Author Topic: Please Help with HiJack This  (Read 767 times)

Offline Lee

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
« on: September 03, 2005, 07:15:27 AM »
HELP!!

I was having some problems on my computer.  Internet explorer would just crash and the computer was a little slow.  I did some scans and did not find anything.  So, I followed the instructions from

http://www.thetechguide.com/forum/index.php?showtopic=19928

and my computer took a turn for the worse.

I am not a computer expert, so I will describe what I can.  I ran the sequence as laid out in the above post, and during the scan, ewido crashed, so I had to restart it.  I then did the drives separately, I have a local drive and backup drive.  This seemed to work until I restarted, as the computer was very very slow.  Beyond just being slow, my desktop look had changed.  Most important, there were no longer two hard drives being read.  It was only one.  The back, which was my C drive was now the local drive as well.  It appears that somehow, something combined the drives.


Any help would be greatly appreciated

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
« Reply #1 on: September 05, 2005, 01:58:48 PM »
I'll need to see a Hijackthis log

Can you download hijackthis from my signature below and save it to a permanent folder on your drive

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log  here... Don't try and fix anything yet----It is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Lee

« Reply #2 on: September 05, 2005, 07:26:32 PM »
Thanks in advance for the help.  Here is the log file.  The C drive which is the backup, is not being recognized as a drive, which happened after I ran scans in safe mode. The F Drive is my local drive.  In case you need to know, I have Windows Media Center on the computer

Again, thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:19:14 PM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\WINDOWS\ehome\RMSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\ehome\ehtray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
F:\WINDOWS\BCMSMMSG.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Windows Media Player\wmplayer.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Admin\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [diagent] "F:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Extender Resource Monitor.lnk = F:\WINDOWS\eHome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122236642640
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Offline guestolo

« Reply #3 on: September 05, 2005, 08:05:46 PM »
It would help to know what Ewido removed in safe mode
If it is involved with anything
Unless you can show me the contents of the Quarantine list

Since I don't know what the original problem was
I can't be much help, just try and steer you the right way hopefully

Is the drive recognized in the bios?

Also, take a look at this link
http://support.microsoft.com/default.aspx?...;307844&sd=tech



Offline Lee

« Reply #4 on: September 05, 2005, 08:55:21 PM »
I looked in Ewido, nothing in quarantine list.  Should I start it in safe mode and check it then?  The Ewido log that I have says nothing was found.  Again, these were done in separate pieces.

I am not sure of the BIOS reading of the other drive, how do I check? The computer recognizes a drive - it is in the My Computer options.  When I double click on it, it asks me if I want to format.

Offline Lee

« Reply #5 on: September 05, 2005, 09:13:39 PM »
McAfee windows popped up that
JS/Exploit-HelpXsite Trojan has been detected

I cannot quarantine or delete

Offline guestolo

« Reply #6 on: September 05, 2005, 09:20:35 PM »
You may want to direct this to a hardware forum
As that seems to be your problem

What concerns me is the following
You installed a second drive for backup
Is it on the same IDE chain as the first drive
Is the drive XP is installed on set as Master and the second drive as Slave
Or is it a newer motherboard and both set to Cable Select?

Why XP on the F: drive
Do you have a multiboot system?
Normally your OS will be installed to the C: drive

Did you format the new drive>>Choose NTFS

Edit>>Where is the file that McAfee is pegging, what location and the name please
Not the name of the trojan, but the name of the file
« Last Edit: September 05, 2005, 09:21:45 PM by guestolo »



Offline Lee

« Reply #7 on: September 06, 2005, 06:38:14 AM »
The drive is in the same IDE chain.  XP is on the master.  

I replaced the original master drive some time ago and continued to use the same backup.  When I loaded XP onto the new drive, it named itself F.  I knew it is usually on the C drive, but since the computer was functioning fine, I figured why mess with it.  Again, the set up has been fine like this for a few months.

I tried to get the file location for the trojan, but I only got a partial as I am doing it from memory, it was on the F drive, in a sub folder of documents and settings.  I did a Virus scan, and nothing came up.  McAfee gave me a pop-up to say it was there.  I did some research and from what I can tell, the trojan is not an issue with an XP update that I installed, although, I would still like to get rid of it.

Any suggestions on how to find it?

Offline guestolo

« Reply #8 on: September 06, 2005, 11:52:04 PM »
The bad file is most likely in your temp folder

Reboot into safe mode again

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files

Reboot back to Normal mode

How's everything?



Guest

« Reply #9 on: September 10, 2005, 05:25:02 PM »
Thanks for the help, sorry for the delay, was traveling on business since Wednesday.  The cleanup helped with the desktop icons, but the computer is still slow.

When I did a drive diagnostic I got Primary IDE Drive 1 Fail Return - Code 7.  I have no idea what that means.

The best way I can describe what I think is going on is that the drives are crossed somehow from running Ewido or HiJack This, and that now XP thinks it must run from both drives?  I don't know how else to describe it.  Any further suggestions would be greatly appreciated.

Thanks again for your help guestolo

Offline Lee

« Reply #10 on: September 10, 2005, 05:27:13 PM »
Sorry, was not logged in, the last post is from me

Lee

Offline guestolo

« Reply #11 on: September 11, 2005, 03:23:25 AM »
I still think you should post this in a hardware forum

I still believe you should go back into your computer
On the Primary IDE drive is where you have hooked both your drives
from what I understand

See if the following is true
The drive that XP is installed to is set to Master
Check the jumpers>>>Try putting it to the end of the IDE chain

The backup drive>>Check the jumpers, is set to Slave
Hook to the center of the chain
