs must always be posted from normal boot mode unless otherwise requested. But do the below before posting a new one.

    Download smitRem.exe and save the file to your desktop.

    Double click on the file to extract it to its own folder on the desktop.

    Reboot into safe mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach this log to your next reply.

    Also attach a new HJT log. Let me know if there is any improvement.
     
  3. hansenbrh

    hansenbrh Private E-2

    Here is the HJT log. Also smitrem indicated that wininet.dll is infected.

    Edit by chaslang: Inline log attached
     


    Last edited by a moderator: Sep 24, 2005
  4. hansenbrh

    hansenbrh Private E-2

    Here is what smitrem came up with run in safe mode:
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Smitrem while you were booted in safe mode? If not, please do so.

    Do you have your Win 98 CD?

    Please do not post HJT logs inline. They must be attachments.

    Do you know what C:\Program Files\TrueAssistant\TrueAssistant.exe is for?


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
    O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file
    missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
    C:\WINDOWS\SYSTEM\npnzdad.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Sep 24, 2005
  6. hansenbrh

    hansenbrh Private E-2

    Thanks for the help so far. You guys do a great service. Here is the reply to your last post.

    Smitrem was run in safe mode.

    I do have my WIN98 CD.

    HJT is attached.

    C:\Program Files\TrueAssistant\TrueAssistant.exe I believe is a program that SBC uses to help customers make all the transfers from their previous internet provider to SBC. I am not positive about this.

    Viewing of hidden files is enabled.

    Killed spoolsrv32.exe

    Fixed the four items from the HJT scan.

    When I went to restart, so I could reboot in safe mode, the screen locked up on a blue screen with a horizontal green line on top of the screen. At this point I hit Ctrl/Alt/Delete which brought up the normal start up screens, and I was then able to F8 my way into safe mode.

    In safe mode I deleted C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE and C:\WINDOWS\SYSTEM\npnzdad.exe with no problems.

    Ran Ccleaner

    Rebooted in normal mode, and am posting new HJT log.

    Notes: There is still a generic folder on my desktop for PSGuard.

    For some reason, the SBC execute icon disappeared from my desktop; however, there is still an icon on my lower tool bar.

    Is there some reason why my cursor quickly flashes three times with a quick pause, over and over again, while I am typing this?

    Thanks again.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If this is true (and you should check with them), then why is it necessary to still have it running if you have already done this?

    Try deleting the PSGuard folder on your Desktop. Also look for one in c:\program files\psguard and delete it.

    I don't know about this one.

    Let's see if we can fix the rest of your problems with the Desktop hijacker first. Some of the items in the steps below may not be found. That's okay. Just ignore them and continue. This is a somewhat generic process and sometimes they do exist.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs, look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.


    Some of the items mentioned in the below steps may or may not be there. If not found just ignore them and continue. These problems come in a variety of forms and different filenames can be used each time.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\msole32.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\System32\intmon.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:


    C:\WINDOWS\System32\popcorn64.exe
    C:\WINDOWS\system32\wppp.html
    C:\WINDOWS\system32\oleext32.dll
    C:\WINDOWS\system32\oleext.dll
    C:\WINDOWS\system32\intell32.exe
    C:\WINDOWS\uninstIU.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\System32\intmon.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\hp9980.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsmit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixsmit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also look on your original Win98 CD in the Win98 folder for a file named WIN98_44.CAB. Inside this CAB file (which is a compressed archive containing a bunch of Windows files) there should be a wininet.dll file. We may need to extract this file from the CAB file to replace your infected file later. You will need a utility like WinZip to do this.

    You will have to extract the wininet.dll file to a different folder (a temp folder) and then we may need to boot your PC to an MS-DOS prompt to overwrite the infected one with a copy of the clean one.
     
  9. hansenbrh

    hansenbrh Private E-2

    Hello chaslang,

    I found no Search Maid, Security IGuard or Virtual Maid.

    Did not find any of the listed processes listed in the HJT Open process manager.

    In safe mode, and after the HJT scan, did not find any of the listed lines.

    Ran Ccleaner which removed 31.3 mb.

    In normal mode, copied and ran fixsmit.reg.

    Ran Hoster.

    Ran and posted new HJT log.

    Notes: deleted PSGuard folder from desktop and program files earlier, but it seems to have returned after last reboot.

    After applying directions from previous post, I ran AD-Aware SE and it came up with: MALWARE, PSGuard (100 objects total) and MRU list (7 objects total). Ouch.

    hansenbrh
     


  10. hansenbrh

    hansenbrh Private E-2

    Also, rebooted after this message. Desktop came with white background and Active Desktop Recovery note in background behind the desktop icons. Also, and as usually happens with this malware, the PSGuard program automatically starts a "spyware scan" of my system. I do not push any of the PSGuard program buttons, I simply do an end task to get rid of it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said that you did not find any of the processes I listed but two items are clearly shown in your HJT log which means they do exist.

    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

    Boot into safe mode to do the below and do not run any browsers while in safe mode.

    Open Control Panel and select Add/Remove Programs, look for the below programs and uninstall them if found:
    PSGuard

    Now exit Add/Remove Programs.

    Run HijackThis and select the below lines and click Fix:
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

    After clicking Fix, exit HJT.
    Use Windows Explorer to delete:
    C:\WINDOWS\system32\intell32.exe
    C:\Program Files\PSGuard <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Run SmitRem and post the log from it.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Add the registry patch you downloaded from my previous message into the registry again.

    Now reboot into normal mode and post a new HJT log. And tell me how things are working.

    Did you look for the file I indicated on your Win98 CD? You may need to get the Wininet.dll file from your CD, otherwise you may just keep getting reinfected.
     
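The O4 lines quoted above are HijackThis autostart entries: registry hive, Run key, the value name in brackets, then the command that is launched. As an added example (not part of this thread, and not HijackThis code), here is a small Python parser that splits such lines into their fields and flags the file names chaslang told the user to fix; the log text is constructed for the example and the known-bad list is taken from this thread only.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample, modelled on the O4 entries quoted in this thread; the
# last line is a normal Win98 autostart entry kept as a control.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# File names the helper in this thread identified as part of the infection.
KNOWN_BAD_NAMES = {"spoolsrv32.exe", "npnzdad.exe", "intell32.exe", "psguard.exe"}


class O4Entry(NamedTuple):
    hive: str   # HKLM or HKCU
    key: str    # Run, RunServices, RunOnce, ...
    name: str   # value name shown in brackets
    path: str   # program that is launched
    args: str   # command-line arguments, "" if none


# e.g. "O4 - HKLM\..\RunServices: [Srv32 spool service] C:\...\spoolsrv32.exe"
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Split "C:\Program Files\X\x.exe /flag" at the executable extension so that
# a path containing spaces stays intact.
_CMD_RE = re.compile(
    r"(?i)^(?P<path>.*?\.(?:exe|com|dll|bat|scr|pif|vbs))(?:\s+(?P<args>.*))?$"
)


def parse_o4_line(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for one HJT O4 line, or None if it is not an O4 line."""
    m = _O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    c = _CMD_RE.match(cmd)
    path = c.group("path") if c else cmd
    args = (c.group("args") or "") if c else ""
    return O4Entry(m.group("hive"), m.group("key"), m.group("name"), path, args.strip())


def parse_log(text: str) -> List[O4Entry]:
    """Parse every O4 line in an HJT log, skipping all other sections."""
    return [e for e in (parse_o4_line(ln) for ln in text.splitlines()) if e]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_entries(entries: List[O4Entry], bad_names=KNOWN_BAD_NAMES) -> List[O4Entry]:
    """Return the entries whose launched file is in the known-bad name list."""
    return [e for e in entries if basename(e.path) in bad_names]


for entry in flag_entries(parse_log(SAMPLE_HJT_LOG)):
    print(f"{entry.hive}\\{entry.key} [{entry.name}] -> {entry.path} {entry.args}".rstrip())
```

Running it lists the four thread-specific entries and leaves the ScanRegistry control line alone; the same parser can be pointed at a saved HJT log to check whether a fixed entry has reappeared after a reboot, which is what happened with intell32.exe later in this thread.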
  12. hansenbrh

    hansenbrh Private E-2

    Hello Chaslang,

    Booted in Safe mode.

    Removed PSGuard using Add/Remove and uninstalled.

    Ran hijackthis and fixed intell32.exe. PSGuard was not there.

    I couldn't find C:\WINDOWS\system32\intell32.exe in windows explorer, so I did a Start/find/files or folders search, found it there and deleted it. Did find C:\Program Files\PSGuard in windows explorer and deleted it.

    Ran SmitRem and it noted that WININET.dll is infected. I'm not sure how to post a log from SmitRem.

    Ccleaned

    Added previous message's registry patch.

    Rebooted into normal and ran HJT and posted log.

    It looks like intell32.exe comes back every time I reboot in normal.

    Should I go ahead and try to replace the wininet.dll now from my Windows98 CD?
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you may not have viewing of hidden and system files enabled per the READ ME.

    Just upload the smitfiles.txt log just like you did with your HJT log.

    Yes! This is why intell32.exe keeps coming back. You will need to boot to MS-DOS mode to replace the infected wininet.dll. Although it may be possible in Windows for you to rename the infected one to wininet.bad and then copy in the new one from your CD.

    If you had a firewall installed, it may not be so easy for this to keep reinfecting you.
     
  14. hansenbrh

    hansenbrh Private E-2

    Thanks again chaslang, as I am seeing progress. PSGuard is no longer showing up at reboot. Just a couple more things...

    I looked on the Windows98 disc in the Win98 folder and found WIN98_44.CAB, however could not find wininet.dll (if it makes any difference, I double checked that show hidden files and folders is still checked and hide file extensions for known types is unchecked).

    The order of files went...
    winfile.hlp
    winhelp32.hlp
    winlogo.gif
    winmodem.inf
    ...

    If these files are shown in alphabetical order, I should have seen wininet.dll after winhelp32, right?

    Also, am still having problems getting a normal shut down of the PC. It usually freezes up on a blue screen with a horizontal green line going across the top of the screen.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will probably come back since your wininet.dll file is still infected.

    Viewing of hidden files and folders only has to do with using Windows Explorer. Nothing else. Double check the CAB file again and check a few others in the range of 44_CAB. That is where it was for Win98 SE but you have a different version of Windows.


    Windows 98 shutdown issues are well-known problems with Win9x & Me but this is not a topic for this forum. Try the Software Forum and also look at Microsoft's Knowledge Base where there are lots of things to try.
     
  16. hansenbrh

    hansenbrh Private E-2

    Thanks again for all your support chaslang. As you predicted, PSGuard is again showing up in full force as an uninvited guest.

    I found wininet.dll file in the WIN98_40.CAB. I copied the file from the disc and put it in a desktop file named wininet.dll new.

    Would you be able to give me guidance on how to replace the infected wininet.dll?

    Thanks again.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the file from your Desktop into the c:\windows\system folder. Just call it wininet.new.

    Now I would boot into safe mode and run SmitRem, which will still show the infected wininet.dll file. When done with SmitRem, use Windows Explorer to locate the bad c:\windows\system\wininet.dll file. Right click on it and select rename. Change the name to wininet.bad. Now find wininet.new and rename it to wininet.dll. Now reboot your PC.

    If this does not work we will need to boot your PC into MS-DOS mode to do this. Do you know how to boot to MS-DOS mode?
     
  18. hansenbrh

    hansenbrh Private E-2

    Hello chaslang,

    When I tried to rename wininet.dll, I got the message "Cannot rename Wininet: The specified file is being used by windows."

    I'm not sure how to boot to MS-DOS mode other than perhaps using the MS-DOS prompt from the programs menu.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will need to print the below instructions so you can refer to them while offline in DOS mode. But read through them first to make sure you understand them.

    Make sure you have already copied the new uninfected file to the c:\windows\system folder and have named it wininet.new as I said in my previous message.

    Click Start and then Shutdown and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Run the below commands each followed by the enter key. The final command will reboot to Windows.

    cd c:\windows\system
    attrib -r -h -s wininet.dll
    ren wininet.dll wininet.bad
    copy wininet.new wininet.dll

    win <--- this will reboot to Windows

    Now before doing anything else!
    Run smitrem and post another log from it.
    Then come back here and post the new log.
     
  20. hansenbrh

    hansenbrh Private E-2

    chaslang,

    I ran the commands in MS-DOS mode, ran smitrem, and attached smitfiles.txt.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's clean now. Post a new HJT log and also tell me how things look from your end.


    Also delete the wininet.bad file.
     
  22. hansenbrh

    hansenbrh Private E-2

    Hey chaslang, I think we may have won the battle. I booted in safe mode and removed PSGuard with the Add/Remove program.

    I ran HijackThis, found the PSGuard.exe file and clicked fix.
    I did not find the intell32.exe file.

    In windows explorer I deleted the PSGuard folder.

    Could not run CCleaner in safe or normal mode. Got message that it performed an illegal operation and would shut down.

    On normal boot, I did not get the intell32 symbol, nor did the PSGuard program start up on its own like it usually did. There was however a generic folder icon on my desktop titled PSGuard.

    My PC (or the operator of it) may have some other issues as I can't log onto SBC by clicking the little rocket icon. It starts up like its gonna work, then just freezes. I had to log into SBC via Mozilla Firefox to get here.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you delete the Desktop icon?

    I'm not sure what happened to your connection to SBC. You may need to look at what the icon is associated to. Perhaps somewhere in the Properties you can figure out what it is supposed to be calling and why it does not work. Does it normally bring up IE?
     
  24. hansenbrh

    hansenbrh Private E-2

    Hello chaslang,

    I'm still working on the SBC connection thing but that is trivial compared to not having malware show up every time I start my computer. PSguard now seems to be completely gone after months of problems, and I thank you for sharing your expertise and technical guidance. You perform a great service.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

