PSGuard Virus Cure


katydiddd
26 Sep 2005, 6:31pm
http://home.att.net/~katydiddd/PSGuard.html
Here is
How I Fixed The PSGuard.com virus -
a desktop and computer hijacker.

Files cannot be deleted or restored when they are being used.
Even when I pressed "CTRL + ALT + DELETE" and
ended the task for everything except Explorer,
and even when I unchecked the option to view my desktop as a Web Page,
the virus would check and repair itself every 2 seconds.

(Note, end task for IExplore but not Explorer)

So, use the System File Checker to swap the virus files
during a restart -
using the proper files for changed files;
and innocuous dummy files for the virus files.

I used the File Checker by going to
START / Run / sfc / OK
or
START / Programs / Accessories / System Tools /
System Information / Tools / System File Checker

THE CHANGES TAKE EFFECT ON RESTART

When you open the file checker, you have 2 options.
Since you know the files that you do not like,
you can specify the files you want to restore from your
Windows and Internet Explorer disks.
(I made a floppy disk with a couple false .dll and .exe files -
that the computer would not allow me to delete,
because the "files are being used".)

For example: oleext.dll
I found a little .dll file, and copied it onto a floppy disk.
I changed its name to oleext.dll.
Then, when it came time to restore the file, I told
sfc to restore it from the floppy disk file named oleext.dll.
(I used a copy of C:\WINDOWS\moricons.dll
as my renamed dummy file.)

When you look through these files,
calling them up on your "Find File",
you will probably learn the date of the change,
and be able to find all the files of that date,
then restore, delete, or substitute them with
a phony file. You can even make phony .exe files.

Files affected include:
intel32.exe
mshtml.dll
oleext.dll
oleadm.dll
uninstIU.exe
vbar.dll
wp.bmp
wppp.html
wininet.dll

hlinkprx.dll
syshlp.exe
sysmain.DLL
sysmain.exe
vxh8jkdq1.exe
vxh8jkdq2.exe
vxh8jkdq3.exe
vxh8jkdq4.exe
vxh8jkdq5.exe
vxh8jkdq6.exe
vxh8jkdq7.exe
vxh8jkdq8.exe
vxh8jkdq9.exe
vxh8jkdqi.exe

If you run them through Search / Find File,
you will see that they were all modified on the same day.
Then, you can run a search for other files that have
the same modification date.

It took me a couple tries to get them all in one batch,
so the restart could stop them from repairing themselves.

The "virus" was on a friend's computer, so we
brought the computer to my house.

If a file was on my computer, and could be restored from
the Windows CD, or a newer version of mshtml from
the Internet Explorer CD, then that is what we did.

If the file was not on my computer or the CDs,
and could not be dragged to the trash,
then we made a dummy file on a floppy disk,
and told the System File Checker to restore the
file from the floppy disk file.

During restart, the files were changed,
and his computer functioned again,
with his chosen wallpaper and no blinking every two seconds.
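
The date pivot described in the post (find the listed files, note the day they were modified, then search for everything else changed that day), as an added example that is not part of the original post. The function names, the `unlisted.dll` file and the sample dates are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import date, datetime

# A few of the file names listed in the post, lower-cased for matching.
KNOWN_NAMES = {"intel32.exe", "oleext.dll", "oleadm.dll", "vbar.dll",
               "syshlp.exe", "sysmain.exe"}

def same_day_files(root, known_names=KNOWN_NAMES):
    """Return (pivot_dates, leads): the days on which listed files were last
    modified, and every unlisted file under root modified on one of those days."""
    by_day = defaultdict(list)
    pivot_dates = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                day = date.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # file vanished or cannot be read: skip it
            by_day[day].append(path)
            if name.lower() in known_names:
                pivot_dates.add(day)
    leads = sorted(p for d in pivot_dates for p in by_day[d]
                   if os.path.basename(p).lower() not in known_names)
    return pivot_dates, leads

def demo():
    """Constructed sample tree: two listed names and one unlisted file share
    a modification day; a fourth file is older and must not be reported."""
    changed = datetime(2005, 9, 20, 12, 0).timestamp()  # constructed date
    older = datetime(2004, 1, 5, 12, 0).timestamp()     # constructed date
    sample = {"oleext.dll": changed, "INTEL32.EXE": changed,
              "unlisted.dll": changed, "notepad.exe": older}
    with tempfile.TemporaryDirectory() as root:
        for name, mtime in sample.items():
            path = os.path.join(root, name)
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))  # set access and modification time
        dates, leads = same_day_files(root)
        return sorted(d.isoformat() for d in dates), \
               [os.path.basename(p) for p in leads]

if __name__ == "__main__":
    print(demo())
```

Modification times can be changed by any program with write access to the file, so the output is a list of leads to inspect rather than a complete inventory.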