Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Very Strange Goings-on, Can You Assist?

  • Please log in to reply
1 reply to this topic

#1 mtnmaninvan


  • Members
  • 1 posts
  • Local time:01:06 AM

Posted 08 January 2007 - 03:13 PM

Hi there I've been having some very strange situations happening in the past recent weeks, It seems that all of my web brosing is being copied, i'm suffering suddened reboots, I/M's are being crashed or lost on a regular basis. when downloading anything from the web I have a black c-prompt window open up and it gives a message stating that a copy is being sent to the windows 16-bit system and saved passwords are being reset without my knoledge. I have done a bit of checking with the resultys of registry mechanic's results and it would appear that I'm infected but as a newbie I'm somewhat at a loss. scans using Registry Mechanic, Mcafee Total Protection No-adware and the Freedom Security bundle that comes with my ISP Service all show nothing more than a few tracking cookies or invalid registry paths so I'm appealing to those with far more experience...can you help? I'm at my wits end!!! Thanks in advance. Here is my log..

Logfile of HijackThis v1.99.1
Scan saved at 11:50:49 AM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\SiteAdvisor\4979\SiteAdv.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\SiteAdvisor\4979\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TELUS eCare\bin\mad.exe
C:\Documents and Settings\bleep\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll (filesize 1107544 bytes, MD5 5A655C35377718EFC48E46A03F5F1457)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (filesize 853672 bytes, MD5 250D787A5712D7768DDC133B3E477759)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (filesize 440056 bytes, MD5 BC7A3C412FE12F471603473294CEEEBE)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll (filesize 67136 bytes, MD5 AD5B26C086B0A6DBD221135BA201CC0F)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (filesize 2133056 bytes, MD5 21DBD36987339A871211E4E0552FFB76)
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll (filesize 185896 bytes, MD5 2875685690CA21F3BE07BF326EA103AC)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll (filesize 1107544 bytes, MD5 5A655C35377718EFC48E46A03F5F1457)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (filesize 2133056 bytes, MD5 21DBD36987339A871211E4E0552FFB76)
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exeC:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe" (filesize 161360 bytes, MD5 3608A271D2E0C4D6F34ED0834F6386ED)
O4 - HKLM\..\Run: [MWLExe] "C:\Program Files\Mcafee\MWL\MWLGui.exe" /Start (filesize 1304176 bytes, MD5 AE8CF6C61F6754F1C37153353F74D7C2)
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS (filesize 2021608 bytes, MD5 FCD1717D844F05A612D4F53DCEC708C5)
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\4979\SiteAdv.exe" (filesize 35992 bytes, MD5 6A4C65612DB8B61C21A86308EFDE3536)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" (filesize 49263 bytes, MD5 3AA5D60B77CE19B1F2521F532AB986E7)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (filesize 4662776 bytes, MD5 3A756D4066CC3BB8426EB08ABB6B5B10)
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe (filesize 217088 bytes, MD5 9F603BB59AE0D9F60D0AEA44367E6806)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (filesize 440056 bytes, MD5 BC7A3C412FE12F471603473294CEEEBE)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (filesize 440056 bytes, MD5 BC7A3C412FE12F471603473294CEEEBE)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll (filesize 1107544 bytes, MD5 5A655C35377718EFC48E46A03F5F1457)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dllC:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeC:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exeC:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeC:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exec:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exec:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exeC:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exeC:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeC:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeC:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeC:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exeC:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\4979\SAService.exeC:\Program Files\SiteAdvisor\4979\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exeC:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

BC AdBot (Login to Remove)



#2 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:06 AM

Posted 17 January 2007 - 06:29 PM

Hello mtnmaninvan and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Can you give me a little more information.

- what exactly is happening that to indicate that the web browsing is being copied and is there any information regarding where it is being copied to?

- the sudden reboots and program crashes would indicate a driver issue. Was any new software or any updates done just prior to this starting to occur?

- the 16-bit subsystem is a sub-system in Windows that runs underneath the 32-bit Windows system. Downloaded files sent there could be done so by any download managers that are installed. Are there any programs installed that monitor or assist with web downloads?

- can you post the information from Registry Mechanic that indicates what type of infection is present? Registry Mechanic is basically a registry cleaner that looks for missing data and removes the references to it. As far as I know it does not have the capability to identify infections or malware.

It sounds like there are some driver or registry issues that are causing these problems. With a little more information I can point you to the correct forum for assistance.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users