
HJT Log - srich2004


17 replies to this topic

#1 srich2004

  • Members
  • 12 posts

Posted 07 January 2005 - 08:13 PM

Hey guys, I'm keeping my fingers crossed that someone here can cure my computer woes. Yesterday, I found out that I had a spyware program on my computer named "WebHancer" - so I downloaded the new Microsoft Windows Anti-Spyware program, it found WebHancer and deleted it. Unfortunately ever since, I can't connect to the internet, and I keep getting an error message saying that I'm missing a component called "SPORDER.dll". I tried following the directions on WebHancer's site to regain my internet connectivity (re-install WebHancer, then remove it using the "Add/Remove" program in the Control Panel, reboot, etc) with no luck whatsoever. So in conclusion, here I am with a brand new computer (only 2 weeks old!) and no way to get onto the internet...very frustrating stuff.

Below is my HijackThis Log - any help to get my computer back on track so I don't have to use my girlfriend's computer just to use the internet (like I'm doing now) would be unbelievably appreciated. Thanks in advance!

Logfile of HijackThis v1.99.0
Scan saved at 4:27:00 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RioMSC.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

Edited by srich2004, 07 January 2005 - 08:48 PM.


#2 daveai

  • Members
  • 266 posts

Posted 08 January 2005 - 05:06 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

  • Members
  • 266 posts

Posted 08 January 2005 - 05:54 PM

I'm back.

The internet connectivity problem was caused by an incorrect removal of WebHancer...which is a known problem. I've seen other reports that the new Microsoft product has caused this problem.

You can read about it here:

www.cexx.org/webhancer.htm

The fix for your connection problem (but not the malware infections) is here:

http://www.cexx.org/lspfix.htm


Once you get your system back on-line, please create a fresh HijackThis log and paste it into a reply to this message.

I'll be automatically notified and will follow up with fix instructions for the malware on your system.

Thanks
daveai

#4 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 08 January 2005 - 06:57 PM

Thanks for getting back to me daveai, I really appreciate it. Unfortunately, I did a google search before I posted on this website, and found the exact same site that you just linked me to...and sadly, I've already tried everything you suggested in your post a few times (the LSP-Fix) with no luck - in fact, after reading your reply I just went back to my computer and tried the LSP-Fix again just to make sure I wasn't doing it wrong the past 10 times, and still no internet connection.

I'm not sure how familiar you are with the LSP-Fix program, but when I ran it on my computer, all I had in the "Keep" box were mswsock.dll Tcpip, mclsp.dll (Protocol handler), and rsvpsp.dll (Protocol handler) - there was nothing in the "Remove" box. I clicked finish anyway, and rebooted and I was still receiving the SPORDER.dll error...and unfortunately, still no internet access.

Any advice on what to try next would be greatly appreciated - thanks again!

#5 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 08 January 2005 - 10:13 PM

I just noticed that another member (Johnny305SR) is having a very similar problem to the one I'm having (post titled: "HJT Log - Johnny"...currently on Page 3 of this forum). Should I follow the advice given to him, or should I wait for directions more specific to my situation? Thanks for any feedback!

Edited by srich2004, 08 January 2005 - 10:16 PM.


#6 daveai

  • Members
  • 266 posts

Posted 08 January 2005 - 10:40 PM

My advice is to wait for me to do some more investigation.

I'll do some more digging for you, and respond shortly.

Thanks
daveai

#7 daveai

  • Members
  • 266 posts

Posted 08 January 2005 - 11:26 PM

Okay, I'm back.

I took a look at the fix Grinler is working on with Johnny305SR.

There are some similarities, but your problems are not identical.

Let's do this...Grinler is one of the top experts, so we'll follow along a step or two behind, as long as things look the same.

This is a very new problem, since the Microsoft beta only came out yesterday.

Grinler is apt to find the connectivity fix before I will, and when he does, we'll see that and learn how to do it.

So...I've included the HijackThis steps for your system below, but do not think they will fix the connectivity problem. They do need to be run however.


Meanwhile, I'll continue to search some of the other anti-malware forums to see what more I can learn about how others are fixing this problem caused by the new Microsoft beta software.


Here are your HJT based steps, which need to be run but I do not expect to fix the connectivity problem.

1 -- Next, use Control Panel > Add/Remove Programs to remove any of the following malware that you find:

SideStep


2 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


3 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\Program Files\MyWaySA\ <-- this folder

C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll <-- this file


Please let me know about any problems with the file/folder deletes.

4 -- If you can download and transport Spybot Search and Destroy to your system, I would appreciate seeing an Advanced Spybot log.

To download and configure Spybot: Please see How to use Spybot to remove Spyware for instructions on how to download, install and then use this software.

To create the log I want: Please see 'Saving Advanced Log Reports' at http://www.net-integration.net/index.php?p...pybotsd#reports



Lastly for your careful consideration the write-up at http://www.cexx.org/webhancer.htm tells us:

WebHancer's suggested removal method is to make sure WebHancer is installed, and remove it using Windows' Add/Remove Software feature as described at the bottom of WebHancer's installation page. If you have already deleted WebHancer components, the company suggests that you download (or get a friend to download, due to the connectivity problem!) their Customer Companion, fully install it, then use Add/Remove Programs to uninstall.

WebHancer can also be safely removed by pest-removal software such as Spybot Search&Destroy and AD-Aware. These and similar programs are listed on the Pest Removers page.

Do nothing with this until we 'talk' at least once more.

Here's why:

Frankly...I will never trust the agents who infected a system in the first place. An expert I respect refers to it as 'entering the lair of the beast' :flowers:

BUT, it sometimes works. I've seen re-install followed by Add/Remove Programs based removals work with OTHER infections (not with this one).

Since this is a new infection, and since you seem somewhat anxious to get it behind you, and since your system is fairly new...you might just choose to be a pioneer.

On the other hand...have you ever heard the old saying that 'discretion is the better part of valor?' :thumbsup:

Again, consider it but do nothing until we talk again.

Once you do the fix steps, please send me a fresh HijackThis log and the Spybot report if you can get it.

Thanks
daveai

#8 daveai

  • Members
  • 266 posts

Posted 09 January 2005 - 02:47 AM

I'm back.

I see where Johnny305SR was able to do a System Restore, which recovered his sporder.dll file.

So a question for you is do you have a restore point set from before you ran the Microsoft beta software?

If yes, then restoring back to that point may get your internet working. Then we can proceed to clean up the malware using manual methods.

Let me know
daveai

#9 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 09 January 2005 - 11:52 AM

Daveai, thank you so much for your time and effort on my behalf - it is incredibly appreciated. I will print these instructions, do exactly as you said, and get back to you ASAP. The System Restore thing is a great idea, but unfortunately, I don't have a restore point saved before the problem began (if I ever get my computer fixed, I'll make sure to make a restore point so this won't happen again!) And since I'm one to live on the wild side - I did try to re-install WebHancer and remove it the proper way, but even after that I'm still getting a SPORDER.dll error and no internet connectivity.

So, I'm to follow your instructions - I'll be back once I'm done. Thanks again for all of your help daveai.

#10 daveai

  • Members
  • 266 posts

Posted 09 January 2005 - 06:09 PM

Thanks

I'm in discussions about your connectivity problem.

Please describe your internet connection to me...dial-up, cable, dsl, etc??

Thanks
daveai

#11 daveai

  • Members
  • 266 posts

Posted 09 January 2005 - 06:43 PM

Okay...Grinler has posted a copy of the 'sporder.dll' file here:

http://www.bleepingcomputer.com/files/sporder.php

Please download this file and save it in your c:\windows\system32 directory. If the application still does not work properly you may want to reinstall the app that requires sporder.dll


Once you replace the file, please test your internet connection and tell me what the results are.

Thanks
daveai

Edited by daveai, 09 January 2005 - 10:09 PM.

#12 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 10 January 2005 - 01:03 PM

Daveai, I did everything that you asked except for two things: 1) Download Spybot S&D - because when I tried putting the program onto a floppy disk and bringing it back to my computer, it said that the file was too big to fit on the disk. And 2) I just saw your post about the Sporder.dll file, so I'll make sure to download it and test it when I get back to my computer later on tonight - as soon as I do, I'll let you know the results.

But, I was able to do everything else that you asked me to do. Below is my new HJT Log. And I'll make sure to post again as soon as I download the Sporder.dll file to my computer. Thanks again for everything daveai.

Logfile of HijackThis v1.99.0
Scan saved at 7:56:28 AM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\RioMSC.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
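The two HijackThis logs in this thread (posts #1 and #12) and the fix list in post #7 lend themselves to a mechanical check: parse each log into entries keyed by section code, diff the before/after scans to see exactly what the fix removed and what new software appeared, and confirm that every line the helper asked to have fixed is gone. The Python below is an added example written for this page; it is not HijackThis code and was not posted by anyone in the thread. The two log strings are excerpts of the logs above trimmed to a few lines, the fix list is copied from post #7, and the `Entry`, `parse_hjt`, `diff_logs`, `unresolved` and `autoruns_not_running` names are my own.

```python
"""Parse HijackThis v1.99 logs, diff a before/after pair, and verify a fix list.
Added example for this thread, not HijackThis code. An HJT line is "<code> - <body>";
the code names the mechanism: R0/R1 IE pages, R3 URLSearchHook, O2 BHO, O4 autorun,
O9 IE button, O16 ActiveX (DPF), O23 service."""
import re
from dataclasses import dataclass

# Excerpts of the 1/7 (before) and 1/10 (after) logs posted above, trimmed to a few lines.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\Program Files\webHancer\Programs\whSurvey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
"""

# Three of the lines daveai asked to have fixed in post #7.
FIX_LIST = [
    r"R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll",
    r"O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll",
    r"O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll",
]

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*?)(?P<missing> \(file missing\))?$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str           # HJT section code, e.g. "O2"
    body: str           # rest of the line, without any "(file missing)" tag
    clsid: str          # first GUID on the line (upper-cased), or "" if none
    file_missing: bool  # HJT found a launch point whose target file is gone


def parse_entry(line):
    """Turn one HJT line into an Entry, or None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    g = CLSID_RE.search(m["body"])
    return Entry(m["code"], m["body"], g.group(0).upper() if g else "", m["missing"] is not None)


def parse_hjt(text):
    """Return (running_processes, entries) from a full HJT log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process block
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            e = parse_entry(line)
            if e:
                entries.append(e)
    return processes, entries


def diff_logs(before_text, after_text):
    """(removed, added): what the fix took out and what is new in the second scan."""
    before = set(parse_hjt(before_text)[1])
    after = set(parse_hjt(after_text)[1])
    return before - after, after - before


def unresolved(fix_lines, after_text):
    """Entries from a helper's fix list that still appear in the post-fix log."""
    wanted = {parse_entry(l) for l in fix_lines} - {None}
    return wanted & set(parse_hjt(after_text)[1])


def autoruns_not_running(text):
    """O4 autorun entries whose target .exe is absent from 'Running processes'.
    Worth a second look either way: a launch point with no live process, or the reverse."""
    processes, entries = parse_hjt(text)
    running = {p.lower() for p in processes}
    out = []
    for e in entries:
        m = EXE_RE.search(e.body) if e.code == "O4" else None
        if m and m.group(1).lower() not in running:
            out.append(e)
    return out


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"removed {len(removed)} entries, added {len(added)}")
    print("fix list still present:", unresolved(FIX_LIST, LOG_AFTER) or "none")
```

Entries compare on code, body and CLSID rather than on the raw line, so the `(file missing)` tag that HijackThis appends does not make an otherwise unchanged entry look new; the `file_missing` flag is kept separately because a launch point whose target is gone (the MUSICMATCH O9 line in both logs) is its own kind of finding. On the full logs the same diff shows the MyWay, SideStep and webHancer entries gone and the McAfee Personal Firewall entries appearing.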

#13 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 10 January 2005 - 01:11 PM

Sorry, and I forgot to add that I have a cable internet connection. Hope that info helps!

#14 srich2004

  • Topic Starter
  • Members
  • 12 posts

Posted 10 January 2005 - 06:08 PM

Daveai, I replaced the SPORDER.dll like you asked - and I got my internet connection back!! Needless to say, I'm incredibly grateful for all your hard work & research on my behalf...I was beginning to think I was a lost cause. Now that I'm back online again, the first thing I did was download Spybot S&D, and below is the Advanced S&D Log that you asked for. Thanks again daveai, and let me know if there's anything else I need to do to protect my computer so something like this won't happen again. Thanks again!


--- Search result list ---
webHancer: System file (File, nothing done)
C:\WINDOWS\whAgent.inf

webHancer: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\webHancer

webHancer: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}

webHancer: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220669842-1591788263-3783861246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-04 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2005-01-04 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB888310


--- Startup entries list ---
Located: HK_LM:Run, DwlClient
command: C:\Program Files\Common Files\Dell\EUSW\Support.exe
file: C:\Program Files\Common Files\Dell\EUSW\Support.exe
size: 323584
MD5: 27b68f137ed4c85ff92db98231bf11ed

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 118784
MD5: 07e2751e246bff288c76a86f9ecd9ac0

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 155648
MD5: 2454d762448b0bc5f2e9ee642804af8f

Located: HK_LM:Run, IntelMeM
command: C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
file: C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
size: 221184
MD5: bc02e491e88492b02363ce1b384ff7a7

Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 245760
MD5: 8b5a97e5c16db873092cf3d27b8145a6

Located: HK_LM:Run, McRegWiz
command: C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
file: C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
size: 139264
MD5: 6535f65c5155a6bfa342c7a92f264922

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
file: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
size: 184320
MD5: 5c50f41e60a03146e029d5a408ebbc32

Located: HK_LM:Run, mmtask
command: C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
file: C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
size: 53248
MD5: 47a82048614f6f1d04e22486cb8be3c8

Located: HK_LM:Run, MMTray
command: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
file: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
size: 131072
MD5: 68b820ff598e7af75d504307f99c56a3

Located: HK_LM:Run, MPFExe
command: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
file: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1327104
MD5: 4173164c2a679b4c62ac9bf2b2852c3d

Located: HK_LM:Run, MPSExe
command: C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding

Located: HK_LM:Run, PCMService
command: "C:\Program Files\Dell\Media Experience\PCMService.exe"
file: C:\Program Files\Dell\Media Experience\PCMService.exe
size: 290816
MD5: e02c0e78e5cfb01bf9d1866dba18b456

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: c341ccfbe98bc7df6e0b856bb9fc265a

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
file: C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
size: 32881
MD5: ed85b344e6edc30c1bc57ec1a2a56bf3

Located: HK_LM:Run, VirusScan Online
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 180224
MD5: fbf233e7b883cf00564409ba05812b21

Located: HK_LM:Run, VSOCheckTask
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 139264
MD5: ef4cca29ccae836416dc023c58b946dc

Located: HK_CU:Run, AIM
command: C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
file: C:\PROGRA~1\AIM\aim.exe
size: 67160
MD5: d160472d7a8dbadd35dfe34d525f1cbc

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: b53343fe60a33ee765c2476d50d27b26

Located: Startup (common), America Online 9.0 Tray Icon.lnk
command: C:\Program Files\America Online 9.0\aoltray.exe
file: C:\Program Files\America Online 9.0\aoltray.exe
size: 156784
MD5: d3e103e5b79a6e8ba5b58e0a7c21523b



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 11/3/2003 12:17:44 PM
Date (last access): 1/10/2005 2:26:06 PM
Date (last write): 11/3/2003 12:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 0.6.0.0

{227B8AA8-DAF2-4892-BD1D-73F568BCB24E} (McBrwHelper Class)
BHO name:
CLSID name: McBrwHelper Class
description: McAfee's Privacy Service
classification: Legitimate
known filename: mcbrhlpr.dll
info link: http://www.mcafee.com/myapps/mps/default.asp
info source: TonyKlein
Path: c:\program files\mcafee.com\mps\
Long name: McBrHlpr.dll
Short name:
Date (created): 1/10/2005 2:39:50 PM
Date (last access): 1/10/2005 2:39:52 PM
Date (last write): 4/28/2003 4:38:36 PM
Filesize: 102400
Attributes: archive
MD5: 2C9F24BF82DF3E10A3464CE1A937C08E
CRC32: 1D0894AB
Version: 0.4.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 1:03:00 AM
Date (last access): 1/10/2005 2:45:50 PM
Date (last write): 5/12/2004 1:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 12/9/2004 11:28:42 AM
Date (last access): 1/10/2005 2:24:56 PM
Date (last write): 12/9/2004 11:28:42 AM
Filesize: 720896
Attributes: readonly archive
MD5: D4E9B7B696E8C40A0E5CB76621A03EE4
CRC32: 019AF69C
Version: 0.2.0.0



--- ActiveX list ---
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Path: C:\WINDOWS\Downloaded Program Files\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 11/12/2004 2:33:48 PM
Date (last access): 1/10/2005 2:51:56 PM
Date (last write): 11/12/2004 2:33:48 PM
Filesize: 346888
Attributes: archive
MD5: 40FC24CEF49EAF0EBC7C51C67F89A952
CRC32: C2CCDE24
Version: 0.1.0.0

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 4:10:30 AM
Date (last access): 1/10/2005 2:53:34 PM
Date (last write): 8/27/2003 4:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 0.11.0.0

{640B39C1-D713-464F-92C3-75BD972B95EE} ()
DPF name:
CLSID name:

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 11/19/2003 3:48:18 PM
Date (last access): 1/10/2005 12:47:44 PM
Date (last write): 11/19/2003 3:48:12 PM
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 0.1.0.4

{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 11/19/2003 3:48:18 PM
Date (last access): 1/10/2005 2:56:06 PM
Date (last write): 11/19/2003 3:48:12 PM
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 0.1.0.4

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash.ocx
Short name:
Date (created): 8/4/2004 3:00:00 AM
Date (last access): 1/10/2005 2:44:14 PM
Date (last write): 6/9/2004 3:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 1/10/2005 2:56:04 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 144 (1976) C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
PID: 160 (1492) C:\PROGRA~1\AIM\aim.exe
PID: 164 (1492) C:\Program Files\McAfee.com\MPS\mscifapp.exe
PID: 172 (1492) C:\WINDOWS\system32\ctfmon.exe
PID: 184 (1492) C:\Program Files\Messenger\msmsgs.exe
PID: 200 (1492) C:\Program Files\America Online 9.0\aoltray.exe
PID: 232 (2016) c:\progra~1\mcafee.com\vso\mcvsescn.exe
PID: 336 (1492) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 356 ( 688) C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
PID: 404 ( 4) \SystemRoot\System32\smss.exe
PID: 620 ( 404) CSRSS.EXE
PID: 644 ( 404) \??\C:\WINDOWS\system32\winlogon.exe
PID: 688 ( 644) C:\WINDOWS\system32\services.exe
PID: 700 ( 644) C:\WINDOWS\system32\lsass.exe
PID: 816 ( 852) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
PID: 852 ( 688) C:\WINDOWS\system32\svchost.exe
PID: 908 ( 688) SVCHOST.EXE
PID: 1052 ( 688) c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
PID: 1064 ( 688) C:\WINDOWS\System32\svchost.exe
PID: 1108 ( 688) SVCHOST.EXE
PID: 1148 ( 688) C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
PID: 1156 ( 688) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1184 ( 688) SVCHOST.EXE
PID: 1368 ( 852) c:\progra~1\mcafee.com\vso\mcvsftsn.exe
PID: 1492 (1440) C:\WINDOWS\Explorer.EXE
PID: 1600 ( 688) C:\WINDOWS\system32\LEXBCES.EXE
PID: 1636 ( 688) C:\WINDOWS\system32\spoolsv.exe
PID: 1644 (1600) C:\WINDOWS\system32\LEXPPS.EXE
PID: 1800 ( 688) C:\WINDOWS\system32\RioMSC.exe
PID: 1904 (1492) C:\WINDOWS\system32\hkcmd.exe
PID: 1924 (1492) C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
PID: 1932 (1492) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PID: 1940 (1492) C:\Program Files\Dell\Media Experience\PCMService.exe
PID: 1948 (1492) C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
PID: 1960 (1492) C:\Program Files\Real\RealPlayer\RealPlay.exe
PID: 1976 (1492) C:\Program Files\Common Files\Dell\EUSW\Support.exe
PID: 1984 (1492) C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
PID: 2016 (1492) C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
PID: 2024 (1492) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
PID: 2040 (1492) C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
PID: 2076 ( 688) wdfmgr.exe
PID: 2160 ( 688) C:\WINDOWS\system32\svchost.exe
PID: 2460 ( 852) C:\WINDOWS\system32\DllHost.exe
PID: 2516 (1492) C:\Program Files\Internet Explorer\iexplore.exe
PID: 2708 ( 688) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
PID: 3344 ( 688) ALG.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/10/2005 2:56:04 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://espn.go.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dell4me.com/myway
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://espn.go.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s


--- Winsock Layered Service Provider list ---
Protocol 0: MC_LAYERED MSAFD Tcpip [TCP/IP]
GUID: {EC131FA1-11D5-4989-82BC-7799A63B839A}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 1: MC_LAYERED MSAFD Tcpip [UDP/IP]
GUID: {0FEAD63C-1506-4B1F-83E5-91A40AC179C1}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 2: MC_LAYERED MSAFD Tcpip [RAW/IP]
GUID: {4F93DE3D-47CB-4FB0-B25C-F52F82F41224}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 3: MC_LAYERED RSVP UDP Service Provider
GUID: {33484D23-691C-4749-9533-60664F209EFB}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 4: MC_LAYERED RSVP TCP Service Provider
GUID: {870FC1F8-9F17-4AD9-9339-A2233BE854B5}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 5: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{4D414C6F-E784-468E-9565-A2120E7DA0FE}] SEQPACKET 0
GUID: {9C48CCA0-517F-4D78-AD64-4DC9025F8C6C}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 6: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{4D414C6F-E784-468E-9565-A2120E7DA0FE}] DATAGRAM 0
GUID: {697E819D-F98D-466A-AEA9-D8B4ADC89C9F}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 7: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] SEQPACKET 1
GUID: {07F429E8-EAB5-4174-ABAD-59B4D8201C8A}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 8: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] DATAGRAM 1
GUID: {6E0E64CD-4A7B-4B56-8AB9-17EC1D7CEE0E}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 9: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] SEQPACKET 2
GUID: {B9ACEBEA-7559-4C17-8879-7C7A030D633E}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 10: MC_LAYERED MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] DATAGRAM 2
GUID: {4882779E-2B40-4399-B434-58A96738F477}
Filename: C:\WINDOWS\system32\mclsp.dll

Protocol 11: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 12: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 13: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 14: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 15: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4D414C6F-E784-468E-9565-A2120E7DA0FE}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4D414C6F-E784-468E-9565-A2120E7DA0FE}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: McAfee.com Layered Provider
GUID: {BEAA9090-2D12-11D4-9B80-00C04FF40D52}
Filename: C:\WINDOWS\system32\mclsp.dll

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

#15 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 10 January 2005 - 09:19 PM

Great news :thumbsup:

I'll analyze the logs tonight and send a reply a little later, along with my suggestions for protecting your system in the future.

daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous



