McAfee Renamed Files. What's causing this?

[JerryRecords]

Recently I had run CCleaner, and i've noticed some of the startup items were renamed with some upper case letters, and their names were looking a little weird. Also, i've noticed the same names when i ran spybot. Some of these same files were renamed also, they're mostly from McAfee, and one from Yahoo Messenger (Yahoo Pager).

1. mcagent.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe -regserver

2. mclogsrv.exe

c:\PROGRA~1\mcafee\msc\mclogsrv.exe -regserver

3. McENUI

c:\PROGRA~1\mcafee\MSK\MskAgent.exe

4. C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

5. C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

6. c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

7. c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

8. C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

9.  C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

10. Yahoo Pager

C:\PROGRA~1\Yahoo!~1\YAHOOM~1.EXE


I tried blocking these entries because i thought they were infected. So, i did, then deleting some of these entries made the McAfee Privacy Service from malfunction. Everytime I booted my system up, the Tea Timer.exe from SpyBot would block mcagent.exe and some other .exe file. Therefore the red x icon would show up on the taskbar, stating my computer wasn't fully protected. I tried the fix button and nothing happened until i clicked the update icon. So, i went to the tea timer "settings" tab, and i unchecked the mcagent.exe file off the blocked list. so not it allowed the privacy service to fully install.
Now my only problem is the renamed files.

Ever since i've got the system, bout a year ago. It tried running some sort of program in the taskbar. You could see some activity on the taskbar like a black program tried to open. My thoughts would be it was something running in the background. This got worst within time, and now it locks up my system, it freezes my windows, and i could click nothin. All it does is makes a sound like if you pressed many keys all at once, simultaneously. I've also noticed in the taskbar many processes doubling up, using alot of CPU, and perhaps eating up my memory. I tried various utilities, Spybot Search & Destroy, McAfee Total Protection, a previous Symantec Antivitus (It's now unstalled, because their .exe file was renamed also, and i got mcafee instead thinking it would work), SpyDoctor (also had renamed .exe files), SpySweeper (does not detect anything), System Mechanic Pro 6 (no antivirus or firewall installed), and Yahoo AntiSpy.

None of these programs would have any hits except for SpyBot Search & Destroy 4.1. It came up with:

antivirus "disable notify",  or "override". I try fixing some of the problems, and it fixes them. After I reboot the system, i encounter the same errors only tho, i try running spybot again, and it does not return any hits. Why?
Is there anytthing i can do to take care of the renamed files? The yahoo, mcafee and some other local administrator files keep being infected.

-------------------SpyBot Search & Destroy Results Ver. 4.1------------------

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

---------------------------------------------------------------------

Also, i did not disable the antivirus or firewall myself. I have re-imaged my system 7 times already, and everytime i've connected back to the internet to get the updates, i got infected again. This happened whenever i tried getting my utility programs again. I also, have the McAfee Security Center download and install the privacy service, everytime after i boot. Somehow it just wont install correctly and it'll just show an red x on the taskbar with a pop up balloon stating that it's not fully protected.

Here is my computer info. Hope this is useful, and someone could help me! I'm really tired of posting this somewhere else. I

Operating System: Windows XP Pro.

Memory: 504 MB RAM

Don't and haven't had any other operating system.

File System: NTFS

Broadband: MOdem



McAfee:

Security Center
Version: 7.1
Build: 7.1.134

VirusScan
Build: 11.1.124
Dat Version: 4906.0000
Engine Version: 5100.0194

Personal Firewall
Version: 8.1
Build: 8.1.123

Site Advisor:
Version: 2.1
Build: 2.1.4608

SpamKiller:
Version: 8.1
Build: 8.1.117
Content Version: 8.0.179.0

Privacy Service:
Vesion: 9.1
Build: 9.1.130

Wireless Network Security:
Version: 2.1
Build: 2.1.123

Easy Network:
Version: 1.1
Build: 1.1.110

Data Backup:
Version: 1.1
Build: 1.1.121

_________________________________________________

here's my hijackthis log as of 12-03-06

Logfile of HijackThis v1.99.1
Scan saved at 5:40:24 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64150&rc=1&ps=R&oc=47&mjv=5&mnv=0&bld=1608&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&opi=2&omj=5&omn=1&rsc=&kc=ppb%5E__oi%5E%5E%5E%5Ewdi%60wvdf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe"
O4 - HKLM\..\Run: [MWLExe] "C:\Program Files\Mcafee\MWL\MWLGui.exe" /Start
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Application Installer Cleanup (0235331165187131) (0235331165187131mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\023533~1.EXE
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor -   - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[GTO]

Hi JerryRecords. Welcome to the 2-Spyware.com forums!

First of all, neither of your files have been renamed. For instance, the file C:\PROGRA~1\mcafee\MSK\MskAgent.exe is exactly the same as C:\Program Files\McAfee\MSK\mskagent.exe. The Windows operating system is not case sensitive, so the file EXAMPLE.TXT is the same object as example.txt or example.TXT.

Now let's explain why the directory C:\PROGRA~1 is the same as C:\Program Files. In 1980s and early 1990s both DOS and Windows operating systems used the FAT16 file system. It did not allow filenames to have more than 8 characters. For instance, old systems could find the file file.exe, but couldn't find anything like thelongfilename.exe, so you had to type in a shortened filename like thelon~1.txt, where ~1 means that the filename is longer than 8 characters.

The modern NTFS file system (as well as FAT32) allows filenames to be much longer. However, a lot of applications, even the Windows operating system itself use older naming scheme.

As you can see, you shouldn't have deleted all those files. They were legitimate and definitely not infected just because theirs name were shown differently.


Your HijackThis log is clean. I don't think you're infected. Your problems might be caused by software malfunctions and compatibility issues. Just take a look at your system. You have several antiviruses and anti-spyware programs, while it is highly recommend to have only one spyware remover and one single antivirus. You can have more, but don't enable their active protection monitors!

[JerryRecords]

Now it makes a little sense. the only reason why i installed the other anti-spyware programs is because not everyone could keep up with the new threats that came out, some had new definitions that other companies (ie. Symantec, McAfee, Spysweeper) didn't have yet. Now I can't disable the startup items, they keep installing after i boot up again. Can i get a little guide on how to disable or delete the registry key for each of the start-up items? I'd appreciate it.

[GTO]

Hi JerryRecords.

You don't have to disable startup entries. All you have to do is to turn off real-time protection of programs you don't want to be active all the time. Try reading help files. Each of the programs have them. You will definitely find a solution there.

[JerryRecords]

seems that everytime i disabled my spyweeper's starup entry, it booted up nicely, and if i enabled it, restarted, that's when the mcafee showed the ""your computer's not protected balloon". I'm not able to find anythin related on the spysweeper real time protection. It got various shields but im not sure how to disable it. Is there anything that might work good with mcafee?