Geeks to Go
Dr Watson Postmortem Debugger [CLOSED]


  • This topic is locked This topic is locked

#1
Sjtar

Sjtar

    Member

  • Member
  • PipPip
  • 13 posts
ZoneAlarm keeps asking for access, and I keep denying it. I just want to get rid of this thing before it starts to cause damage. Thanks in advance. Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:20:06 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Winamp\winampa.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 tampabelle (Retired Staff, 6,363 posts)
Hi Sjtar,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries, files or programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Remove Infections

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run CleanUp and delete all temp files, including temporary internet files.

Run an Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right-click on Start and then click on Explore). Locate and delete the following files -

ShowWnd.exe

(Search for this file using the Windows Search function)


Clear out the files in the Prefetch folder. Go to Start > Run and type Prefetch into the box. It will open the Prefetch folder. Delete all the files in that folder. Don't delete the folder, only the files in it!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

Also open ZoneAlarm and check the activity logs immediately after one such pop-up by it (which you deny). Make a note of the program which is creating the activity, whether it was incoming or outgoing, and the IP address / URL it was trying to connect to.
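The triage the helper does by eye in the post above (picking out the O4 Run entry `ShowWnd.exe` that carries no path, the downloaded O16 ActiveX controls, the O23 service with no recorded owner) can be scripted so the same questions get asked of every log. The following is an added example, not code from the thread or from HijackThis: `SAMPLE_LOG` is a constructed, trimmed copy of the log in post #1, the line grammar the regexes assume is the one visible in that log, and which entries get flagged is my own choice. It flags for review; it does not decide that anything is malicious.

```python
import re

# Constructed sample: a trimmed copy of the HijackThis v1.99.1 log from post #1.
# Assumption: real logs are longer but use exactly this line grammar.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 11:20:06 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\zHotkey.exe
C:\\Program Files\\QuickTime\\qttask.exe

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.gatewaybiz.com
O4 - HKLM\\..\\Run: [CHotkey] zHotkey.exe
O4 - HKLM\\..\\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - Global Startup: BigFix.lnk = C:\\Program Files\\BigFix\\BigFix.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<cls>[^)]+)\) - (?P<url>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return procs, entries


def command_image(cmd):
    """Return the executable portion of a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: Windows tries progressively longer space-separated prefixes;
    # the first token is enough for triage.
    return cmd.split(" ", 1)[0]


def running_as(image, procs):
    """Running-process paths whose file name equals a bare image name."""
    target = image.lower()
    return [p for p in procs if p.lower().rsplit("\\", 1)[-1] == target]


def triage(text):
    """Return the entries a log helper would ask about, with the reason."""
    procs, entries = parse_hjt(text)
    findings = []
    for section, body in entries:
        if section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup .lnk lines already carry a full path
            image = command_image(m.group("cmd"))
            if "\\" not in image:
                # A bare file name is resolved through the search path at
                # logon, so the log alone cannot say which file will run.
                findings.append({"kind": "O4-bare-image", "name": m.group("name"),
                                 "detail": image,
                                 "running_as": running_as(image, procs)})
        elif section == "O16":
            m = DPF_RE.match(body)
            if m:
                # Downloaded ActiveX control: CLSID and source URL are its only provenance.
                findings.append({"kind": "O16-activex", "name": m.group("cls"),
                                 "detail": m.group("url"), "running_as": []})
        elif section == "O23" and "Unknown owner" in body:
            name = body.split(" - ", 1)[0].replace("Service: ", "", 1)
            findings.append({"kind": "O23-unknown-owner", "name": name,
                             "detail": body.rsplit(" - ", 1)[-1], "running_as": []})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = ", ".join(f["running_as"]) or "not in running processes"
        print(f'{f["kind"]:20} {f["name"]:32} {f["detail"]}  [{where}]')
```

A bare-named Run entry is not malicious by itself: `CHotkey` here resolves to `C:\WINDOWS\zHotkey.exe`, which is present in the running-process list and was left alone in the thread. It is, however, the one class of entry the log cannot pin to a file on disk, and `ShowWnd.exe` is also absent from the running processes at scan time, which is exactly why the helper asks the poster to search for the file rather than trusting the log line.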

#3 Sjtar (Topic Starter, 13 posts)
Thanks a lot. Ewido didn't find anything, so I don't have a log to post. I did everything else you said, and everything SEEMS to be okay. Here's my current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:13:01 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehSched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 tampabelle (Retired Staff, 6,363 posts)
Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC and post a fresh HJT log.

Also let me know how your PC is behaving!

#5 Sjtar (Topic Starter, 13 posts)
It was acting strange this morning. I couldn't double-click or right-click on any icons. It wouldn't let me open up the Start menu. I got it to open MSN Messenger, but when I tried to type a message to someone, it took me to an emoticon menu. I rebooted, and the problem seemed to have gone away. I did what you asked, and here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 5:25:08 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Sjtar, 20 August 2005 - 03:29 PM.


#6 tampabelle (Retired Staff, 6,363 posts)
BTW, you never told me about the ZoneAlarm log and what you found in it!


Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

#7 Sjtar (Topic Starter, 13 posts)
Waiting on the Panda scan, but looking through the ZoneAlarm logs, the Dr Watson program kept trying to access the internet FROM my computer. It kept trying to visit the same IP address:


ZoneAlarm Pro has blocked an outgoing communication from your computer to port 80 on a remote computer whose IP address is 208.185.174.66.

It kept trying to access that IP on various different ports. It's also important to add that it somehow *approved* itself in ZoneAlarm Pro. It showed up as a highly trusted program, which I of course did not approve, nor know about. I'll update this post when the ActiveScan is done.

Edited by Sjtar, 20 August 2005 - 04:32 PM.

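What the helper asked for in post #2 (program, direction, destination) and what the poster observed above (one program, one address, a changing set of ports) is a grouping exercise over the firewall alerts. The following is an added example, not code from the thread or from Zone Labs: the alert sentence is the one quoted in the post above, but the `Program:` line, the incoming-alert wording, the thresholds and every address other than 208.185.174.66 are constructed assumptions, and real ZoneAlarm log files use a different, comma-separated layout, so the two regexes are where you would adapt it.

```python
import re

# Constructed sample alerts. The outgoing sentence form is the ZoneAlarm Pro
# alert quoted in post #7; the "Program:" line, the incoming wording and the
# 198.51.100.x / 203.0.113.x addresses are assumptions for illustration.
SAMPLE_ALERTS = """\
Program: Dr Watson Postmortem Debugger
ZoneAlarm Pro has blocked an outgoing communication from your computer to port 80 on a remote computer whose IP address is 208.185.174.66.
Program: Dr Watson Postmortem Debugger
ZoneAlarm Pro has blocked an outgoing communication from your computer to port 443 on a remote computer whose IP address is 208.185.174.66.
Program: Dr Watson Postmortem Debugger
ZoneAlarm Pro has blocked an outgoing communication from your computer to port 8080 on a remote computer whose IP address is 208.185.174.66.
Program: Dr Watson Postmortem Debugger
ZoneAlarm Pro has blocked an outgoing communication from your computer to port 80 on a remote computer whose IP address is 208.185.174.66.
Program: Internet Explorer
ZoneAlarm Pro has blocked an outgoing communication from your computer to port 80 on a remote computer whose IP address is 198.51.100.7.
Program: svchost.exe
ZoneAlarm Pro has blocked an incoming communication from a remote computer whose IP address is 203.0.113.9 to port 135 on your computer.
"""

PROGRAM_RE = re.compile(r"^Program: (?P<program>.+)$")
OUT_RE = re.compile(r"outgoing communication from your computer to port (?P<port>\d+) "
                    r"on a remote computer whose IP address is (?P<ip>[\d.]+)\.")
IN_RE = re.compile(r"incoming communication from a remote computer whose IP address is "
                   r"(?P<ip>[\d.]+) to port (?P<port>\d+) on your computer\.")


def parse_alerts(text):
    """Turn alert text into records of program, direction, ip and port."""
    records, program = [], "unknown"
    for line in text.splitlines():
        m = PROGRAM_RE.match(line)
        if m:
            program = m.group("program").strip()
            continue
        m = OUT_RE.search(line)
        direction = "outgoing"
        if not m:
            m = IN_RE.search(line)
            direction = "incoming"
        if m:
            records.append({"program": program, "direction": direction,
                            "ip": m.group("ip"), "port": int(m.group("port"))})
    return records


def summarize(records):
    """Group attempts by (program, direction, ip); count them and list distinct ports."""
    summary = {}
    for r in records:
        key = (r["program"], r["direction"], r["ip"])
        entry = summary.setdefault(key, {"attempts": 0, "ports": set()})
        entry["attempts"] += 1
        entry["ports"].add(r["port"])
    for entry in summary.values():
        entry["ports"] = sorted(entry["ports"])
    return summary


def suspicious(records, min_attempts=3, min_ports=2):
    """Outbound (program, ip) pairs that keep retrying one host on several ports.

    Thresholds are illustrative. One blocked attempt from a browser is noise;
    a program with no business on the network hammering a single address on
    changing ports is the pattern worth writing down for the helper.
    """
    return [key for key, entry in summarize(records).items()
            if key[1] == "outgoing"
            and entry["attempts"] >= min_attempts
            and len(entry["ports"]) >= min_ports]


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for (program, direction, ip), e in summarize(recs).items():
        print(f"{program:32} {direction:9} {ip:16} attempts={e['attempts']} ports={e['ports']}")
    print("review:", suspicious(recs))
```

The grouping answers the helper's three questions in one table per program, and the `suspicious` filter reproduces the poster's own observation mechanically. It says nothing about the program's trust setting, which is the other thing the poster noticed; that has to be read from the firewall's program list, not from the alerts.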

#8 Sjtar (Topic Starter, 13 posts)
ActiveScan log:

Incident                Status           Location
Adware:adware/savenow   No disinfected   Windows Registry


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:57:17 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ntvdm.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Sjtar, 20 August 2005 - 04:57 PM.


#9
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Sjtar,


The IP address 208.185.174.66 is that of

Abovenet Communications, Inc
150 S. 1st Street, Ste 289
San Jose
CA 95113
US

Any idea if that is your ISP ????

#10
Sjtar

    Member

  • Topic Starter
  • Member
  • 13 posts
Nope, sure isn't. I live in Georgia, and we're with Bellsouth DSL. :tazz:

Edited by Sjtar, 20 August 2005 - 05:49 PM.


#11
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you check some logs for me -


Any log / txt files in the folder - C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson

and specifically this one - C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp



Abovenet Communications seems to be a genuine site

#12
Sjtar

    Member

  • Topic Starter
  • Member
  • 13 posts
Found both files...

One is drwtsn32.log and is 5,896 KB of text!!! The other is the user.dmp file, which we cannot open...
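A drwtsn32.log of several megabytes is far too much to read by eye, and most of it is the same crash repeated. The script below is an added example for this thread, not a tool from the forum or from Microsoft: it splits the log into its "Application exception occurred" blocks, tallies them by application and exception code, and checks whether the faulting EIP of each block falls inside a module from that block's Module List. The embedded SAMPLE_LOG is constructed for the example; its first block copies the addresses from the aim.exe excerpt posted later in this thread (trimmed), and its second block (demo.exe, pid 1234) is invented to show a fault that does resolve to a loaded module.

```python
"""Triage a Dr Watson (drwtsn32.log) text log. Added example, not a Microsoft
or forum tool: splits the log into "Application exception occurred" blocks,
tallies them by app and exception code, and checks whether each faulting EIP
lies inside a module from that block's Module List."""
import re
import sys
from collections import Counter

# Constructed sample. Block 1 copies addresses from the aim.exe excerpt posted
# later in the thread (trimmed); block 2 (demo.exe) is invented to show a
# fault that does resolve to a loaded module.
SAMPLE_LOG = r"""
Application exception occurred:
App: C:\Program Files\AIM\aim.exe (pid=3240)
Exception number: c0000005 (access violation)
*----> Module List <----*
(0000000000400000 - 000000000040f000: C:\Program Files\AIM\aim.exe
(0000000012180000 - 00000000121b0000: C:\Program Files\AIM\oscore.dll
(0000000012300000 - 0000000012307000: C:\Program Files\AIM\oscres.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
*----> State Dump for Thread Id 0xa70 <----*
eax=7ffdf000 ebx=00000000 ecx=00000000 edx=00000010 esi=1221254f edi=0012fabc
eip=1221254f esp=0012fa58 ebp=0012fa80 iopl=0 nv up ei pl nz na pe nc
FAULT ->1221254f ?? ???
*----> State Dump for Thread Id 0xea8 <----*
eax=00c70000 ebx=00d7fef8 ecx=00000000 edx=7c90eb94 esi=00000000 edi=7ffd9000
eip=7c90eb94 esp=00d7fed0 ebp=00d7ff6c iopl=0 nv up ei pl zr na po nc
Application exception occurred:
App: C:\Program Files\Example\demo.exe (pid=1234)
Exception number: c0000005 (access violation)
*----> Module List <----*
(0000000000400000 - 000000000040f000: C:\Program Files\Example\demo.exe
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
*----> State Dump for Thread Id 0x123 <----*
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00401000 esp=0012fa58 ebp=0012fa80 iopl=0 nv up ei pl nz na pe nc
"""

BLOCK_START = "Application exception occurred:"
THREAD_START = "*----> State Dump for Thread Id"
APP_RE = re.compile(r"^App:\s+(.+?)\s+\(pid=(\d+)\)", re.M)
EXC_RE = re.compile(r"^Exception number:\s+([0-9a-fA-F]+)(?:\s+\((.+)\))?", re.M)
MODULE_RE = re.compile(r"^\(([0-9a-fA-F]+)\s+-\s+([0-9a-fA-F]+):\s+(.+)$", re.M)
EIP_RE = re.compile(r"\beip=([0-9a-fA-F]{8})")

def load_log(path):
    """drwtsn32.log on XP is usually UTF-16LE with a BOM; fall back to 8-bit text."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")

def split_blocks(text):
    """One string per 'Application exception occurred' block."""
    return [BLOCK_START + part for part in text.split(BLOCK_START)[1:]]

def parse_modules(block):
    """Module List as (start, end, path) tuples; a module covers [start, end)."""
    return [(int(s, 16), int(e, 16), p.strip()) for s, e, p in MODULE_RE.findall(block)]

def faulting_eip(block):
    """EIP of the thread dump marked 'FAULT ->', else of the first thread dump."""
    dumps = block.split(THREAD_START)[1:]
    if not dumps:
        return None
    m = EIP_RE.search(next((d for d in dumps if "FAULT ->" in d), dumps[0]))
    return int(m.group(1), 16) if m else None

def locate(addr, modules):
    """Path of the module whose range contains addr, or None if unmapped."""
    return next((p for s, e, p in modules if s <= addr < e), None)

def parse_block(block):
    app, exc = APP_RE.search(block), EXC_RE.search(block)
    eip = faulting_eip(block)
    return {
        "app": app.group(1) if app else None,
        "pid": int(app.group(2)) if app else None,
        "code": exc.group(1).lower() if exc else None,
        "eip": eip,
        "module": locate(eip, parse_modules(block)) if eip is not None else None,
    }

def summarize(text):
    crashes = [parse_block(b) for b in split_blocks(text)]
    return {
        "crashes": crashes,
        "by_app": Counter(c["app"] for c in crashes),
        "by_code": Counter(c["code"] for c in crashes),
        # EIP outside every listed module: the thread was not executing image code.
        "unmapped": [c for c in crashes if c["eip"] is not None and c["module"] is None],
    }

def main(argv):
    report = summarize(load_log(argv[1]) if len(argv) > 1 else SAMPLE_LOG)
    print(f"{len(report['crashes'])} exception blocks")
    for app, n in report["by_app"].most_common():
        print(f"{n:6d}  {app}")
    for c in report["unmapped"]:
        print(f"  eip 0x{c['eip']:08x} in {c['app']} (pid {c['pid']}) maps to no listed module")

if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a real drwtsn32.log as the first argument, or with no argument to process the constructed sample. The per-application tally answers the "is it the same crash over and over" question directly. The fault address check is the part worth keeping: in the aim.exe block, 0x1221254f lies in the gap between oscore.dll (ends at 0x121b0000) and oscres.dll (starts at 0x12300000), so the thread was executing from memory that is not a loaded image, which is typical of a corrupted return address or function pointer, or of dynamically generated code. That deserves a closer look, but on its own it is evidence of a crash, not of malware.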

#13
Sjtar

    Member

  • Topic Starter
  • Member
  • 13 posts
Microsoft ® DrWtsn32
Copyright © 1985-2001 Microsoft Corp. All rights reserved.


Is Dr Watson part of Microsoft??

#14
Sjtar

    Member

  • Topic Starter
  • Member
  • 13 posts
I looked through the log... 90% of the log looks like this over and over again...
Not sure if they are EXACTLY the same, but here is a full section of it...


Application exception occurred:
App: C:\Program Files\AIM\aim.exe (pid=3240)
When: 8/15/2005 @ 17:44:12.964
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: DRAGONFLY
User Name: Owner
Terminal Session Id: 0
Number of Processors: 2
Processor Type: x86 Family 15 Model 4 Stepping 4
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Multiprocessor Free
Registered Organization:
Registered Owner: jeremie ******

*----> Task List <----*
0 System Process
4 System
624 smss.exe
688 csrss.exe
716 winlogon.exe
760 services.exe
772 lsass.exe
928 Ati2evxx.exe
964 svchost.exe
1052 svchost.exe
1148 svchost.exe
1232 svchost.exe
1344 svchost.exe
1480 spoolsv.exe
1736 Ati2evxx.exe
1848 Explorer.EXE
1992 ehRecvr.exe
2016 ehSched.exe
168 mcdetect.exe
196 mcshield.exe
252 mctskshd.exe
324 ehtray.exe
412 jusched.exe
432 shwiconem.exe
460 mcagent.exe
484 IntelAudioStudio.exe
524 zHotkey.exe
536 PDVDServ.exe
604 atiptaxx.exe
652 mcvsshld.exe
672 oasclnt.exe
656 winampa.exe
692 rfagent.exe
1004 mcvsescn.exe
1208 AOLSP Scheduler.exe
1196 PRISMXL.SYS
1276 iTunesHelper.exe
1308 qttask.exe
1756 BigFix.exe
2720 ehmsas.exe
2808 ntvdm.exe
2864 iPodService.exe
3036 dllhost.exe
3336 alg.exe
2796 mcvsftsn.exe
2624 msmsgs.exe
3240 aim.exe
3980 Winamp.exe
2092 wscntfy.exe
1504 IEXPLORE.EXE
1696 drwtsn32.exe

*----> Module List <----*
(0000000000400000 - 000000000040f000: C:\Program Files\AIM\aim.exe
(0000000000d90000 - 0000000000d9d000: C:\Program Files\AIM\xmlparse.dll
(0000000000ec0000 - 0000000000ed1000: C:\WINDOWS\system32\MSVCIRT.dll
(0000000000f30000 - 0000000000f5c000: C:\Program Files\AIM\rtvideo.dll
(00000000010b0000 - 0000000001375000: C:\WINDOWS\system32\xpsp2res.dll
(0000000001bd0000 - 0000000001be9000: c:\progra~1\mcafee.com\vso\McVSSkt.dll
(0000000001c10000 - 0000000001c1b000: C:\Program Files\RFA\AgentH.dll
(0000000001c20000 - 0000000001c26000: C:\WINDOWS\HKNTDLL.dll
(0000000003cf0000 - 0000000003d78000: C:\WINDOWS\system32\shdoclc.dll
(0000000003fa0000 - 0000000004147000: C:\WINDOWS\system32\macromed\flash\Flash.ocx
(000000000ffd0000 - 000000000fff8000: C:\WINDOWS\system32\rsaenh.dll
(0000000010000000 - 0000000010014000: C:\Program Files\AIM\xmltok.dll
(0000000012000000 - 0000000012032000: C:\Program Files\AIM\ATE32.dll
(0000000012080000 - 00000000120a0000: C:\Program Files\AIM\ateima32.dll
(0000000012180000 - 00000000121b0000: C:\Program Files\AIM\oscore.dll
(0000000012300000 - 0000000012307000: C:\Program Files\AIM\oscres.dll
(0000000012980000 - 0000000012af1000: C:\Program Files\AIM\aimres.dll
(0000000014800000 - 000000001483d000: C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
(000000001c000000 - 000000001c006000: C:\Program Files\AIM\idlemon.dll
(0000000020000000 - 000000002001b000: C:\Program Files\AIM\AIM_xmlp.dll
(0000000030000000 - 0000000030023000: C:\Program Files\AIM\DUNZIP32.dll
(0000000040000000 - 0000000040023000: C:\Program Files\AIM\Xprt.dll
(0000000040040000 - 0000000040048000: C:\Program Files\AIM\Xpcs.dll
(0000000040080000 - 0000000040086000: C:\Program Files\AIM\Xptl.dll
(000000004d550000 - 000000004d638000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.DxmRtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
(000000005ad70000 - 000000005ada8000: C:\WINDOWS\system32\uxtheme.dll
(000000005b6f0000 - 000000005b74a000: C:\WINDOWS\system32\termmgr.dll
(000000005b860000 - 000000005b8b4000: C:\WINDOWS\system32\NETAPI32.dll
(00000000629c0000 - 00000000629c9000: C:\WINDOWS\system32\LPK.DLL
(0000000063980000 - 0000000063998000: C:\Program Files\AIM\sb.dll
(00000000662b0000 - 0000000066308000: C:\WINDOWS\system32\hnetcfg.dll
(0000000066e50000 - 0000000066e90000: C:\WINDOWS\system32\iepeers.dll
(000000006c6d0000 - 000000006c6e2000: C:\WINDOWS\system32\dpnhupnp.dll
(000000006d430000 - 000000006d43a000: C:\WINDOWS\system32\ddrawex.dll
(0000000071a50000 - 0000000071a8f000: C:\WINDOWS\system32\mswsock.dll
(0000000071a90000 - 0000000071a98000: C:\WINDOWS\System32\wshtcpip.dll
(0000000071aa0000 - 0000000071aa8000: C:\WINDOWS\system32\WS2HELP.dll
(0000000071ab0000 - 0000000071ac7000: C:\WINDOWS\system32\WS2_32.dll
(0000000071ad0000 - 0000000071ad9000: C:\WINDOWS\system32\WSOCK32.dll
(00000000722b0000 - 00000000722b5000: C:\WINDOWS\system32\sensapi.dll
(0000000072d10000 - 0000000072d18000: C:\WINDOWS\system32\msacm32.drv
(0000000072d20000 - 0000000072d29000: C:\WINDOWS\system32\wdmaud.drv
(0000000073000000 - 0000000073026000: C:\WINDOWS\system32\WINSPOOL.DRV
(0000000073300000 - 0000000073367000: c:\windows\system32\vbscript.dll
(00000000736b0000 - 00000000736b7000: C:\WINDOWS\system32\msdmo.dll
(0000000073760000 - 00000000737a9000: C:\WINDOWS\system32\DDRAW.dll
(0000000073bc0000 - 0000000073bc6000: C:\WINDOWS\system32\DCIMAN32.dll
(0000000073dd0000 - 0000000073ece000: c:\windows\system32\MFC42.DLL
(0000000073f10000 - 0000000073f6c000: C:\WINDOWS\system32\dsound.dll
(00000000746c0000 - 00000000746e7000: C:\WINDOWS\system32\msls31.dll
(00000000746f0000 - 000000007471a000: C:\WINDOWS\system32\msimtf.dll
(0000000074720000 - 000000007476b000: C:\WINDOWS\system32\MSCTF.dll
(0000000074810000 - 000000007497d000: C:\WINDOWS\system32\quartz.dll
(0000000074d90000 - 0000000074dfb000: C:\WINDOWS\system32\USP10.dll
(00000000754d0000 - 0000000075550000: C:\WINDOWS\system32\CRYPTUI.dll
(00000000755c0000 - 00000000755ee000: C:\WINDOWS\system32\msctfime.ime
(0000000075a70000 - 0000000075a91000: C:\WINDOWS\system32\MSVFW32.dll
(0000000075c50000 - 0000000075cbe000: c:\windows\system32\jscript.dll
(0000000075cf0000 - 0000000075d81000: C:\WINDOWS\system32\MLANG.dll
(0000000075e90000 - 0000000075f40000: C:\WINDOWS\system32\SXS.DLL
(0000000075f40000 - 0000000075f51000: C:\WINDOWS\system32\devenum.dll
(0000000076390000 - 00000000763ad000: C:\WINDOWS\system32\IMM32.dll
(00000000763b0000 - 00000000763f9000: C:\WINDOWS\system32\comdlg32.dll
(00000000767f0000 - 0000000076817000: C:\WINDOWS\system32\schannel.dll
(0000000076980000 - 0000000076988000: C:\WINDOWS\system32\LINKINFO.dll
(0000000076990000 - 00000000769b5000: C:\WINDOWS\system32\ntshrui.dll
(00000000769c0000 - 0000000076a73000: C:\WINDOWS\system32\USERENV.dll
(0000000076b20000 - 0000000076b31000: C:\WINDOWS\system32\ATL.DLL
(0000000076b40000 - 0000000076b6d000: C:\WINDOWS\system32\WINMM.dll
(0000000076c30000 - 0000000076c5e000: C:\WINDOWS\system32\WINTRUST.dll
(0000000076c90000 - 0000000076cb8000: C:\WINDOWS\system32\IMAGEHLP.dll
(0000000076d60000 - 0000000076d79000: C:\WINDOWS\system32\Iphlpapi.DLL
(0000000076e80000 - 0000000076e8e000: C:\WINDOWS\system32\rtutils.dll
(0000000076e90000 - 0000000076ea2000: C:\WINDOWS\system32\rasman.dll
(0000000076eb0000 - 0000000076edf000: C:\WINDOWS\system32\TAPI32.dll
(0000000076ee0000 - 0000000076f1c000: C:\WINDOWS\system32\RASAPI32.DLL
(0000000076f20000 - 0000000076f47000: C:\WINDOWS\system32\DNSAPI.dll
(0000000076f60000 - 0000000076f8c000: C:\WINDOWS\system32\WLDAP32.dll
(0000000076fb0000 - 0000000076fb8000: C:\WINDOWS\System32\winrnr.dll
(0000000076fc0000 - 0000000076fc6000: C:\WINDOWS\system32\rasadhlp.dll
(0000000076fd0000 - 000000007704f000: C:\WINDOWS\system32\CLBCATQ.DLL
(0000000077050000 - 0000000077115000: C:\WINDOWS\system32\COMRes.dll
(0000000077120000 - 00000000771ac000: C:\WINDOWS\system32\OLEAUT32.dll
(00000000771b0000 - 0000000077256000: C:\WINDOWS\system32\WININET.dll
(0000000077260000 - 00000000772fe000: C:\WINDOWS\system32\urlmon.dll
(00000000773d0000 - 00000000774d2000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
(00000000774e0000 - 000000007761d000: C:\WINDOWS\system32\ole32.dll
(0000000077760000 - 00000000778cc000: C:\WINDOWS\system32\SHDOCVW.dll
(0000000077920000 - 0000000077a13000: C:\WINDOWS\system32\setupapi.dll
(0000000077a80000 - 0000000077b14000: C:\WINDOWS\system32\CRYPT32.dll
(0000000077b20000 - 0000000077b32000: C:\WINDOWS\system32\MSASN1.dll
(0000000077b40000 - 0000000077b62000: C:\WINDOWS\system32\Apphelp.dll
(0000000077bd0000 - 0000000077bd7000: C:\WINDOWS\system32\midimap.dll
(0000000077be0000 - 0000000077bf5000: C:\WINDOWS\system32\MSACM32.dll
(0000000077c00000 - 0000000077c08000: C:\WINDOWS\system32\VERSION.dll
(0000000077c10000 - 0000000077c68000: C:\WINDOWS\system32\msvcrt.dll
(0000000077c70000 - 0000000077c93000: C:\WINDOWS\system32\msv1_0.dll
(0000000077d40000 - 0000000077dd0000: C:\WINDOWS\system32\USER32.dll
(0000000077dd0000 - 0000000077e6b000: C:\WINDOWS\system32\ADVAPI32.dll
(0000000077e70000 - 0000000077f01000: C:\WINDOWS\system32\RPCRT4.dll
(0000000077f10000 - 0000000077f56000: C:\WINDOWS\system32\GDI32.dll
(0000000077f60000 - 0000000077fd6000: C:\WINDOWS\system32\SHLWAPI.dll
(0000000077fe0000 - 0000000077ff1000: C:\WINDOWS\system32\secur32.dll
(000000007c340000 - 000000007c396000: C:\WINDOWS\system32\MSVCR71.dll
(000000007c800000 - 000000007c8f4000: C:\WINDOWS\system32\kernel32.dll
(000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll
(000000007c9c0000 - 000000007d1d4000: C:\WINDOWS\system32\SHELL32.dll
(000000007d4a0000 - 000000007d786000: C:\WINDOWS\system32\mshtml.dll

*----> State Dump for Thread Id 0xa70 <----*

eax=7ffdf000 ebx=00000000 ecx=00000000 edx=00000010 esi=1221254f edi=0012fabc
eip=1221254f esp=0012fa58 ebp=0012fa80 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202

function: <nosymbols>
No prior disassembly possible
1221254f ?? ???
12212551 ?? ???
12212553 ?? ???
12212555 ?? ???
12212557 ?? ???
12212559 ?? ???
1221255b ?? ???
1221255d ?? ???
1221255f ?? ???
FAULT ->1221254f ?? ???
Error 0x00000001
12212551 ?? ???
12212553 ?? ???
12212555 ?? ???
12212557 ?? ???
12212559 ?? ???
1221255b ?? ???
1221255d ?? ???
1221255f ?? ???
12212561 ?? ???
12212563 ?? ???

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\AIM\aim.exe
ChildEBP RetAddr Args to Child
0012fa54 77d48734 00020562 00000086 00000000 0x1221254f
0012fa80 77d48816 1221254f 00020562 00000086 USER32!GetDC+0x6d
0012fae8 77d4b4c0 00000000 1221254f 00020562 USER32!GetDC+0x14f
0012fb3c 77d4b50c 00669848 00000086 00000000 USER32!DefWindowProcW+0x184
0012fb64 7c90eae3 0012fb74 00000018 00669848 USER32!DefWindowProcW+0x1d0
0012fbb4 77d49402 0012fc08 00020558 00000400 ntdll!KiUserCallbackDispatcher+0x13
0012fbe0 77518cc3 0012fc08 00020558 00000400 USER32!PeekMessageW+0x167
0012fc2c 77518c8d 00020558 77518ace 0017e4e8 ole32!PropVariantClear+0x849
0012fc58 774ffc66 00000000 00000000 0012fca8 ole32!PropVariantClear+0x813
0012fc78 774ff211 00000000 00400000 0017e4e8 ole32!OleInitialize+0x59c
0012fc90 774fee78 0012fca8 00000000 0012fcc4 ole32!CoInitializeEx+0x2b6
0012fcac 004037bc 7c80b529 00150b27 00000000 ole32!CoUninitialize+0x52
0012feb0 00000000 00000000 00000000 00000000 aim+0x37bc

*----> Raw Stack Dump <----*
000000000012fa58 34 87 d4 77 62 05 02 00 - 86 00 00 00 00 00 00 00 4..wb...........
000000000012fa68 00 00 00 00 4f 25 21 12 - cd ab ba dc 00 00 00 00 ....O%!.........
000000000012fa78 bc fa 12 00 4f 25 21 12 - e8 fa 12 00 16 88 d4 77 ....O%!........w
000000000012fa88 4f 25 21 12 62 05 02 00 - 86 00 00 00 00 00 00 00 O%!.b...........
000000000012fa98 00 00 00 00 00 00 00 00 - 62 05 02 00 02 01 00 00 ........b.......
000000000012faa8 14 00 00 00 01 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000000012fab8 10 00 00 00 00 00 00 00 - d8 fa 12 00 01 00 00 00 ................
000000000012fac8 00 00 00 00 00 00 00 00 - 9c fa 12 00 7c f6 12 00 ............|...
000000000012fad8 2c fb 12 00 67 04 d7 77 - 30 88 d4 77 00 00 00 00 ,...g..w0..w....
000000000012fae8 3c fb 12 00 c0 b4 d4 77 - 00 00 00 00 4f 25 21 12 <......w....O%!.
000000000012faf8 62 05 02 00 86 00 00 00 - 00 00 00 00 00 00 00 00 b...............
000000000012fb08 5c 98 66 00 01 00 00 00 - 00 00 00 00 08 fc 12 00 \.f.............
000000000012fb18 02 01 00 00 00 00 00 00 - 00 00 00 00 10 fb 12 00 ................
000000000012fb28 7c f6 12 00 b0 ff 12 00 - 67 04 d7 77 d0 b4 d4 77 |.......g..w...w
000000000012fb38 ff ff ff ff 64 fb 12 00 - 0c b5 d4 77 48 98 66 00 ....d......wH.f.
000000000012fb48 86 00 00 00 00 00 00 00 - 00 00 00 00 4f 25 21 12 ............O%!.
000000000012fb58 fa 19 91 7c 00 00 00 00 - 00 00 00 00 b4 fb 12 00 ...|............
000000000012fb68 e3 ea 90 7c 74 fb 12 00 - 18 00 00 00 48 98 66 00 ...|t.......H.f.
000000000012fb78 86 00 00 00 00 00 00 00 - 00 00 00 00 4f 25 21 12 ............O%!.
000000000012fb88 73 b4 d4 77 e9 93 d4 77 - a8 93 d4 77 08 fc 12 00 s..w...w...w....

*----> State Dump for Thread Id 0xea8 <----*

eax=00c70000 ebx=00d7fef8 ecx=00000000 edx=7c90eb94 esi=00000000 edi=7ffd9000
eip=7c90eb94 esp=00d7fed0 ebp=00d7ff6c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\wdmaud.drv -
ChildEBP RetAddr Args to Child
00d7ff6c 7c809c86 00000002 00d7ffa4 00000000 ntdll!KiFastSystemCallRet
00d7ff88 72d2312a 00000002 00d7ffa4 00000000 kernel32!WaitForMultipleObjects+0x18
00d7ffb4 7c80b50b 00000000 00000000 00150000 wdmaud!midMessage+0x348
00d7ffec 00000000 72d230e8 00000000 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
0000000000d7fed0 ab e9 90 7c f2 94 80 7c - 02 00 00 00 f8 fe d7 00 ...|...|........
0000000000d7fee0 01 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000000d7fef0 00 00 00 00 00 00 00 00 - 6c 01 00 00 60 01 00 00 ........l...`...
0000000000d7ff00 2a 26 80 7c 18 ff d7 00 - 00 26 80 7c 30 25 80 7c *&.|.....&.|0%.|
0000000000d7ff10 00 00 00 00 00 00 00 00 - 14 00 00 00 01 00 00 00 ................
0000000000d7ff20 00 00 00 00 00 00 00 00 - 10 00 00 00 90 bb 56 85 ..............V.
0000000000d7ff30 c4 bb 56 85 00 90 fd 7f - 00 90 fd 7f 00 e0 fd 7f ..V.............
0000000000d7ff40 00 00 00 00 00 00 00 00 - f8 fe d7 00 dc ff d7 00 ................
0000000000d7ff50 02 00 00 00 ec fe d7 00 - ff ff ff ff dc ff d7 00 ................
0000000000d7ff60 f3 99 83 7c 90 95 80 7c - 00 00 00 00 88 ff d7 00 ...|...|........
0000000000d7ff70 86 9c 80 7c 02 00 00 00 - a4 ff d7 00 00 00 00 00 ...|............
0000000000d7ff80 ff ff ff ff 00 00 00 00 - b4 ff d7 00 2a 31 d2 72 ............*1.r
0000000000d7ff90 02 00 00 00 a4 ff d7 00 - 00 00 00 00 ff ff ff ff ................
0000000000d7ffa0 00 00 15 00 6c 01 00 00 - 60 01 00 00 02 00 00 00 ....l...`.......
0000000000d7ffb0 00 00 ff ff ec ff d7 00 - 0b b5 80 7c 00 00 00 00 ...........|....
0000000000d7ffc0 00 00 00 00 00 00 15 00 - 00 00 00 00 00 e0 fd 7f ................
0000000000d7ffd0 00 b6 5b 86 c0 ff d7 00 - 28 94 97 85 ff ff ff ff ..[.....(.......
0000000000d7ffe0 f3 99 83 7c 18 b5 80 7c - 00 00 00 00 00 00 00 00 ...|...|........
0000000000d7fff0 00 00 00 00 e8 30 d2 72 - 00 00 00 00 00 00 00 00 .....0.r........
0000000000d80000 c8 00 00 00 4f 01 00 00 - ff ee ff ee 02 10 00 00 ....O...........

*----> State Dump for Thread Id 0xeb4 <----*

eax=71ac25ae ebx=c0000000 ecx=000125ac edx=77d40000 esi=00000000 edi=71a87558
eip=7c90eb94 esp=010aff7c ebp=010affb4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
010affb4 7c80b50b 71a67aa3 0012f654 7c90ee18 ntdll!KiFastSystemCallRet
010affec 00000000 71a5d5af 001a26b0 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
00000000010aff7c 1b e3 90 7c 09 d6 a5 71 - 20 02 00 00 bc ff 0a 01 ...|...q .......
00000000010aff8c b0 ff 0a 01 a4 ff 0a 01 - 50 d6 a5 71 54 f6 12 00 ........P..qT...
00000000010aff9c 18 ee 90 7c b0 26 1a 00 - 00 00 00 00 1c 00 00 00 ...|.&..........
00000000010affac 00 00 a5 71 d0 26 f7 00 - ec ff 0a 01 0b b5 80 7c ...q.&.........|
00000000010affbc a3 7a a6 71 54 f6 12 00 - 18 ee 90 7c b0 26 1a 00 .z.qT......|.&..
00000000010affcc 00 d0 fd 7f 00 d6 5b 86 - c0 ff 0a 01 d8 05 ea 85 ......[.........
00000000010affdc ff ff ff ff f3 99 83 7c - 18 b5 80 7c 00 00 00 00 .......|...|....
00000000010affec 00 00 00 00 00 00 00 00 - af d5 a5 71 b0 26 1a 00 ...........q.&..
00000000010afffc 00 00 00 00 4d 5a 90 00 - 03 00 00 00 04 00 00 00 ....MZ..........
00000000010b000c ff ff 00 00 b8 00 00 00 - 00 00 00 00 40 00 00 00 ............@...
00000000010b001c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000010b002c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000000010b003c c0 00 00 00 0e 1f ba 0e - 00 b4 09 cd 21 b8 01 4c ............!..L
00000000010b004c cd 21 54 68 69 73 20 70 - 72 6f 67 72 61 6d 20 63 .!This program c
00000000010b005c 61 6e 6e 6f 74 20 62 65 - 20 72 75 6e 20 69 6e 20 annot be run in
00000000010b006c 44 4f 53 20 6d 6f 64 65 - 2e 0d 0d 0a 24 00 00 00 DOS mode....$...
00000000010b007c 00 00 00 00 69 12 d1 da - 2d 73 bf 89 2d 73 bf 89 ....i...-s..-s..
00000000010b008c 2d 73 bf 89 ee 7c e1 89 - 2c 73 bf 89 ee 7c e5 89 -s...|..,s...|..
00000000010b009c 2c 73 bf 89 52 69 63 68 - 2d 73 bf 89 00 00 00 00 ,s..Rich-s......
00000000010b00ac 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................

*----> State Dump for Thread Id 0xee0 <----*

eax=76fc139a ebx=71ac408c ecx=7ffda000 edx=71ac403c esi=00000338 edi=00000000
eip=7c90eb94 esp=0241ff20 ebp=0241ff84 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WS2_32.dll -
ChildEBP RetAddr Args to Child
0241ff84 7c802542 00000338 ffffffff 00000000 ntdll!KiFastSystemCallRet
0241ff98 71abd174 00000338 ffffffff 0012ed54 kernel32!WaitForSingleObject+0x12
0241ffb4 7c80b50b 00000338 0012ed54 7c90ee18 WS2_32!getnameinfo+0xb03
0241ffec 00000000 71abd149 00a759a8 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
000000000241ff20 c0 e9 90 7c db 25 80 7c - 38 03 00 00 00 00 00 00 ...|.%.|8.......
000000000241ff30 00 00 00 00 a8 59 a7 00 - 38 6c a7 00 8c 40 ac 71 .....Y..8l...@.q
000000000241ff40 14 00 00 00 01 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000000241ff50 10 00 00 00 80 00 00 00 - 7c ff 41 02 00 90 fd 7f ........|.A.....
000000000241ff60 00 a0 fd 7f 00 00 00 00 - 17 00 00 00 34 ff 41 02 ............4.A.
000000000241ff70 18 ee 90 7c dc ff 41 02 - f3 99 83 7c 08 26 80 7c ...|..A....|.&.|
000000000241ff80 00 00 00 00 98 ff 41 02 - 42 25 80 7c 38 03 00 00 ......A.B%.|8...
000000000241ff90 ff ff ff ff 00 00 00 00 - b4 ff 41 02 74 d1 ab 71 ..........A.t..q
000000000241ffa0 38 03 00 00 ff ff ff ff - 54 ed 12 00 18 ee 90 7c 8.......T......|
000000000241ffb0 a8 59 a7 00 ec ff 41 02 - 0b b5 80 7c 38 03 00 00 .Y....A....|8...
000000000241ffc0 54 ed 12 00 18 ee 90 7c - a8 59 a7 00 00 a0 fd 7f T......|.Y......
000000000241ffd0 00 b6 5b 86 c0 ff 41 02 - c8 0c 0d 86 ff ff ff ff ..[...A.........
000000000241ffe0 f3 99 83 7c 18 b5 80 7c - 00 00 00 00 00 00 00 00 ...|...|........
000000000241fff0 00 00 00 00 49 d1 ab 71 - a8 59 a7 00 00 00 00 00 ....I..q.Y......
0000000002420000 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000002420010 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000002420020 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000002420030 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000002420040 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0000000002420050 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................

*----> State Dump for Thread Id 0x86c <----*

eax=000000fb ebx=01a6e750 ecx=0019caf8 edx=00000000 esi=7fffffff edi=ffffffff
eip=7c90eb94 esp=0372fad0 ebp=0372fb0c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mswsock.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WININET.dll -
ChildEBP RetAddr Args to Child
0372fb0c 71a55fa7 000004e4 000004e8 00000000 ntdll!KiFastSystemCallRet
0372fc00 71ab2e67 00000001 0372fe80 0372fc78 mswsock+0x5fa7
0372fc50 771d714f 00000001 0372fe80 0372fc78 WS2_32!select+0xa7
0372ffac 771d9283 0372ffec 7c80b50b 01a6dbb8 WININET!GetUrlCacheEntryInfoExW+0x892
0372ffb4 7c80b50b 01a6dbb8 7727a646 01a6d8a0 WININET!InternetSetStatusCallback+0x1d7
0372ffec 00000000 771d9276 01a6dbb8 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*
000000000372fad0 c0 e9 90 7c 33 40 a5 71 - e4 04 00 00 01 00 00 00 ...|3@.q........
000000000372fae0 f8 fa 72 03 b0 fb 72 03 - 80 fe 72 03 a0 fb 72 03 ..r...r...r...r.
000000000372faf0 1c c2 a6 79 e2 a1 c5 01 - ff ff ff ff ff ff ff 7f ...y............
000000000372fb00 50 e7 a6 01 00 00 00 00 - 00 00 00 00 00 fc 72 03 P.............r.
000000000372fb10 a7 5f a5 71 e4 04 00 00 - e8 04 00 00 00 00 00 00 ._.q............
000000000372fb20 04 00 00 00 7c fd 72 03 - 88 59 a7 00 78 fc 72 03 ....|.r..Y..x.r.
000000000372fb30 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
000000000372fb40 01 00 00 00 80 0f 05 fd - ff ff ff ff 00 00 a7 00 ................
000000000372fb50 00 00 00 00 10 00 00 00 - 40 fb 72 03 00 00 00 00 ........@.r.....
000000000372fb60 00 00 01 00 05 00 00 00 - 00 00 15 00 08 01 00 00 ................
000000000372fb70 34 fc 72 03 18 ee 90 7c - b4 fb 72 03 1c 00 00 00 4.r....|..r.....
000000000372fb80 50 e7 a6 01 bc fb 72 03 - 78 fc 72 03 7c fd 72 03 P.....r.x.r.|.r.
000000000372fb90 00 00 00 00 a0 fb 72 03 - 00 00 00 00 00 00 00 00 ......r.........
000000000372fba0 80 0f 05 fd ff ff ff ff - 01 00 00 00 00 00 01 00 ................
000000000372fbb0 e8 04 00 00 19 00 00 00 - 50 3f 1e 00 04 fc 72 03 ........P?....r.
000000000372fbc0 18 ee 90 7c 70 05 91 7c - ff ff ff ff 6d 05 91 7c ...|p..|....m..|
000000000372fbd0 88 99 80 7c 00 00 15 00 - 00 00 00 00 9b 99 80 7c ...|...........|
000000000372fbe0 3c 97 23 77 4f d1 00 00 - 24 fb 72 03 0c 15 aa 71 <.#wO...$.r....q
000000000372fbf0 40 fc 72 03 c8 71 a7 71 - 68 2e a5 71 ff ff ff ff @.r..q.qh..q....
000000000372fc00 50 fc 72 03 67 2e ab 71 - 01 00 00 00 80 fe 72 03 P.r.g..q......r.

*----> State Dump for Thread Id 0xf24 <----*

eax=000000c0 ebx=00000000 ecx=7c800000 edx=00000000 esi=0012c5a4 edi=02080000
eip=7c90eb94 esp=0382ff9c ebp=0382ffb4 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
0382ffb4 7c80b50b 00000000 02080000 0012c5a4 ntdll!KiFastSystemCallRet
0382ffec 00000000 7c92798d 00000000 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*

*----> State Dump for Thread Id 0xf38 <----*

eax=03beff00 ebx=03befee0 ecx=03befeb8 edx=7c90eb94 esi=00000000 edi=7ffd9000
eip=7c90eb94 esp=03befeb8 ebp=03beff54 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
03beff54 7c809c86 00000002 03beffa8 00000000 ntdll!KiFastSystemCallRet
03beff70 771b18fe 00000002 03beffa8 00000000 kernel32!WaitForMultipleObjects+0x18
03beffb0 771cda2d 7c80b50b 019d05f8 7c9106eb WININET+0x18fe
03beffec 00000000 771cda22 019d05f8 00000000 WININET!InternetLockRequestFile+0x13d9

*----> Raw Stack Dump <----*

*----> State Dump for Thread Id 0xf84 <----*

eax=7d586c9b ebx=0019bfcc ecx=0000000d edx=7c9106eb esi=000003b4 edi=00000000
eip=7c90eb94 esp=0289ff08 ebp=0289ff6c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll -
ChildEBP RetAddr Args to Child
0289ff6c 7c802542 000003b4 ffffffff 00000000 ntdll!KiFastSystemCallRet
0289ff80 7d66a4ac 000003b4 ffffffff ffffffff kernel32!WaitForSingleObject+0x12
0289ffa4 7d586cd6 7c910732 7d586ca8 0289ffec mshtml+0x1ca4ac
0289ffb4 7c80b50b 02a60410 ffffffff 7c910732 mshtml+0xe6cd6
0289ffec 00000000 7d586c9b 02a60410 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*

*----> State Dump for Thread Id 0x8b4 <----*

eax=00000000 ebx=00000000 ecx=0021edc0 edx=0147fde4 esi=00150e50 edi=00000000
eip=7c90eb94 esp=0147fe1c ebp=0147ff80 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: ntdll!KiFastSystemCallRet
7c90eb89 90 nop
7c90eb8a 90 nop
ntdll!KiFastSystemCall:
7c90eb8b 8bd4 mov edx,esp
7c90eb8d 0f34 sysenter
7c90eb8f 90 nop
7c90eb90 90 nop
7c90eb91 90 nop
7c90eb92 90 nop
7c90eb93 90 nop
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
7c90eb95 8da42400000000 lea esp,[esp]
7c90eb9c 8d642400 lea esp,[esp]
7c90eba0 90 nop
7c90eba1 90 nop
7c90eba2 90 nop
7c90eba3 90 nop
7c90eba4 90 nop
ntdll!KiIntSystemCall:
7c90eba5 8d542408 lea edx,[esp+0x8]
7c90eba9 cd2e int 2e

*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr Args to Child
0147ff80 77e76c22 0147ffa8 77e76a3b 00150e50 ntdll!KiFastSystemCallRet
0147ff88 77e76a3b 00150e50 00000000 00000000 RPCRT4!I_RpcBCacheFree+0x5ea
0147ffa8 77e76c0a 00186b38 0147ffec 7c80b50b RPCRT4!I_RpcBCacheFree+0x403
0147ffb4 7c80b50b 01b72ac8 00000000 00000000 RPCRT4!I_RpcBCacheFree+0x5d2
0147ffec 00000000 77e76bf0 01b72ac8 00000000 kernel32!GetModuleFileNameA+0x1b4

*----> Raw Stack Dump <----*

Edited by Sjtar, 20 August 2005 - 06:39 PM.


#15
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Yes, Dr Watson is part of Microsoft Windows. It is not the problem, but it tries to capture any problems on your PC. Usually this is the last thing people see when the PC has issues, and therefore they assume that it is the problem.

Usually the interference of an infection results in Dr Watson popping up, and cleaning up the infection resolves the issue. In a few cases it is the left-over impact of the infection which needs to be set right, and these are the cases where we need to dig deeper.


Application exception occurred:
App: C:\Program Files\AIM\aim.exe (pid=3240)
When: 8/15/2005 @ 17:44:12.964
Exception number: c0000005 (access violation)


This is the interesting part.

Can you check the log file to see if this is the error which gets repeated?

In case it is not, then we will have to dig deeper. In such a case, please use the file attachment feature at the time of replying to attach the big log. I will download and scrutinise it.
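As an added example (not code from the thread, from Dr Watson, or from either poster), here is a small Python parser for the drwtsn32.log layout quoted above: it counts how often each application crashes with each exception code, which is the check tampabelle asks for, and lists the modules named in back-trace frames so unfamiliar ones stand out. The sample log is constructed from the excerpt in the thread; the second record (pid 3512, 8/16/2005) is invented to show a repeat.

```python
import re
from collections import Counter

# Constructed sample in Dr Watson (drwtsn32.log) layout, modelled on the excerpt
# quoted in the thread; the second record is invented to show a repeated crash.
SAMPLE_LOG = r"""Application exception occurred:
        App: C:\Program Files\AIM\aim.exe (pid=3240)
        When: 8/15/2005 @ 17:44:12.964
        Exception number: c0000005 (access violation)

*----> State Dump for Thread Id 0xf84 <----*
*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr  Args to Child
0289ff6c 7c802542 000003b4 ffffffff 00000000 ntdll!KiFastSystemCallRet
0289ff80 7d66a4ac 000003b4 ffffffff ffffffff kernel32!WaitForSingleObject+0x12
0289ffa4 7d586cd6 7c910732 7d586ca8 0289ffec mshtml+0x1ca4ac

Application exception occurred:
        App: C:\Program Files\AIM\aim.exe (pid=3512)
        When: 8/16/2005 @ 09:02:41.100
        Exception number: c0000005 (access violation)
"""

# One "Application exception occurred" record: app path, pid, timestamp, NTSTATUS code.
HEADER = re.compile(
    r"App: (?P<app>.+?) \(pid=(?P<pid>\d+)\)\s*\n"
    r"\s*When: (?P<when>.+?)\s*\n"
    r"\s*Exception number: (?P<code>[0-9a-fA-F]{8})"
)
# One back-trace frame: ChildEBP RetAddr Arg Arg Arg, then module!symbol or module+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(?P<module>\w+)[!+]", re.M)


def parse_exceptions(text):
    """Return one dict (app, pid, when, code) per exception record in the log."""
    return [m.groupdict() for m in HEADER.finditer(text)]


def repeated_exceptions(text):
    """Count records by (app, exception code): which crash keeps coming back."""
    return Counter((r["app"], r["code"].lower()) for r in parse_exceptions(text))


def modules_on_stack(text):
    """Count modules named in back-trace frames; names you do not recognise deserve a look."""
    return Counter(m.group("module") for m in FRAME.finditer(text))


if __name__ == "__main__":
    for (app, code), n in repeated_exceptions(SAMPLE_LOG).most_common():
        print(f"{n}x exception {code} in {app}")
    print("modules on stack:", dict(modules_on_stack(SAMPLE_LOG)))
```

Point the functions at the text of a real drwtsn32.log to see whether the aim.exe access violation is the record that repeats.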