Thread: PSGuard, intel32.exe, and desktop hijacking?

  1. #1
    zword_of_zeal

    Fromage du Canadien

    Join Date
    May 2005
    Location
    Vancouver BC CANADA
    Posts
    34

    Hi guys, my desktop was recently hijacked, though I'm not sure, but I think it has to do with the PSGuard virus. A file named "intel32.exe" was installed in the WINDOWS/system32 directory, and when double-clicked, it leads to the registration and purchase page of a rogue software called PSGuard, AND my internet browser homepage was hijacked, but I'm not sure if it has to do with the intel32 file. Furthermore, my desktop was hijacked with a dark blue screen, stating the following in white:

    Security warning
    A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> +
    00010E36. Error was caused by a Trojan-Spy.HTML.Smitfraud.c
    * System can not function in normal mode.
    Please check you security settings.
    * Scan your PC with any avaliable antivirus/spyware remover program to fix the problem.

    OK, first of all, it's definitely a desktop-hijacker screen because the two words I purposely displayed in bold were typos, and an official source would never make mistakes like that (and those were pretty stupid, too).

    Now, back to the intel32 file, it displays as a red button with a white "!" in the middle, on the minimized tray, and like I said, leads to the PSGuard registration page when clicked.

    I tried several anti-spy/adwares such as SpywareDoctor, HijackThis, Yahoo Anti-spy and Avast! Anti-virus. The file only showed up in the result lists of SpywareDoctor and HijackThis. So I removed it, and even manually removed it from my system32 folder. But a while later it keeps on returning! I did all that in safe mode, and when I booted back to normal, intel32 was still there, on my system tray AND still in my system32 dir, and my desktop has not returned to normal. I'm sure if I delete it, it will come back again on the next boot.

    By the way, the page that hijacked my browser was something called "abcsearch", if I remember correctly. I kept setting my homepage to blank, but it comes back on the next boot. Does anyone think this BHO is related to intel32.exe as well?

    Anyways, if anybody has any programs or methods to remove this PSGuard annoyance or maybe even get rid of the abcsearch, I would really, really appreciate it.

    EDIT: that browser hijacker was called abcsearch4u, I just confirmed it.

  2. #2
    ferrarimodena360

    Yada Yada Yada

    Join Date
    Mar 2003
    Location
    India
    Posts
    1,556
    System restore?

  3. #3
    -0-BACKLASH-0-

    weeeee

    Join Date
    Aug 2003
    Location
    somewhere...
    Posts
    606
    Hey! I'm glad I'm not the only one that had this issue. Though mine was a little different. I found a file on eMule and when I checked it out (after scanning with Norton it was clean) a file wanted to access the internet. Mine was install32m.exe. It was in the system32 folder also. Windows looked for this file on startup and shutdown. (I deleted it and that's how I found Windows looking for it. It would come up with the message "windows cannot find....")

    I used Ad-Aware SE Pro to get rid of the registry entry it made and so far so good. I also checked all the running processes. All was fine after that, but I don't know what would've happened if it had accessed the internet! I couldn't find anything on this file on Google or symantec.com.

    I'd check your hosts file also, as well as all programs running at startup. RegCleaner is great for that, and download procexp.exe from here

  4. #4

    Still learning.........!

    Join Date
    Jun 2002
    Location
    Cyberspace
    Posts
    2,686

  5. #5
    zword_of_zeal

    Fromage du Canadien

    Join Date
    May 2005
    Location
    Vancouver BC CANADA
    Posts
    34
    SE Adaware and RegCleaner? I'll try that sometime, thanks.

    ferrari, what do you mean by system restore?

    DigitalJunkie, smitfraud was not the problem, PSGuard is. That smitfraud screen was probably made up by the desktop hijackers to make users believe that their computer is infected and buy their rogue anti-spy programs.

    EDIT: No, sorry about that, it probably is smitfraud's doing, but I couldn't seem to detect the file anywhere though.

  6. #6

    Zeropaid Noob

    Join Date
    Jul 2005
    Posts
    1

    Hello, I had the same problem. I went to the link that DigitalJunkie posted, deleted all the files that were stated there, but couldn't get rid of intel32. I then downloaded the Panda Platinum Antivirus (my Norton couldn't clean anything for some reason), and it deleted the intel32. So the homepage, the tabs in the taskbar, and all the popups saying how my system is infected disappeared, but I still can't get my desktop back to normal (the text disappeared, but when I right-click and try to change the settings in the "Display Properties", there is no "desktop" tab there, just the "screensaver" tab). Come to think of it, I am not even sure the rest is clean, maybe the virus is still tracking my web surfing.

    Can anyone recommend any free software (evaluation versions perhaps?) that will DEFINITELY clean this?
    Or if it is already clean, how do I get my desktop back to normal?

    Thanks in advance

  7. #7

    Zeropaid Noob

    Join Date
    Jul 2005
    Posts
    1
    The HKEY entries have been modified, I have the same problem. I don't know yet which HKEY registry entry has been affected.

  8. #8
    Lehk

    Old and Ornery

    Join Date
    Jul 2003
    Posts
    843
    Are your important files backed up? If they are, FFR might be the easiest solution.

    *edit*

    Oops, should mention FFR = fdisk, format, reinstall
    DILLIGAF

  9. #9
    napho

    Antisocial Bastard

    Join Date
    Dec 2002
    Location
    The Great White North
    Posts
    1,165
    It isn't that difficult to get rid of these kinds of spyware. Once you know the names to get rid of (HijackThis is a great tool) you can delete everything in safe mode that can't be deleted right away.
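
The thread's advice to learn the names with HijackThis and to check startup programs can be turned into a small log check. This is an added example, not part of any post: it assumes HijackThis's `O4` (autostart) and `R0`/`R1` (IE page) line format, and the sample log, `ExampleAV` and the homepage URL are constructed.

```python
import ntpath
import re

# Constructed sample in HijackThis log-line format; values are illustrative only.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.example/
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\av.exe" /startup
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [install32m] C:\WINDOWS\system32\install32m.exe
"""

WATCHLIST = {"intel32.exe", "install32m.exe"}  # file names reported in the thread
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")

def parse_log(text):
    """Split a log into autostart (O4) entries and IE page settings (R0/R1)."""
    autoruns, ie_settings = [], []
    for line in map(str.strip, text.splitlines()):
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
        elif (m := R_RE.match(line)):
            ie_settings.append(m.groupdict())
    return autoruns, ie_settings

def exe_name(cmd):
    """Lower-cased file name of the executable in an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)\b", cmd, re.I)
        path = m.group(1) if m else cmd.split()[0]
    return ntpath.basename(path).lower()

def flag_autoruns(autoruns, watchlist=WATCHLIST):
    """Autostart entries that would relaunch a watched file at the next boot."""
    return [a for a in autoruns if exe_name(a["cmd"]) in watchlist]

def changed_start_pages(ie_settings, expected="about:blank"):
    """Start Page values that differ from what the user set."""
    return [s for s in ie_settings
            if s["key"].endswith("Start Page") and s["value"] != expected]

if __name__ == "__main__":
    runs, ie = parse_log(SAMPLE_LOG)
    for a in flag_autoruns(runs):
        print("autostart:", a["key"], a["name"], "->", a["cmd"])
    for s in changed_start_pages(ie):
        print("start page:", s["key"], "=", s["value"])
```

Each flagged autostart line names a registry entry to remove along with the file, which is the leftover that produced the "windows cannot find" message described in post #3.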
