Nail.exe, Aurora, DrPMon.dll, Adwaheek, ABI... [CLOSED]


#31
MichelleB99 (Member, Topic Starter, 26 posts)
OOPS, I should correctly state that after running AVG once and getting the trojan, it's run twice with NO detected files. Not running with detected files. Big difference! I haven't been running anything else to scan like I was before...should I be?

I also wanted to ask about all of the programs that I've downloaded... findqoologic, spybot, adaware, fixaurora, winsockfx, killbox, nailfix, kaspersky, cwshredder, ewido, cleanup... should I leave them all on my desktop?

I also researched the hijack attempt from the firewall...if I'm reading it correctly, it's assuming McAfee is trying to hijack my email. And since I blocked it, it's taking that as a bad thing. So maybe it's not as bad as I thought?

Anyhow, here's the log. I'm keeping fingers crossed!

Logfile of HijackThis v1.99.1
Scan saved at 3:47:59 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ScanSoft\Pagis\Monitor.exe
C:\Program Files\ScanSoft\Pagis\Ereg\REMIND32.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\Michelle Bain\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\Pagis\Ereg\REMIND32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Pagis Schedule Monitor.lnk = C:\Program Files\ScanSoft\Pagis\Monitor.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolo...larkActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119994519875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F461205D-ABDC-42FE-B2E2-AFD4600B905E} (MASHControl Class) - http://www.amiuptoda...,0,0,7/mash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
#32
tampabelle (Retired Staff, 6,363 posts)
Hi Michelle,

Let me guess - you are having some issues with your PC. It must be very slow!!!!!!

That is because you have two Anti-Virus programs running!!!!

I would strongly recommend that you uninstall one of them. Try uninstalling McAfee. In case you don't like AVG, then you can always install it back!!!!

Same applies for the Firewall!!!!!!!!!!

Let me know what you decide

#33
tampabelle (Retired Staff, 6,363 posts)
Regarding the programs you downloaded -

"I also wanted to ask about all of the programs that I've downloaded... findqoologic, spybot, adaware, fixaurora, winsockfx, killbox, nailfix, kaspersky, cwshredder, ewido, cleanup... should I leave them all on my desktop?"

Keep Spybot, Adaware, Ewido and CleanUp.

The others you can delete.

Please note that since you downloaded the trial version of Ewido, it won't update the signatures once the trial period is over. So every time you want to run an Ewido scan, you will need to update the signatures manually. There are a few more features which won't be available, but overall it is a good product to keep!!!

#34
MichelleB99 (Member, Topic Starter, 26 posts)
Good evening Tampabelle! Sorry it's taken me a few days to respond. I've uninstalled all of McAfee to the best of my ability, but when I went to do Firewall, it processed and said I had to restart to complete, and I didn't right then, and when I did restart it, it was still in my programs in control panel, but now will not let me complete uninstall. Keeps telling me that Instal.log is missing? I'm guessing I'll need to contact McAfee for assistance.

My computer seems to be coming out of its slump and regaining speed, but I just have a few questions/concerns to run past you to ensure we are in the clear:

1) Occasionally getting error message "Digital line detected (PBX), please verify that your phone line from your computer is directly connected to a standard analog modem or fax line." I'd never had this message before all of these issues. Our hookup is cable and I'm not even sure there's a phone line back there anymore? We don't have a fax, either.

2) Just want to run past you several of the flags I'm still getting from Sygate (I've blocked all of them for the time being, let me know if I shouldn't):

a) NDIS user mode I/O Driver (ndisuio.sys) is being contacted from remote machine...pagead2.googlesyndication.com....

b) Messenger (MSMSGS.EXE) is trying to connect to the network.....

c) Sonic Update Mgr (sgtray.exe) trying to connect to the network...

d) C:\Documents and Settings\Michelle Bain\Local Settings\Temp\205717215342 (Mcinfo.exe) trying to connect to McAfee... I'm thinking this has something to do with Firewall, but why in my temp folder?


3) Still getting that message about the Generic Host process (win 32)...I didn't see if/where you answered me on that before.

Ok, I think that's all for now. Thanks again for all of your help. Hope you had a nice weekend. :tazz:

#35
tampabelle (Retired Staff, 6,363 posts)
Hi Michelle,


Did you have some success in removing McAfee ???

Please visit McAfee's site. They have detailed instructions on how to completely uninstall the software.


Regarding your queries -

1. It is a check which most of the ISPs do when the computer switches on. This is because digital lines carry a higher voltage than the analog lines. An analog modem connected to a digital line would get fried!!!!! I would suggest that you check with your ISP also as to whether this file can be safely removed -

C:\Program Files\Digital Line Detect\DLG.exe


If so then rename the file as DLG.ex_. (If there is no extension visible, then Please click on Tools ---> Folder Options in the Windows Explorer menu bar. In the Pop up window, click on View tab. Uncheck the box next to "Hide extensions for known file types". Once you complete renaming the file, please check the box again to hide extensions of file types).

2) Just want to run past you several of the flags I'm still getting from Sygate (I've blocked all of them for the time being, let me know if I shouldn't):

a) NDIS user mode I/O Driver (ndisuio.sys) is being contacted from remote machine...pagead2.googlesyndication.com....

This is an important system file. Do not delete it. Letting it connect to the Net or blocking it is optional. Chances are that while surfing, you are getting this message from your Firewall, meaning that your webpage is referring to that site.


b) Messenger (MSMSGS.EXE) is trying to connect to the network.....

This is a Windows process. Not critical, but it is used by computers to message each other. You can disable this, but then you won't be able to exchange messages with other computers on a network!!!! Uninstalling it won't affect your ability to connect to the internet.

c) Sonic Update Mgr (sgtray.exe) trying to connect to the network...

System Tray icon and background monitoring task for Veritas Storage Guard, which in most cases gets installed as part of Backup Exec Desktop or Backup Exec Desktop Pro (as well as some of the other Veritas backup products). When running in the background, Storage Guard alerts you when you have not done a backup of your data for a while. Also, if you decide to do a backup, you can do it straight from the System Tray icon.



d) C:\Documents and Settings\Michelle Bain\Local Settings\Temp\205717215342 (Mcinfo.exe) trying to connect to McAfee... I'm thinking this has something to do with Firewall, but why in my temp folder?

Most software downloads the updates and other files to the temp folder and then installs them. Once you uninstall McAfee, you won't have this issue.
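To make the kind of log review done in this thread repeatable, here is an added Python example (not from the thread, from Geeks to Go or from HijackThis itself) that parses O4 Run entries and O23 Service lines in the HijackThis v1.99.1 layout shown in post #31 and flags executables that start from a Temp folder or a user profile, and services listed as "Unknown owner". The sample lines are constructed to mirror the thread's log; the Temp-folder O4 entry is invented to exercise that check, and the flags mean "look closer", not "malicious".

```python
import re

# Constructed sample in the HijackThis v1.99.1 layout used in this thread;
# the Temp-folder O4 line is invented to exercise that check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\User\Local Settings\Temp\205717215342\Mcinfo.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) \(([^)]*)\) - (.*?) - (.*)$")
# First .exe token, quoted or not; unquoted paths may contain spaces.
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def exe_path(command):
    """Strip quotes and arguments, leaving only the executable path."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()

def assess(path, vendor=None):
    """Reasons an entry deserves a second look (empty list if none)."""
    low = path.lower()
    reasons = []
    if "\\temp\\" in low:
        reasons.append("runs from a Temp folder")
    if low.startswith("c:\\documents and settings\\"):
        reasons.append("runs from a user profile, not Program Files or Windows")
    if vendor is not None and vendor.lower() == "unknown owner":
        reasons.append("service has no recorded owner")
    return reasons

def triage(log_text):
    """Parse O4 Run and O23 Service lines into (section, name, path, reasons)."""
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            hive, key, name, cmd = m.groups()
            path = exe_path(cmd)
            results.append((f"O4 {hive}\\..\\{key}", name, path, assess(path)))
        elif m := SVC_RE.match(line):
            _display, short_name, vendor, path = m.groups()
            results.append(("O23", short_name, path.strip(), assess(path.strip(), vendor)))
    return results
```

Other HijackThis sections (O2, O16, O4 Startup shortcuts) are skipped by this parser; extending it means one more regex per section and the same assess() call.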

#36
MichelleB99 (Member, Topic Starter, 26 posts)
Hi Tampabelle. No I haven't had luck with McAfee. I have to call them tomorrow anyways to get a refund on my programs, so hopefully they can give me some direction.

Thanks for all of your input and answers to my confusing questions. I've decided to leave everything as it is and allow the files to access. One question, though. I still didn't see where you answered #3, and I'm still getting that error message quite a bit:

3) Still getting that message about the Generic Host process (win 32)...I didn't see if/where you answered me on that before.

Do I need to worry about that?

Other than that, my system seems to be all better now. How often should I continue to run scans?

#37
tampabelle (Retired Staff, 6,363 posts)
Hi Michelle,


If you go to the website of McAfee and search for the uninstall instructions, then you would have the detailed set of such instructions!! You need not have somebody online / on phone to uninstall it completely.

As far as frequency of scans is concerned, there is a trade-off between caution and convenience. So do scans at a frequency that you are comfortable with. However, any time you suspect any unwarranted behaviour, like pop-ups etc., run the scans immediately.

A whole host of programs and software use the svchost.exe process to execute themselves. One of those processes is Windows Update, which is done by use of this file.

Since you have the Firewall installed, you can log the activities of the firewall, i.e. all the activities it blocks or allows!! Generate a log for about 30-60 minutes. Have a look at the log. If you don't feel comfortable or are unfamiliar with some process, then post the log here. I will have a look at it.

#38
tampabelle (Retired Staff, 6,363 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.