Thread: PSGuard Virus Cure

  1. #1

    Zeropaid Noob

    Join Date
    Sep 2005
    Posts
    1

    PSGuard Virus Cure

    http://home.att.net/~katydiddd/PSGuard.html
    Here is
    How I Fixed The PSGuard.com virus -
    a desktop and computer hijacker.

    Files cannot be deleted or restored when they are being used.
    Even when I press "CTRL + ALT + DELETE" and
    End Task for everything except Explorer,
    and even when I uncheck to view my desktop as a Web Page,
    the virus would check and repair itself every 2 seconds.

    (Note, end task for IExplore but not Explorer)

    So, use the System File Checker to swap the virus files
    during a restart -
    using the proper files for changed files;
    and innocuous dummy files for the virus files.

    I used the File Checker by going to
    START / Run / sfc / OK
    or
    START / Programs / Accessories / System Tools /
    System Information / Tools / System File Checker

    THE CHANGES TAKE EFFECT ON RESTART

    When you open the file checker, you have 2 options.
    Since you know the files that you do not like,
    you can specify the files you want to restore from your
    Windows and Internet Explorer disks.
    (I made a floppy disk with a couple false .dll and .exe files -
    that the computer would not allow me to delete,
    because the "files are being used".)

    For example: oleext.dll
    I found a little .dll file, and copied it onto a floppy disk.
    I changed its name to oleext.dll
    Then, when it came time to restore the file, I told
    sfc to restore it from the floppy disk file named oleext.dll.
    (I used a copy of C:\WINDOWS\moricons.dll
    as my renamed dummy file)

    When you look through these files,
    calling them up on your "Find File",
    you will probably learn the date of the change,
    and be able to find all the files of that date,
    then restore, delete, or substitute them with
    a phony file. You can even make phony .exe files.

    Files affected include:
    intel32.exe
    mshtml.dll
    oleext.dll
    oleadm.dll
    uninstIU.exe
    vbar.dll
    wp.bmp
    wppp.html
    wininet.dll

    hlinkprx.dll
    syshlp.exe
    sysmain.DLL
    sysmain.exe
    vxh8jkdq1.exe
    vxh8jkdq2.exe
    vxh8jkdq3.exe
    vxh8jkdq4.exe
    vxh8jkdq5.exe
    vxh8jkdq6.exe
    vxh8jkdq7.exe
    vxh8jkdq8.exe
    vxh8jkdq9.exe
    vxh8jkdqi.exe

    If you run them through Search / Find File,
    you will see that they were all modified on the same day.
    Then, you can run a search for other files that have
    the same modification date.

    It took me a couple tries to get them all in one batch,
    so the restart could stop them from repairing themselves.

    The "virus" was on a friend's computer, so we
    brought the computer to my house.

    If a file is on my computer, and can be restored from
    the Windows CD, or a newer version of mshtml from
    the Internet Explorer CD, then that is what we did.

    If the file was not on my computer or the CDs,
    and could not be dragged to the trash,
    then we made a dummy file on a floppy disk,
    and told the System File Checker to restore the
    file from the floppy disk file.

    During restart, the files were changed,
    and his computer functioned again,
    with his chosen wallpaper and no blinking every two seconds.
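
The same-day search described in the post above, as an added example that is not part of the original post: it reads the modification day of files whose names appear in the post's list and reports every other file under the same folder changed on that day. The folder layout, the 2005-09-01 date and the function names are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime

# Subset of the file names listed in the post (matched case-insensitively).
KNOWN_BAD = {"intel32.exe", "oleext.dll", "oleadm.dll", "vbar.dll", "wppp.html"}

def mtime_day(path):
    """Calendar day (local time) on which the file was last modified."""
    return datetime.fromtimestamp(os.path.getmtime(path)).date()

def same_day_candidates(root, known_bad=KNOWN_BAD):
    """Return (days, candidates): the modification days of the known-bad
    files under root, and every other file modified on one of those days."""
    all_files = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                all_files.append((full, name.lower(), mtime_day(full)))
            except OSError:
                continue  # locked or vanished file: skip, keep sweeping
    days = {day for _p, name, day in all_files if name in known_bad}
    candidates = sorted(p for p, name, day in all_files
                        if day in days and name not in known_bad)
    return days, candidates

def build_sample_tree(root):
    """Constructed sample data: two listed names, one unlisted file from
    the same day, and one unrelated older file."""
    infect = datetime(2005, 9, 1, 14, 30).timestamp()
    older = datetime(2004, 1, 15, 9, 0).timestamp()
    layout = {"intel32.exe": infect, "OLEEXT.DLL": infect,
              "vxh8jkdq1.exe": infect, "notepad.exe": older}
    for name, ts in layout.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
        os.utime(path, (ts, ts))  # set access and modification time

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        days, found = same_day_candidates(root)
        return days, [os.path.basename(p) for p in found]

if __name__ == "__main__":
    print(demo())
```

Modification times can be rewritten by whatever dropped the files, so the result is a list of leads to inspect, not a verdict.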

  2. #2

    Zeropaid Noob

    Join Date
    Apr 2002
    Location
    Downward to darkness, on extended wings
    Posts
    1,342
    Quote Originally Posted by katydiddd
    Sounds great, good information.
    On a side note, WinPatrol is a good free program that can tell you if anything malicious or whatever wants to add their program etc. to startup.
    Get it at winpatrol. It will tell you if any new BHOs are added.
    It alerts you to potential spyware, malware, etc.
    Great too.
    winpatrol.com

  3. #3

    Deicidic Chipmunk Revue

    Join Date
    Sep 2003
    Location
    Jackson County, MO
    Posts
    6,231
    I love how you quoted the only post thus far in the thread.

    Good thing. You may have confused her.

  4. #4

    Zeropaid Noob

    Join Date
    Apr 2002
    Location
    Downward to darkness, on extended wings
    Posts
    1,342
    Quote Originally Posted by Lord_of_the_Dense
    I love how you quoted the only post thus far in the thread.

    Good thing. You may have confused her.
    And that is why it's like that.

  5. #5

    Old and Ornery

    Join Date
    Jul 2003
    Posts
    843
    http://www.sysinternals.com/Utilitie...sExplorer.html

    Process Explorer will let you:
    - Force a program/process to let go of a file
    - Kill a process just like the Windows Task Manager in XP/2000
    - See all sorts of information about your system

  6. #6

    Jacko

    Join Date
    Dec 2008
    Location
    Brisbane, Queensland, Australia
    Posts
    33
    I don't get viruses... I simply don't use Microsoft programs of any kind when on the Inet.
    Any virus that tries gets dissipated.
    And the programs are FRREEEE, and just as easy to use as Windows XP!
    But I do keep a bootable copy of WinXP on my HDD partition, next to Ubuntu (www.ubuntu.com). Ubuntu will load and give you a boot sector which allows you to choose OS system, if you choose it.
