Microsoft Infectee

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Hello:

I was one of the dummies who got taken in by the Microsoft hoax yesterday. I was able to download McAfee's and quarantine the virus but my computer is still acting strange. It takes me at least five times to get it to fully boot. I've run diagnostics from the Sony site, but I'm computer illiterate and beyond that I'm lost. Can someone help a feeble old woman? Help, I've fallen and I can't get up!

Thanks!
 
Joined
Jun 19, 2003
Messages
1,241
Hi mizging, and welcome to TSG.. :)

If you've got the latest updates for your AV, which if you've just got it would seem a fair bet, there could be other stuff causing your problems.

Could you please download 'Hijack This!' from..

http://www.spywareinfo.com/files/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

This program is mainly designed to show hijackers and ad/spyware, but it usually gives a good hint to virii, trojans etc, as well. (y) :)

EDIT: Just re-read your post, and as far as the time taken to boot, my guess would be the McAfee autoupdater may be causing that particular problem.. :) but post the log and we'll sort you out. :)

Cheers

Liam
 

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Thanks so much for being willing to help. You have no idea how much I appreciate you. :O

Logfile of HijackThis v1.97.2
Scan saved at 11:43:39 AM, on 9/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jun 19, 2003
Messages
1,241
Hi mizging, and you're welcome. :)

Could you please run another log, close all browser windows, "check to fix" the following entries, then click Fix.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - Global Startup: Real-time Monitor.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Then if you could reboot and go to Start | Settings | Control Panel | Add/Remove Programs and find and remove Hotbar.

Then if you could download Spybot - Search & Destroy from www.tomcoyote.org/spybot, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

Finally, reboot and post a new HJT! log for a final once over.

I'm going out for a while now, so I'll check up later, or someone else here will in the meantime. (y) :)

Cheers

Liam
 
Joined
Jan 9, 2003
Messages
1,058
mizging, just for the future, it's good practice NOT to open any attachments unless you have specifically asked for them.

Also, you should note that most big companies in computer security will never send any patches, updates or anything of the sort through email.

Finally (although it doesn't really apply for this case), if an email asks you to "forward to all your friends," please don't. 99.9 times out of 100, it'll be a hoax, chain-letter or a virus, relying on you to do this in order to spread.
 

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Thanks for the words of wisdom. I am usually very careful about what I open, but the email looked so convincing, complete with Microsoft information, logo, etc. As soon as I hit the download, I got a sinking feeling and immediately knew I shouldn't have.

Oh well...tough lesson learned, but thank goodness for this wonderful site and the caring people who help.

Miz Ging
 

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Liam:

Here is the latest report. Thanks for being such a great help.

G
Logfile of HijackThis v1.97.2
Scan saved at 1:51:44 PM, on 9/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 5 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Jun 19, 2003
Messages
1,241
That's a clean log, Mizging. :)

I would suggest that you only have one AV running at a time, though. You don't have to delete either, just choose one only, to run at a time.

Cheers

Liam
 

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Liam:
Now I'm getting a message that says "NT on-access Scanner Service has encountered a problem and needs to close." That seems to happen when I reboot or boot up.

I also received very few emails today and just received one from someone who said she received a note saying my mailbox was full.

What can I do now?

Ginger
 
Joined
Jun 19, 2003
Messages
1,241
Hi Mizging,

The error message is identifying the conflict between your two AVs. It's the online virus scanner for McAfee that doesn't work with PC-Cillin. McAfee's answer is to remove PC-Cillin, which isn't surprising. :rolleyes:

One of them has to go. :) This is down to your personal preference, but over the time I've been on these boards, the general consensus seems to be that McAfee causes more problems than PC-Cillin.

To be honest, I can't remember ever seeing a bad word said about PC-Cillin.

Just uninstall one of them.

As far as your e-mails go, if this has just happened, it may be due to the above, although that's a lame guess. :) See if the above advice cures this problem as well. If not, we can see if there are any remnants of the virii still there. If you go here you can use the online scan; remember to check the box for My Computer, to scan everything.

Once done, we'll see how it's going.

Cheers

Liam
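Added example (not from this thread, and not HijackThis's own code): a small Python triage script for a HijackThis-style log in the format posted above. It flags the entry classes Liam asked to be fixed (a search/start page entry pointing off the expected ISP domain, a Global Startup shortcut whose target is `?`, an O7 registry-policy restriction) and, per the later posts, more than one real-time AV product in the running-process list. The sample log is a constructed excerpt; the AV path fragments and the expected-host list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the HijackThis 1.97 logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Running processes:
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumed path fragments identifying a real-time AV product (the two products in this thread).
AV_MARKERS = {"pc-cillin": "Trend Micro PC-cillin", "mcafee.com": "McAfee VirusScan Online"}
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:            # process list runs until the first blank line
            processes.append(line)
        elif in_procs:
            in_procs = False
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(text, expected_hosts=("www.comcast.net",)):
    """Flag the entry classes the helper asked to fix, plus overlapping AV products."""
    processes, entries = parse_hjt(text)
    findings = []
    for code, body in entries:
        if code in ("R0", "R1") and "=" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in expected_hosts:       # start/search page off the ISP domain
                findings.append((code, f"browser start/search page points at {host}", body))
        elif code == "O4" and body.endswith("= ?"):       # shortcut whose target cannot be resolved
            findings.append((code, "startup shortcut with unresolvable target", body))
        elif code == "O7":                                # policy restriction, e.g. regedit disabled
            findings.append((code, "registry policy restriction", body))
    vendors = sorted({name for p in processes for frag, name in AV_MARKERS.items() if frag in p.lower()})
    if len(vendors) > 1:                                  # two real-time scanners conflict with each other
        findings.append(("AV", "multiple real-time scanners: " + ", ".join(vendors), ""))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:3} {reason}\n    {body}")
```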
 

mizging

Thread Starter
Joined
Aug 12, 2003
Messages
18
Hi Liam:

Gee, I just subbed to McAfee and paid $49 for the year. PC didn't even detect the virus and let me download it. Is that usual?

I'll most likely follow your advice, and contact McAfee and tell them their product is wreaking havoc with my system. Maybe they'll refund my $$$.

I'm off to a classic car show today, but I'll delete one and do the scan. I'm subbed to 41 lists and am not receiving any emails from those. Just personal ones like yours and a few from friends. Strange!

Thanks again for hanging in there with me. I hope we can get this fixed. My life is my computer since I'm an author!

Ginger
 