My PC has been hijacked!

Discussion in 'All other topics' started by ZebUK, Aug 2, 2005.

  1. ZebUK

    ZebUK Member

    Joined:
    Aug 2, 2005
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    16
    Hi, I'm new, first topic and newly registered. Just floated in with the help of Google.

    I recently had my machine hijacked by something, I don't know the name of whatever it is because nothing seems to detect it. What this thing does do, however, is advertise PSGuard. Some digging has led me to understand this is a fake application pretending to be nice when it is really quite nasty.

    My desktop has been hijacked by an ActiveX thingy wanting me to click a link to PSGuard, I've lost most of the controls in the control panel for Display, IE was set to a weird homepage, loads of small EXE files were installed into the system, IE was blocked from accessing most web sites that explained how to remove it and I've gone from Windows XP Pro to Windows 98. Ok, not that last bit :D

    What I have done is uninstall IE, gone through the registry removing all the references to this PSGuard, gone through my WINDOWS folder removing various files but bits still remain. Any files removed were removed on the advice of those sites I could access. I'm now using Firefox.

    I've run HijackThis and here is the log (I've just fixed the IE links using it and if you guys can help I'll not only be extremely grateful but I'll bake you all a nice eCake :D )

    Logfile of HijackThis v1.99.1
    Scan saved at 13:27:51, on 02/08/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HistoryKill\hkPopupKiller.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EditPlus 2\editplus.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.148.184.7:80
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3753.tmp
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.chm::/MegaInstaller.exe
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://C:\Documents and Settings\Zebedee\Local Settings\Temp\ckz.tmpfffc3\motive\files\MotivePreQual.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Ndipi0ted - Creative Technology Ltd. - C:\WINDOWS\System32\drivers\ctgame.sys
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
     
    Last edited: Aug 2, 2005
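A worked triage of the log above, added here as an example; it is not code from the thread or from the HijackThis project. The Python below parses HijackThis-style R/O entries and flags the ones that turned out to matter in this case: a proxy pointed at a raw IP (R1), a BHO with a placeholder GUID loading from a .tmp file (O2), O16 download entries that use file:// or ms-its:/mhtml chains, a Run value named after a system utility (RegSvr32) that launches something else, and the same file name (msmsgs.exe) referenced from two different directories. The sample lines are copied from the first posted log; the thresholds and the list of utility names are assumptions chosen for this example.

```python
"""Heuristic triage of a HijackThis v1.99 log.

Added example (not code from the thread). The sample entries below are a
subset of the log posted above; the heuristics encode what made the PSGuard
entries stand out.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.148.184.7:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3753.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.chm::/MegaInstaller.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
PROXY_RE = re.compile(r"ProxyServer = \d{1,3}(?:\.\d{1,3}){3}:\d+")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")
# Lazy match so "C:\...\NvCpl.dll,NvStartup" yields only the path part.
WINPATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|tmp|cab)\b", re.IGNORECASE)
# Assumed list: Run values named after these should launch that utility.
SYSTEM_UTILS = {"regsvr32", "rundll32", "svchost", "explorer", "winlogon", "lsass", "services"}
LOCAL_SCHEMES = ("file:", "ms-its:", "mhtml:")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def is_junk_guid(guid):
    # Real CLSIDs use most hex digits; FFFFFFFF-...-FFFA or 11311111-... do not.
    return len(set(guid.replace("-", "").upper())) <= 4


def parse_entries(log_text):
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def path_locations(entries):
    # basename -> set of directories it is referenced from, across the whole log
    locs = defaultdict(set)
    for _, body, _ in entries:
        for p in WINPATH_RE.findall(body):
            locs[ntpath.basename(p).lower()].add(ntpath.dirname(p).lower())
    return locs


def triage(log_text):
    entries = parse_entries(log_text)
    locs = path_locations(entries)
    findings = []
    for kind, body, raw in entries:
        reasons = []
        if kind == "R1" and PROXY_RE.search(body):
            reasons.append("proxy server points at a raw IP address")
        g = GUID_RE.search(body)
        if g and is_junk_guid(g.group(1)):
            reasons.append("CLSID is a placeholder/junk GUID")
        if kind == "O2" and body.lower().endswith(".tmp"):
            reasons.append("BHO loads from a .tmp file")
        if kind == "O16":
            target = body.rsplit(" - ", 1)[-1].lower()
            if target.startswith(LOCAL_SCHEMES):
                reasons.append("download entry uses a local file or ms-its/mhtml chain")
        if kind == "O4":
            r = RUN_RE.search(body)
            if r:
                name = r.group("name").lower()
                if name in SYSTEM_UTILS and name not in r.group("cmd").lower():
                    reasons.append("Run value is named after a system utility it does not launch")
        for p in WINPATH_RE.findall(body):
            base = ntpath.basename(p).lower()
            if len(locs[base]) > 1:
                reasons.append(f"{base} is referenced from several directories in this log")
        if reasons:
            findings.append(Finding(raw, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

The cross-directory check deliberately flags every location of a duplicated name (both the System32 copy of msmsgs.exe and the one under Program Files\Messenger), leaving it to the analyst to decide which copy is the real one; the Spybot SDHelper.dll BHO, the Google toolbar, jusched.exe and the Trend Micro HouseCall control are not flagged.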
  2. ZebUK

    ZebUK Member

    btw I tried running SpyBot but it wouldn't let me do anything until I downloaded the included and updates.

    They wouldn't come down because every file had checksum errors.
     
  3. ZebUK

    ZebUK Member

    I cleaned out a load of stuff and I can't get my desktop back to normal. The Display application in the control panel is still screwed. Here's the latest HijackThis log after I had a go. Anything else I should remove?

    Logfile of HijackThis v1.99.1
    Scan saved at 15:51:08, on 02/08/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\HistoryKill\histkill.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HistoryKill\hkPopupKiller.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3753.tmp
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Ndipi0ted - Creative Technology Ltd. - C:\WINDOWS\System32\drivers\ctgame.sys
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
     
  4. bobright

    bobright Guest

    haha, dude watch the triple posting

    I'd post that at the imnotageek forums
     
  5. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,174
    Likes Received:
    138
    Trophy Points:
    143
  6. bobright

    bobright Guest

    uhhh ok
     
  7. ZebUK

    ZebUK Member

    I've removed it all now, thanks to:

    HijackThis, Task Manager and RegEdit.

    EDIT: and an MS-DOS shell script I wrote :D
     
    Last edited: Aug 3, 2005
  8. ddp

    ddp Moderator Staff Member

    teach & learn
     
  9. JaguarGod

    JaguarGod Active member

    Joined:
    Jun 24, 2005
    Messages:
    1,468
    Likes Received:
    0
    Trophy Points:
    66
    You need to disable ActiveX!!! When I use IE, I set security level to High. Then I click custom and enable File Download. I also set cookie permission to medium-high and make some changes in advanced tab.

    Whenever you need to run an ActiveX or Java script and you know the site is good, add it to trusted zone. However, you must make one change here too. Click custom and disable "allow paste via script". It is towards the bottom. That is so no one can read your clipboard.

    If you do not want to mess with IE, you can try Firefox. So far it seems better than IE. Also get the extension "NoScript". If you need Windows updates, you can use IE with all the Windows Update sites in your trusted zone. When you go to Windows Update they will let you know what to add.
     
  10. ddp

    ddp Moderator Staff Member

    if your xp is legit that is
     
  11. ZebUK

    ZebUK Member

    Okies sit down, grab a bag of popcorn and read on...

    Before my encounter with this PSGuard thing I'd never known what HijackThis was. Never heard of it. I started off by loading Task Manager (taskman) and ran each process I wasn't familiar with through Google to see what it was. Anything that came up malicious got terminated and I wrote them down. After that I rebooted and checked again, deleting any that were still present.

    Then I resorted to Google to check what other people were doing to combat this evil presence and tried following examples but noticed some files were different. It was during this time that I stumbled upon this forum and heard about HijackThis. I promptly registered, ran HijackThis and posted a log.

    Not being able to wait, I went through the log and removed things I felt safe to delete. I also checked with Google where possible by entering just the names of the exe's or dll's into it. Managed to get a whole load of stuff cleared.

    I found the desktop hijacked as well as the display program in the control panel - most of the tabs had been disabled preventing me from changing the desktop so I then googled the control panel's display in Google for registry hacks and armed with regedit, started modifying bits and pieces.

    The desktop had text in it so I searched Windows for some of the text and found the HTML file - "wppp.html" but when I deleted it the damn thing kept appearing again so I wrote this script:

    @echo off
    REM delete the dropped HTML file that is being used as the desktop
    erase wppp.html
    REM take the name with a directory so the file cannot be written back
    mkdir wppp.html
    REM hide the placeholder directory
    attrib +h wppp.html


    I made this in the DOS shell by typing "copy con zx.bat" and when finished I pressed Ctrl+Z and pressed return.

    I called it "zx.bat" and ran it. Now to explain what this does, it deletes the file in question and makes a folder with the same name then hides it. I rebooted it and the desktop was mine again.

    After a little more Googling I discovered that this trojan makes a copy of one of the files and replaces a Windows DLL file called "wininet.dll" so I deleted this file and rebooted.

    What the altered file does is keep writing "wppp.html" and the registry values to hide the Display's tabs so if you delete the wppp.html file or modify the registry entries they are all put back again.

    After rebooting I was able to delete every occurrence of wppp.html in the registry, delete my wppp.html folder and then download a clean copy of wininet.dll and again reboot.

    System now clean!!! :D

    I hope this information is helpful to others in removing this pernicious piece of !*#$. Unfortunately I didn't keep track of the files I ended up removing otherwise I'd list them all here but here are some I can remember:

    c:\windows\system32\intel32.exe
    c:\windows\system32\intell32.exe
    c:\windows\system32\wppp.html

    There are a few more but I can't remember, sorry!
     
    Last edited: Aug 3, 2005
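The trick in the zx.bat script above (delete the dropped file, then occupy its name with a hidden directory so the dropper's next write fails) reproduced in Python, as an added example that is not the poster's script. It constructs a stand-in wppp.html in a temporary directory, shows that it can be overwritten, blocks the name, shows the write now fails, and removes the placeholder again. The hidden attribute is a Win32 concept, so it is only set when running on Windows. As the post itself found, this is a stopgap: the name stays blocked, but the trojanised wininet.dll keeps running until it is replaced.

```python
"""Occupy a dropped file's name with a hidden directory so it cannot be re-created.

Added example (not the poster's script). Reproduces what zx.bat does:
remove wppp.html, create a directory of the same name, mark it hidden.
"""
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x02  # Win32 constant; the attribute exists only on Windows


def block_path(path):
    """Delete the file at `path` (if any) and put a hidden directory in its place."""
    if os.path.isdir(path):
        return path  # already blocked
    if os.path.lexists(path):
        os.remove(path)
    os.mkdir(path)
    if os.name == "nt":
        import ctypes
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN):
            raise ctypes.WinError()
    return path


def unblock_path(path):
    """Remove the placeholder directory once the dropper is gone."""
    if os.path.isdir(path):
        os.rmdir(path)


def dropper_can_write(path):
    """Simulate the malware re-writing its HTML: True if the write succeeds."""
    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write("<html>PSGuard advert</html>")  # constructed stand-in content
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False
    return True


def demo():
    """Return (writable before blocking, writable while blocked, writable after unblocking)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "wppp.html")
        with open(target, "w", encoding="ascii") as fh:
            fh.write("<html>hijacked desktop</html>")  # constructed stand-in file
        before = dropper_can_write(target)
        block_path(target)
        during = dropper_can_write(target)
        unblock_path(target)
        after = dropper_can_write(target)
        return before, during, after


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The placeholder only defeats a dropper that opens the name for writing; one that removes directories first, or writes the file somewhere else and changes the registry to point at it, is not stopped, which is why removing the component that does the re-writing (here wininet.dll) was the step that actually ended the loop.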
  12. JaguarGod

    JaguarGod Active member

    You will actually have fewer problems with a pirated XP. Just go to Tools, Manage Add-ons. Go to the add-ons that IE has used and disable the legit check tool. You can also just go to softwarepatch.com and manually download updates or use the Firefox Windows update (something like windowsupdate.62nds.com).

    Windows update will only work with a "valid" key, whether it is pirated or official doesn't matter. This means if you have the FCKGW key or the two other keys you cannot update or install sp2 and other updates.

    Even if you have valid XP, that legit tool can only be trouble. I think it compares your key to a list it has, but also compares information about your hardware and some programs. It may also read your BIOS and get your IP. So, it is possible that if any of that changes it could render your legal XP invalid.
     
  13. ddp

    ddp Moderator Staff Member

    JaguarGod, what about sp1 & updates with pirated key??
     
  14. ZebUK

    ZebUK Member

    ddp: I've not had any problems.
     
  15. ddp

    ddp Moderator Staff Member

    neither am i because of that written patch i got from the news forum
     
  16. JaguarGod

    JaguarGod Active member

    There are two methods. The first, which I do not recommend is a patch that allows them to be installed on an invalid key.

    The second is to use a keygen. These produce "valid" keys, but not official keys. MS only blocks keys beginning with FCKGW as well as these combinations: XXXXX-640-0000356-23XXX and XXXXX-640-2001765-23XXX

    You need to have a key that is different from these in order to install sp2 (or sp1) and use microsoft windows update.

    You can either generate your own key via keygen or purchase a key from MS and change your XP key. You can change it by going into your registry or the simple way by getting an xp key changer program.

    If you use a keygen, not all the keys it gives you will work. You can tell because XP will not activate during the activation wizard. You should probably get about 50 keys and try them one by one. If XP activates during the Wizard, it will just go back a screen. It will not give any type of confirmation. If this happens you can reboot your PC.

    After you reboot, go to www.softwarepatch.com and download XP SP2. You can also go to Microsoft Downloads, but it is a little hard to find it. If you do, get the network install, NOT the single user install. It will be about 230MB so you need DSL or cable. You can also use a school PC if it has T1.

    Try to install. After it extracts the files, if it starts installing you are fine. Finish the install. If you want hard copies of updates before going to Windows Update get these updates:

    kb873333
    kb873339
    kb883939
    kb885250
    kb885836
    kb886185
    kb887472
    kb887742
    kb888113
    kb888302
    kb890046
    kb890175
    kb890830
    kb890859
    kb891781
    kb893066
    kb893086
    kb896358
    kb896422
    kb896428
    kb898461
    kb901214
    kb903235

    Also get windows installer 3.1

    After that go to windows update and you will be prompted to download the validation tool. Download it and after you are done do not validate. Close the browser and re-open. Either disable the tool from the add-ons menu or by entering javascript:void(window.g_sDisableWGACheck='all') in the browser.

    You will download a few more updates and then you will be done. You could also skip the Microsoft update by using Firefox and going to windowsupdate.62nds.com. Funny thing is that this one is a little better at giving driver updates than Microsoft's Windows Update.
     
  17. JaguarGod

    JaguarGod Active member

    You can actually validate your pirated Windows. You can use Microsoft's own validation tool to do this. It is a tool called genuinecheck.exe

    You will also need a valid Windows XP. Use the tool on the valid XP and manually install it in your pirated xp. I do not know how to do this though. The key it gives you will only work for a short time, so you will never find one posted on-line.
     
  18. ZebUK

    ZebUK Member

    And exactly what has all this got to do with PSGuard?

    Can this be taken to a different topic please?
     
  19. ddp

    ddp Moderator Staff Member

    the # i use plus the patch off the news forum allows me to do all the updates & i already install sp1 off my cd before doing the updates.
     
  20. ddp

    ddp Moderator Staff Member

    agreed, sorry.
     
