
HJT log for a comp. infected with VX2 and ABI network.


14 replies to this topic

#1 dongottiex


Posted 02 July 2005 - 04:48 PM

Hey anyone who can help,
I haven't posted in a while because everything has been running smoothly, however just yesterday I got hit with a bunch of spyware that I can't seem to get rid of. I have a program in my add/remove list which says it's from 'The ABI Network' and it won't allow me to delete it. Since I've noticed this I have been unable to complete a full scan with either Ad-aware or Spyware Doctor. The ad-aware freezes up and SD gets to about 93% then says it encountered an error and then stops completely. Additionally, my computer has frozen up when it never used to and also it is running very slowly. I was able to remove some obvious malware through my HJT but I would like to get some further help since I still have issues with the ABI program. I don't want to remove anything I shouldn't so I thought someone here could help me out. Your response to my last problem a few months ago was great and I fixed everything but I require some assistance once again. Here is my logfile for HJT.
THANK YOU


Logfile of HijackThis v1.99.1
Scan saved at 5:23:21 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\windows\system32\hrtptsj.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [bjcxcya] c:\windows\system32\hrtptsj.exe r
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AF1A3-D3F8-426E-BDFE-D602E819E677}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O18 - Filter: text/html - {9DB880DC-ECB5-4240-A812-2046B27C9B74} - blank
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


 


#2 SifuMike


Posted 02 July 2005 - 10:25 PM

Hello dongottiex,

"The ad-aware freezes up and SD gets to about 93% then says it encountered an error and then stops completely"


Try running Spybot and Adaware SE in the Safe Mode.

Are you running the latest versions of those? They were both updated last month.
You should be running Adaware SE ver. 1.06r1 and Spybot 1.4.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.




Be sure to run Adaware SE with a Full Scan in the Safe Mode.




The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 dongottiex


Posted 05 July 2005 - 09:09 PM

I attempted to run Adaware and Spyware Doctor in safe mode and I got the same results as before. The adaware locked up while scanning my temp files, and the Spyware Doctor gets the following message:
'Error in dll.Scan_Start:Access violation at address 00B9596B. Read of address 6F635155'
After clicking out of this error window I am able to fix/remove the files SD found before it got the error; however, I am unable to complete a full scan on either removal program. McAfee virus scan found 9 corrupt files, most of which were a part of 'abetterinternet'. I had McAfee take care of what it found then ran HJT in safe mode. Here is my logfile. Any help/advice will be much appreciated. Thank you for your time, and keep up the great work you guys are doing here in this forum.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:43 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mljuzrh] c:\windows\system32\ffzilz.exe r
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AF1A3-D3F8-426E-BDFE-D602E819E677}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O18 - Filter: text/html - {9DB880DC-ECB5-4240-A812-2046B27C9B74} - blank
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#4 SifuMike


Posted 05 July 2005 - 09:20 PM

Hello dongottiex,

Let's try some other scanners; they may do a complete scan of your system. :thumbsup:

"SD gets to about 93% then says it encountered an error and then stops completely."


Are you sure it is stopped and not still scanning? It may be it is just scanning some big files.
Let it run a few minutes to see if it continues with the scan.

*****************************************

Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to. Save the log file by clicking on "Save HTML-Report".

*****************************************

I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner (Beta)
or
Panda Scan Online virus scanner

Let it fix whatever it finds. Tell me the names and locations of the files it cannot delete.

*****************************************

The Hijackthis log you submitted was done in the Safe Mode, and does not show all the running processes.

Please boot to the Normal Mode and submit a fresh log.

Edited by SifuMike, 05 July 2005 - 09:59 PM.


#5 dongottiex


Posted 06 July 2005 - 01:26 AM

Thank you for your fast response and I am very grateful for your help in this matter.
I wanted to let you know that the computer that is infected is not hooked up to the internet while I am running HJT. I don't think that it matters but I wanted to let you know in case there was a reason it did. I don't want any new malware added to my system so I am accessing your site on my desktop which has no infections as opposed to my laptop which is the device in question.
Here is my new log. This is done in normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 2:03:00 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AF1A3-D3F8-426E-BDFE-D602E819E677}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Also, the Ad-Aware just freezes and I let it go for an hour to no avail in case it was still running but scanning a big file like you suggested. The Spyware Doctor runs for a little and then I receive the error message I posted earlier and then it stops itself. No big files to cause lag, it just ends the scan prematurely. Once again, thanks in advance for your help.

#6 SifuMike


Posted 06 July 2005 - 01:23 PM

Before I proceed any further, I want you to go to the Internet and do these two scans.

Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to. Save the log file by clicking on "Save HTML-Report".

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the
Trend Micro Housecall Online virus scanner (Beta)
or
Panda Scan Online virus scanner

Let it fix what it finds. If it cannot delete a file, let me know the name and location.

***************************************************

"the Ad-Aware just freezes and I let it go for an hour to no avail in case it was still running but scanning a big file like you suggested."



Since you said Ad-aware freezes, I asked you to let Spybot run a longer time and see if it completes. It sometimes takes a long time analyzing several big files.

Please post the logs from your last Spybot 1.4 scan, as it may tell me why you are having a problem.

You can get the log by opening Spybot 1.4> select Mode> Advanced > Tools> View Report> copy and paste the report to your reply.

BTW, are you running the latest version of Adaware and Spybot? You should be running Adaware SE 1.06.r1 and Spybot 1.4


After you have done the above, please post a new Hijackthis log.

#7 dongottiex


Posted 06 July 2005 - 05:40 PM

Panda Scan Log:

Incident | Status | Location
Adware:Adware/SaveNow | No disinfected | Windows Registry
Adware:Adware/Transponder | No disinfected | C:\DOCUME~1\ME\LOCALS~1\Temp\DrTemp
Spyware:Spyware/BetterInet | No disinfected | C:\Documents and Settings\ME\Local Settings\Temp\D2976\abiuninst.exe
Virus:Trj/Downloader.BFR | Disinfected | C:\Program Files\Internet Explorer\wa.exe
Adware:Adware/Transponder | No disinfected | C:\WINDOWS\system32\ffzilz.exe
Adware:Adware/Transponder | No disinfected | C:\WINDOWS\system32\hyvlpmk.exe

Does 'no disinfected' mean it didn't clean it?
The Spybot log I got from 'view log' was massive and I did not know if you wanted everything or just what it found on the last scan, so here is what it found on the last scan:
Just two problems. One was an advertising toolbar and the other was associated with Opera (my now default browser).

Both Spybot and Ad-Aware are up to date versions.


Here is my most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:35 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Opera\Opera.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AF1A3-D3F8-426E-BDFE-D602E819E677}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#8 SifuMike


Posted 06 July 2005 - 05:41 PM

Please post the log from your Spybot 1.4 last scan, as it may tell me why you are having a problem.
Need to see everything, but just the top 50 lines or so and it may tell something about the errors you are receiving.

Edited by SifuMike, 06 July 2005 - 06:08 PM.


#9 dongottiex


Posted 06 July 2005 - 06:56 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:40:27 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



When I turned the computer back on after doing everything from before, I got a mscifapp.exe - Application Error window that said the following:
"The instruction out '0x0058342a' referenced memory @ '0x005c0ac8'. The memory could not be 'read'. Click OK to terminate the program. Click Cancel to debug the program."

I was unable to do anything when I clicked X to close the window and just ignore it, and clicking both 'OK' and 'cancel' resulted in nothing happening as well. The window is still open. I was able to get it closed twice by going into task manager and ending the running process, but another one just popped up in a few seconds. Also I noticed a large number of running processes in my task manager. 68 to be exact. A majority of which were the same mscifapp.exe Network Service. The HJT log shows them as well. I don't know what happened. Thank you for everything you have done so far. I'm sure you'll be able to help me with this too.

I will next be posting my Spybot log since it is way too long.

#10 dongottiex


Posted 06 July 2005 - 06:58 PM

Spybot log up to right before -Uninstall List-


--- Search result list ---


--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB883939
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB890923
/ Outlook Express 6 / SP1: Windows XP Hotfix - KB897715
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833987
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB837001
/ Windows XP / SP2: Windows XP Hotfix - KB838989
/ Windows XP / SP2: Windows XP Hotfix - KB839645
/ Windows XP / SP2: Windows XP Hotfix - KB840315
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB840987
/ Windows XP / SP2: Windows XP Hotfix - KB841356
/ Windows XP / SP2: Windows XP Hotfix - KB841533
/ Windows XP / SP2: Windows XP Hotfix - KB841873
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix - KB871250
/ Windows XP / SP2: Windows XP Hotfix - KB873376
/ Windows XP / SP2: Windows XP Hotfix - KB891711
/ Windows XP / SP2: Security Update for Windows XP (KB896426)
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328213
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329048
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329909
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811789
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q813862
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815485
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816981
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q816982
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)


--- Startup entries list ---
Located: HK_LM:Run, ATIModeChange
command: Ati2mdxx.exe
file: C:\WINDOWS\system32\Ati2mdxx.exe
size: 28672
MD5: fae95d6d7651b5629c4e19adbc9a3863

Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 71d3ad3edc01508db4819355fb28e434

Located: HK_LM:Run, Dell QuickSet
command: C:\Program Files\Dell\QuickSet\quickset.exe
file: C:\Program Files\Dell\QuickSet\quickset.exe
size: 610304
MD5: 9a8198476b752dc0a9bad943a5ee6525

Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 278528
MD5: c9a041d6e5211ca48aeba3ac1987d837

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
file: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
size: 180224
MD5: c7d0c96ad30cfafc37f621c75fad6252

Located: HK_LM:Run, MPFExe
command: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
file: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 950272
MD5: c14da446ebbd90e15fb617bc70e0ebd8

Located: HK_LM:Run, MPSExe
command: c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
file: c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628fdd432a743ca18025ecb11bba9b

Located: HK_LM:Run, MSKAGENTEXE
command: C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
file: C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
size: 126976
MD5: e1f528147ab89cbce6595e361be99efa

Located: HK_LM:Run, MSKDetectorExe
command: C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
file: C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
size: 1111040
MD5: bae1b6bbe248ffa7f11b82329e40237d

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, SpySweeper
command: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
file: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3073536
MD5: 2e0fe2bb1db0fdcb8a64790a3a57bdf4

Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 196608
MD5: 944982c9b57c8bcc58f4001a62cd503f

Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 143360
MD5: d527afe3bed159802f84fee4118b995a

Located: HK_CU:Run, Creative Detector
command: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
file:

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 414de7cf9d3f19c3ea902f1bb38ec116

Located: HK_CU:Run, MSKAGENTEXE
command: C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
file: C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
size: 126976
MD5: e1f528147ab89cbce6595e361be99efa

Located: HK_CU:Run, PopUpStopperFreeEdition
command: "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
file: C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
size: 524288
MD5: e436db5d972bdbb83aed402f9024602e

Located: HK_CU:Run, Spyware Doctor
command: "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
file: C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1466368
MD5: 2cfefa6afbdb3d0bd760514f539277aa

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 2/12/2005 2:26:42 PM
Date (last access): 7/6/2005 7:17:56 PM
Date (last write): 3/2/2001 1:02:04 PM
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1

{227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
BHO name:
CLSID name: McBrwHelper Class
description: McAfee's Privacy Service
classification: Legitimate
known filename: mcbrhlpr.dll
info link: http://www.mcafee.com/myapps/mps/default.asp
info source: TonyKlein
Path: c:\PROGRA~1\mcafee.com\mps\
Long name: McBrHlpr.dll
Short name:
Date (created): 6/13/2005 6:33:30 PM
Date (last access): 7/6/2005 7:17:56 PM
Date (last write): 5/24/2005 4:52:20 PM
Filesize: 147456
Attributes: archive
MD5: 02C34A872CD9B2703925B607F0C19CDA
CRC32: 81C80F94
Version: 7.1.1.46

{3EC8255F-E043-4cae-8B3B-B191550C2A22} (McAfee PopupKiller)
BHO name: McAfee PopupKiller
CLSID name: McAfee Privacy Service Popup Blocker
Path: c:\program files\mcafee.com\mps\
Long name: PopupKiller.dll
Short name: POPUPK~1.DLL
Date (created): 6/13/2005 6:33:32 PM
Date (last access): 7/6/2005 7:17:56 PM
Date (last write): 5/24/2005 4:51:46 PM
Filesize: 126976
Attributes: archive
MD5: 6A070A5A8D0DDA507E2DD685546EB48B
CRC32: 114419E8
Version: 7.1.1.46

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 7/1/2005 5:30:42 PM
Date (last access): 7/6/2005 7:17:56 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
BHO name:
CLSID name: PCTools Site Guard
Path: C:\PROGRA~1\SPYWAR~1\tools\
Long name: iesdsg.dll
Short name:
Date (created): 12/20/2004 12:38:38 PM
Date (last access): 7/6/2005 7:39:34 PM
Date (last write): 12/20/2004 12:38:38 PM
Filesize: 272384
Attributes: archive
MD5: BD4D7FEEA076DA052CEE6797B380D19D
CRC32: 87FF8B90

{B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
BHO name:
CLSID name: PCTools Browser Monitor
Path: C:\PROGRA~1\SPYWAR~1\tools\
Long name: iesdpb.dll
Short name:
Date (created): 1/21/2005 2:32:54 PM
Date (last access): 7/6/2005 7:39:34 PM
Date (last write): 1/21/2005 2:32:54 PM
Filesize: 330752
Attributes: archive
MD5: 3B7CB997EFA322BEDB5ECC61EA5DD918
CRC32: B5648085
Version: 3.0.0.237



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://www.pandasoftware.com/activescan/as5/asinst.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 4/11/2005 12:20:22 PM
Date (last access): 7/6/2005 5:53:30 PM
Date (last write): 4/11/2005 12:20:22 PM
Filesize: 118784
Attributes: archive
MD5: 36259D36E842FCF12B3D2F3766E7529F
CRC32: F62E6268
Version: 57.6.0.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 380 ( 4) \SystemRoot\System32\smss.exe
PID: 436 ( 380) \??\C:\WINDOWS\system32\csrss.exe
PID: 472 ( 380) \??\C:\WINDOWS\system32\winlogon.exe
PID: 836 ( 472) C:\WINDOWS\system32\services.exe
size: 101376
MD5: E3DF4A0252D287C44606EE55355E1623
PID: 848 ( 472) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: B2B6BA905D0E3F8A32A0EB3B4051807B
PID: 1020 ( 836) C:\WINDOWS\System32\Ati2evxx.exe
size: 323584
MD5: D38BD6065EEC1F6EAF98CD853F482388
PID: 1048 ( 836) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1112 ( 836) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1344 ( 836) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1368 ( 836) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 1644 ( 836) C:\WINDOWS\system32\spoolsv.exe
size: 51200
MD5: 9B4155BA58192D4073082B8FC5D42612
PID: 1744 ( 836) C:\WINDOWS\System32\CTsvcCDA.EXE
size: 44032
MD5: 3C8B6609712F4FF78E521F6DCFC4032B
PID: 1776 ( 836) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
size: 131072
MD5: D40357F1BA41905355B599228357495D
PID: 1800 ( 836) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 1816 ( 836) C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
size: 552960
MD5: 1D9206BF3F60E6F6A4811A3FF5FA1240
PID: 1844 ( 836) C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
size: 956928
MD5: 615B8879E69A644B788DB09F26D67D2B
PID: 1988 ( 836) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: 0F7D9C87B0CE1FA520473119752C6F79
PID: 2004 ( 836) C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
size: 1706496
MD5: 8C4160B52E28C75042F5A9ADAC0D2556
PID: 204 ( 836) C:\WINDOWS\System32\wdfmgr.exe
size: 38912
MD5: C81B8635DEE0D3EF5F64B3DD643023A5
PID: 296 ( 836) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
size: 225401
MD5: 269DFC7D130AD858F2A4B71319FDCFC5
PID: 1792 ( 472) C:\WINDOWS\system32\Ati2evxx.exe
size: 323584
MD5: D38BD6065EEC1F6EAF98CD853F482388
PID: 148 (1920) C:\WINDOWS\Explorer.EXE
size: 1004032
MD5: A82B28BFC2E4455FE43022A498C0EF0A
PID: 616 ( 148) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 71D3AD3EDC01508DB4819355FB28E434
PID: 660 ( 148) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 196608
MD5: 944982C9B57C8BCC58F4001A62CD503F
PID: 700 ( 660) c:\program files\mcafee.com\agent\mcagent.exe
size: 278528
MD5: C9A041D6E5211CA48AEBA3AC1987D837
PID: 708 ( 660) c:\progra~1\mcafee.com\vso\mcvsescn.exe
size: 471097
MD5: C9AE1C7570883EED7F6F81B7AC9ECFF7
PID: 776 ( 148) C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 956 ( 148) C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
size: 126976
MD5: E1F528147AB89CBCE6595E361BE99EFA
PID: 1392 ( 148) C:\Program Files\Dell\QuickSet\quickset.exe
size: 610304
MD5: 9A8198476B752DC0A9BAD943A5EE6525
PID: 1208 ( 148) C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 950272
MD5: C14DA446EBBD90E15FB617BC70E0EBD8
PID: 1200 ( 148) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3073536
MD5: 2E0FE2BB1DB0FDCB8A64790A3A57BDF4
PID: 1528 ( 148) C:\Program Files\Spyware Doctor\swdoctor.exe
size: 1466368
MD5: 2CFEFA6AFBDB3D0BD760514F539277AA
PID: 1380 ( 148) C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
size: 524288
MD5: E436DB5D972BDBB83AED402F9024602E
PID: 1580 ( 148) C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
size: 98304
MD5: 9311B87ADC091DC4DDD027EEB7C00176
PID: 2064 ( 148) C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: 414DE7CF9D3F19C3EA902F1BB38EC116
PID: 2436 (1048) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
size: 495616
MD5: D775AB6EE4BC657ADF0F7C90C5FC282D
PID: 2876 (1048) C:\WINDOWS\System32\wbem\wmiprvse.exe
size: 203776
MD5: C9EDBB99823E767C5B366A212A45D2B1
PID: 3524 (1048) C:\WINDOWS\System32\wbem\wmiprvse.exe
size: 203776
MD5: C9EDBB99823E767C5B366A212A45D2B1
PID: 608 (1112) C:\WINDOWS\System32\wuauclt.exe
size: 124184
MD5: EBF1AB7E4FC05CABF2F4680D2A45F827
PID: 3132 ( 148) C:\Program Files\Opera\Opera.exe
size: 78336
MD5: ABA9A95C0E3A44F1B2BAEEC6B4E8C36B
PID: 2732 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3712 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 676 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1460 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2364 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3760 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3784 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3800 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3808 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3836 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3832 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3912 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3924 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3504 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3968 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3976 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 600 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1920 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1488 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3356 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2384 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2168 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2408 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1248 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1328 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1864 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1676 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3888 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3668 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2940 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2524 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1388 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2552 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2564 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3488 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2600 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2496 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2608 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3056 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1576 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2644 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3416 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2704 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3408 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2856 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2680 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3380 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2676 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2668 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2720 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3428 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3424 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2656 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 1184 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2424 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3236 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2332 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2788 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2792 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2784 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 892 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2080 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3936 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3696 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3628 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3212 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2396 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2360 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 2468 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 652 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3192 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 4060 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3848 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3796 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 3776 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 274432
MD5: 84628FDD432A743CA18025ECB11BBA9B
PID: 796 ( 148) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 7/6/2005 7:55:55 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MC_LAYERED MSAFD Tcpip [TCP/IP]
GUID: {4B97D3FD-3836-41BF-AA17-B975D2D68B83}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 1: MC_LAYERED MSAFD Tcpip [UDP/IP]
GUID: {DD009EAC-4016-4C3F-8A8E-7C699D01499B}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 2: MC_LAYERED MSAFD Tcpip [RAW/IP]
GUID: {DEBAC861-8F7A-4E33-A167-25499D05AF00}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 3: MC_LAYERED RSVP UDP Service Provider
GUID: {14A83498-B3E0-4F05-BE2A-89DB717EEAA1}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 4: MC_LAYERED RSVP TCP Service Provider
GUID: {4AC6340D-BBAA-4231-84EA-42A21BBFE095}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 5: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}] SEQPACKET 4
GUID: {8D4F89D8-A936-48C4-9465-51043B4F4EB2}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 6: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}] DATAGRAM 4
GUID: {507A918B-2688-42A4-804A-26F7D7F8558B}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 7: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{B76AF1A3-D3F8-426E-BDFE-D602E819E677}] SEQPACKET 3
GUID: {9BCB7C36-C398-4825-AD7C-43EA21843E2B}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 8: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{B76AF1A3-D3F8-426E-BDFE-D602E819E677}] DATAGRAM 3
GUID: {15BA7D0E-775A-44FE-B8BD-D4F528E6B578}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 9: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EA06333-4646-42EE-BABE-716F7D29B2B0}] SEQPACKET 0
GUID: {930043ED-6FB3-41A9-818E-05E3EFC4E958}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 10: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EA06333-4646-42EE-BABE-716F7D29B2B0}] DATAGRAM 0
GUID: {E7014FF7-325E-4E89-975D-26C2FE66A7A5}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 11: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{54E6728C-7FBE-4813-9180-6DEE11878796}] SEQPACKET 1
GUID: {8B9ABD90-F292-4F6F-9B07-632388D47B15}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 12: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{54E6728C-7FBE-4813-9180-6DEE11878796}] DATAGRAM 1
GUID: {EA775D87-E55F-42CE-B0A4-0FBF3AFA9EA4}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 13: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1382A90-83F0-483D-8FFA-93F73BAA8345}] SEQPACKET 2
GUID: {D2D9B92A-3919-4DAD-91E9-889B19B6A79C}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 14: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1382A90-83F0-483D-8FFA-93F73BAA8345}] DATAGRAM 2
GUID: {78768FD9-615B-4EFA-8484-1616CCA42E39}
Filename: C:\WINDOWS\System32\mclsp.dll

Protocol 15: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 16: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 17: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 18: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 19: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B76AF1A3-D3F8-426E-BDFE-D602E819E677}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B76AF1A3-D3F8-426E-BDFE-D602E819E677}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EA06333-4646-42EE-BABE-716F7D29B2B0}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2EA06333-4646-42EE-BABE-716F7D29B2B0}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{54E6728C-7FBE-4813-9180-6DEE11878796}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{54E6728C-7FBE-4813-9180-6DEE11878796}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1382A90-83F0-483D-8FFA-93F73BAA8345}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1382A90-83F0-483D-8FFA-93F73BAA8345}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 30: McAfee.com Layered Provider
GUID: {BEAA9090-2D12-11D4-9B80-00C04FF40D52}
Filename: C:\WINDOWS\System32\mclsp.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

#11 dongottiex

dongottiex
  • Topic Starter

Posted 06 July 2005 - 06:59 PM

disregard this post

Edited by dongottiex, 06 July 2005 - 07:02 PM.


#12 SifuMike

SifuMike

    malware expert

Posted 06 July 2005 - 09:20 PM

Hello dongottiex,

When I turned the computer back on after doing everything from before I got a mscifapp.exe - Application Error window that said the following:
"The instruction out '0x0058342a' referenced memory @ '0x005c0ac8'. The memory could not be 'read'. Click OK to terminate the program Click Cancel to debug the program."

I was unable to do anything when I clicked X to close the window and just ignore it and clicking both 'OK' and 'cancel' resulted in nothing happening as well. The window is still open. I was able to get it closed twice by going into task manager and ending the running process but another one just popped up in a few seconds. Also I noticed a large number of running processes in my task manager. 68 to be exact. A majority of which were the same mscifapp.exe Network Service. The HJT log shows them as well. I don't know what happened.


The many entries you see

c:\PROGRA~1\mcafee.com\mps\mscifapp.exe

is your McAfee.com Privacy Service. It looks like it turned into a rogue program.

Go to your Task Manager and kill all mscifapp running tasks.

I would uninstall Privacy Service until we have your computer clean.

Be advised, you have to be logged in as Administrator to uninstall it.

How do I Uninstall Privacy Service? (version 4.x or 7.x)


*******************************************


does 'no disinfected' mean it didn't clean it?


Yes, it means Panda could not clean it. We will do it manually.


*******************************************

We are going to kill a service that is a trojan.

Click Start>Run, type services.msc into the Open editbox and click the Ok button.
Locate the System Startup Service service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.
Close the Services window

*******************************************

Click Start>Run, type cmd into the Open editbox and click the Ok button.

Copy/paste the line below into the Command Prompt window and press the Enter key:
sc delete SvcProc

Close the Command Prompt window

*******************************************


How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



While in Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".


Did you intentionally install PartyPoker? If not, then "fix" it.
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe


If this Domain does not belong to your Internet Service Provider, or your firm's network, these entries should be fixed. Do you know the Internet Provider or Domain '69.50.176.196,195.225.176.110'? If not, fix this entry.
You can call your Internet Provider to find out if it is your domain.


O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76AF1A3-D3F8-426E-BDFE-D602E819E677}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110


O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\svcproc.exe <==file
C:\WINDOWS\system32\ffzilz.exe <==file
C:\WINDOWS\system32\hyvlpmk.exe <==file
C:\Documents and Settings\ME\Local Settings\Temp\D2976\abiuninst.exe <==file
C:\DOCUME~1\ME\LOCALS~1\Temp\DrTemp <==file

*******************************************


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner at the bottom right, then, when it finishes scanning, click Exit).
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidentally running the Issues and Applications tabs, clear all check boxes under them.

*******************************************


Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 06 July 2005 - 09:56 PM.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
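The three signals the reply above acts on (O17 NameServer overrides, an O23 service with an unknown owner, and one image spawned many times under the same parent) can be pulled out of the pasted logs mechanically. This is an added example, not part of the post or of HijackThis or Spybot; the function names, the trusted range 192.168.0.0/16, the 192.168.1.1 entry and the "Example Vendor" service are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Log excerpt: the O17/O23 lines and the process-list format are taken from the
# thread; the 192.168.1.1 entry and the "Example Vendor" service are constructed
# so the output shows an unflagged case next to the flagged ones.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EA06333-4646-42EE-BABE-716F7D29B2B0}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{008BA07C-FF6E-41C9-9E0E-0BF56FA007E4}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Example Vendor Service (ExampleSvc) - Example Vendor Inc. - C:\Program Files\Example\svc.exe
PID: 1344 ( 836) C:\WINDOWS\System32\svchost.exe
PID: 776 ( 148) C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
PID: 2732 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
PID: 3712 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
PID: 676 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
PID: 1460 (1344) c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
"""

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]+\}): "
    r"NameServer = (.+)$",
    re.M,
)
O23_RE = re.compile(r"^O23 - Service: (.+?) \(([^)]+)\) - (.+?) - (.+)$", re.M)
PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+)$", re.M)


def untrusted_nameservers(log, trusted_nets):
    """Map each NameServer IP outside trusted_nets to the interfaces that use it."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = {}
    for control_set, guid, value in O17_RE.findall(log):
        for ip in filter(None, re.split(r"[,\s]+", value.strip())):
            try:
                trusted = any(ipaddress.ip_address(ip) in net for net in nets)
            except ValueError:
                trusted = False  # unparsable value: surface it for review
            if not trusted:
                hits.setdefault(ip, []).append(f"{control_set}/{guid}")
    return hits


def unknown_owner_services(log):
    """Return (service name, image path) for O23 lines reading 'Unknown owner'."""
    return [
        (short, path.strip())
        for _display, short, owner, path in O23_RE.findall(log)
        if owner.strip().lower() == "unknown owner"
    ]


def respawn_suspects(log, threshold=10):
    """Return {(parent PID, image): count} for images started >= threshold times
    under one parent, the pattern the mscifapp.exe entries show in the thread."""
    counts = Counter(
        (int(ppid), image.strip().lower())
        for _pid, ppid, image in PID_RE.findall(log)
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Assumption: the machine's legitimate resolver sits on the local LAN range.
    for ip, where in untrusted_nameservers(SAMPLE_LOG, ["192.168.0.0/16"]).items():
        print(f"untrusted NameServer {ip} on {len(where)} interface key(s)")
    for name, path in unknown_owner_services(SAMPLE_LOG):
        print(f"service {name} has no known owner: {path}")
    # Low threshold only because the embedded excerpt is short.
    for (ppid, image), n in respawn_suspects(SAMPLE_LOG, threshold=3).items():
        print(f"{n} copies of {image} under parent PID {ppid}")
```

Several svchost.exe instances under services.exe are normal on Windows XP, which is why the default threshold is well above that count; a flagged NameServer is only a prompt to confirm the address with the ISP, as the reply says.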

#13 dongottiex

dongottiex
  • Topic Starter

Posted 07 July 2005 - 11:13 AM

WOW! Thanks again for your prompt response. I was able to do most of what you told me to do however there were a few complications.
I was good up until the section where you wanted me to go file hunting. I got two but had a little trouble.
I could not find the following files on my computer:
C:\WINDOWS\svcproc.exe
C:\DOCUME~1\ME\LOCALS~1\Temp\DrTemp

And when attempting to access Documents and settings folder my computer would get a 'Windows Explorer' error and would be forced to close. This would occur just by clicking on the file just once, I never even could open it. However, once I loaded up the CCleaner program you recommended to me and ran it I was then able to access the folder. I guess CCleaner got rid of the file because it was not there anymore, and I was able to open without an error. So I thought everything was all good and restarted to get you a fresh HJT log. To my surprise on the restart that damn mscifapp.exe error kept coming up and I had a large amount of that file running in my processes like last time. I un-installed the Privacy service like you told me to the first time. I guess I should have not skipped that step. I feel silly now, since you told me to do something and I was surprised to see something happen even though I didn't do a step. Everything seems to be ok as of yet and here is my newest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:58 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I noticed the svchost.exe still running a few times in the log. Do I still need to do something about that?
Thanks once more for everything you have done and for your excellent advice. If you are ever in New York I gotta buy you a beer or something.

#14 SifuMike


Posted 07 July 2005 - 06:04 PM

Hello dongottiex,

You should contact McAfee Privacy Service 7 support forum
http://forums.mcafeehelp.com/viewforum.php?f=53 and they may be able to walk you through a solution to your problem.

I have a program in my add/remove list which says it's from 'The ABI Network' and it won't allow me to delete it.


Is 'The ABI Network' gone from the add/remove list?


I was able to do most of what you told me to do however there were a few complications.
I was good up until the section where you wanted me to go file hunting. I got two but had a little trouble.
I could not find the following files on my computer:
C:\WINDOWS\svcproc.exe
C:\DOCUME~1\ME\LOCALS~1\Temp\DrTemp


That is OK, as those files are not in your log. CCleaner removed the temp files in Documents and Settings. :thumbsup:


I noticed the svchost.exe still running a few times in the log. Do I still need to do something about that?


No, as it is normal to have many instances of svchost.exe running at one time.

The log looks clean! :flowers: Good job on the cleanup! :trumpet:

Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again.

A newer version of Service Pack is available. Service Packs (SP2) increase the safety of your system. Visit Microsoft's Windows Update site to download the newest version of the Service Pack (SP2).

If you are on dialup and do not want to spend hours doing the download, then you can order the free SP2 CD from MS. http://www.microsoft.com/windowsxp/downloa...us/default.mspx

Edited by SifuMike, 07 July 2005 - 06:12 PM.

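An added example, not part of the original posts: a small Python check over HijackThis-style log lines that counts svchost.exe instances, flags any running from outside System32, and lists entries marked "(file missing)". The sample lines are constructed in the log's format; the stray svchost.exe path and the `C:\WINDOWS` system directory are assumptions.

```python
import re
from collections import Counter
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Constructed sample in the format of the log above; the svchost.exe under
# "Documents and Settings" is a made-up path added to exercise the check.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ME\svchost.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")        # e.g. "O4 - HKLM\..\Run: ..."
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
SYSTEM32 = normcase(r"C:\WINDOWS\System32")           # assumption: default install path

def parse(log):
    """Split a log into running-process paths and (section, text) entries."""
    processes, entries = [], []
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif PROCESS.match(line):
            processes.append(line)
    return processes, entries

def review(log):
    """Return (process name counts, findings worth a second look)."""
    processes, entries = parse(log)
    findings = []
    for path in processes:
        # Many svchost.exe instances are normal; one outside System32 is not.
        if normcase(basename(path)) == "svchost.exe" and normcase(dirname(path)) != SYSTEM32:
            findings.append(("svchost outside System32", path))
    for section, text in entries:
        # HijackThis appends "(file missing)" when the referenced file is gone.
        if text.endswith("(file missing)"):
            findings.append(("orphaned entry", f"{section} - {text}"))
    counts = Counter(normcase(basename(p)) for p in processes)
    return counts, findings

if __name__ == "__main__":
    counts, findings = review(SAMPLE_LOG)
    print(counts["svchost.exe"], "svchost.exe instances")
    for kind, detail in findings:
        print(f"{kind}: {detail}")
```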

#15 dongottiex


Posted 07 July 2005 - 09:58 PM

ABI network is gone from my add/remove list, and the McAfee problem has been solved. The only issue so far has been that my comp. locked up when loading Limewire so I guess I'm not gonna be using that anymore. Also occasionally McAfee finds a file that is a trojan and cleans it then asks me if I want to run a scan. I think a remnant of one of the malwares is still here. I also did a full scan with Ad-aware and Spyware Doctor and they got rid of whatever they found, which was only like 4 files. I'm pretty sure I'm all set, other than the random freezing of my computer but it's manageable. Thanks again.



