The following instructions have been created to help you to get rid of "PSGuard.msmsgs" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site.

Threat Details:

Categories:
  • trojan

Description:
a trojan horse intended on promoting PSGuard.
It installs other malware and also a PSGuard demo, and does not ask for user consent.The browser is beeing hijacked. There are also other websites referenced in favorites and desktoplinks.
The displaysettings menu is also beeing changed,
There are also some spyware warnings appearing on screen in different locations, like systemtray, desktopbackground, browserwindows and PSGuard itself.
The PSGuard demo cannot remove any of the malware, and it only shows a few items, all other item are not beeing shown.
Supposed Functionality:
considering filenaming msmsgs.exe it appears to be posing as microsoft messanger.
Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
  • Shortcuts that include "helpyoursearch.com" in the target they point to.

Start Menu:

Please remove the following items from your start menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
  • Items that include "helpyoursearch.com" in the target they point to.

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "style2".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • A file with an unknown location named "msmsgs.exe".
  • The file at "<$WINDIR>\popuper.exe".
  • The file at "<$SYSDIR>\intmon.exe".
  • The file at "<$SYSDIR>\intmonp.exe".
  • The file at "<$SYSDIR>\msole32.exe".
  • The file at "<$SYSDIR>\ole32vbs.exe".
  • The file at "<$SYSDIR>\shnlog.exe".
  • The file at "<$SYSDIR>\oleext.dll".
  • The file at "<$SYSDIR>\oleext32.dll".
  • The file at "<$SYSDIR>\hhk.dll".
  • The file at "<$SYSDIR>\wppp.html".
  • The file at "<$WINDIR>\sites.ini".
  • The file at "<$SYSDIR>\LogFiles\A8011100.so".
  • The file at "<$FAVORITES>\Adult\Amateurs.url".
  • The file at "<$FAVORITES>\Adult\Anal Sex.url".
  • The file at "<$FAVORITES>\Adult\Babes.url".
  • The file at "<$FAVORITES>\Adult\Blow Job.url".
  • The file at "<$FAVORITES>\Adult\Cumshots.url".
  • The file at "<$FAVORITES>\Adult\Gays.url".
  • The file at "<$FAVORITES>\Adult\Hairy.url".
  • The file at "<$FAVORITES>\Adult\Hardcore.url".
  • The file at "<$FAVORITES>\Adult\Interracial Sex.url".
  • The file at "<$FAVORITES>\Adult\Lesbians.url".
  • The file at "<$FAVORITES>\Adult\Matures.url".
  • The file at "<$FAVORITES>\Adult\Pissing.url".
  • The file at "<$FAVORITES>\Adult\Shemales.url".
  • The file at "<$FAVORITES>\Adult\Stockings.url".
  • The file at "<$FAVORITES>\Adult\Teens.url".
  • The file at "<$FAVORITES>\Adult\XXX Movies.url".
  • The file at "<$FAVORITES>\Cars\Audi Cars.url".
  • The file at "<$FAVORITES>\Cars\Audi Parts.url".
  • The file at "<$FAVORITES>\Cars\Auto Dealers.url".
  • The file at "<$FAVORITES>\Cars\BMW Cars.url".
  • The file at "<$FAVORITES>\Cars\BMW Parts.url".
  • The file at "<$FAVORITES>\Cars\Car Financing.url".
  • The file at "<$FAVORITES>\Cars\Car Insurance.url".
  • The file at "<$FAVORITES>\Cars\Car Parts.url".
  • The file at "<$FAVORITES>\Cars\Honda Cars.url".
  • The file at "<$FAVORITES>\Cars\Honda Parts.url".
  • The file at "<$FAVORITES>\Cars\Lexus Cars.url".
  • The file at "<$FAVORITES>\Cars\Lexus Parts.url".
  • The file at "<$FAVORITES>\Cars\Mercedes Cars.url".
  • The file at "<$FAVORITES>\Cars\Mercedes Parts.url".
  • The file at "<$FAVORITES>\Cars\Mitsubishi Cars.url".
  • The file at "<$FAVORITES>\Cars\Mitsubishi Parts.url".
  • The file at "<$FAVORITES>\Cars\New Cars.url".
  • The file at "<$FAVORITES>\Cars\Opel Cars.url".
  • The file at "<$FAVORITES>\Cars\Opel Parts.url".
  • The file at "<$FAVORITES>\Cars\Toyota Cars.url".
  • The file at "<$FAVORITES>\Cars\Toyota Parts.url".
  • The file at "<$FAVORITES>\Cars\Used Cars.url".
  • The file at "<$FAVORITES>\Online Gambling\Baccarat.url".
  • The file at "<$FAVORITES>\Online Gambling\Bingo.url".
  • The file at "<$FAVORITES>\Online Gambling\Black Jack.url".
  • The file at "<$FAVORITES>\Black Jack Online.url".
  • The file at "<$FAVORITES>\Home Loan.url".
  • The file at "<$FAVORITES>\Job Search.url".
  • The file at "<$FAVORITES>\Network Security.url".
  • The file at "<$FAVORITES>\Online Dating.url".
  • The file at "<$FAVORITES>\Online Gambling.url".
  • The file at "<$FAVORITES>\Online Pharmacy.url".
  • The file at "<$FAVORITES>\Remove Spyware.url".
  • The file at "<$FAVORITES>\Spam Filters.url".
  • The file at "<$FAVORITES>\Web Detective.url".
  • The file at "<$FAVORITES>\Online Gambling\Free Chips.url".
  • The file at "<$FAVORITES>\Online Gambling\Horse Racing.url".
  • The file at "<$FAVORITES>\Online Gambling\Lottery.url".
  • The file at "<$FAVORITES>\Online Gambling\Online Casino.url".
  • The file at "<$FAVORITES>\Online Gambling\Online Craps.url".
  • The file at "<$FAVORITES>\Online Gambling\Online Gambling.url".
  • The file at "<$FAVORITES>\Online Gambling\Online Poker.url".
  • The file at "<$FAVORITES>\Online Gambling\Roulette.url".
  • The file at "<$FAVORITES>\Online Gambling\Slot Machines.url".
  • The file at "<$FAVORITES>\Online Gambling\Sport Betting.url".
  • The file at "<$FAVORITES>\Online Gambling\Wagering.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Adipex.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Alprazolam.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Ambien.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Carisoprodol.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Celebrex.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Cipro.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Clonazepam.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Codeine.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Diazepam.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Hydrocodone.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Lipitor.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Lorazepam.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Lorcet.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Lortab.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Norco.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Online Pharmacy.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Paxil.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Prozac.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Ritalin.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Steroids.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Ultram.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Valium.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Viagra.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Vicodin.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Xanax.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Zithromax.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Zoloft.url".
  • The file at "<$FAVORITES>\Online Pharmacy\Zyban.url".
  • The file at "<$FAVORITES>\Sexual Life\Adult Dating.url".
  • The file at "<$FAVORITES>\Sexual Life\Breast Enlargement.url".
  • The file at "<$FAVORITES>\Sexual Life\Escorts.url".
  • The file at "<$FAVORITES>\Sexual Life\Generic Viagra.url".
  • The file at "<$FAVORITES>\Sexual Life\Penis Enlargement.url".
  • The file at "<$FAVORITES>\Sexual Life\Photo Personal.url".
  • The file at "<$FAVORITES>\Sexual Life\Sex Toys.url".
  • The file at "<$FAVORITES>\Sexual Life\Sexual Enhancers.url".
  • The file at "<$FAVORITES>\Sexual Life\Single Girls.url".
  • The file at "<$FAVORITES>\Sexual Life\Swinger Clubs.url".
  • The file at "<$FAVORITES>\Sexual Life\Viagra for Woman.url".
  • The file at "<$FAVORITES>\Sexual Life\Viagra.url".
  • The file at "<$FAVORITES>\Shopping\Air Cleaner.url".
  • The file at "<$FAVORITES>\Shopping\Cell Phones.url".
  • The file at "<$FAVORITES>\Shopping\Computers.url".
  • The file at "<$FAVORITES>\Shopping\Direct TV.url".
  • The file at "<$FAVORITES>\Shopping\Gifts.url".
  • The file at "<$FAVORITES>\Shopping\Laptops.url".
  • The file at "<$FAVORITES>\Shopping\LCD Multimedia Projector.url".
  • The file at "<$FAVORITES>\Shopping\Leg Exercise Machine.url".
  • The file at "<$FAVORITES>\Shopping\Skin Care.url".
Make sure you set your file manager to display hidden and system files. If PSGuard.msmsgs uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Delete the registry key "{B212D577-05B7-4963-911E-4A8588160DFA}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "VMHomepage" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "VMHomepage.1" at "HKEY_CLASSES_ROOT\CLSID\".
  • Delete the registry key "style2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\".
  • Delete the registry value "{B212D577-05B7-4963-911E-4A8588160DFA}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\".
  • Delete the registry key "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\".
  • Delete the registry key "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
  • Delete the registry key "p%solicies" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\".
  • A key in HKEY_CLASSES_ROOT\ named "HP", plus associated values.
  • A key in HKEY_CLASSES_ROOT\ named "HP.1", plus associated values.
If PSGuard.msmsgs uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D or RunAlyzer.
  • Please check your bookmarks for links to "oneclicksearches.com".
  • Please check your bookmarks for links to "bestwebslinks.com".
  • Please check your bookmarks for links to "iqsearch.net".
  • Please check your bookmarks for links to "dumpserv.com".
  • Please check your bookmarks for links to "helpyoursearch.com".

Final Words:

If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
  1. Please read these instructions before requesting assistance,
  2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.