JDoors: HijackThis Log [RESOLVED]



On a regular basis (every 60 minutes or so) my hard drive starts chugging away, taking so much CPU time I'm unable to do much until it's done (about a minute or so). I believe it's some kind of indexing going on rather than a Trojan or other malware as, in addition to security software such as a firewall and antivirus programs, I consistently run several malware scan utilities that have almost never found anything (the last time they found anything at all, other than a cookie or similar minor problem, was probably over a year ago). Or it could be due to several different programs having "auto-update" enabled, thereby regularly checking for updates.

So, is it Windows? Or something from McAfee? Or Earthlink?

Does the Windows defrag utility do regular indexing to maintain a list of frequently used software? I have logging turned off in McAfee so there's no indexing or archiving going on. Earthlink has more stuff going on than I like, but I have NO idea if it is the cause. In Windows '98 there's no useful process list or monitor to see what's hogging my system resources.

------

Logfile of HijackThis v1.99.1

Scan saved at 9:33:20 AM, on 4/19/06

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\PROGRAM FILES\INKLINE GLOBAL\MODEM BOOSTER\MODEMBTR.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE

C:\SBPCI\CTMIX32.EXE

C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE

C:\PROGRAM FILES\TCLOCK2\TCLOCK2.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE

C:\WINDOWS\CDPLAYER.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ELNKPUB.DLL

O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ESCAMBLK.DLL

O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\PROTCTIE.DLL

O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\UNINSTTB.DLL

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [Modem Booster] C:\PROGRAM FILES\INKLINE GLOBAL\MODEM BOOSTER\ModemBtr.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe

O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart

O4 - Startup: TClock2.lnk = C:\Program Files\Tclock2\tclock2.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: + &Download Express: download this file - C:\PROGRAM FILES\DOWNLOAD EXPRESS\Add_Url.htm

O8 - Extra context menu item: EarthLink Google Search - res://C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\SEARCHUI.DLL/search.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...555/mcfscan.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab


How much RAM is in your computer? Your log is clean, but with the number of programs you're running at startup this takes memory resources. Because of this it could be using the Windows swap partition due to lack of RAM available.

Windows doesn't release the unused RAM very well, so I would recommend using Ramsmart by rubberducky. This is not a free program, but it does have a trial period to use and see if that makes a difference at all.

Otherwise it could be Windows indexing at work; disk defrag does not do any indexing until it is run, recommended once a month on WinXP.


Danged if I can remember if it's 256 or 512; I imagine I wouldn't be running at all if it were only 256M.

Considering fully 1/3 of the startup programs are McAfee related I'm not sure what I'd be willing to shut down (yeah, it's a hog, but I have valid reasons for using it). You know how much you begin to rely on the little utilities (like the clock add-on -- Use it all the time). I never use the McAfee IE toolbar so I'll figure out how to shut 'er down (Hmm, it's not actually showing in IE, I must have removed it already, but it still loads? Think it's safe to use a startup manager to just turn 'er off? [edit] Or is that entry just stating what's available to load via the IE view menu? That wouldn't be much of a hog, just a single menu entry that wouldn't even use memory 'til I viewed the menu ... [/edit]).

A couple of things will run & remain in memory when I need them, like STILMON and QTTASK, and since I usually wind up needing them there's little point in NOT running them. They'd just load again.

Don't know what this does, far as I know I don't have "radio" anything [edit] Nevermind, websearch tells me it's the Windows media player plug-in, use that every day too[/edit]:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

The other stuff I use religiously. :(

The swap file ... Hmm. That does occasionally need to purge or index or perform other maintenance or whatever it does. The type of chugging isn't what I'm familiar with when the swapfile is called for (for example, it's not necessarily when I call up something that needs memory, I could be anywhere, doing anything, it's more time-related than activity related -- or so it appears).

A little sleuthing -- actually I got angry when the drive grabbed control -- I used Ctrl+Alt+Del to "stop" the chugging (Windows freezes until you do something with the dialog). I've done it before with nothing unusual found or indicated, but once I got a MLSRV [not responding] and another time TSKPNL [not responding], BOTH are Earthlink programs. However, once I escaped from the End Program dialog the system (and those programs) ran fine, they were NOT frozen (must be some kind of interaction with stopping Windows while those programs were attempting to do something ... aha!).

Grr, Earthlink software has been a pain like, forever. Poor installs, poor implementation, I bet that's the culprit. At least I'm reassured it's not malware, thanks.

Edited by JDoors

Hey JDoors, anything that you want to remove from startup can be done easily from HijackThis. Just put a check next to the ones that you are comfortable with removing.

Also, something that didn't catch my eye yesterday but did today is this entry.

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

This is the ShopNav spyware, which it appears might have been installed along with EarthLink's software. I will have to do a little more research on that one, but this version is an internet optimizer.

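The two replies above make the same point from different directions: the first reads the log for startup load, the second spots an entry whose CLSID has a "~" where the opening brace should be and whose target is "(no file)". Those are structural checks a script can make before anyone has to recognise a component by name. The following Python is an added example, not code from the thread or from HijackThis: it parses lines in the log format posted above (a constructed sample, every line taken from that log) and flags orphaned entries, malformed CLSIDs, a browser proxy pointing at the local machine, and O16 ActiveX downloads that are not .cab archives, and it counts autostart entries per Run key. The audit rules and their wording are the example's own assumptions, not HijackThis output.

```python
import re
from typing import Dict, List

# Constructed sample: lines in the shape of the log posted in this thread
# (each line is copied from it), so the audit runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
"""

# A HijackThis entry: section code (R0..R3, O1..O23), " - ", then the body.
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Anything shaped like a CLSID (8-4-4-4-12 hex) ending in "}". Group 1 captures
# the character in front of it, which should be "{"; in the thread's R3 entry it
# is "~", and that is exactly the kind of damage this check is for.
CLSID_SHAPE = re.compile(r"(\S)?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Return the R*/O* entries of a HijackThis log as section/body/line dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body"), "line": line})
    return entries


def audit_log(text: str) -> List[Dict[str, str]]:
    """Flag entries worth a closer look. Rules are this example's own heuristics."""
    findings = []
    for e in parse_entries(text):
        sec, body = e["section"], e["body"]
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("orphan: registry entry points at a file that is not on disk")
        for m in CLSID_SHAPE.finditer(body):
            opener = m.group(1) or ""
            if opener != "{":
                reasons.append(f"malformed CLSID: opens with {opener!r} instead of '{{'")
        if sec == "R1" and "ProxyServer" in body and re.search(r"localhost|127\.0\.0\.1", body):
            reasons.append("browser proxied through a local process (check what listens on that port)")
        if sec == "O16":
            # Last " - " separated field is the download URL; DPF objects are normally .cab files.
            target = body.rsplit(" - ", 1)[-1].lower()
            if not target.endswith(".cab"):
                reasons.append("O16 DPF target is not a .cab (ActiveX downloads are normally .cab archives)")
        for r in reasons:
            findings.append({"section": sec, "reason": r, "line": e["line"]})
    return findings


def count_autostarts(text: str) -> Dict[str, int]:
    """Count O4 autostart entries per location (HKLM\\..\\Run, RunServices, HKCU\\..\\Run, Startup)."""
    counts: Dict[str, int] = {}
    for e in parse_entries(text):
        if e["section"] == "O4":
            key = e["body"].split(":")[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("autostarts:", count_autostarts(SAMPLE_LOG))
```

On the sample this reports four findings: the R1 proxy at localhost:8080, the R3 entry twice (orphan and malformed CLSID), and the O16 download that is an .exe rather than a .cab. The checks are deliberately structural; who owns a CLSID still has to be looked up in the registry (HKCR\CLSID\{...}) or a reference list, and a malformed or orphaned hook is evidence of a broken install or incomplete removal as much as of anything malicious.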

The name 'shopnav' spooked me, but I think you may be right about it being a part of the bloated Earthlink cra.... software. If DSL is down I can revert to dialup and it includes an 'accelerator,' and that would jive with your thought that it's part of an optimizer. Earthlink also includes (but I have disabled) 'tracking' software that's supposedly (if you trust them) used to optimize your connection (Fastlane, I believe it's called). Another possibility.

[edit] While performing usual maintenance and scrounging around over the years I've noticed Earthlink software doesn't always "report" itself properly. i.e., things like the name, date, etc. don't show up in programs that root that information out. So it wouldn't surprise me if it's from EL. [/edit]

If it's part of the accelerator technology I could disable it since even when DSL goes down, I just wait it out rather than using dialup. If it's part of the Fastlane technology, again, I could disable it since I have that turned off.

With HijackThis I can 'remove' something temporarily for troubleshooting purposes, right? I haven't used it to turn anything off or on before, so if you believe I need to remove something, give me a mini-tutorial on how to do it.

Thanks again!

Edited by JDoors
1 month later...

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
