is this a result of PSGUARD?!

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You should use Add/Remove programs to uninstall MessengerPlus! 3. It can add all kinds of bad stuff to your PC including a LOP infection.

Other than that, there are no real problems showing in your HJT log.

You should also look in Add/Remove programs for PSGuard and uninstall if found.

The goto this thread: SpySheriff (aka SpywareNo) Removal
and run step # 8. Let me know if that helps with your Desktop problems.

 

Please do not fix anything on your own. I need to see what is going on. If you make changes before I see what process are running or what items appear in a HijackThis log, I do not know what is really happening on your PC.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\intell32.exe

Also look for and delete any of the below if found (you may or may not find these but look for them anyway):
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
c:\windows\system32\wppp.html
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Program Files\Search Maid<--- the whole folder
C:\Program Files\Security IGuard<--- the whole folder
C:\Program Files\Virtual Maid<--- the whole folder
C:\Program Files\PSGuard<--- the whole folder
C:\Windows\System32\Log Files <--- the whole folder
C:\Program Files\AntivirusGold <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Well you log is clean now. The O4 line with C:\WINDOWS\system32\intell32.exe is gone.

Did you reboot before getting this log?

 

Please download getsys32.zip

Then extract it someplace you can locate it. Then use windows explorer to locate the getsys32.bat and double click on it to run the bat file. This will create a file named c:\sys32hs.txt

Post the c:\sys32hs.txt file back here as an attachment.

 

Well that did not show me anything useful.

Let's try the below.

Download this: Find It NT/2000/XP


Unzip this file to a folder of its own (like c:\findit ) and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your next post.

 

Task Manager is not useful as it does not show all processes that run and it does not give the full path. HijackThis's process manager is much better. Or you could also use Process Explorer

 

Please look for the below files right now and tell me if you find them

C:\windows\system32\intell32.exe
C:\windows\system32\oleext.dll
C:\windows\system32\oleext32.dll
C:\windows\system32\wppp.html
C:\windows\uninstIU.exe

 

Did you see what I asked in message # 14?

 

Rename the oleext.dll file to oleext.ddd then immediately reboot your PC.

After reboot make sure that the oleext.dll file did not come back!
Now delete the wppp.html file. Does it say deleted.

 

You're welcome.

That file was one of the items that can be part of the infection you had. Since the problem is now gone you should also delete the file we renamed. For more info on what you had here is one example from Symantec:

http://www.symantec.com/avcenter/venc/data/trojan.desktophijack.c.html

You will see the files I was asking about listed.

To help protect your PC, complete the steps in the below thread:

How to Protect yourself from malware!