spoofed ebay email installs httpd



zii
19-05-06, 19:32
last night, whilst being half asleep I accidentally clicked on a phishing Ebay spoof mail link, which promptly installed an apache httpd server onto my WXP machine.

At which point, after realising what had happened, I booted into Fedora and changed all my passwords, so all is well.

However, the service is still there, intermittently. Sometimes it's there, sometimes not.

Does anyone know how to search for and remove this rogue service? Anything in the registry I could check for, or any tools out there that would help me remove it, and any other nasties that may be there?

I tried to nmap my WXP box from myself, but it seems nmap cannot scan itself if running from XP

Any help would be greatly appreciated.

Regards, z.

rob444
19-05-06, 21:03
http://www.cryer.co.uk/brian/windows/howto_nt_das.htm

Google :P

Apocalypsox
20-05-06, 00:10
Get a nice little program that does it. Mine removes all those little spyware progs that are malicious. Go get one. Or you could try to do it manually, but good luck.

cMz
20-05-06, 09:04
Try running msconfig on your Windows XP machine (Run -> msconfig)

msconfig will show you what is set to start when the computer is turned on.
There is a section about services, and you can disable them from the interface.
There is a section about StartUp programs, where you can disable the things you don't want to start.

Get Spybot or Windows Defender or something else to scan your computer to get it removed.

rob444
20-05-06, 10:23
There is a section about StartUp programs, where you can disable the things you don't want to start.


Yeah you can disable it through msconfig, you could also disable it through administration tools. He wants to remove it however and msconfig or the administration tools won't be able to do that.

zii
22-05-06, 17:10
The service is not listed in msconfig. I think that it's hooked into the kernel as when I http to 127.0.0.1:80 TCPView shows it hanging off the System:0 :http.

Oddly when I boot, sometimes it's there and sometimes it's not. Perhaps it fails to initialise correctly. Bad code?

I've tried McAfee, AVG, Bazooka, and Lavasoft Ad-Aware but no luck. I'm running avast right now.
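A listener that TCPView attributes to "System" (PID 4) is a kernel-mode registration, which is why neither msconfig nor the Services list shows an owning service. Added example, not from this thread: a small script that joins constructed `netstat -ano` and `tasklist /svc` output to tell a kernel-mode port 80 listener apart from one owned by a normal service process (the sample output and the PIDs in it are made up).

```python
import re

# Constructed sample of "netstat -ano" output (not captured from the poster's box).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1824
  TCP    192.168.1.5:3389       192.168.1.9:49200      ESTABLISHED     1824
"""

# Constructed sample of "tasklist /svc" output (same made-up PIDs as above).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    996 RpcSs
svchost.exe                   1824 TermService
"""

def parse_listeners(netstat_text):
    """Map local TCP port -> owning PID for every socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            listeners[int(parts[1].rsplit(":", 1)[1])] = int(parts[4])
    return listeners

def parse_services(tasklist_text):
    """Map PID -> (image name, [hosted service names]) from tasklist /svc."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if m:  # header and ruler lines have no numeric PID column, so they skip
            svcs = [] if m.group(3) == "N/A" else [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def owner_of_port(port, netstat_text, tasklist_text):
    """Describe who owns a listening port, or None if nothing listens there.
    PID 4 (System) means a kernel-mode listener such as http.sys; anything
    else points at a user-mode process and the services it hosts."""
    pid = parse_listeners(netstat_text).get(port)
    if pid is None:
        return None
    image, svcs = parse_services(tasklist_text).get(pid, ("<unknown>", []))
    return {"pid": pid, "image": image, "services": svcs, "kernel_mode": pid == 4}
```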

zii
22-05-06, 18:39
I think I have found the blighter: CSW.loadnew. Removing now.

Apocalypsox
23-05-06, 07:27
lol. hacker made a bad code. lmfao. see now if this happened...you figure out who the cunt is that made it, through one of the various methods and then delete his hard drives. funny as fuck. :lol:

rob444
23-05-06, 14:05
Let's find the guy, hijack his internet connection, reroute all http traffic to some gay porn site.