PSGuard on Windows 98 and My Screwed Up Desktop



#1
Digital Jedi

First off let me say thanks in advance to anyone who can help me and for their effort.

To start off, I'm deeply frustrated. I had to type this message three times as IE kept crashing on me. So please forgive me if I come off as a little impatient. :) Also keep in mind that all my computer knowledge is jack-legged (i.e. self-taught).

Okay, PSGuard installed itself on my computer night before last. Apparently I had gone to bed without logging off and I had a “Who’s Online” page that kept the connection alive for who knows how long. The next morning I’m forced to restart this joker and my Desktop image has been replaced with an HTML page telling me “Your computer might be infected with spyware or adware!!!” No kidding? ;) And there is this little red icon in my tool bar that insists my browser has been infected.

Now I’m a little fuzzy on the order I did things, as I suffer from some short term memory loss :( but I know... I’m pretty sure I ran Gateway Go Back first and tried restoring my computer to a time before the program installed. Unfortunately my history had been eaten alive by an HTML page that kept being rewritten (I’ll mention that later), so I could only go back a few hours. I did that anyway but it didn’t help. I ran Ad-aware next. I deleted something that the program told me was bad, but little info beyond that... that I understood anyway. (I believe I did this twice.)

Sometime around here PSGuard automatically starts up and begins scanning my system.

I’ve become pretty good at tracking down files that shouldn’t be on my computer (though admittedly not that good) and found the source of the desktop icon in my system tray: C:\WINDOWS\SYSTEM\Intell32. (Interestingly, I've done a search for this problem and I've noticed that intel32 is found in the SYSTEM32 folder on most people's computers and not in the SYSTEM folder like it was on mine.) I think it was .exe, but can't quite remember. :woot: I deleted it, and noticed that an HTML page called wppp was the source of the new Desktop replacing my old image. I also discovered at this point that I cannot get rid of this web page. It is continuously being re-written. And now my desktop is constantly flashing as this page re-writes. (This is what’s eating up my Gateway Go Back history.)

I used the Add/Remove Programs function and uninstalled PSGuard and deleted the folder afterwards. But my desktop continued to flash even after a restart.

I downloaded Hijackthis and ran the program and deleted what I knew to be ... well... bad. :(

Now here are some of the bonehead things I did. Somewhere in all this I clicked on Activate My Desktop not really knowing what I was doing and this is when I noticed the Desktop blinking as it reloads again and again. Now every fifteen minutes or so a dialogue box pops up telling me that IE cannot find the Active Desktop HTML file needed for Active Desktop and to click OK to turn it off. (“OK” happens to be the only button, so, whatever.) I had to leave town for a doctor's appointment and when I got back, I had somewhere around 30 of those boxes I had to close.

And the other bonehead thing I did, embarrassingly enough, was to install HijackThis without creating a folder for it in my Program Files. So after the initial scan, I deleted it thinking it won't hurt to reinstall it in a proper folder. Of course now I have no idea where the first log file went. But if it helps I do have the backup files it initially created so I can give you a list of what I deleted. (The list being equally, if not more, embarrassing.) :tazz:

O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://sexarchive.ex...210/livesex.exe

O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://sexarchive.ex...210/livesex.exe

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)

O4 - HKLM\..\Run: [SSRunScript] "c:\program files\Support.com\Charter\bin\SSRunScript.exe" /script "c:\program files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freepornislan...h/searchfr.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freepornislan...h/searchfr.html
O4 - HKLM\..\Run: [Uninstall0002] "C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freepornislan...rch/search.html
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)

O4 - HKLM\..\Run: [SexoBFes] C:\SexoBFes\TODOELSEXO.EXE -t
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freepornislan...h/searchfr.html
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML


I’m not really sure why some of these were even in the scan as I have deleted a lot of these locations a long time ago. Did I mention I restarted and I still haven’t been able to get rid of this web page on my desktop? I can’t find the file responsible for it. Here is a log file of Hijackthis after I moved it to a proper folder and after I did my own bonehead deleting.

Logfile of HijackThis v1.99.1
Scan saved at 10:41:17 PM, on 08/04/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSNQMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [IgfxTray] c:\windows\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] c:\windows\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB

Well, that’s about all I can remember. I hope it's descriptive enough. Thanks for your time. If I remember more (and no one posts) I’ll edit this post to reflect that with an EDIT at the bottom. Thanks again. :wub:

-The Jedi
  • 0
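Added example, not part of the original post: the post gives two lists, the entries deleted with HijackThis and a later rescan, and comparing their O4 registry autoruns shows which deletions held and which entry is back, meaning something still on the machine rewrites it. The sample lines are copied from the two lists above; the function names are hypothetical.

```python
import re

# O4 registry autorun shape: "O4 - <key>: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Lines copied from the "what I deleted" backup list in the post.
REMOVED = r"""
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
"""

# Lines copied from the later HijackThis v1.99.1 rescan in the post.
RESCAN = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

def parse_autoruns(text):
    """Map (registry key, lower-cased value name) -> command for O4 registry lines.

    Startup-folder lines ("O4 - Startup: x.lnk = ...") have no [name] and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m['loc'], m['name'].lower())] = m['cmd'].strip()
    return entries

def compare(removed_text, rescan_text):
    """Split the deleted autoruns into those present again in the rescan and those gone."""
    removed = parse_autoruns(removed_text)
    rescan = parse_autoruns(rescan_text)
    still_present = sorted(k for k in removed if k in rescan)
    gone = sorted(k for k in removed if k not in rescan)
    return still_present, gone

if __name__ == "__main__":
    back, gone = compare(REMOVED, RESCAN)
    print("deleted but present again:", back)
    print("deleted and still gone:  ", gone)
```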



#2
Digital Jedi

Okay, I fixed the problem myself, I think. Since you guys respond to unreplied messages first, I'm bumping this one to give someone else my place in line.

Just so you know, I was reluctant to download any more software simply because I have very little space left. But I went ahead and downloaded CWShredder and SpyBot S&D anyway. I was surprised that SpyBot ultimately fixed the problem since a lot of your posters said that Adaware and Spybot were not helping.

Thanks for this resource page. No offense, but I hope I never have to come here again. :) But if I do have another problem, I'm glad you guys exist. :tazz:

Peace,
-The Jedi
  • 0





