Running Windows XP Home Ed SP2. All applicable Windows updates are installed and up to date. Last update was IE 7. I am running McAfee Security Center Version 7.1 Build 7.1.137 running latest DAT files. A full system scan with McAfee finds nothing. A system scan with AdAware Personal with latest definitions finds nothing. Spybot with latest definitions finds nothing. Max Secure Spyware Detector V 2.0 with latest definitions finds the spyware and claims to delete it. Max Secure names the spyware as Backdoor.Agent (no letters follow the name). After logging on to IE or a subsequent machine reboot the same 9 entries are found once again. Without logging on to IE or turning off the machine the spyware seems to remain deleted. I have tried Symantec FxAgent B and it finds nothing. I have tried McAfee Stinger stng260 and it finds nothing. I have run Vondu Fix and it finds nothing. I have run AVG free edition and it finds nothing. I have disabled System Restore, scanned with it on and off, and scanned in safe mode; nothing else even finds the bug. The files that are found by Spyware Detector are registry keys and registry values "hkey_users\s-1-5-21-3642844096-3599889653-
The following is the log from the Spyware Detector Max Secure Software.
[02/01/07 21:53:58] In Fire_Done_Loading
[02/01/07 21:53:59] LoadAllUsersKey SuccessFully
[02/01/07 21:54:23] Start scan event received in Scan: C:,
[02/01/07 21:54:23] In Thread StartScanning
[02/01/07 21:54:25] Start scan event received in _Scan!
[02/01/07 21:54:25] Start Cookie Scan
[02/01/07 21:54:25] Finished Scanning
[02/01/07 21:54:26] Start Process Scan
[02/01/07 21:54:37] Finished Scanning
[02/01/07 21:54:38] Start File Scan
[02/01/07 21:54:43] Signature DB Initialized
[02/01/07 21:54:43] Start scanning Filelist DB for drive:
[02/01/07 21:55:29] Finished scanning Filelist DB for drive:
[02/01/07 21:55:29] Memory freed successfully!
[02/01/07 21:55:29] Signature DB UnInitialized
[02/01/07 21:55:29] Memory freed successfully!
[02/01/07 21:55:29] Signature DB UnInitialized
[02/01/07 21:55:29] Finished Scanning
[02/01/07 21:55:29] Start Folder Scan
[02/01/07 21:55:30] Finished Scanning
[02/01/07 21:55:30] Start RegData Scan
[02/01/07 21:55:30] Finished Scanning
[02/01/07 21:55:30] Start RegVal Scan
[02/01/07 21:55:31] Finished Scanning
[02/01/07 21:55:32] Start RegKey Scan
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\S-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\"Type"
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\Type\:3
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\"Flags"
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\Flags\:0
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\"Count"
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\Count\:7
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\"Time"
[02/01/07 21:55:33] Finished Scanning
[02/01/07 21:55:33] Start COM RegKey Scan
[02/01/07 21:55:33] Finished Scanning
[02/01/07 21:55:35] Start BHO Scan
[02/01/07 21:55:35] Finished Scanning
[02/01/07 21:55:36] Start Toolbar Scan
[02/01/07 21:55:36] Finished Scanning
[02/01/07 21:55:36] Start MenuExtension Scan
[02/01/07 21:55:36] Finished Scanning
[02/01/07 21:55:36] Start Activex Scan
[02/01/07 21:55:36] Finished Scanning
[02/01/07 21:55:36] Start SSODL Scan
[02/01/07 21:55:37] Finished Scanning
[02/01/07 21:55:37] Start Shared Task Scheduler Scan
[02/01/07 21:55:37] Finished Scanning
[02/01/07 21:55:37] Start AppInitDll Scan
[02/01/07 21:55:37] Finished Scanning
[02/01/07 21:55:37] Start Services Scan
[02/01/07 21:55:37] Finished Scanning
[02/01/07 21:55:37] Start Special SpyScan
[02/01/07 21:55:37] Internet Optimizer found
[02/01/07 21:55:37] Before CheckForKeyKey
[02/01/07 21:55:37] Before CheckforWinFixer
[02/01/07 21:55:37] Before CheckforWinHound
[02/01/07 21:55:37] Before CheckforSpyAxe: SpyAxe
[02/01/07 21:55:37] Before CheckforSpyAxe: SpywareAxe
[02/01/07 21:55:37] Before CheckforPsGuard
[02/01/07 21:55:37] Before CheckforSpyStrike
[02/01/07 21:55:37] Before CheckforSpyFalcon
[02/01/07 21:55:37] Before CheckForWinAntiVirus
[02/01/07 21:55:37] Before CheckforWinAntiSpyware
[02/01/07 21:55:37] Before CheckForSpywareQuake
[02/01/07 21:55:38] Before CheckForAdwarePopups
[02/01/07 21:55:38] Before CheckForTargetSaver
[02/01/07 21:55:38] Before CheckForAntiSpywareSoldier
[02/01/07 21:55:39] Before CheckForVirusBlast
[02/01/07 21:55:39] Before CheckForAntiVirusGolden
[02/01/07 21:55:39] Before CheckForVirusBurst
[02/01/07 21:55:39] Checking forVirusBurst.Variant
[02/01/07 21:55:40] Before CheckForIEBar
[02/01/07 21:55:40] Before CheckForAdwareBorlan
[02/01/07 21:55:40] Before CheckForTrojan
[02/01/07 21:55:40] Before CheckForStarware
[02/01/07 21:55:40] Before CheckForProAgent
[02/01/07 21:55:40] Before CheckForProRAT
[02/01/07 21:55:40] Before CheckForCydoor
[02/01/07 21:55:40] Finished special spyware scan
[02/01/07 21:55:40] Finished Special SpyScan
[02/01/07 21:55:40] Start RegFix Scan
[02/01/07 21:55:41] Finish RegFix Scan
[02/01/07 21:55:41] Finished Scan: Cookie=5396, Process=48, FileNFolder=144112, Registry=58167, WormsFound=10, SpecialWorms=0
[02/01/07 21:55:41] End Thread StartScanning

I currently have the laptop under firewall lock down. Both my desktop and laptop utilize the same spyware and anti virus programs. Only the laptop seems to be infected. Both share the same OS with same updates.
I have attached a copy of HJT log just in case that it may help.

Logfile of HijackThis v1.99.1
Scan saved at 7:14:31 PM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C20698-2276-4472-AB24-33B0977D2695}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C20698-2276-4472-AB24-33B0977D2695}: NameServer =,
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0019501170468630) (0019501170468630mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\001950~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
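
The flagged keys all sit under `Ext\Stats\{CLSID}`, so one triage step is to look that CLSID up among the add-ons listed in the HijackThis log. The following is an added example, not part of the original post; the function names are hypothetical and the sample lines are copied from the two logs above.

```python
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SPYFOUND = re.compile(r"## SpyFound Name: ([^,]+), Worm: (.+)$")
HJT_ENTRY = re.compile(r"^(O\d+) - (.+?) - (" + CLSID + r") - (.+)$")

# Lines copied from the two logs in the post above (a subset, unmodified).
SCAN_LOG = r"""
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\S-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
[02/01/07 21:55:32] ## SpyFound Name: Backdoor.Agent, Worm: HKEY_USERS\s-1-5-21-3642844096-3599889653-1580133970-1006\software\microsoft\windows\currentversion\ext\stats\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\iexplore\"Type"
"""
HJT_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
"""

def flagged_clsids(scan_log):
    """Map each CLSID found in a flagged registry path to its detection names."""
    found = {}
    for line in scan_log.splitlines():
        m = SPYFOUND.search(line)
        if not m:
            continue
        for clsid in re.findall(CLSID, m.group(2)):
            found.setdefault(clsid.upper(), set()).add(m.group(1).strip())
    return found

def hjt_components(hjt_log):
    """Map each CLSID in a HijackThis log to (section, label, file) entries."""
    comps = {}
    for line in hjt_log.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            section, label, clsid, path = m.groups()
            comps.setdefault(clsid.upper(), []).append((section, label, path.strip()))
    return comps

def correlate(scan_log, hjt_log):
    """Return (matches, unmatched): flagged CLSIDs resolved to installed add-ons."""
    flagged, comps = flagged_clsids(scan_log), hjt_components(hjt_log)
    matches, unmatched = [], []
    for clsid in sorted(flagged):
        if clsid in comps:
            for section, label, path in comps[clsid]:
                matches.append((clsid, sorted(flagged[clsid]), section, label, path))
        else:
            unmatched.append(clsid)  # no registered add-on: needs manual review
    return matches, unmatched

if __name__ == "__main__":
    for row in correlate(SCAN_LOG, HJT_LOG)[0]:
        print(row)
```

A match identifies the DLL whose signature and origin to verify; it does not by itself show whether the detection is correct.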
3 Replies

RE: Backdoor.Agent

Backdoor Agent could be any of hundreds of similar worms, and it's possible that, as only Spyware Detector detects it, it is harmless; on the other hand, it's best to be sure about it.

We can't analyse HJT logs here. Post them at any of the following forums:


I have Windows XP Professional with Service Pack 2 on my desktop at work. I am the system administrator and owner because I'm my own boss. I also have three firewalls. One of those is supposed to include the McAfee security suite on my computer.

I also have McAfee Security Suite installed.

McAfee was supposed to be protecting me from malware because the problem occurred after McAfee was installed.

The problem? My computer runs just fine until I connect to the internet, then my computer gets hijacked by McAfee Shield or whatever it is that is infecting my computer. The hard drive is constantly busy, and when I open Task Manager, McAfee Shield is using 80% CPU power for no obvious reason. It's gotten to the point that I just have to unplug the darn thing to shut it off, because it won't shut down. Cannot find the virus or the cause either, though I have certainly tried. McAfee cannot find viruses/malware either. I wonder if McAfee has limited protection against infected JavaScript files on the internet?

Fortunately this is the only computer I have had problems with McAfee on. I have three computers and McAfee is on all of them.

Unfortunately I will have to have my computer professionally cleaned before it can go back online, because McAfee was obviously not protecting it. I hope I will not have to scrap the system and start over from scratch. :eek:

RE: backdoor.jpg

Old thread + duplicate posting - locking
