russb_69

Norton Problems

6 posts in this topic

Hello everyone. I'm currently using Norton System Works 2003. I keep on getting a dialog box telling me that it has detected a trojan horse virus, and it's pointing to a file identified as C:\WINDOWS\system32\mcc.exe

 

I ran a system scan and Norton was unable to repair, quarantine, and delete the file.

 

I just ran a live update on the virus definitions, and I tried to delete the file manually in Windows Explorer. Afterwards, however, I had another dialog box pop up saying:

 

Cannot delete mcc: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

 

I also ran a scan with Spysweeper. The report indicated that no unauthorized software has been installed, and no traces have been found.

 

Just what is the file mcc.exe?

Is it part of the Windows XP operating system itself, which has been infected?

 

Can anyone help me resolve this?


mcc.exe is a known parasite. Unfortunately, it likes company, so there may well be other malware on your computer that Norton does not recognise.

 

We need a closer look at what's happening.

Please download Hijack this

Copy it into its own folder, double-click HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.


Russ here. Thanks for replying. Here's what I have, hope I can resolve this tonight...

 

Logfile of HijackThis v1.97.7

Scan saved at 8:47:27 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\mysql-5.0.0-alpha\bin\mysqld.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\mcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\cidaemon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Russell Brown\My Documents\My Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O9 - Extra button: ATI TV (HKLM)

O15 - Trusted Zone: http://sympatico.msn.ca

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8158.9084259259

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab


There are a couple of entries I find curious. Is this a dual boot computer, with two versions of Windows? If not, what is drive f: used for? Please let me know in your next post. Only the mcc entry otherwise.

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm

 

O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe

Reboot and delete the file C:\WINDOWS\System32\mcc.exe

 

Please post a followup Hijack this log, and say if your problems persist.


Russ here. Thanks for helping. Here's the resulting log. On my computer, I have two hard-drives, C (Master) D (Slave). When I first got my computer, it recognized these drives as E and F. At that time, the only solution that I could come up with to fix these drive letters was to format and re-install my operating system (Windows XP). No harm was done, since I did not have any data nor software installed.

 

After following your instructions, I was able to delete the file, and I'm no longer seeing any Norton antivirus pop-ups. I'm currently doing a full system scan...

 

I saw that in the log file it identified the mcc.exe file with [Multimedia Codecs] attribute. Why would it show that?

 

On further note... As I just graduated from college taking software development, I find myself more interested in developing operating systems such as Windows XP / Linux. Can you tell me exactly how HijackThis works, what it does, and what the values mean?

 

===========================================

 

Logfile of HijackThis v1.97.7

Scan saved at 4:39:52 PM, on 7/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\mysql-5.0.0-alpha\bin\mysqld.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\mqsvc.exe

C:\WINDOWS\System32\mqtgsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Russell Brown\My Documents\My Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O9 - Extra button: ATI TV (HKLM)

O15 - Trusted Zone: http://sympatico.msn.ca

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8158.9084259259

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

> I saw that in the log file it identified the mcc.exe file with [Multimedia Codecs] attribute. Why would it show that?

 

Anything to mislead and make it look innocuous!

 

 

You can find out more about Hijack this here
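
Added example, not part of the original thread and not HijackThis's own code: Python that parses the log line format posted above, separates each O4 Run entry's registry value name (a free-text label chosen by whoever wrote the value, which is how mcc.exe shows up as "Multimedia Codecs") from the command it launches, and diffs the two logs to confirm the fix took effect. The function names and regexes are assumptions based only on the lines in this thread; BEFORE and AFTER are excerpts of the two posted logs.

```python
import re

# Excerpts of the two logs posted in this thread (not the full logs).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
AFTER = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [label] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 detail: hive, Run key, [value name], command line
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

def parse(log):
    """Return the set of (section, detail) entries; headers and process paths are skipped."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def autoruns(log):
    """Map each O4 Run value name (the displayed label) to the command it starts."""
    found = {}
    for section, detail in parse(log):
        m = RUN.match(detail) if section == "O4" else None
        if m:
            found[m.group(3)] = m.group(4)
    return found

def removed(before, after):
    """Entries present in the first log and gone from the follow-up log."""
    return sorted(parse(before) - parse(after))

def references(log, needle):
    """Entries whose detail still mentions `needle` (case-insensitive)."""
    return sorted(e for e in parse(log) if needle.lower() in e[1].lower())
```

Here `removed(BEFORE, AFTER)` returns exactly the two entries that were checked for fixing, and `references(AFTER, "F:\\")` returns the F2 UserInit line, which still points at drive F: in the follow-up log.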
