Virus in startpage Microsoft?

[sinterklaas]

Doing lots of formats and fresh installs for friends, I usually first check the internet connection by loading the Microsoft startpage, before I install Norton AV. Last time I had to wait for someone who was desperately looking for his username and password, so I decided to install NAV 2001 first, then configure the dial-up and after that update the virusdefs. The connection was ok, so after updating I opened IE 6.0 to set his requested startpage. I waited for the pre-installed Dutch Microsoft startpage (www.msn.nl) to load, and -to my surprise- got an alert from NAV: it had found a trojan horse in "mc.vbs" !

I scanned this file on several pc's (almost every pc has it in its TIF), but NAV 2001 did not find any viruses - neither did NAV 2002.

Does this mean that NAV does not recognize a trojan horse when it is already there before NAV is installed? That implies that there must be an incredible amount of computers with this vb script running, while their owners think they are safe because of NAV...

Please don't panic: I must be wrong. But where?

 

[eddie5659]

Hiya

Apparently, if you have MSN Messenger installed on the machine, through MSN Messenger's COM/ActiveX interface.
MSN Messenger then manually modifies the source of the HTML page, through a VBS script you can find at MSN.

This is a section from the following site, which explains a little. Its about a person ringing as to why it was to be installed on his system:

Darn, I can't copy. Oh, well, here's the page:

http://www.xanga.com/contentfolders.asp?user=Coyote&tab=reviews

Its about half way down and begings with MSN And Their Online...

Try it without MSN and see if it occurs.

I hope that explains some of it. From what I read in that site, they don't want to admit to putting it in.

Regards

eddie

 

[sinterklaas]

Hi Eddie

Found Xanga.com, but could not find something starting with "MSN and Their Online...". Wrong link, or is it just bedtime for me? Anyway, I appreciate your answer.

I would like to know whether this script is a dangerous Trojan or a harmless file. And also, if it is dangerous: what can I do to remove it?

BTW, I did not install MSN Messenger - I never do.

Hope you can give me some more information.

 

[eddie5659]

Hiya

I'll look into it, but if you wait for the page to load...may take a while, its halfway down and it says

MSN and their online interractive support Regarding mc.vbs on MSN.com Home Page

I have read something here:

http://groups.google.com/groups?q=m...=1979b01c13101$834f5fb0$b1e62ecf@tkmsftngxa04

about a vbs.mcon_c virus. Is this what was coming up with Norton?

http://www.avp.ch/avpve/worms/net/mcon.stm

http://www.europe.f-secure.com/v-descs/mcon.shtml

As in how to remove it, I don't know yet.
If this wasn't what was coming up with Norton, what was?

Regards

eddie

 

[SavvyLady]

Try this scan for virus,worms & trojans... if its found & can be removed it will.


http://housecall.antivirus.com/pc_housecall/


Savvy

 

[sinterklaas]

Thanks for your support!
SavvyLady: the virusscan you suggested only found one virus in my temporary internet files; Norton found two (JS.EXCEPTION.Exploit and VBS.Seeker.E)...
Eddie: you were right about the link: it did not load properly. I've read the other articles as well, but could not find an answer. Just questions, like mine. Well, it's good to see that I'm not the only one
I'm sure I don't have the worms named in the last two articles. Norton only came up with 'Trojan Horse', and 'repaired' the file. That's all...

What on earth is that VB script doing??!
Why does NAV only marks the file as trojan as long as it is installed before the file arrives?
And: will deleting be enough to stop it?

 

[hewee]

Go over to http://www.wilders.org/ and click on freetools. They have scanning programs that may help you and a forum also.

 

[eddie5659]

I don't know if this will help in this case, but you could se if it does. Tools | Internet Options. Advanced tab. Scroll down through Browsing and look for Enable Install on Demand. Uncheck this, apply and OK.

If you go along now, does a popup box appera asking if you wish to download?

eddie

 

[Rollin' Rog]

Disabling Windows Scripting Host should put the kabosh on any exploits which use VBS files. Noscript.exe from symantec should do it.

http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

 

[sinterklaas]

Hewee: thanks for the tip! I do have a good scanner myself, but I will keep this one in mind for others who haven't.

eddie: I really appreciate your efforts. I unchecked the box as you said, but no popup appeared...

Rollin'Rog: think you're right. Your solution may not be the answer to my question, but it solves the safetyproblem (if there is one...). And that is what you are here for, after all. You're doing a great job!

I guess that it is none of my business whether this file is dangerous or not, but I'm still curious why NAV thinks this file is a trojan. So, if you don't mind, I'm gonna ask Symantec.

( Yes, I know I should have done that before I asked you.
And yes, I will let you know the answer (if I get one).
Isn't that the least I can do? )

 

[$teve]

sinter...........try this trojan scanner,if its a trojan you have this app will tell you.
www.moosoft.com "the cleaner"

 

[sinterklaas]

"Mc.vbs is falsely identified as malicious."

(I'm sorry - that's all there is...)