Jump to content


Photo

Norton Problems


  • Please log in to reply
5 replies to this topic

#1 russb_69

russb_69

    Member

  • New Member
  • Pip
  • 3 posts

Posted 30 June 2004 - 09:48 PM

Hello everyone. I'm currently using Norton System Works 2003. I keep on getting a dialog box telling me that it has detected a trojan horse virus, and it's pointing to a file itentified as C:\WINDOWS\system32\mcc.exe

I ran a system scan and Norton was unable to repair, quarentine, and delete the file.

I just ran a live update on the virus definitions, and I tried to delete the file manually in windows explorer. Afterwords however, I had another dialog box popup saying:

Cannot delete mcc: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

I also ran a scan with Spysweeper. The report indicated that no unauthorized software has been installed, and no traces has been found.

Just what is the file mcc.exe?
Is it part of the Windows Xp operating system itself of which has been infected?

Can anyone help me resolve this?

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 01 July 2004 - 05:15 PM

mcc.exe is a known parasite. Unfortunately, it like company, so there may well be other malware on your computer that Norton does not recognise.

We need a closer look at what's happening.
Please download Hijack this
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 russb_69

russb_69

    Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2004 - 07:48 PM

Russ here. Thanks for replying. Here's what I have, hope I can resolve this tonight...

Logfile of HijackThis v1.97.7
Scan saved at 8:47:27 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql-5.0.0-alpha\bin\mysqld.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\mcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Russell Brown\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O9 - Extra button: ATI TV (HKLM)
O15 - Trusted Zone: http://sympatico.msn.ca
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8158.9084259259
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 02 July 2004 - 02:25 PM

There are a couple of entries I find curious. Is this a dual boot computer, with two versions of Windows? If not, what is drive f: used for? Please let me know in your next post. Only the mcc entry otherwise.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\System32\blank.htm

O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe

Reboot and delete the file C:\WINDOWS\System32\mcc.exe

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 russb_69

russb_69

    Member

  • New Member
  • Pip
  • 3 posts

Posted 02 July 2004 - 03:52 PM

Russ here. Thank's for helping. Here's the resulting log. On my computer, I have two hard-drives, C (Master) D (Slave). When I first got my computer, it recognized these drives as E and F. At that time, the only solution that I could come up with to fix these drive letters was to format and re-install my operating system (Windows XP). No harm was done, since I did not have any data nor software installed.

After fallowing your instructions, I was able to delete the file, and I'm no longer seeing any Norton antivirus pop-ups. I'm currently doing a full system scan...

I saw that in the log file it identified the mcc.exe file with
[Multimedia Codecs] attribute. Why would it show that?

On further note... As I just graduated from college taking software development, I find myself more interested in developing operating systems such as Windows XP / Linux. Can you tell me exactly how HijackThis works, what it does, and what the values mean?

===========================================

Logfile of HijackThis v1.97.7
Scan saved at 4:39:52 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql-5.0.0-alpha\bin\mysqld.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Russell Brown\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1721.0\en-ca\msntb.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O9 - Extra button: ATI TV (HKLM)
O15 - Trusted Zone: http://sympatico.msn.ca
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8158.9084259259
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 03 July 2004 - 10:37 AM

I saw that in the log file it identified the mcc.exe file with
[Multimedia Codecs] attribute. Why would it show that?


Anything to mislead and make it look inocuous!


You can find out more about Hijack this here
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button