PSGuard Problem (I think)

Never ever do something like this! This is how dozens of forms of malware infest PC's every day.

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below exactly as written:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Okay! I understand you are having a problem with Internet Access but you must remember to attach logs and not post them inline.

- Also you installed HijackThis improperly.
- It also looks like the log was from safe mode and we need them from normal boot mode.
- And also, you must not use msconfig to control startups from loading. We need to see everything that could load. It is the only way to properly and completely know what you have .

All that said let's start with a fix anyway:

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

C:\Windows\System32\cmd.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 – HKLM\..\RunOnce: [Srv32 spool service] C:\Windows\System32\spoolsrv32.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Windows\System32\spoolsrv32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Okay! Do not have HJT kill the cmd.exe process then.

Yes it does mean the report may not be accurate. However, you can still fix the item given and you can still run msconfig from the command prompt and then select normal startup.

What is the problem with booting in normal mode? Any error messages? Try after fixing what I gave you.

 

You need to have HijackThis fix the below line:
O4 – HKLM\..\RunOnce: [Srv32 spool service] C:\Windows\System32\spoolsrv32.exe

Then reboot into safe mode again and from the command prompt or explorer (run explorer.exe if it runs) delete the C:\Windows\System32\spoolsrv32.exe file.

You need to make sure that you can actual see the file and that the response to the delete of the file is positive. Otherwise you may need to use the attrib -r -h -s command on the file first.

 

Post a current HJT log.

Also look at your c:\boot.ini file and tell me what is in it. This is a hidden file system file so to be able to see it from the command prompt you will need to use the attrib -r -h -s boot.ini command first. Then you can use type boot.ini to see what is in it.

 

Are you sure about the boot.ini being what you posted? Or was it really like below:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

 

Is the below something you installed?

O4 – HKLM\..\Run: [AppHunter] C:\Program Files\SystemTracker\SystemTracker.exe /init

Please look at your current HJT log and fix the below two lines if they still appear:
O4 – HKLM\..\Run: [MSConfig] C:\Windows\ServicePackFiles\i386\msconfig.exe /auto
O4 – HKLM\..\RunOnce: [Srv32 spool service] C:\Windows\System32\spoolsrv32.exe

Then reboot (into normal boot mode if possible) and post a new HJT log.

 

Bumping is a bad idea. It only delays you in getting a response. We go from oldest threads to newest when answering. Since bumping makes your thread newer. It moves you to a point where you will basically be answered later.

Your log from safe mode shows no further problems. You may be better off working this problem that prevents you from booting to normal boot mode in the Software Forum.

Tell them if you get any error messages.

 

You're welcome.