Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGaurd on Windows 98 and My Screwed Up Desktop


  • Please log in to reply

#1
Digital Jedi

Digital Jedi

    New Member

  • Member
  • Pip
  • 5 posts
First off let me say thanks in advance to anyone who can help me and for their effort.

To start off, I'm deeply frustrated. I had to type this message three times as IE kept crashing on me. So please forgive me if I come off as a little impatient. :) Also keep in mind that all my computer knowledge is all jack-legged. (i.e self taught)

Okay, PSGaurd installed itself on my computer night before last. Apparently I had gone to bed without logging off and I had a ďWhoís OnlineĒ page that kept the connection alive for who know how long. The next morning Iím forced to restart this joker and my Desktop image has been replaced with a HTML page telling me ďYour computer might be infected with spyware or adware!!!Ē No kidding? ;) And there is this little red icon in my tool bar that insists my browser has been infected.

Now Iím little fuzzy on the order I did things, as I suffer from some short term memory loss :( but I know... Iím pretty sure I ran Gateway Go Back first and tried restoring my computer to a time before the program installed. Unfortunately my history had been eaten alive by a HTML page that kept being rewritten. (Iíll mention that later) so I could only go back a few hours. I did that anyway but it didnít help. I ran Ad-aware next. I deleted something that the program told me was bad, but little info beyond that... that I understood anyway. (I believe I did this twice)

Sometime around here PSGaurd automatically starts up and begins scanning my system.

Iíve become pretty good at tracking down files that shouldnít be on my computer (though admittedly not that good) and found the source of the desktop icon in my system tray. C:\WINDOWS\SYSTEM\Intell32. (Interestingly, I've done a search for this problem and I've notice that intel32 is found in the SYSTEM32 folder on most peoples computers and not in the SYSTEM folder like was on mine) I think it was .exe. but cant quite remember. :woot: I deleted it, and noticed that a HTML page called wppp was the source of the new Desktop replacing my old image. I also discovered at this point that I cannot get rid of this web page. It is continuously being re-written. And now my desktop is constantly flashing as this page re-writes. (This is whatís eating up my Gateway Go Back history)

I used the Add/Remove Programs function and uninstalled PSGaurd and deleted the folder afterwards. But my desktop continued to flash even after a restart.

I downloaded Hijackthis and ran the program and deleted what I knew to be ... well... bad. :(

No here is some of the bone head things I did. Somewhere in all this I clicked on Activate My Desktop not really knowing what I was doing and this is when I noticed the Desktop blinking as it reloads again and again. Now every fifteen minutes or so a dialogue box pops up telling me that IE cannot find the Active Desktop HTML file needed to for Active Desktop and to click OK to turn it off. (ďOKĒ happens to be the only button, so , whatever) I had to leave town for doctors appointment and when I got back, I had somewhere around 30 of those boxes I had to close.

And the other bonehead thing I did, embarrassingly enough was to install Hijackthis without creating a folder for it in my Program Files. SO after the initial scan, I deleted it thinking it wont hurt to reinstall it in a proper folder. Of course now I have no idea where the first log file went. But if it helps I do have the backup files it initially created so I can give you a list of what I deleted. (The list being equally, if not more, embarrassing.) :tazz:

O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://sexarchive.ex...210/livesex.exe

??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=????????????????????????????????????????????????????????????????????????????????????????????'?????????????????????????????????????????????????????????????????????????
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://sexarchive.ex...210/livesex.exe

??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=????????????????????????????????????????????????????????????????????????????????????????????'?????????????????????????????????????????????????????????????????????????
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)

?????????????????????????????4?????????????????????????????????????????????????????????????????????????4???=????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
O4 - HKLM\..\Run: [SSRunScript] "c:\program files\Support.com\Charter\bin\SSRunScript.exe" /script "c:\program files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freepornislan...h/searchfr.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freepornislan...h/searchfr.html
O4 - HKLM\..\Run: [Uninstall0002] "C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freepornislan...rch/search.html
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL (file missing)

?????????????????????????????4?????????????????????????????????????????????????????????????????????????4???=????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
O4 - HKLM\..\Run: [SexoBFes] C:\SexoBFes\TODOELSEXO.EXE -t
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freepornislan...h/searchfr.html
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML


Iím not really sure why some of these were even in the scan as I have deleted a lot of these locations a long time ago. Did I mention I restarted and I still havenít been able to get rid of this web page on my desktop? I canít find the file responsible for it. Here is a log file of Hijackthis after I moved it to a proper folder and after I did my own bonehead deleting.

Logfile of HijackThis v1.99.1
Scan saved at 10:41:17 PM, on 08/04/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSNQMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [tgcmd] "c:\program files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [IgfxTray] c:\windows\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] c:\windows\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [Microsoft QMGR] msnqmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Microsoft QMGR] msnqmgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB

Well, thatís about all I can remember. I hope its descriptive enough. Thanks for your time. If I remember more (and no one posts) Iíll edit this post to reflect that with an EDIT at the bottom. Thanks again. :wub:

-The Jedi
  • 0

Advertisements


#2
Digital Jedi

Digital Jedi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Okay, I fixed the problem myself , I think. Since you guys respond to unreplied messages first, I'm bumping this one to give someonelse my place in line.

Jus so you know, I was reluctant to download anymore software simply becasue I have very little space left. But I went ahead and downloaded CWShredder and SpyBot S&D anyway. I was surprised that SpyBot ultimatly fixed the problem since a lot of your posters said that Adaware and Spybot were not helping.

Thanks for this resource page. No offense, but I hope I never have to come here again. :) But if I do have another problem, I'm glad you guys exists. :tazz:

Peace,
-The Jedi
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP