
Virus on my computer

Sopman
Norton found a file "mcc.exe" infected. Norton can not clean it or quarantine. I can't delete it.
I keep getting porn pop-ups.

There are some other files that Norton can not clean or quarantine. I have the latest updates. Norton displays the path, but I'm unable to find the file because the "temporary Internet Folder" is not listed under "Documents and Setting".

Can someone help?

Sopman

 
Correction:
Under Documents and Settings/Owner there is no "Local Settings" folder, so I can locate the virus.

Sopman
 
Run 'hijackthis':

Look for O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe

Have HijackThis "Fix" that one and then delete the C:\WINDOWS\System32\mcc.exe in safe mode with hidden files shown.


Otherwise, your situation may in fact be considered a trojan and may be cleanable using a trojan scanner. Add that keyword to the search parameters below.

Results 1 - 21 of about 88 for "mcc.exe" virus norton xp remove OR fix OR clean:

 
Here's the log from Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 8:18:01 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\mcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1300F42C-89E4-4C7E-989B-5338C1457921} - C:\WINDOWS\System32\mni.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\AddCLS.exe
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -
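
The log above can be read mechanically for the same signs the replies point at. The following Python is an added example, not part of the original thread or of HijackThis; the four heuristics and all function names are assumptions chosen for illustration, and the sample input is a few lines copied from the posted log.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mcc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {1300F42C-89E4-4C7E-989B-5338C1457921} - C:\WINDOWS\System32\mni.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

TEMP_DIR = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                    # e.g. "O4 - ..."
RUN_KEY = re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$")    # O4 registry Run value
ORPHAN = re.compile(r"\((file missing|no file)\)")

def exe_name(text):
    """Lower-cased .exe file name found in a path or command line, or ''."""
    m = re.search(r'([^\\"]+\.exe)', text, re.I)
    return m.group(1).lower() if m else ""

def triage(log):
    """Return (heuristic, detail) pairs for entries worth a closer look."""
    findings, temp_procs, in_procs = [], set(), False
    lines = [l.strip() for l in log.splitlines()]
    for line in lines:                       # pass 1: the process list
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and not line:
            in_procs = False                 # blank line ends the section
        elif in_procs and TEMP_DIR.search(line):
            temp_procs.add(exe_name(line) or line.lower())
            findings.append(("process-in-temp", line))
    for line in lines:                       # pass 2: the R*/O* entries
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        run = RUN_KEY.match(body)
        if code[0] == "R" and "file://" in body and TEMP_DIR.search(body):
            findings.append(("ie-page-in-temp", body))
        elif code == "O2" and ORPHAN.search(body):
            findings.append(("orphaned-bho", body))
        elif code == "O4" and run and exe_name(run.group(2)) in temp_procs:
            findings.append(("autorun-matches-temp-process", run.group(1)))
    return findings
```

A match on the file name alone is only a lead: on the sample it links the copy of mcc.exe running from Temp to the [Multimedia Codecs] Run value that the earlier reply singles out.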
 
How do I start up in safe mode?

Sopman
 
You said in your first post you keep getting porn pop-ups. In addition to having a virus, you MOST likely also have spyware.

Run Ad-aware, free download (very good) from:


or Spybot, don't have their website handy.
 
I had a similar problem with Norton - the program detected several files under adware.binet, yet, whenever I searched for them my comp. would report that it couldn't find them. After several forums and several Microsoft chatrooms, I found my problem. Make sure that you have the option checked "check all hidden files." This easily solved my problem and I was able to find and eliminate the files Norton was unable to delete.
-just a thought
I advise a non-sub. version of webroot spy sweeper, and the classic search and destroy

Good luck
 
F8 = Safemode

Google search words for more help:

safemode xp f8 "how to"
 
I ran spy-bot. It did not find it.

Sopman
 
I checked the "check all hidden files" and was able to find the file that Norton could not clean or quarantine, but I still can't remove the mcc.exe file. Someone mentioned running 'Sophos Anti-Virus'. Is this similar to Norton Anti-virus?

Sopman
 
1. Try terminating any rogue EXE’s from task manager. If you can't get at it because of running malware, use (freeware) 'process explorer' from
2. Have ‘HijackThis’ fix the rogue item line(s). Thereafter, delete or uninstall affected items.
 
Update ur Norton AV to the latest defn. - restart ur system - press F8 to get to optional system startup - select safe mode command prompt - after a brief period u will land up at command prompt - go to the norton av directory thru dos - locate & run navdx.exe with options /doallfiles /delete. This scan will take a long time depending on the amount of data on disk & it takes a while to scan zipped or compressed files. Be patient, this will do it for u. After the scan is over successfully, perform a Norton scan in safe mode to reconfirm.
Be sure to turn off system restore when scanning in safe mode.
 