7 Replies Latest reply: Jun 30, 2011 12:05 PM by dmhh1mcf

    Tired of being hacked/infected


      The short version:

      In the past 6 months I've had to do a complete reinstall of computer software 3 times because
      some A hole has chosen not to be a positive member of society and keeps hacking/infecting
      my computer.

      Yesterday after reinstall I noticed some of the same behavior already, suspicious registry entries
      for McAfee, error code 2 when using the shredder function.  Eventually this will lead to certain
      parts of web pages not loading, then the web site won't load at all and I will get a "res://ieframe.dll/dnserror.htm#"
      that pops up in the address bar.

      Late May early June I called McAfee and spoke to someone on their customer service line about the
      error code 2 while using the shredder function.  They explained I would have to pay for customer service.
      I said no way and was allowed a "one time" free call.  A tech did something but no remote access was

      I'm tired of the McAfee program not protecting my computer.  Here is the HijackThis log after downloading McAfee on my
      fresh install.

      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\McAfee\Supportability\MVT\MvtApp.exe
      C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
      O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110628141345.dll
      O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
      O4 - HKCU\..\Run: [McAfee McItInfo] C:\Users\CDMH1\AppData\Local\Temp\mcitinfo_1309288520.exe /itinsfin:C:\Users\CDMH1\AppData\Local\Temp\mcininfo_1309288521.ini
      O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
      O15 - Trusted Zone: http://*.mcafee.com
      O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      O23 - Service: McAfee Application Installer Cleanup (0165031309288433) (0165031309288433mcinstcleanup) - McAfee, Inc. - C:\Users\CDMH1\AppData\Local\Temp\016503~1.EXE
      O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
      O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
      O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
      O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
      O23 - Service: McAfee Online Backup (MOBK370backup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBK370backup.exe
      O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe


      I know I'm not supposed to post my log here, however McAfee is supposed to protect my computer.  Which of the above
      entries are legitimate?  I assume that all the O4's are not supposed to be there, and the extra R1/R0 of IE can go ago.
      Are the IE labeled default_ the real ones?

      Appreciate any help!

        • 1. Re: Tired of being hacked/infected

          It looks OK to me however I'm not qualified to read a Hijackthis log, the forums that specialise in that would be best suited to advising you.  See the lower area of this document:  https://community.mcafee.com/docs/DOC-2168


          No protection software in the world is going to stop everything out there, so don't even think that.


          Keep Windows (including any parts of it you may not use) and all your software totally up to date at all times and keep some extra anti-malware tools handy and updated just in case.  There are some listed in that document.


          Not too sure about that Shredder error, I guess it depends on  what you are trying to shred.  You don't give any details on your operating system, service pack or versions of installed McAfee products.


          Technical Support Chat are the only people that can analyse those sort of errors anyway.   If you don't get satisfaction with the first contact ask for an escalation.


          Shredder is really only meant as a supplement to the tools that Windows already possesses for doing cleanups.


          The only 100% sure way of staying infection free is to do some soul searching as to surfing habits, downloading and careless clicking....that's the number one enemy.

          • 2. Re: Tired of being hacked/infected



            Thanks for the reply!


            I understand everything can be hacked/infected.  But three times with all the same type of behavior?


            From the last incident only went to a handful of websites, all legit.  Before going anywhere would update McAfee and MVT.


            Gateway with Vista updated to Windows 7 Pro


            McAfee Internet Security


            Will check out posting log, was hoping someone with true McAfee background would advise.

            • 3. Re: Tired of being hacked/infected

              I know it's very frustrating when it happens.   I too am hoping someone from support chips in here.


              You might consider applying SP1 to your Win 7 by the way.  There's some help with that here:  https://community.mcafee.com/docs/DOC-2205

              • 4. Re: Tired of being hacked/infected

                The Hijack This log entries do not show anything much out of the ordinary.


                Be careful with the O4 entries -

                This section corresponds to certain registry keys and startup folders that are used to automatically start an application when Windows starts. O4 keys are the HJT entries that the majority of programs use to autostart, so particular care must be used when examining these keys.


                Your Windows 7 installation is showing mctadmin.exe in the RunOnce section. According to one of the people on Microsoft Technet (HERE) -

                Mctadmin.exe is used to add or remove local content in a Local Pack to the current user's profile. It is part of Microsoft® Windows® Operating System. It’s a system and hidden file. Mctadmin.exe is usually located in the %SYSTEM% folder.


                I've never seen these two entries for mctadmin.exe in any of my startups and my Win7 is working properly. So I think it's safe to remove these two entries from your computer.


                Re the settings you have for Shredder -

                O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"


                Okay, "/P5" means 5 passes to shred files, which is going to slow you down somewhat if you're shredding large numbers of files. Unless you have sensitive content to get rid of you can probably drop that to 3 passes or even less. But "DelayShred" I haven't seen before. Perhaps that's an option I don't have in my McAfee installation.


                As for IE, the Default settings are the fallback. In your case they're the same as the actual settings, so no worries there.


                The "dnserror" in the address bar sounds like a possible problem with your cache. If it happens purge your browser cache, delete all temp files and cookies, and bring up (if you can do this in Win7) a command window and enter "ipconfig /flushdns" to purge the DNS Resolver cache.
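
Added example, not part of the original thread or any poster's reply: a short Python triage pass over HijackThis O4 (autostart) and O23 (service) lines such as those in the log above, listing entries whose executable sits in a Temp directory so they get checked first. The function names and the Temp heuristic are assumptions of this example; a Temp path is common for installer leftovers and is a reason to look, not a verdict.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [McAfee McItInfo] C:\Users\CDMH1\AppData\Local\Temp\mcitinfo_1309288520.exe /itinsfin:C:\Users\CDMH1\AppData\Local\Temp\mcininfo_1309288521.ini
O4 - HKCU\..\Run: [DelayShred] "c:\progra~1\mcafee\mqs\ShrCL.EXE" /P5 /q "C:\Users\CDMH1\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low"
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O23 - Service: McAfee Application Installer Cleanup (0165031309288433) (0165031309288433mcinstcleanup) - McAfee, Inc. - C:\Users\CDMH1\AppData\Local\Temp\016503~1.EXE
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
"""

# O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# Executable = quoted first token, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
# Assumed heuristic: executable stored under a Temp directory.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\|%te?mp%", re.IGNORECASE)
SVC_PREFIX = "O23 - Service: "

def exe_path(cmd):
    """Return the executable part of an autostart command line."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def parse_autostarts(log_text):
    """Parse O4 and O23 lines into dicts; other sections are skipped."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            kind = "O4 " + key
        elif line.startswith(SVC_PREFIX):
            # The path is the last " - " separated field of a service line.
            name, _, cmd = line[len(SVC_PREFIX):].rpartition(" - ")
            hive, kind = "services", "O23"
        else:
            continue
        path = exe_path(cmd)
        entries.append({"kind": kind, "hive": hive, "name": name,
                        "path": path, "in_temp": bool(TEMP_RE.search(path))})
    return entries

def review_first(entries):
    """Entries to check first: the executable lives in a Temp directory."""
    return [e for e in entries if e["in_temp"]]

if __name__ == "__main__":
    for e in review_first(parse_autostarts(SAMPLE_LOG)):
        print(f'{e["kind"]:<10} {e["name"]} -> {e["path"]}')
```

The DelayShred entry is not listed by this check because its executable is under the McAfee program folder; only its argument points at the temporary internet files directory.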

                • 5. Re: Tired of being hacked/infected



                  I thought I would check the log entries before downloading the some 90 updates for Windows.







                  Thanks for the reply!


                  The "delay shred" entry is what seems to be the recurring entry.  I have deleted it in the past and have to keep deleting it (also in safe mode).  Shredding temp internet files with comp setting.


                  When I have used the shred function in the past sometimes I will get error code 2, or unable to shred file not available, and then that is where I find the "delay shred" entry with



                  The "dnserror" in the bar is the end result when things go south.  I tried Windows article 967897 which includes: compatibility view, clear SSL state, verify date & time, delete history, run with no add-ons, reset IE, check hard drive errors, and also have tried the flush command.  That's when I gave up and did a reinstall.

                  • 6. Re: Tired of being hacked/infected

                    Okay, download the 90+ updates and see if the dns problem persists. If it does, go to Microsoft Update and look on the left-hand side for an entry that says Check your Update History. Go back quite a long way, and look for any downloads that are marked as Failed (a red 'X' instead of a green Check mark).


                    Can you also say which browser(s) you get the dnserror message in?

                    • 7. Re: Tired of being hacked/infected



                      Thank you for the further suggestions!


                      Have to say it's too late.  Already hacked/infected.  The non positive member of society has shown us their skill set and can not access McAfee community web site.  Can go to McAfee but every time I try to access the community tab I get the dns error.


                      I believe it's a perfect time for someone within McAfee to step forward with this teachable moment and show us their skill set, so no one else has to go through this.


                      With my limited knowledge of computers/internet this had to happen when I downloaded McAfee and/or the handful of times I accessed the internet to post here.


                      On a back up computer with limited access.


                      Appreciate your efforts!