
having a horrible time with spyware



#1
Jester143

Before writing out my problem, I went through one of the posts on the board which seemed to have the help I needed... http://www.geekstogo...elp-t31773.html

I ran into several problems right from the start. I downloaded all the tools suggested there, and attempted to follow the instructions. The first problem I ran into was that my Windows XP refused to boot up in safe mode. I hit F8, as instructed, and get to the window to choose safe mode, but when I pick it, I end up right back in the same window, requesting which mode to boot up in. The only thing it would allow was to boot up XP normally.

Undeterred, I thought following the rest of the instructions would at least not hurt, and might help. I've run Ewido, Spyware Doctor, Ad-Aware, Hi-jack This, SPSeHjFix, and all the others that were suggested, in the order instructed.

While some logs come back as clean, Ad-Aware and Spyware Doctor always come back with the exact same infections every time they are run.

I have included the logs to various scans at the end of this... ANY help you may have to impart to me would be so appreciated that I would name my firstborn after the genius who helps me.~S~

Hope this isn't too much info to post....



Hi-Jack This

Logfile of HijackThis v1.99.1
Scan saved at 8:30:28 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Documents and Settings\User\Desktop\Dave's junk\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdxdqcnoe...DCGR_3trbU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [bvsgfe] C:\WINDOWS\System32\bvsgfe.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [mnmlast] c:\windows\system32\mvzays.exe r
O4 - HKLM\..\Run: [gpqiqj] c:\windows\system32\egtrxef.exe r
O4 - HKLM\..\Run: [jevwnlb] c:\windows\system32\zftapwm.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Seekbind] C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115385097841
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://sympatico.zon...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


SPSeHjFix

(6/13/05 4:54:23 PM) SPSeHjFix started v1.1.2
(6/13/05 4:54:23 PM) OS: WinXP Service Pack 2 (5.1.2600)
(6/13/05 4:54:23 PM) Language: english
(6/13/05 4:54:23 PM) Win-Path: C:\WINDOWS
(6/13/05 4:54:23 PM) System-Path: C:\WINDOWS\system32
(6/13/05 4:54:23 PM) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(6/13/05 4:54:40 PM) Disinfection started
(6/13/05 4:54:40 PM) Bad-Dll(IEP): (not found)
(6/13/05 4:54:40 PM) Bad-Dll(IEP) in BHO: (not found)
(6/13/05 4:54:40 PM) UBF: 4 - UBB: 6 - UBR: 19
(6/13/05 4:54:40 PM) UBF: 4 - UBB: 6 - UBR: 19
(6/13/05 4:54:40 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(6/13/05 4:54:40 PM) Stealth-String not found
(6/13/05 4:54:40 PM) Not infected->END


(6/13/05 8:32:15 PM) SPSeHjFix started v1.1.2
(6/13/05 8:32:15 PM) OS: WinXP Service Pack 2 (5.1.2600)
(6/13/05 8:32:15 PM) Language: english
(6/13/05 8:32:15 PM) Win-Path: C:\WINDOWS
(6/13/05 8:32:15 PM) System-Path: C:\WINDOWS\system32
(6/13/05 8:32:15 PM) Temp-Path: C:\DOCUME~1\User\LOCALS~1\Temp\
(6/13/05 8:32:23 PM) Disinfection started
(6/13/05 8:32:23 PM) Bad-Dll(IEP): (not found)
(6/13/05 8:32:23 PM) Bad-Dll(IEP) in BHO: (not found)
(6/13/05 8:32:23 PM) UBF: 4 - UBB: 3 - UBR: 19
(6/13/05 8:32:23 PM) UBF: 4 - UBB: 3 - UBR: 19
(6/13/05 8:32:23 PM) Bad IE-pages: (none)
(6/13/05 8:32:23 PM) Stealth-String not found
(6/13/05 8:32:23 PM) Not infected->END



Ad-Aware SE


Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 13, 2005 9:12:00 PM
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
ImIServer IEPlugin(TAC index:5):1 total references
MRU List(TAC index:0):6 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


6-13-2005 9:12:00 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\User\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-507921405-1004336348-839522115-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 436
ThreadCreationTime : 6-13-2005 11:06:08 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 6-13-2005 11:06:09 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 564
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 576
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 6-13-2005 11:06:10 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 780
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 844
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 868
ThreadCreationTime : 6-13-2005 11:06:11 PM
BasePriority : Normal
FileVersion : 4, 2, 14, 0
ProductVersion : 4, 2, 14, 0
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1040
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1220
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1324
ThreadCreationTime : 6-13-2005 11:06:12 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [kbd.exe]
FilePath : C:\HP\KBD\
ProcessID : 1396
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : High


#:14 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ProcessID : 1412
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPW32.EXE

#:15 [s3tray2.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1488
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 1.00.19-0113
ProductVersion : 1.00.19-0113
ProductName : S3 Graphics Utilities
CompanyName : S3 Graphics, Inc.
FileDescription : s3contrl
InternalName : s3contrl
LegalCopyright : Copyright © 2001-2003 S3 S3 Graphics, Inc.
LegalTrademarks : S3 is a registered trademark of S3 Incorporated
OriginalFilename : s3contrl.exe

#:16 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1496
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 4, 2, 14, 0
ProductVersion : 4, 2, 14, 0
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe

#:17 [msgplus.exe]
FilePath : C:\Program Files\MessengerPlus! 3\
ProcessID : 1508
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal


#:18 [mssysmgr.exe]
FilePath : C:\PROGRA~1\Ahead\Ahead\data\Xtras\
ProcessID : 1536
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal


#:19 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1556
ThreadCreationTime : 6-13-2005 11:06:13 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:20 [swdoctor.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 1576
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : Normal
FileVersion : 3.2.1.359
ProductVersion : 3.1
ProductName : Spyware Doctor
CompanyName : PCTools
FileDescription : Spyware Doctor
InternalName : Spyware Doctor
LegalCopyright : Copyright © 2004. Distributed by PC Tools Pty Ltd
OriginalFilename : swdr.exe

#:21 [ad-watch.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 1588
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : High
FileVersion : 3.1.2.17
ProductVersion : 3.2
ProductName : Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Watch System Protector
InternalName : Ad-Watch.exe
LegalCopyright : 1999-2004 Team Lavasoft
OriginalFilename : Ad-Watch.exe

#:22 [webshots.scr]
FilePath : C:\Program Files\Webshots\
ProcessID : 1608
ThreadCreationTime : 6-13-2005 11:06:14 PM
BasePriority : Normal
FileVersion : 2.2.0.4644
ProductVersion : 2.2.0.4644
ProductName : The Webshots Desktop
CompanyName : Webshots.com
FileDescription : Webshots Photo Manager
InternalName : Webshots2
LegalCopyright : Copyright © 2004
OriginalFilename : Webshots2.SCR

#:23 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 348
ThreadCreationTime : 6-13-2005 11:06:23 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:24 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 360
ThreadCreationTime : 6-13-2005 11:06:23 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:25 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 420
ThreadCreationTime : 6-13-2005 11:06:24 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:26 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 456
ThreadCreationTime : 6-13-2005 11:06:24 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:27 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 904
ThreadCreationTime : 6-13-2005 11:06:29 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:28 [symwsc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
ProcessID : 1748
ThreadCreationTime : 6-13-2005 11:06:29 PM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
LegalCopyright : Copyright © 1997-2004 Symantec Corporation
OriginalFilename : SymWSC.exe

#:29 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2560
ThreadCreationTime : 6-13-2005 11:07:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:30 [securitysuite.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 3128
ThreadCreationTime : 6-14-2005 12:29:04 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 101
ProductVersion : 3, 0, 0, 101
ProductName : ewido security suite
CompanyName : ewido networks
FileDescription : security suite
InternalName : GuiLoader
LegalCopyright : © 2003 ewido networks
OriginalFilename : SecuritySuite.exe

#:31 [opera.exe]
FilePath : C:\Program Files\Opera7\
ProcessID : 2524
ThreadCreationTime : 6-14-2005 12:36:22 AM
BasePriority : Normal
FileVersion : 3227
ProductVersion : 7.23
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2003
OriginalFilename : Opera.exe

#:32 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 1380
ThreadCreationTime : 6-14-2005 12:52:54 AM
BasePriority : Normal
FileVersion : 7.0.0813
ProductVersion : 7.0.0813
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:33 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 2936
ThreadCreationTime : 6-14-2005 1:09:36 AM
BasePriority : Normal
FileVersion : 6.2.0.238
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-507921405-1004336348-839522115-1004\Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-507921405-1004336348-839522115-1004\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 11


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : File
Data : A0017768.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP75\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


ImIServer IEPlugin Object Recognized!
Type : File
Data : A0017769.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP75\
FileVersion : 1, 0, 8, 1
ProductVersion : 1, 0, 8, 1
ProductName : wbho Module
FileDescription : wbho Module
InternalName : wbho
LegalCopyright : Copyright 2004
OriginalFilename : wbho.DLL


VX2 Object Recognized!
Type : File
Data : A0017881.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{D7B377E3-0BD8-4EF8-9E67-C61709F5C04D}\RP77\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 15

9:24:29 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:29.62
Objects scanned:138254
Objects identified:9
Objects ignored:0
New critical objects:9


Spyware Doctor

Spyware Doctor Activity Report
Generated on 6/13/2005 7:06:17 PM
Scans (basic information only):
Scan Results:
scan start: 6/13/2005 7:15:25 PM
scan stop: 6/13/2005 7:15:51 PM
scanned items: 18420
found items: 19
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner

Infection Name    Location    Risk
Transponder.Bolger    multiple    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##UninstallString    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##DisplayName    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##URLInfoAbout    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Publisher    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##HelpLink    High
Common Components for VX2    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1##Contact    High
Known Bad Sites    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Known Bad Sites    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Trojan.Drsnsrch    HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch    High
Trojan.Drsnsrch    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant    High
Common Components Unrelated    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}    Medium
Common Components Unrelated    HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}\iexplore    Medium
Scan Results:
scan start: 6/13/2005 7:16:20 PM
scan stop: 6/13/2005 7:16:25 PM
scanned items: 935
found items: 1
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Transponder.Bolger multiple High
Scan Results:
scan start: 6/13/2005 7:17:06 PM
scan stop: 6/13/2005 7:35:16 PM
scanned items: 74893
found items: 9
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Transponder.Bolger multiple High
Known Bad Sites HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant High
Trojan.Drsnsrch HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant High
Scan Results:
scan start: 6/13/2005 7:37:12 PM
scan stop: 6/13/2005 7:54:17 PM
scanned items: 75003
found items: 9
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Transponder.Bolger multiple High
Known Bad Sites HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch High
Known Bad Sites HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant High
Trojan.Drsnsrch HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\Main | Search Page High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main | Search Page High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | CustomizeSearch High
Trojan.Drsnsrch HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant High
Copyright © 2003-2005. Distributed by PC Tools.



I hope this helps...

#2
insipid
    Visiting Staff
I apologize for the delay getting to your log, the helpers here are very busy. If you are still having malware troubles, I will be glad to help.

You have a problem caused by installing Messenger Plus3 and agreeing to the 'sponsor software'.

To fix this you must first go to add/remove programs and uninstall "Messenger Plus 3"

If you insist on using "Messenger Plus 3" then you can reinstall it once your PC is clean, only without the "Sponsor Software"

Note: Sponsor Software = C2Media\LOP (parasite)

This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Please post a new HJT log in this thread.

#3
Jester143
    Member
  • Topic Starter
No worries. I am just glad you are here to help those who are computer illiterate like me. :tazz:

Ok, I uninstalled the Messenger Plus 3, then ran Spyware Doctor and Ad-Aware. After getting rid of the nasties, I rebooted and ran those two scans again.

Lastly, I ran HJT, as requested, and here is the log.

-Note- HJT has found Ssk.exe, but I cannot find it in a search. It has also found Nail, but again, I cannot locate it on my hard drive to delete it. Anyway, here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 12:29:21 AM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ICQ\Icq.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\sol.exe
C:\Documents and Settings\User\Desktop\Dave's junk\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdxdqcnoe...DCGR_3trbU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [bvsgfe] C:\WINDOWS\System32\bvsgfe.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [mnmlast] c:\windows\system32\mvzays.exe r
O4 - HKLM\..\Run: [gpqiqj] c:\windows\system32\egtrxef.exe r
O4 - HKLM\..\Run: [jevwnlb] c:\windows\system32\zftapwm.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Seekbind] C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115385097841
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://sympatico.zon...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4
insipid
    Visiting Staff
Jester143, are you sure you uninstalled Messenger Plus?

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download, install, and update the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)

Unzip it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:
  • Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
  • Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdxdqcnoe...DCGR_3trbU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [bvsgfe] C:\WINDOWS\System32\bvsgfe.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [mnmlast] c:\windows\system32\mvzays.exe r
O4 - HKLM\..\Run: [gpqiqj] c:\windows\system32\egtrxef.exe r
O4 - HKLM\..\Run: [jevwnlb] c:\windows\system32\zftapwm.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Seekbind] C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0002.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll


Close all open windows except for HijackThis and click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Surf Sidekick 3



Please delete these folders using Windows Explorer (if present):

C:\Program Files\SurfSideKick 3\
C:\Program Files\MessengerPlus! 3\

Please delete these files using Windows Explorer (if present):

ALCXMNTR.EXE (you will need to do a search for this file)
C:\WINDOWS\System32\bvsgfe.exe
C:\WINDOWS\system32\owa.exe
c:\windows\system32\mvzays.exe
c:\windows\system32\egtrxef.exe
c:\windows\system32\zftapwm.exe
C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe


Now, run CCleaner.
  • Uncheck "Cookies" under "Internet Explorer".
  • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0
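
The checklist in the post above only helps if the checked entries are actually gone from the next HijackThis log. As an added example (not part of the original post and not a HijackThis feature), this Python sketch compares a fix list with a later log and reports which entries persisted; the sample lines are excerpted from the logs in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "code detail")

# A HijackThis result line is "<section code> - <detail>".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Section codes used in this thread's fix list and what each one reports.
MECHANISM = {
    "R0": "Internet Explorer start/search page setting",
    "R1": "Internet Explorer start/search page setting",
    "F2": "autostart via the Shell= value",
    "O4": "Run key or Startup folder autostart",
    "O15": "Internet Explorer Trusted Zone site",
    "O16": "Downloaded Program Files (ActiveX) entry",
    "O20": "AppInit_DLLs value",
}


def parse_entries(log_text):
    """Return the result lines of a log, skipping the header and process list."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2).strip()))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare that way.
    return (entry.code, entry.detail.lower())


def compare(fix_list_text, later_log_text):
    """Split the fix list into entries still in the later log and entries gone."""
    later = {_key(e) for e in parse_entries(later_log_text)}
    persisted, cleared = [], []
    for entry in parse_entries(fix_list_text):
        (persisted if _key(entry) in later else cleared).append(entry)
    return persisted, cleared


def summarise(entries):
    """Count entries per autostart or hijack mechanism."""
    return Counter(MECHANISM.get(e.code, "other (" + e.code + ")") for e in entries)


# Excerpt of the fix list posted in this thread.
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O20 - AppInit_DLLs: MsgPlusLoader.dll
"""

# Excerpt of the log posted after the fix was attempted.
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:03:33 PM, on 6/21/2005

Running processes:
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

if __name__ == "__main__":
    persisted, cleared = compare(FIX_LIST, LATER_LOG)
    print("Still present after the fix:")
    for entry in persisted:
        print("  %s - %s" % entry)
    print("Gone:")
    for entry in cleared:
        print("  %s - %s" % entry)
    for mechanism, count in summarise(persisted).items():
        print("%d x %s" % (count, mechanism))
```

Entries that persist across a fix attempt point at something rewriting them, which is why the thread insists on running the removal in Safe Mode.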

#5
Jester143
    Member
  • Topic Starter
Ok... the first problem I encountered was that my computer absolutely refused to boot into safe mode. I press F8 and get to where the words "Safe Mode" appear in blue, but after selecting the installation and hitting enter, I get a screen that says-

We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this.

It goes on to give the option of starting in safe mode, which brings me right back to this screen, or to start Windows normally. I decided to try your instructions in normal mode and see what advice you might have after.

I was unable to find any of the following files-

C:\WINDOWS\System32\bvsgfe.exe
C:\WINDOWS\system32\owa.exe
c:\windows\system32\mvzays.exe
c:\windows\system32\egtrxef.exe
c:\windows\system32\zftapwm.exe
C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe

Thank you so much for your time and effort.


Below, you will find the logs you requested.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:27:22 PM, 6/21/2005
+ Report-Checksum: 220BF2BC

+ Date of database: 6/21/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 63013
+ Speed: 29.96 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\User\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 6:03:33 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\User\Desktop\Dave's junk\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdxdqcnoe...DCGR_3trbU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [bvsgfe] C:\WINDOWS\System32\bvsgfe.exe
O4 - HKLM\..\Run: [owa] C:\WINDOWS\system32\owa.exe
O4 - HKLM\..\Run: [mnmlast] c:\windows\system32\mvzays.exe r
O4 - HKLM\..\Run: [gpqiqj] c:\windows\system32\egtrxef.exe r
O4 - HKLM\..\Run: [jevwnlb] c:\windows\system32\zftapwm.exe r
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Seekbind] C:\DOCUME~1\User\APPLIC~1\SUPPOR~1\Boneamokarmy.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115385097841
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://sympatico.zon...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6
insipid
    Visiting Staff
Jester143, we need Safe Mode for this fix to work. Let's try it another way:

Start >> Run >> Msconfig.

Under the Boot.ini tab, place a check next to /safeboot. Click 'Ok' and you should boot to Safe Mode. Please run the fix again.

#7
Jester143
    Member
  • Topic Starter
Ok, I followed your instructions for booting into safe mode and now my computer will not boot at all.

When rebooting, I get the screen with the choices of booting into different modes-safe mode, safe mode with networking, safe mode with command prompt, last known good configuration and start Windows normally.

When making any of the choices, Windows attempts to load and a blue screen flashes- I was able to catch its content once- it says Windows is attempting to boot into safe mode- after which, I get a screen apologizing for the inconvenience, but Windows did not load properly- and it gives choices on how to boot- all of which lead back to this same window.

I spent hours trying to get it to boot in any mode with no luck- please help- got a house full of teenagers going through computer withdrawal.

#8
insipid
    Visiting Staff
I've asked for expert advice on this, it shouldn't take long to get an answer. I'll post as soon as I do.

#9
Jester143
    Member
  • Topic Starter
Thank you. I thought I might be able to boot with the Windows XP CD, but this being a Compaq, they don't supply one. I shall patiently await your reply.

#10
insipid
    Visiting Staff
Do you have a restore CD?

#11
insipid
    Visiting Staff
Hi, sorry for the wait, this is a tough problem. I see you can access the net on another computer, which is good. Please download editbini.exe from http://www.terabyteu.../utilities.html and save it to a bootable MS-DOS floppy.

To create a bootable DOS floppy (using Windows XP):

1. Place diskette in the computer.
2. Open My Computer and right click the A: drive and click Format.
3. In the Format window check Create an MS-DOS startup disk.
4. Click Start

Next, extract (unzip) editbini.zip to the floppy drive. Then boot the computer we're working on from the floppy disk (you may have to set the BIOS to do so), and follow these instructions:

1) Run the program EDITBINI.EXE.

2) Select the HD with the NTFS partition.

3) Select the NTFS partition.

4) Edit out the line that includes this string: /safeboot

5) Press F10

6) Choose yes to save the changes (if that's what you want to do).

Then try to boot normally. If you have any questions, please ask before applying this procedure.
  • 0
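
What the EDITBINI step changes in boot.ini, as an added example that is not part of the original post or of the tool: a Python sketch that removes the /safeboot switch from the [operating systems] entries. The sample file is constructed, the function names are hypothetical, and it assumes msconfig appended the switch to the boot entry in the form /safeboot:<mode>, so only the switch is removed and the entry itself is kept.

```python
import re

# msconfig records the mode as a suffix, e.g. /safeboot:minimal or /safeboot:network.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::[^\s/]+)?(?=\s|/|$)", re.IGNORECASE)


def _split_entry(line):
    """Split one [operating systems] line into (path and label, switches, line ending)."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    cut = body.rfind('"') + 1      # switches follow the closing quote of the label
    if cut == 0:
        cut = len(body)            # no quoted label: assume there are no switches to edit
    return body[:cut], body[cut:], eol


def strip_safeboot(text):
    """Return (cleaned boot.ini text, [(line number, [switches removed]), ...])."""
    out, removed, in_os = [], [], False
    for number, line in enumerate(text.splitlines(keepends=True), 1):
        stripped = line.strip()
        if stripped.startswith("["):
            # Only boot entries carry switches; leave [boot loader] untouched.
            in_os = stripped.lower() == "[operating systems]"
        elif in_os and stripped:
            head, switches, eol = _split_entry(line)
            found = [s.strip() for s in SAFEBOOT_RE.findall(switches)]
            if found:
                removed.append((number, found))
                line = head + SAFEBOOT_RE.sub("", switches) + eol
        out.append(line)
    return "".join(out), removed


# Constructed sample of a boot.ini after /safeboot was ticked in msconfig (CRLF line endings).
SAMPLE_BOOT_INI = "\r\n".join([
    "[boot loader]",
    "timeout=30",
    r"default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS",
    "[operating systems]",
    r'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" '
    r"/fastdetect /NoExecute=OptIn /safeboot:minimal",
    "",
])

if __name__ == "__main__":
    cleaned, removed = strip_safeboot(SAMPLE_BOOT_INI)
    for number, switches in removed:
        print("line %d: removed %s" % (number, ", ".join(switches)))
    print(cleaned)
```

With the switch in place every boot is forced into Safe Mode, so a machine whose Safe Mode is already broken cannot start at all; removing it restores the normal boot path.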

#12
Jester143
    Member
  • Topic Starter
The laptop I am using has Windows ME. Will the boot disc made here still work for Windows XP? Also, I wouldn't have the first clue on how to set the BIOS.... I don't even really know what those are.*L* Sorry, but a lot of times, computers really flummox me.

Nix that. I checked and Windows ME does not have the option to create a boot disc when formatting. I shall see if I can use a university computer or something to create the disc. I would still like to know about those BIOS things.

Edited by Jester143, 28 June 2005 - 12:00 AM.


#13
insipid
    Visiting Staff
Jester143, go here and download a Windows 98SE OEM bootdisk: http://www.bootdisk.com/bootdisk.htm. This program only runs under DOS and Windows 9x anyway.

It's likely your computer is already set to boot from floppy, try that first. If it doesn't work, then check in the BIOS.


You can access your BIOS by pressing a certain key (usually F1 or Del) when your computer starts to boot up, right after the first beep. There should be a message on the screen telling you which key it is.

Once in BIOS, look under 'BIOS Features' for 'Boot Sequence' and make sure Drive A is listed first. There are instructions for navigating the fields and changing values in the BIOS itself.

After that, boot from the floppy and run EDITBINI.EXE with the instructions above.

#14
Jester143
    Member
  • Topic Starter
Insipid, you are now officially my patron saint of computers. I am out of the boot-loop thanks to editbini.exe and finally running again. Four teenage daughters rejoice and sing your praises.

Trouble is... I still cannot seem to boot into safe mode, so the original problem remains. Should I just knuckle down and buy a Windows XP disc and reformat my hard drive or something?

#15
insipid
    Visiting Staff
No, don't even say the f-word--'format' :tazz:. And I've only asked one user to actually spend money, don't do that either, if you can help it. That being said, I wouldn't want to live without an install disk for my Operating System. You will need it sooner or later.

Please post a fresh HJT log and we'll work with what we have. In the meantime, I'll research the problem with Safe Mode.