Microsoft Infectee

1187 Views 10 Replies 3 Participants Last post by  mizging
Hello:

I was one of the dummies who got taken in by the microsoft hoax yesterday. I was able to download McAfee's and quarantine the virus but my computer is still acting strange. It takes me at least five times to get it to fully boot. I've run diagnostics from the Sony site, but I'm computer illiterate and beyond that I'm lost. Can someone help a feeble old woman? Help, I've fallen and I can't get up!

Thanks!
Hi mizging, and welcome to TSG.. :)

If you've got the latest updates for your AV, which if you've just got it would seem a fair bet, there could be other stuff causing your problems.

Could you please download 'Hijack This!' from..

http://www.spywareinfo.com/files/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

This program is mainly designed to show hijackers and ad/spyware, but it usually gives a good hint to virii, trojans etc, as well. :up: :)

EDIT: Just re-read your post, and as far as the time taken to boot, my guess would be the McAfee autoupdater may be causing that particular problem.. :) but post the log and we'll sort you out. :)

Cheers

Liam
Thanks so much for being willing to help. You have no idea how much I appreciate you. :O

Logfile of HijackThis v1.97.2
Scan saved at 11:43:39 AM, on 9/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hi mizging, and you're welcome, :)

Could you please run another log, close all browser windows, "check to fix" the following entries, then click Fix.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - Global Startup: Real-time Monitor.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Then if you could reboot and go to Start | Settings | Control Panel | Add/Remove Programs and find and remove Hotbar

Then if you could download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

Finally, reboot and post a new HJT! log for a final once over.

I'm going out for a while now, so I'll check up later, or someone else here will in the meantime. :up: :)

Cheers

Liam
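As an added, defender-side illustration (not code from this thread or from HijackThis), here is a small Python triage script that parses HijackThis-style R*/O* entries and flags the same kinds of items Liam singled out above: a search or home page pointing at an unexpected host, a startup shortcut whose target cannot be resolved, and a policy that disables the Registry Editor. The sample log lines are constructed from entries in this thread, and the trusted-host set is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format; the entries mirror the ones
# the helper asked to have fixed, plus two benign ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumption: the owner expects home page / search settings to point at the ISP's portal.
TRUSTED_HOSTS = {"www.comcast.net", "comcast.net"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Yield (section, body) for every R*/O* line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (section, reason, body) for entries that warrant a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in body:
            key, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname or ""
            # Home/search page redirected somewhere other than the expected portal.
            if value.startswith("http") and host not in trusted_hosts:
                setting = key.rsplit(",", 1)[-1]
                findings.append((section, f"browser setting '{setting}' points at {host}", body))
        elif section == "O4" and body.rstrip().endswith("= ?"):
            # A startup shortcut whose target HijackThis could not resolve.
            findings.append((section, "startup shortcut with unresolvable target", body))
        elif section == "O7" and "DisableRegedit=1" in body:
            # Policy that locks the user out of the Registry Editor.
            findings.append((section, "Registry Editor disabled by policy", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```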
mizging, Just for the future, it's good practice NOT to open any attachments unless you have specifically asked for them.

Also, you should note that most big companies in computer security will never send any patches, updates or anything of the sort through email.

Finally (although it doesn't really apply for this case), if an email asks you to "forward to all your friends," please don't. 99.9 times out of 100, it'll be a hoax, chain-letter or a virus, relying on you to do this in order to spread.
Thanks for the words of wisdom. I am usually very careful about what I open, but the email looked so convincing, complete with microsoft information, logo, etc. As soon as I hit the download, I got a sinking feeling and immediately knew I shouldn't have.

Oh well...tough lesson learned, but thank goodness for this wonderful site and the caring people who help.

Miz Ging
Liam:

Here is the latest report. Thanks for being such a great help.

G
Logfile of HijackThis v1.97.2
Scan saved at 1:51:44 PM, on 9/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ati2evxx.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe
C:\Documents and Settings\Ginger S\Local Settings\Temp\Temporary Directory 5 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.3.1.40\InstallStub.exe -a
O4 - Startup: Mobipocket Web Companion.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\webcomp\webcomp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBookMan Monitor.lnk = C:\Program Files\Franklin Electronic Publishers\eBookMan Desktop Manager\EbmMgr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.6768171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
That's a clean log, Mizging. :)

I would suggest that you only have one AV running at a time, though. You don't have to delete either, just choose one only, to run at a time.

Cheers

Liam
Liam:
Now I'm getting a message that says "NT on-access Scanner Service has encountered a problem and needs to close." That seems to happen when I reboot or boot up.

I also received very few emails today and just received one from someone who said she received a note saying my mailbox was full.

What can I do now?

Ginger
Hi Mizging,

The error message is identifying the conflict between your two AVs. It's the online virus scanner for McAfee that doesn't work with PC-Cillin. McAfee's answer is to remove PC-Cillin, which isn't surprising. :rolleyes:

One of them has to go. :) This is down to your personal preference, but over the time I've been on these boards, the general consensus seems to be that McAfee causes more problems than PC-Cillin.

To be honest, I can't remember ever seeing a bad word said about PC-Cillin.

Just uninstall one of them.

As far as your e-mails go, if this has just happened, it may be due to the above, although that's a lame guess. :) See if the above advice cures this problem as well. If not, we can see if there are any remnants of the virii still there. If you go here you can use the online scan; remember to check the box for My Computer, to scan everything.

Once done, we'll see how it's going.

Cheers

Liam
Hi Liam:

Gee, I just subbed to McAfee and paid $49 for the year. PC didn't even detect the virus and let me download it. Is that usual?

I'll most likely follow your advice, and contact McAfee and tell them their product is wreaking havoc with my system. Maybe they'll refund my $$$.

I'm off to a classic car show today, but I'll delete one and do the scan. I'm subbed to 41 lists and am not receiving any emails from those. Just personal ones like yours and a few from friends. Strange!

Thanks again for hanging in there with me. I hope we can get this fixed. My life is my computer since I'm an author!

Ginger