
Microsoft Infectee

Discussion in 'Virus & Other Malware Removal' started by mizging, Sep 19, 2003.

Thread Status:
Not open for further replies.
  1. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Hello:

    I was one of the dummies who got taken in by the Microsoft hoax yesterday. I was able to download McAfee's and quarantine the virus but my computer is still acting strange. It takes me at least five times to get it to fully boot. I've run diagnostics from the Sony site, but I'm computer illiterate and beyond that I'm lost. Can someone help a feeble old woman? "Help, I've fallen and I can't get up!"

    Thanks!
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi mizging, and welcome to TSG.. :)

    If you've got the latest updates for your AV, which if you've just got it would seem a fair bet, there could be other stuff causing your problems.

    Could you please download 'Hijack This!' from..

    http://www.spywareinfo.com/files/hijackthis.zip

    Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

    This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

    This program is mainly designed to show hijackers and ad/spyware, but it usually gives a good hint to virii, trojans etc, as well. (y) :)

    EDIT: Just re-read your post, and as far as the time taken to boot, my guess would be the McAfee autoupdater may be causing that particular problem.. :) but post the log and we'll sort you out. :)

    Cheers

    Liam
     
  3. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Thanks so much for being willing to help. You have no idea how much I appreciate you. :O

    Logfile of HijackThis v1.97.2
    Scan saved at 11:43:39 AM, on 9/19/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\ati2evxx.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
    O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi mizging, and you're welcome, :)

    Could you please run another log, close all browser windows, "check to fix" the following entries, then click Fix.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - Global Startup: Real-time Monitor.lnk = ?

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Then if you could reboot and go to Start | Settings | Control Panel | Add/Remove Programs and find and remove Hotbar.

    Then if you could download Spybot - Search & Destroy, from www.tomcoyote.org/spybot, if you haven't already got the program.

    Now press Settings, and Settings again.
    Go to the Webupdate section, and check "Display also available beta versions".

    Now press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

    Finally, reboot and post a new HJT! log for a final once over.

    I'm going out for a while now, so I'll check up later, or someone else here will in the meantime. (y) :)

    Cheers

    Liam
     
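As an added illustration (not code from the thread, from the posters or from HijackThis itself), a small Python parser that applies the same triage Liam did by hand above to lines in HijackThis v1.97 format: it flags R0/R1 start and search settings pointing at a host the owner does not expect, O4 autoruns whose target is unresolved ("= ?") or hidden behind an environment variable, and O7 policy restrictions such as DisableRegedit=1. The sample lines, the expected-host list and the rule set are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format (a few lines, not the poster's full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Real-time Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Hosts the owner expects in R0/R1 entries: the ISP portal plus Microsoft's IE defaults.
# This list is an assumption for the example; adjust it per machine.
EXPECTED_HOSTS = {"www.comcast.net", "www.msn.com", "www.microsoft.com"}

# Only the R* and O* entry lines matter; the process list and header are skipped.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")


def parse_entries(log_text):
    """Yield (section, body) for each entry line such as 'O4 - HKLM\\..\\Run: ...'."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return [(section, reason, body)] for entries a reviewer would want to look at."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in body:
            url = body.rsplit(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host and host not in EXPECTED_HOSTS:
                findings.append((section, f"IE start/search setting points to unexpected host {host}", body))
        elif section == "O4":
            if body.rstrip().endswith("= ?"):
                findings.append((section, "startup shortcut whose target could not be resolved", body))
            elif "%" in body:
                findings.append((section, "autorun relies on an environment variable; verify the expanded path", body))
        elif section == "O7" and re.search(r"Disable\w+=1", body):
            findings.append((section, "policy restriction set under Policies\\System (e.g. regedit disabled)", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```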
  5. Corrosive

    Corrosive

    Joined:
    Jan 9, 2003
    Messages:
    1,058
    mizging, Just for the future, it's good practice NOT to open any attachments unless you have specifically asked for them.

    Also, you should note that most big companies in computer security will never send any patches, updates or anything of the sort through email.

    Finally (although it doesn't really apply for this case), if an email asks you to "forward to all your friends," please don't. 99.9 times out of 100, it'll be a hoax, chain-letter or a virus, relying on you to do this in order to spread.
     
  6. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Thanks for the words of wisdom. I am usually very careful about what I open, but the email looked so convincing, complete with Microsoft information, logo, etc. As soon as I hit the download, I got a sinking feeling and immediately knew I shouldn't have.

    Oh well...tough lesson learned, but thank goodness for this wonderful site and the caring people who help.

    Miz Ging
     
  7. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Liam:

    Here is the latest report. Thanks for being such a great help.

    G

    Logfile of HijackThis v1.97.2
    Scan saved at 1:51:44 PM, on 9/19/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\WINDOWS\System32\Atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
    C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\ati2evxx.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe
    C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 5 for hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
    O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    That's a clean log, Mizging. :)

    I would suggest that you only have one AV running at a time, though. You don't have to delete either, just choose one only, to run at a time.

    Cheers

    Liam
     
  9. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Liam:
    Now I'm getting a message that says "NT on-access Scanner Service has encountered a problem and needs to close." That seems to happen when I reboot or boot up.

    I also received very few emails today and just received one from someone who said she received a note saying my mailbox was full.

    What can I do now?

    Ginger
     
  10. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Mizging,

    The error message is identifying the conflict between your two AVs. It's the online virus scanner for McAfee that doesn't work with PC-Cillin. McAfee's answer is to remove PC-Cillin, which isn't surprising. :rolleyes:

    One of them has to go. :) This is down to your personal preference, but over the time I've been on these boards, the general consensus seems to be that McAfee causes more problems than PC-Cillin.

    To be honest, I can't remember ever seeing a bad word said about PC-Cillin.

    Just uninstall one of them.

    As far as your e-mails go, if this has just happened, it may be due to the above, although that's a lame guess. :) See if the above advice cures this problem as well. If not we can see if there are any remnants of the virii still there. If you go here you can use the online scan, remember to check the box for My Computer, to scan everything.

    Once done, we'll see how it's going.

    Cheers

    Liam
     
  11. mizging

    mizging Thread Starter

    Joined:
    Aug 12, 2003
    Messages:
    18
    Hi Liam:

    Gee, I just subbed to McAfee and paid $49 for the year. PC didn't even detect the virus and let me download it. Is that usual?

    I'll most likely follow your advice, and contact McAfee and tell them their product is wreaking havoc with my system. Maybe they'll refund my $$$.

    I'm off to a classic car show today, but I'll delete one and do the scan. I'm subbed to 41 lists and am not receiving any emails from those. Just personal ones like yours and a few from friends. Strange!

    Thanks again for hanging in there with me. I hope we can get this fixed. My life is my computer since I'm an author!

    Ginger
     
Short URL to this thread: https://techguy.org/165955