Spyware disabled McAfee Security

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbpathd1, Jun 25, 2009.

Thread Status:
Not open for further replies.
  1. bbpathd1

    bbpathd1 Private First Class

    Hi, spyware-free for over 2 years on this Compaq SR1710NX running WinXP.
    I have AT&T DSL and a few months ago they made me switch from CA they provided for security to McAfee (7-user variety specific for AT&T.) Not long after that McAfee seemed to run forever, always downloading and updating all the time. It would frequently put an icon in systray "Your computer is not protected." I would also get messages that I needed to reinstall the 7-user McAfee. Yet I'd click the M icon and it would show all was fine.

    Around April 3 I was surfing happily in the evening when the computer just suddenly stopped dead. I thought (maybe just imagined it) that I saw a flash of light from the inside of the computer. I thought maybe hard drive suddenly died or power supply or motherboard blew. So I resurrected an old computer and put off working on this one. In May I opened case and motherboard looked totally OK. I tested power supply—OK. I pulled out SATA HD and looked at it—nothing unusual. So I decided to try plugging computer in again. It started up and ran checkdisk and said there was a bad file at 13000-something. It seemed to be back to its old self.

    McAfee was slow and downloading and updating. But then I noticed in my Winpatrol program something suspicious and found that my antivirus was disabled, Realtime scanning disabled, spyware and PUP scanning disabled. IM scanning disabled, etc. McAfee was telling me I needed to reinstall. So I went back to the AT&T link where I originally downloaded McAfee and it let me download it easily just like before. After several days McAfee wasn’t protecting like it should and I decided I needed to check for spyware.

    So I ran the Win XP cleaning procedure. Nothing showed in Superantispyware, so I do not have a log for it. Others are attached.

    Let me know what I should do next. TIA
     

    Attached Files:

  2. bbpathd1

    bbpathd1 Private First Class

    Addendum:
    When I went into Safe Mode, systray showed the M Icon for McAfee, but then the M icon with an X thru it came up and hovering the mouse over it "Your computer is not protected."
    Looking through the M center, it shows
    "Virus protection is disabled."
    When I tried to check the on checkbox, I get message that "The settings cannot be changed because of an error."
    Spyware protection, system guard and script scanning protection are all on.
    Firewall service is not running, and I am given no choice to turn it on.
    Email and IM protection are on.

    What do I do about the disabled virus protection and firewall in safe mode?

    I have just one user acct (admin) besides the Administrator account that shows only in Safe Mode--set up 3 years ago. I was going to go in and create a limited account and password protect all the accounts.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We asked you to attach it anyway because that is how we check to make sure you have run the correct version. Since you are way way out of date with Malwarebytes and you are also way out of date with MGtools, I will assume you are way out of date with SUPERAntiSpyware too. So please follow the below instructions exactly and attach ALL logs.

    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

Now run this Using Dr.Web CureIt and attach the requested log.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below logs:
    • the new SAS and MBAM logs
    • the log from Dr.Web CureIt
    • the new C:\MGlogs.zip file
    Make sure you tell me how things are working now!
     
  4. bbpathd1

    bbpathd1 Private First Class

    Thanks for your help. I have downloaded the newer versions and I reran the scans--see attached.
    I got lost in the Dr Web Cure-it procedure on what I was supposed to do when the scan completed. The scan took nearly 4 and 1/2 hours! At one point (D drive 392981) it hung up for five to ten minutes and I thought it was not going to ever start back. CPU usage at 100%.
    When scan finished I had 22 items, but I did not get any box asking what I wanted to do next.
    • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file. --Instead I could "Select all" or "select none"
    • When the scan has finished, look if you can click next icon next to the files found: I could click on icons in object column; some had "cure" in menu, some had all additional choices. Those without an icon had blanked out choices on menu.

    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: I did not see this as a choice.
    So I went on to save the log.
After I rebooted CHKDSK ran. It deleted index entry jgaw400.dll in index $I30 of file 2265.
    I could not write them all down because it ran too fast but there were several more similar to it.
    Please tell me what to do next. Thanks.
     
  5. bbpathd1

    bbpathd1 Private First Class

    Here are attachments.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs which are all clean, your problem with McAfee is not due to malware. I suggest that you uninstall WinPatrol and A-squared. Then run the below to uninstall McAfee

    McAfee Consumer Product Removal Tool

    Then REBOOT. And run the tool one more time.

Then after a second reboot, you can try reinstalling McAfee to see if it will work properly now. If it does not, you will have to find out whether the product you are getting is still supported. You will have to do this with McAfee. Your other choice would be to use different protection, as mentioned in the link given in the last step of my final instructions below.

    It is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work thru the below link:
     
  7. bbpathd1

    bbpathd1 Private First Class

    All logs, etc. attached on next email. I am working on a different, uninfected computer, and I am only turning the infected one on long enough to send you the logs.

    While I was waiting to hear back from you about what to do next, although the scans in normal mode looked clean and McAfee said I was fully protected in normal mode, I had a gut feeling that all was not well. I tried to run Dr Web Cure-IT in safe mode since McAfee was reporting I was not protected in Safe Mode and hitting the Fix button gave “One or more programs cannot be fixed because of an error.” Dr Web ran for several minutes then got an error box from Microsoft saying, gpg8d.exe had encountered an error and needed to close. Restarted and it ran for over an hour, but when I checked back, the computer had apparently rebooted itself because it was in normal mode again, not Safe mode. I ended up just running it again in normal mode and this time checking Cure-move incurable at the completion. Log attached. I had not toggled System Restore as I was waiting for your reply.

    After I read your reply, I was about to write back that McAfee had never worked better. It was now asking me (a box came up) if I wanted to install downloads that were ready, installing them quickly instead of taking forever and then reporting (a box came up) when it finished (it had never done that from the time I installed it in February 2009). But, as I was surfing a box labeled Nnn3n or some such thing came up and asked me Reboot system? Yes or no. I clicked no as I was not yet finished with email. A few minutes later when I was done, back came the same box and I mindlessly clicked yes to reboot. Wish I had not done that, because CHKDSK ran and told me in stage 1 of 3 it was deleting corrupt attribute record (128, "") from file segment 19622, then in stage 3 of 3 inserting data attribute into file 19622. When everything loaded in systray, there was the extra M with an X through it, the MS Security Shield was red too, and McAfee reported I was no longer protected on anything! When I clicked the Fix button in McAfee, I got the message “One or more programs cannot be fixed because of an error.”

    Wow, what a coincidence that a “corrupt” attribute is replaced and I am back to McAfee Security being turned off. It seems like something dastardly is hiding in stealth mode, telling my hard drive it has a bad sector or allocation unit or something, so that any scans will go right past that black hole with the lid on it and not see what is hiding there. Doesn’t that Dr Web look at every file? What’s up with the CHKDSK scans; I thought they ran if the computer shut off abruptly or something was wrong with the hard drive.

    On 7/4/09 I unhooked the Ethernet cable and ran Sophos Anti-Rootkit and Trend Micro RootkitBuster and Panda Anti-Rootkit (scanned 10120 items); none found anything. After the Panda scan, McAfee put up a box stating “File Change Detected. McAfee has detected a potentially unauthorized file change to your computer. …if unexpected, then block it.
    About this file change:
    System Guard: Windows win.ini file
    Program: Pavark.exe
    Location: C:\Documents and Settings\Compaq_Owner\Desktop\Pavark.exe
    Spyware, adware and other PUPs can make changes to the win.ini file, allowing suspect programs to run when you start your computer.” Block or allow change? I don’t know if Panda makes changes so I blocked. You see and use these programs more than I ever will, was this the right choice? Was Panda getting rid of something that should not be there or putting in something that should be?

    I ran Sysinternals Rootkit Revealer with Hide standard NTFS Metadata Files unchecked and Scan Registry Files checked. I got 20 entries. My D drive is just the part of the hard drive that has Compaq’s restore partition. Checking Hide standard NTFS Metadata Files left just 5 discrepancies. See logs.

    I assume you wanted me to uninstall WinPatrol and A-squared to make sure there are no conflicts with McAfee; but would they not have conflicted when McAfee was behaving nicely and saying I was protected? When I first installed McAfee, it told me to remove Spybot (I did) because it would be incompatible but it did not ding anything else I had installed.

    I ran gmer.exe on 7/5/09. Scans attached.

    I then rebooted, removed McAfee Security Center from Add/Remove Programs; rebooted, removed McAfee Site Advisor (which had not been displaying BTW); rebooted, ran MCPR.exe; rebooted and ran MCPR again. Of note, McAfee Security Center in Add/Remove said it was used rarely (?daily?!!) and last used 030909, (020309 was the day I installed it and 040309 was the day the computer died in the evening). SiteAdvisor also said it was used rarely and last used 050709, probably around the day I installed it. When it was removed, a Yahoo Toolbar Search Service Alert box popped up with: “Your browser search service settings have been changed or disabled. Do you want to fix the settings and Change back to Yahoo?” I clicked Yes and AT&T Self Support Tool popped up and had detected a change in browser and or internet connection and wanted me to select “please solve my issue.” I clicked it off. I had not hooked back to DSL.

    Rather than tempt fate and reinstall McAfee, I opted to install Avast Free. Upon rebooting, Avast scanned and reported C:\Program Files\CompaqConnections\55774797\Program\Interop.SHDocVw.dll is infected by win32:Adware-gen (Adw). I am guessing that this is just Compaq’s “friendly” spyware that connects me when I have an issue that Compaq could help. Right? I picked ignore for now, thinking I can get it later if it is not what I think it is.

    While I was trying to find a download for Comodo Free Firewall, it dawned on me that I could look at the files that were created or modified from 020309 when I installed McAfee to 030909 when McAfee was said to have last been used. So I went to Search and put in those dates and 758 files popped up. I skimmed through them and saw acrobat.com.exe and then I remembered. I had gotten messages that I needed to upgrade to the latest version of Adobe Flash Player when I tried to view videos. I had a devil of a time upgrading, made several attempts that did not work, finally found they had an uninstaller that worked and let me get the newest version. While I was there at Adobe’s website, I decided to get Shockwave Player and update Adobe Reader from 7 to 9.0. I also took the acrobat.com offer. And from the looks of the 200-300 files around 3/8-3/9, that must have been when I did the downloads. Now I remember reading that Adobe had some hole in it that was ripe for an exploit. I think something got in around that time. I have all these files that I have no idea what they are around those dates. See screen shots.

    Re Comodo Free Firewall, I found on 7/5/09 a site which I think is UK version of Comodo. It had downloads for Antivirus+Firewall and said you could use either as standalone. But it was dated as 070709 release date—which is tomorrow. So I am reluctant to use it. File Hippo had a new version just did not have the last 3 digits on it like the UK one that McAfee SiteAdvisor (yes, I am using it on the uninfected computer and it works just fine there) said had many green downloads. I am going to have to recheck your version on MGs and put one on a CD on the uninfected computer and copy it over to the infected computer. But, seeing how McAfee was disabled, how am I going to know if Avast and Comodo aren’t quickly compromised?

    Anyway, I googled acrobat.com.exe and came up with Prevx CSI as a scanner. I see you have it on Majorgeeks.com. So, is that what I need to use next or something else?
    Attachments are coming, but it’s going to take a little while to rehook the infected computer to DSL and locate and email the logs. Thanks for all your help.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mention a lot of things about attaching logs but you did not attach any.
     
    Last edited: Jul 8, 2009
  9. bbpathd1

    bbpathd1 Private First Class

    Sorry to take so long to get the attachments.
     

    Attached Files:

  10. bbpathd1

    bbpathd1 Private First Class

    rest of attachments

    I submitted acrobat.com.exe to virustotal.com for scan. It was totally legit, so I cannot attribute anything to it.
    I ran Prevx and it called your MGtools a threat, but nothing else. It kept starting whenever I turn the computer on, so I have uninstalled it already.
    I went ahead with the Comodo free firewall I found. It and Avast seem to be coexisting nicely. I am on the medium setting, but I see there is a paranoid (highest) level. Avast seems to be updating itself OK.

    I went into Safe mode and set up limited user account, password protected it and password protected the existing Administrator account and my old user (also admin) account. No McAfee M with a red X--good riddance! Neither Avast or Comodo shows in systray in Safe mode--hadn't ever thought about it, but I guess maybe they are not supposed to.

    Things seem back to normal now. But I am still at a loss to explain why CHKDSK has been running. All due to a bad installation of AT&T's McAfee? But it installed so nicely from the link they sent me and it matched the procedure they sent.

    Do you make anything of the glob.js and glob.settings.js? They are Application Data\Adobe\Acrobat\9.0\javascripts files and appear to be what was run before my computer died in April.

    I know you are busy with a lot of others. Thanks for helping me.
     

    Attached Files:

  11. bbpathd1

    bbpathd1 Private First Class

    I am exploring Comodo firewall today--a bit of a learning curve to use it.
    It had 27 pending files for me to review. Most looked safe and checked out when submitted to Comodo via Lookup. But one is strange looking and when I submit it to Comodo, it gives “compression error.” File is C:\26d582d9bc6e7fb859e9e922c7c8f0\mpasdlta.vdm. So I googled the last part of that and learned Windows Defender Definition Update has that type of file but it’s often in Windows\Temp. So I checked Start->Search to see what mpasdlta.vdm files I have. Looking at Hidden files and folders made no difference—3 came up, all in Documents and settings: 9 kb Default from 2006, 244 kb Backup on 070609, and 375 kb one with a string of numbers 070909.
    Of course, there is no weird number-named folder in C: directory and no vdm file showing there. I’m not sure what it means to have it pending; Comodo says it is “untrusted” and “NOT considered clean.” I don’t think it is getting to them for analysis because of the error.
    Another weird thing I see as I’m looking at folders on the C drive in My Computer--some are grayed or faded out: cmdcons, Config.msi (empty), found.000 with chk fragments, hp, MSOCache, Python22, Recycler, System Volume Information (empty) and system.sav (empty).
    And something else weird: When I tried to sign in to my limited user account, I got a message that Compaq Connections already had Data in use in another session even though I had not signed into my Admin account today. It said it was trying to close the other session but couldn’t, so I had to log in on my Admin account. This sounds worrisome even as I type it.
    Any suggestions as to what to do about it, or is it nothing to worry about?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing of concern in any of your logs.

    We have gone round and round with Prevx with this in the past. Prevx is not recommended since it apparently has no idea what the difference is between malware and tools used to remove malware. ;)


    I suggest posting in the Software Forum. Perhaps you have valid disk problems.

    Not problems as far as I know.

    Make sure that you have finished 100% of my final instructions, including uninstalling all that was specified and toggling system restore. You can also uninstall Dr.Web Cureit.
     
    Last edited: Jul 16, 2009
  13. bbpathd1

    bbpathd1 Private First Class

    I'll head to the software forum to pursue some new problems that just popped up. From my limited user account, when I tried to print, it wants to send it to FAX and can't find my printer--"The Directory Service is currently unavailable." Does not do this from my old Admin account. Plus I looked in Avast log for errors and found scanning errors every day I have logged on.
    Something is not right but it is beyond me to figure it out.

    Thanks for all your help. I'll assume the computer is "clean" but keep my eyes open just the same. You may close this thread. Thanks again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, your issues sound like problems with your Windows installation or your user accounts, which are problems to address in the Software Forum.
     