
Have File In Task Manager Called Mcm.exe


8 replies to this topic

#1 HonoredShadow

  • Members
  • 8 posts

Posted 21 April 2007 - 03:16 PM

Hi, I'm new here and was wondering if I could have some help?

I have noticed I have got a program running in Task Manager called MCM.exe.

I have searched the web and it is a malicious program. I need to delete it and stop it loading when I start up. Any ideas?

I have run AVG, Spybot and Adaware (all up to date) but none of them have found it.

I have checked msconfig for MCM but see nothing. I have also checked services.msc but see nothing under MCM. I understand it might mean Microsoft service management or something like that, but I don't see it called that either.

Please, please, please I am desperate!


Thanks.

Edited by HonoredShadow, 21 April 2007 - 03:27 PM.



#2 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 21 April 2007 - 03:29 PM

Are you running McAfee for your security?

Most McAfee programs and services begin with "mc" in the file name. Run a full system search, including hidden and system files, for MCM.exe to find the location on your hard drive. Please reply with the full path to this file, if found.

Edited by oldf@rt, 21 April 2007 - 03:29 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 HonoredShadow
  • Topic Starter

  • Members
  • 8 posts

Posted 21 April 2007 - 03:36 PM

I am only using AVG free for anti virus. No other. As for the path to the .exe, I have no idea. It appears in task manager (never used to see it).

I have searched my entire hard drive for MCM.exe and find nothing. I have done a web search on it and came up with very little. Just that it is malware or something.

I have cleared my
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

I just don't know how to find where it is or how to remove it.

Thanks for any assistance.

Edited by HonoredShadow, 21 April 2007 - 03:41 PM.


#4 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 21 April 2007 - 03:42 PM

Found it definitely listed as malware (Backdoor Trojan). My recommendation would be to submit a HijackThis log; here is the starting point:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#5 HonoredShadow
  • Topic Starter

  • Members
  • 8 posts

Posted 21 April 2007 - 03:50 PM

Thanks for your help. I ran a couple more of those virus checkers and came up with nothing.

I downloaded and installed HijackThis and created a log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:43:19, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
C:\Program Files\ControlMK\ControlMK.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Sy\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.0.0.4 www.vparivalka.com
O1 - Hosts: 127.0.0.4 iframeprofit.com
O1 - Hosts: 127.0.0.4 www.iframeprofit.com
O1 - Hosts: 127.0.0.4 topsearch10.com
O1 - Hosts: 127.0.0.4 www.topsearch10.com
O1 - Hosts: 127.0.0.4 statscash.biz
O1 - Hosts: 127.0.0.4 www.statscash.biz
O1 - Hosts: 127.0.0.4 vxiframe.biz
O1 - Hosts: 127.0.0.4 www.vxiframe.biz
O1 - Hosts: 127.0.0.4 crazy-toolbar.com
O1 - Hosts: 127.0.0.4 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.4 topcash.biz
O1 - Hosts: 127.0.0.4 www.topcash.biz
O1 - Hosts: 127.0.0.4 loadcash.biz
O1 - Hosts: 127.0.0.4 www.loadcash.biz
O1 - Hosts: 127.0.0.4 txiframe.biz
O1 - Hosts: 127.0.0.4 www.txiframe.biz
O1 - Hosts: 127.0.0.4 procounter.biz
O1 - Hosts: 127.0.0.4 www.procounter.biz
O1 - Hosts: 127.0.0.4 advadmin.biz
O1 - Hosts: 127.0.0.4 www.advadmin.biz
O1 - Hosts: 127.0.0.4 trafficbest.net
O1 - Hosts: 127.0.0.4 www.trafficbest.net
O1 - Hosts: 127.0.0.4 besthvac.com
O1 - Hosts: 127.0.0.4 www.besthvac.com
O1 - Hosts: 127.0.0.4 traff4.com
O1 - Hosts: 127.0.0.4 www.traff4.com
O1 - Hosts: 127.0.0.4 ambush-script.com
O1 - Hosts: 127.0.0.4 www.ambush-script.com
O1 - Hosts: 127.0.0.4 beehappyy.biz
O1 - Hosts: 127.0.0.4 www.beehappyy.biz
O1 - Hosts: 127.0.0.4 tracktraff.cc
O1 - Hosts: 127.0.0.4 www.tracktraff.cc
O1 - Hosts: 127.0.0.4 allcount.net
O1 - Hosts: 127.0.0.4 www.allcount.net
O1 - Hosts: 127.0.0.4 onedayoffer.biz
O1 - Hosts: 127.0.0.4 www.onedayoffer.biz
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ControlMK.lnk = C:\Program Files\ControlMK\ControlMK.exe
O4 - Global Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125703179609
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Auto HotKey Poller - Unknown owner - C:\WINDOWS\system32\winpol.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9106 bytes

#6 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 21 April 2007 - 04:14 PM

Please re-post your log here: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

One of the HijackThis team members will help you as soon as possible.

#7 HonoredShadow
  • Topic Starter

  • Members
  • 8 posts

Posted 21 April 2007 - 04:34 PM

Thanks for your help

#8 HonoredShadow
  • Topic Starter

  • Members
  • 8 posts

Posted 21 April 2007 - 04:57 PM

It looks like I may have it sorted, but I would like to ask you a question if I can.

At the beginning of the log there is a bunch of hosts. Are these ad sites or something? Surely I can tick them and delete them with HijackThis?

#9 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 22 April 2007 - 12:00 AM

Have you posted the HijackThis log? If you have, please wait for one of the HijackThis team members to help you. I do not recommend that you make any changes until they have a chance to review the log. Based on what I know, you have a serious problem with malware; I think it would be best to wait until one of the members replies to your post.
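The hosts entries asked about in post #8 fall into two kinds that matter differently: a name mapped to a 127.x address is merely blocked, while a real host such as auto.search.msn.com mapped to a routable address (66.98.148.65 in the log) has its traffic silently sent elsewhere. The following is an added example, not code from the thread or from HijackThis, that parses O1 lines in the log's format and separates those two cases; the sample lines and the helper names are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the O1 lines from the log above
# (a subset, plus a normal localhost entry for contrast).
SAMPLE_O1_LINES = """\
O1 - Hosts: 127.0.0.4 www.vparivalka.com
O1 - Hosts: 127.0.0.4 iframeprofit.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 127.0.0.1 localhost
"""

# HijackThis O1 format: "O1 - Hosts: <address> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def parse_o1(text):
    """Return (address, hostname) pairs from HijackThis O1 lines, skipping others."""
    entries = []
    for line in text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(address, host):
    """Label one hosts entry.

    'localhost': the standard 127.0.0.1 localhost line.
    'loopback' : any other name pointed at 127.0.0.0/8 or ::1; it only blocks the name.
    'redirect' : name pointed at a routable address; traffic for that name goes
                 to a third party, which is what hijacks auto.search.msn.com above.
    'unparsed' : address field is not a valid IP.
    """
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparsed"
    if host == "localhost" and addr.is_loopback:
        return "localhost"
    return "loopback" if addr.is_loopback else "redirect"


def triage(text):
    """Bucket entries by class; the 'redirect' bucket is the one to investigate first."""
    buckets = {"localhost": [], "loopback": [], "redirect": [], "unparsed": []}
    for address, host in parse_o1(text):
        buckets[classify(address, host)].append((address, host))
    return buckets
```

Running `triage` over the full O1 section of the log above puts the 127.0.0.4 block-list entries in one bucket and the two msn.com redirects in another, which is the distinction a reviewer of the log makes before deciding what to fix.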
