2287 Views 7 Replies Latest reply: Jun 30, 2011 12:05 PM by dmhh1mcf RSS
dmhh1mcf Newcomer 8 posts since
Jun 27, 2011

Jun 29, 2011 5:08 AM

Tired of being hacked/infected


The short version:

In the past 6 months I've had to do a complete reinstall of computer software 3 times because
some A hole has chosen not to be a positive member of society and keeps hacking/infecting
my computer.

Yesterday after reinstall I noticed some of the same behavior already: suspicious registry entries
for McAfee, error code 2 when using the shredder function.  Eventually this will lead to certain
parts of web pages not loading, then the web site won't load at all and I will get a "res://ieframe.dll/dnserror.htm#"
that pops up in the address bar.

Late May/early June I called McAfee and spoke to someone on their customer service line about the
error code 2 while using the shredder function.  They explained I would have to pay for customer service.
I said no way and was allowed a "one time" free call.  A tech did something but no remote access was
done.

I'm tired of the McAfee program not protecting my computer.  Here is the HijackThis log after downloading McAfee on my
fresh install.


C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\Supportability\MVT\MvtApp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110628141345.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [McAfee McItInfo] C:\Users\CDMH1\AppData\Local\Temp\mcitinfo_1309288520.exe /itinsfin:C:\Users\CDMH1\AppData\Local\Temp\mcininfo_1309288521.ini
O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0165031309288433) (0165031309288433mcinstcleanup) - McAfee, Inc. - C:\Users\CDMH1\AppData\Local\Temp\016503~1.EXE
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBK370backup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBK370backup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

 

I know I'm not supposed to post my log here; however, McAfee is supposed to protect my computer.  Which of the above
entries are legitimate?  I assume that all the O4's are not supposed to be there, and the extra R1/R0 of IE can go.
Are the IE labeled default_ the real ones?

Appreciate any help!

  • Ex_Brit Volunteer Moderator 59,592 posts since
    May 6, 2004
    1. Jun 29, 2011 5:42 AM (in response to dmhh1mcf)
    Re: Tired of being hacked/infected

    It looks OK to me; however, I'm not qualified to read a HijackThis log. The forums that specialise in that would be best suited to advising you.  See the lower area of this document:  https://community.mcafee.com/docs/DOC-2168

     

    No protection software in the world is going to stop everything out there, so don't even think that.

     

    Keep Windows (including any parts of it you may not use) and all your software totally up to date at all times and keep some extra anti-malware tools handy and updated just in case.  There are some listed in that document.

     

    Not too sure about that Shredder error, I guess it depends on  what you are trying to shred.  You don't give any details on your operating system, service pack or versions of installed McAfee products.

     

    Technical Support Chat are the only people that can analyse that sort of error anyway.   If you don't get satisfaction with the first contact, ask for an escalation.

     

    Shredder is really only meant as a supplement to the tools that Windows already possesses for doing cleanups.

     

    The only 100% sure way of staying infection free is to do some soul searching as to surfing habits, downloading and careless clicking....that's the number one enemy.


    Toronto • Canada
    Volunteer Moderator
    I can't help you privately - please post in the Forums
    Use Advanced Forum Search To Find Answers
    Beta Test McAfee Products For PC & MAC
    How To Fix File Associations in Windows
    XP & Office 2003 End-Of-Life - 08 April, 2014
    Anti-Spyware/Malware & Hijacker Tools
  • Ex_Brit Volunteer Moderator 59,592 posts since
    May 6, 2004
    3. Jun 29, 2011 7:33 AM (in response to dmhh1mcf)
    Re: Tired of being hacked/infected

    I know it's very frustrating when it happens.   I too am hoping someone from support chips in here.

     

    You might consider applying SP1 to your Win 7 by the way.  There's some help with that here:  https://community.mcafee.com/docs/DOC-2205


  • Hayton Volunteer Moderator 4,601 posts since
    Sep 27, 2010
    4. Jun 29, 2011 9:32 AM (in response to dmhh1mcf)
    Re: Tired of being hacked/infected

    The Hijack This log entries do not show anything much out of the ordinary.

     

    Be careful with the O4 entries -

    This section corresponds to certain registry keys and startup folders that are used to automatically start an application when Windows starts. O4 keys are the HJT entries that the majority of programs use to autostart, so particular care must be used when examining these keys.

     

    Your Windows 7 installation is showing mctadmin.exe in the RunOnce section. According to one of the people on Microsoft Technet (HERE) -

    Mctadmin.exe is used to add or remove local content in a Local Pack to the current user's profile. It is part of Microsoft® Windows® Operating System. It’s a system and hidden file. Mctadmin.exe is usually located in the %SYSTEM% folder.

     

    I have never seen these two entries for mctadmin.exe in any of my startups and my Win7 is working properly. So I think it's safe to remove these two entries from your computer.

     

    Re the settings you have for Shredder -

    O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"

     

    Okay, "/P5" means 5 passes to shred files, which is going to slow you down somewhat if you're shredding large numbers of files. Unless you have sensitive content to get rid of you can probably drop that to 3 passes or even less. But "DelayShred" I haven't seen before. Perhaps that's an option I don't have in my McAfee installation.

     

    As for IE, the Default settings are the fallback. In your case they're the same as the actual settings, so no worries there.

     

    The "dnserror" in the address bar sounds like a possible problem with your cache. If it happens purge your browser cache, delete all temp files and cookies, and bring up (if you can do this in Win7) a command window and enter "ipconfig /flushdns" to purge the DNS Resolver cache.


    Volunteer Moderator  Leeds, UK
    No PM's please
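
A way to triage the O4 (autostart) section described in the post above, as an added example that is not part of the original thread or of HijackThis itself: it parses the registry-style O4 lines from the posted log and separates the executable path from its arguments. The Temp-directory check is an assumed review heuristic (a hit means "find out what this is", not a verdict), and the function names are hypothetical.

```python
import re

# Sample input: entries taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [McAfee McItInfo] C:\Users\CDMH1\AppData\Local\Temp\mcitinfo_1309288520.exe /itinsfin:C:\Users\CDMH1\AppData\Local\Temp\mcininfo_1309288521.ini
O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110628141345.dll
'''

# Registry-style O4 line: hive, optional SID, Run/RunOnce key, [value name], command, optional user.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$")
# Executable = quoted path, or unquoted text up to the first .exe/.com/.bat/.cmd.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd))(?=\s|$)', re.I)
# Assumed review heuristic: autostart binary stored in a Temp directory.
TEMP_RE = re.compile(r"\\temp\\", re.I)

def parse_o4(log_text):
    """Return one dict per registry-style O4 entry; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        exe = EXE_RE.match(entry["cmd"])
        # Only the executable path is judged, not its arguments.
        entry["exe"] = (exe.group(1) or exe.group(2)) if exe else entry["cmd"]
        entry["from_temp"] = bool(TEMP_RE.search(entry["exe"]))
        entries.append(entry)
    return entries

def review_first(entries):
    """Value names of autostart entries whose executable sits in a Temp directory."""
    return [e["name"] for e in entries if e["from_temp"]]

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        mark = "REVIEW" if e["from_temp"] else "ok    "
        print(mark, e["hive"], e["key"], e["name"], "->", e["exe"])
```

The DelayShred entry is not marked even though its argument points at a temporary-files folder, because only the path of the program being started is checked.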
  • Hayton Volunteer Moderator 4,601 posts since
    Sep 27, 2010
    6. Jun 29, 2011 3:15 PM (in response to dmhh1mcf)
    Re: Tired of being hacked/infected

    Okay, download the 90+ updates and see if the dns problem persists. If it does, go to Microsoft Update and look on the left-hand side for an entry that says Check your Update History. Go back quite a long way, and look for any downloads that are marked as Failed (a red 'X' instead of a green Check mark).

     

    Can you also say which browser(s) you get the dnserror message in?


