PC trouble, am I in trouble here?

Marc_E

Supporting Actor
Joined
Oct 9, 2001
Messages
769
I recently noticed in the event log of activity (McAfee Privacy service) that my computer has relentlessly tried to access a particular website which when I try to go directly to it, does not come up 'page may have been removed'. The log shows attempts 100-200 times a day. My spyware seek and destroy doesn't show me something that pops out (says a lot of backweb stuff). What should I do? Could it be transmitting my info? How do I stop this and get rid of it? I have temporarily pulled the plug on the PC so it does not access the web.

Thanks in advance for any advice.
Marc
 

Mike LS

Supporting Actor
Joined
Jun 29, 2000
Messages
838
Have you tried any other spyware removers? Adaware etc?

If not, give some other free programs a try and see if they find anything.

Have you done a full virus scan since you noticed this activity?

You can also run a scan with a program called hijackthis (do a google search) and post the log on a forum such as tech-forums.net (there's a sub forum especially for these logs) and someone will check it for suspicious entries.

Also, does your privacy suite include a firewall? If so, and assuming it's set up correctly, it should be blocking all attempts to send any info to this site, so you shouldn't have anything to worry about while you search for the culprit.

If you don't have a firewall, download a free one like Zone Alarm and let it do its thing for now. It'll keep you from having to yank the network cable when you're not using it.
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
You might dig through the processes that are running and look them up. If you do a quick Google search on the processes you don't recognize you should come up with sites that identify those processes. Someone may have installed a rogue program on your computer. Also, make sure that your computer has all the Windows updates and update your anti-virus and run that.
 

Marc_E

Supporting Actor
Joined
Oct 9, 2001
Messages
769
cool, thanks for those responses. The strange thing is that if you try to go to the site it is not there.

Looking up hijackthis...
Yes, I do have firewall. Can I specifically block that site?
I did a virus scan when I noticed it and got 1 infected file, quarantined and deleted.
Marc
 

Marc_E

Supporting Actor
Joined
Oct 9, 2001
Messages
769
It got worse....
Now every time I open IE, I can't get my homepage. Instead I get this page 'www.todaywarnings.com' with some links to spyware and such type programs for removal. I have tried blocking it in every way I can think. I do not think it is accessing a site but loading an html document somewhere on my pc. This is making me freakin nuts!
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
Have you been able to use HiJackThis? That usually takes care of things like you just mentioned. Honestly, if it keeps getting worse, you might just consider backing everything up and reformatting.
 

Marc_E

Supporting Actor
Joined
Oct 9, 2001
Messages
769
here is my log
Logfile of HijackThis v1.99.1
Scan saved at 6:40:58 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32CTsvcCDA.exe
C:WINDOWSSystem32gearsec.exe
c:program filesmcafee.comagentmcdetect.exe
c:PROGRA~1mcafee.comagentmctskshd.exe
C:PROGRA~1McAfee.comPERSON~1MpfService.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSSystem32MsPMSPSv.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSExplorer.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32DSentry.exe
C:PROGRA~1mcafee.comagentmcagent.exe
C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe
C:Program FilesCreativeSBLiveDiagnosticsdiagent.exe
C:Program FilesMcAfee.comVSOmcvsshld.exe
C:Program FilesCommon FilesDellEUSWSupport.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb0 4.exe
c:progra~1mcafee.comvsomcvsescn.exe
C:Program FilesDellSupportAlertbinNotifyAlert.exe
C:WINDOWSkdxKHost.exe
C:Program FilesLogitechMouseWaresystemem_exec.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesiPodbiniPodService.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:PROGRA~1mcafee.commpsmscifapp.exe
C:Program FilesViewpointViewpoint ManagerViewMgr.exe
C:Program FilesMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
C:WINDOWSSystem32spoolDRIVERSW32X863E_S4I2P 1.EXE
C:Program FilesJavajre1.5.0_06binjusched.exe
C:Program FilesWinampwinampa.exe
C:PROGRA~1McAfee.comPERSON~1MpfTray.exe
C:Program FilesScanSoftOmniPage15.0Opware15.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe
C:Program FilesCAeTrust Internet Security Suitecaissdt.exe
C:PROGRA~1PANICW~1POP-UP~1POPUPS~1.EXE
C:PROGRA~1McAfee.comPERSON~1MpfAgent.exe
C:PROGRA~1SCREEN~1OCR.exe
C:Program FilesScanSoftOmniPage15.0OpAgent.exe
C:Program FilesDigital Line DetectDLG.exe
C:Program FilesPepidPepidMgr.exe
C:Program FilesSony HandheldHOTSYNC.EXE
C:WINDOWSsystem32cisvc.exe
C:WINDOWSsystem32cidaemon.exe
C:WINDOWSsystem32cidaemon.exe
c:PROGRA~1mcafee.comvsomcshield.exe
c:PROGRA~1mcafee.comvsoOasClnt.exe
C:Program FilesCAeTrust Internet Security SuiteeTrust PestPatrol Anti-SpywarePPActiveDetection.exe
c:program filesmcafee.comvsomcmnhdlr.exe
c:program filesmcafee.comsharedmghtml.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsMarcDesktopfoldersHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://start.earthlink.net
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.boston.com/
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.comcast.net/
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInt ernet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://login.passport.net/uilogin.srf?id=2"); (C:Documents and SettingsMarcApplication DataMozillaProfilesdefaultt96rlfj2.sltprefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:Documents and SettingsMarcApplication DataMozillaProfilesdefaultt96rlfj2.sltprefs.j s)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:WINDOWSsystem32hp247D.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:progra~1mcafee.comvsomcvsshl.dll
O4 - HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 - HKLM..Run: [diagent] "C:Program FilesCreativeSBLiveDiagnosticsdiagent.exe" startup
O4 - HKLM..Run: [UpdReg] C:WINDOWSUpdReg.EXE
O4 - HKLM..Run: [DVDSentry] C:WINDOWSSystem32DSentry.exe
O4 - HKLM..Run: [MoneyStartUp10.0] "C:Program FilesMicrosoft MoneySystemActivation.exe"
O4 - HKLM..Run: [MCAgentExe] c:PROGRA~1mcafee.comagentmcagent.exe
O4 - HKLM..Run: [MCUpdateExe] C:PROGRA~1mcafee.comagentmcupdate.exe
O4 - HKLM..Run: [AdaptecDirectCD] "C:Program FilesRoxioEasy CD Creator 5DirectCDDirectCD.exe"
O4 - HKLM..Run: [VirusScan Online] C:Program FilesMcAfee.comVSOmcvsshld.exe
O4 - HKLM..Run: [DwlClient] C:Program FilesCommon FilesDellEUSWSupport.exe
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb0 4.exe
O4 - HKLM..Run: [VSOCheckTask] "C:PROGRA~1McAfee.comVSOmcmnhdlr.exe" /checktask
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..Run: [kdx] C:WINDOWSkdxKHost.exe
O4 - HKLM..Run: [iTunesHelper] C:Program FilesiTunesiTunesHelper.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [MPSExe] c:PROGRA~1mcafee.commpsmscifapp.exe /embedding
O4 - HKLM..Run: [ViewMgr] C:Program FilesViewpointViewpoint ManagerViewMgr.exe
O4 - HKLM..Run: [mmtask] C:Program FilesMUSICMATCHMUSICMATCH Jukeboxmmtask.exe
O4 - HKLM..Run: [EPSON PictureMate] C:WINDOWSSystem32spoolDRIVERSW32X863E_S4I2P 1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_06binjusched.exe
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [OASClnt] C:Program FilesMcAfee.comVSOoasclnt.exe
O4 - HKLM..Run: [WinampAgent] C:Program FilesWinampwinampa.exe
O4 - HKLM..Run: [MPFExe] C:PROGRA~1McAfee.comPERSON~1MpfTray.exe
O4 - HKLM..Run: [FineReader7NewsReaderPro] "C:Program FilesABBYY FineReader 7.0 Professional EditionABBYYNewsReader.exe"
O4 - HKLM..Run: [SSBkgdUpdate] "C:Program FilesCommon FilesScansoft SharedSSBkgdUpdateSSBkgdupdate.exe" -Embedding -boot
O4 - HKLM..Run: [Opware15] "C:Program FilesScanSoftOmniPage15.0Opware15.exe"
O4 - HKLM..Run: [OpScheduler] "C:Program FilesScanSoftOmniPage15.0OpScheduler.exe"
O4 - HKLM..Run: [ISUSPM Startup] C:PROGRA~1COMMON~1INSTAL~1UPDATE~1ISUSPM.exe -startup
O4 - HKLM..Run: [ISUSScheduler] "C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe" -start
O4 - HKLM..Run: [PDF3 Registry Controller] "C:Program FilesScanSoftOmniPage15.0PDFConverter3\Registr yController.exe"
O4 - HKLM..Run: [CaISSDT] "C:Program FilesCAeTrust Internet Security Suitecaissdt.exe"
O4 - HKLM..Run: [eTrustPPAP] "C:Program FilesCAeTrust Internet Security SuiteeTrust PestPatrol Anti-SpywarePPActiveDetection.exe"
O4 - HKCU..Run: [Ultimate Popup Killer] C:Program FilesUltimate Popup KillerPopupkiller.exe
O4 - HKCU..Run: [PopUpStopperProfessional] "C:PROGRA~1PANICW~1POP-UP~1POPUPS~1.EXE"
O4 - HKCU..Run: [Screen OCR] C:PROGRA~1SCREEN~1OCR.exe
O4 - HKCU..Run: [OpAgent] "C:Program FilesScanSoftOmniPage15.0OpAgent.exe" /agent
O4 - HKCU..Run: [updateMgr] C:Program FilesAdobeAcrobat 7.0ReaderAdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: HotSync Manager.lnk = C:Program FilesSony HandheldHOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Launch Pepid Manager.lnk = C:Program FilesPepidPepidMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:Program FilesLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O8 - Extra context menu item: Convert for CLIÉ - C:Program FilesSonyImage Convertermenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:Program FilesScanSoftOmniPage15.0PDFConverter3IEShellE xt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_06binssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSSystem32Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:Program FilesMicrosoft MoneySystemmnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/game...s/y/sdt1_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.rosebrand.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLMSystemCCSServicesTcpip..{7D2BA7A2-BE75-44E5-9073-0B2A738B6F70}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Ati HotKey Poller - Unknown owner - C:WINDOWSSystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSSYSTEM32ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:WINDOWSSystem32CTsvcCDA.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:WINDOWSSystem32gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:program filesmcafee.comagentmcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:PROGRA~1mcafee.comvsomcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:PROGRA~1mcafee.comagentmctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:PROGRA~1McAfee.comAgentmcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:PROGRA~1McAfee.comPERSON~1MpfService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:WINDOWSSystem32NMSSvc.exe
O23 - Service: Pml Driver - HP - C:WINDOWSsystem32HPHipm09.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:PROGRA~1COMMON~1SONYSH~1AVLibSptisrv.exe
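
Added example, not part of the post above or of anyone's reply in this thread: a small Python triage pass over HijackThis-format lines, doing the first checks a log reviewer typically makes. The sample log is constructed (it is not the poster's log), and the heuristics and the `expected_hosts` parameter are illustrative assumptions; a flagged line means "look this up", not "this is malware".

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99 line format (not the poster's log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.example/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.unexpected.example/bar.html
O2 - BHO: ExampleHelper - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\ex1234.tmp
O3 - Toolbar: Example AV - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - c:\progra~1\example\avbar.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" -boot
O4 - HKCU\..\Run: [svc] C:\Documents and Settings\User\Local Settings\Temp\svc.exe
O9 - Extra button: Help - {99999999-8888-7777-6666-555555555555} - http://help.example/ (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."

def triage(log_text, expected_hosts):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            # IE start/search pages: compare the host with what the user set.
            value = body.split(" = ", 1)[1].strip()
            host = urlparse(value).hostname  # None for non-URL values
            if host and host not in expected_hosts:
                findings.append((code, "browser setting points at " + host, line))
        elif code in ("O2", "O3"):
            # Browser helper objects and toolbars are normally DLLs.
            module = body.rsplit(" - ", 1)[-1].strip()
            if not module.lower().endswith(".dll"):
                findings.append((code, "browser add-on module is not a .dll", line))
        elif code == "O4" and re.search(r"\\te?mp\\", body.lower()):
            findings.append((code, "autostart entry runs from a temp folder", line))
        if "(file missing)" in body.lower():
            findings.append((code, "registered file is missing", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, {"homepage.example"}):
        print(f"[{code}] {reason}\n      {line}")
```

Pass the hosts of the home and search pages you actually chose as `expected_hosts`; everything else under R0/R1 is then listed for review.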
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
Nope, unfortunately there is no way to uninstall IE. You might consider moving to Firefox and see if that solves some of your problems.

Nothing jumps out at me from your log, but you should post it on the HJT forum as I'm certainly not an expert with this program.

Another option: assuming you're using XP, you could use the System Restore function to go back a couple weeks and see if that helps.
 

Marc_E

Supporting Actor
Joined
Oct 9, 2001
Messages
769
update, spyware doctor took care of my homepage hijacking. Odd, I used 2 other spyware programs who both claim I was clean and yet spyware doctor came up with 48 high risk trojans and such on my PC.
I think the original problem of accessing the webpage still exists.
Is rolling back my PC with the restore function a good idea? What are the ramifications?
Marc
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
Spyware and anti-virus programs all operate very differently from one another and often find things that others will miss. I have Norton AV on my computer but will frequently scan with online scanners to make sure I'm clean. I also use 3 different spyware programs regularly.

Read up some on Windows restore. I've used it before and never had any troubles. For me, the worst case scenario has been that it didn't help me, but I've never lost anything doing it.
 
