I ran into several problems right from the start. I downloaded all the tools suggested there and attempted to follow the instructions. The first problem I ran into was that my Windows XP refused to boot up in safe mode. I hit F8, as instructed, and got to the window to choose safe mode, but when I picked it, I ended up right back in the same window, asking which mode to boot up in. The only thing it would allow was to boot up XP normally.
Undeterred, I thought following the rest of the instructions would at least not hurt, and might help. I've run Ewido, Spyware Doctor, Ad-Aware, HijackThis, SPSeHjFix, and all the others that were suggested, in the order instructed.
While some logs come back as clean, Ad-Aware and Spyware Doctor always come back with the exact same infections every time they are run.
I have included the logs from various scans at the end of this... ANY help you may have to impart to me would be so appreciated that I would name my firstborn after the genius who helps me. ~S~
Hope this isn't too much info to post....
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 8:30:28 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Documents and Settings\User\Desktop\Dave's junk\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdxdqcnoe...DCGR_3trbU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [bvsgfe] C:\WINDOWS\System32\bvsgfe.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [mnmlast] c:\windows\system32\mvzays.exe r
O4 - HKLM\..\Run: [gpqiqj] c:\windows\system32\egtrxef.exe r
O4 - HKLM\..\Run: [jevwnlb] c:\windows\system32\zftapwm.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Seekbind] C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115385097841
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://sympatico.zon...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SPSeHjFix
(6/13/05 4:54:23 PM) SPSeHjFix started v1.1.2
(6/13/05 4:54:23 PM) OS: WinXP Service Pack 2 (5.1.2600)
(6/13/05 4:54:23 PM) Language: english
(6/13/05 4:54:23 PM) Win-Path: C:\WINDOWS
(6/13/05 4:54:23 PM) System-Path: C:\WINDOWS\system32
(6/13/05 4:54:23 PM) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(6/13/05 4:54:40 PM) Disinfection started
(6/13/05 4:54:40 PM) Bad-Dll(IEP): (not found)
(6/13/05 4:54:40 PM) Bad-Dll(IEP) in BHO: (not found)
(6/13/05 4:54:40 PM) UBF: 4 - UBB: 6 - UBR: 19
(6/13/05 4:54:40 PM) UBF: 4 - UBB: 6 - UBR: 19
(6/13/05 4:54:40 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(6/13/05 4:54:40 PM) Stealth-String not found
(6/13/05 4:54:40 PM) Not infected->END
(6/13/05 8:32:15 PM) SPSeHjFix started v1.1.2
(6/13/05 8:32:15 PM) OS: WinXP Service Pack 2 (5.1.2600)
(6/13/05 8:32:15 PM) Language: english
(6/13/05 8:32:15 PM) Win-Path: C:\WINDOWS
(6/13/05 8:32:15 PM) System-Path: C:\WINDOWS\system32
(6/13/05 8:32:15 PM) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(6/13/05 8:32:23 PM) Disinfection started
(6/13/05 8:32:23 PM) Bad-Dll(IEP): (not found)
(6/13/05 8:32:23 PM) Bad-Dll(IEP) in BHO: (not found)
(6/13/05 8:32:23 PM) UBF: 4 - UBB: 3 - UBR: 19
(6/13/05 8:32:23 PM) UBF: 4 - UBB: 3 - UBR: 19
(6/13/05 8:32:23 PM) Bad IE-pages: (none)
(6/13/05 8:32:23 PM) Stealth-String not found
(6/13/05 8:32:23 PM) Not infected->END
Ad-Aware SE
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 13, 2005 9:12:00 PM
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
ImIServer IEPlugin(TAC index:5):1 total references
MRU List(TAC index:0):6 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects
6-13-2005 9:12:00 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\User\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 436
ThreadCreationTime : 6-13-2005 11:06:08 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 6-13-2005 11:06:09 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 564
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 576
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 780
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 844
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 868
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 4, 2, 14, 0
ProductVersion : 4, 2, 14, 0
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1040
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1220
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1324
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:13 [kbd.exe]
FilePath : C:\HP\KBD\
ProcessID : 1396
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : High
#:14 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ProcessID : 1412
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPW32.EXE
#:15 [s3tray2.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1488
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 1.00.19-0113
ProductVersion : 1.00.19-0113
ProductName : S3 Graphics Utilities
CompanyName : S3 Graphics, Inc.
FileDescription : s3contrl
InternalName : s3contrl
LegalCopyright : Copyright © 2001-2003 S3 S3 Graphics, Inc.
LegalTrademarks : S3 is a registered trademark of S3 Incorporated
OriginalFilename : s3contrl.exe
#:16 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1496
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 4, 2, 14, 0
ProductVersion : 4, 2, 14, 0
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe
#:17 [msgplus.exe]
FilePath : C:\Program Files\MessengerPlus! 3\
ProcessID : 1508
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
#:18 [mssysmgr.exe]
FilePath : C:\PROGRA~1\Ahead\Ahead\data\Xtras\
ProcessID : 1536
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
#:19 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1556
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:20 [swdoctor.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 1576
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : Normal
FileVersion : 3.2.1.359
ProductVersion : 3.1
ProductName : Spyware Doctor
CompanyName : PCTools
FileDescription : Spyware Doctor
InternalName : Spyware Doctor
LegalCopyright : Copyright © 2004. Distributed by PC Tools Pty Ltd
OriginalFilename : swdr.exe
#:21 [ad-watch.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 1588
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : High
FileVersion : 3.1.2.17
ProductVersion : 3.2
ProductName : Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Watch System Protector
InternalName : Ad-Watch.exe
LegalCopyright : 1999-2004 Team Lavasoft
OriginalFilename : Ad-Watch.exe
#:22 [webshots.scr]
FilePath : C:\Program Files\Webshots\
ProcessID : 1608
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : Normal
FileVersion : 2.2.0.4644
ProductVersion : 2.2.0.4644
ProductName : The Webshots Desktop
CompanyName : Webshots.com
FileDescription : Webshots Photo Manager
InternalName : Webshots2
LegalCopyright : Copyright © 2004
OriginalFilename : Webshots2.SCR
#:23 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 348
ThreadCreationTime : 6-13-2005 11:06:23 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
#:24 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 360
ThreadCreationTime : 6-13-2005 11:06:23 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe
#:25 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 420
ThreadCreationTime : 6-13-2005 11:06:24 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe
#:26 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 456
ThreadCreationTime : 6-13-2005 11:06:24 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE
#:27 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 904
ThreadCreationTime : 6-13-2005 11:06:29 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:28 [symwsc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
ProcessID : 1748
ThreadCreationTime : 6-13-2005 11:06:29 PM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
LegalCopyright : Copyright © 1997-2004 Symantec Corporation
OriginalFilename : SymWSC.exe
#:29 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2560
ThreadCreationTime : 6-13-2005 11:07:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:30 [securitysuite.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 3128
ThreadCreationTime : 6-14-2005 12:29:04 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 101
ProductVersion : 3, 0, 0, 101
ProductName : ewido security suite
CompanyName : ewido networks
FileDescription : security suite
InternalName : GuiLoader
LegalCopyright : © 2003 ewido networks
OriginalFilename : SecuritySuite.exe
#:31 [opera.exe]
FilePath : C:\Program Files\Opera7\
ProcessID : 2524
ThreadCreationTime : 6-14-2005 12:36:22 AM
BasePriority : Normal
FileVersion : 3227
ProductVersion : 7.23
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2003
OriginalFilename : Opera.exe
#:32 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 1380
ThreadCreationTime : 6-14-2005 12:52:54 AM
BasePriority : Normal
FileVersion : 7.0.0813
ProductVersion : 7.0.0813
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe
#:33 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 2936
ThreadCreationTime : 6-14-2005 1:09:36 AM
BasePriority : Normal
FileVersion : 6.2.0.238
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 7
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantwebsearch.drsnsrch.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-507921405-1004336348-839522115-1004\Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-507921405-1004336348-839522115-1004\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 11
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2 Object Recognized!
Type : File
Data : A0017768.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP75\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll
ImIServer IEPlugin Object Recognized!
Type : File
Data : A0017769.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP75\
FileVersion : 1, 0, 8, 1
ProductVersion : 1, 0, 8, 1
ProductName : wbho Module
FileDescription : wbho Module
InternalName : wbho
LegalCopyright : Copyright 2004
OriginalFilename : wbho.DLL
VX2 Object Recognized!
Type : File
Data : A0017881.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP77\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14
Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 15
9:24:29 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:29.62
Objects scanned:138254
Objects identified:9
Objects ignored:0
New critical objects:9
Spyware Doctor
Spyware Doctor Activity Report
Generated on 6/13/2005 7:06:17 PM
Scans (basic information only):
Scan Results:
scan start: 6/13/2005 7:15:25 PM
scan stop: 6/13/2005 7:15:51 PM
scanned items: 18420
found items: 19
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name    Location    Risk
Transponder.Bolger    multiple    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##UninstallString    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##DisplayName    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##URLInfoAbout    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Publisher    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##HelpLink    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Contact    High
Known Bad Sites    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Trojan.Drsnsrch    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Common Components Unrelated    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}    Medium
Common Components Unrelated    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}\iexplore    Medium
Scan Results:
scan start: 6/13/2005 7:16:20 PM
scan stop: 6/13/2005 7:16:25 PM
scanned items: 935
found items: 1
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name    Location    Risk
Transponder.Bolger    multiple    High
Scan Results:
scan start: 6/13/2005 7:17:06 PM
scan stop: 6/13/2005 7:35:16 PM
scanned items: 74893
found items: 9
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name    Location    Risk
Transponder.Bolger    multiple    High
Known Bad Sites    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Trojan.Drsnsrch    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Scan Results:
scan start: 6/13/2005 7:37:12 PM
scan stop: 6/13/2005 7:54:17 PM
scanned items: 75003
found items: 9
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name    Location    Risk
Transponder.Bolger    multiple    High
Known Bad Sites    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Trojan.Drsnsrch    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
I hope this helps...