McAfee Scan Always Locks on this File

Hi.. this is just a test message.. sorry

Hi technomed, and welcome to the forum:

First, is your PC experiencing any problems, or is this just the result of a routine scan by McAfee? I ask because if your PC is experiencing no problems, there is a good chance this is a false positive detection by McAfee, which you should ignore.

There is indeed a legitimate XP file called MSONSEXT.DLL in my C:\Program Files\Common Files\Microsoft Shared\Web Folders folder. When I upload this file to  VirusTotal.com, an online scanner using numerous AV engines (including McAfee), I find it free of any infection. 

I would suggest you do the same. If nothing is detected at Virustotal (or if only McAfee detects it) then you have a false positive, and should just wait for McAfee to fix this with its next update.

On the other hand, if other scanners at VirusTotal also detect something, or if you are having problems with your system, you may have an infection. Post back with your results for further instructions.

P.S: You are correct to avoid registry cleaners- they will not help, and can severely hurt your PC.

hello again, sorry about the earlier test page, that was a Dell tech helping me setup my account here.

Thanks for the speedy & helpful reply.

My PC has not yet experienced any other problems, but these two:

1) the McAfee scan stops mid-way (you may be right; it may be just a virus scan problem, nothing inherent to the PC), however,…

2) my Spy Sweeper’s scan also hung up & locked half-way, but on a different file (I’ll let you know which file this evening when I return home—I think it was some type of Microsoft “SHELL” file). That’s when I uninstalled Spy Sweeper.

When I tried to test MSONSEXT.DLL at VirusTotal.com, it wouldn’t upload. I tried to make a copy of this file (to place on my desktop) to upload it, but my PC wouldn’t let me. It said something about a redundancy error. So I’m not sure how to test the file at VirusTotal.com

It’s a real pleasure to have someone actually try to help with problems like these. I tried for days to research this problem, and your help—as well as from others—is truly appreciated.

Hi again technomed:

I think I misunderstood you- I thought McAfee was flagging that file as malware. If it is just freezing at that file name, be aware that the file names displayed during a scan are just an approximation of what file is being currently scanned.

The fact that 2 separate defensive programs are freezing on different files points more towards malware, rather than a false positive detection (although not necessarily).

The first thing I would do is to rule out infection with an online anti-malware scan with the free ESET Online Scanner:
 http://www.eset.com/onlinescan/
This scan might take some time, so be patient. You can speed it up somewhat by disabling your background shield in McAfee- I don't use McAfee, but if you right-click on its icon in the notification tray at the bottom right of your taskbar, it should offer you that option.

This scanner not only detects viruses and other malware, but cleans them as well, and saves a log. If something is detected, allow the scanner to clean it, and post that log file back here for further instructions (the log file can be found at: C:\Program Files\EsetOnlineScanner\log.txt). You might need more cleaning.

If the online scan detects nothing, I would download the free version of MalwareByte's Anti-Malware (MBAM) and run a quick scan. Full instructions on how to do this are here (courtesy of Bugbatter):
http://en.community.dell.com/forums/t/19255626.aspx#19421089

Let us know how it goes.

Hi Joe53,

The other file that stalled the scan & locked up my computer when I scanned with Spy Sweeper was:

C:\WINDOWS\system32\WMPSHELL.DLL  (a Windows Media Player launcher)

I tested this file successfully & it does appear to be free from viruses. Maybe this Spy Sweeper lockup was just coincidental, but I thought I’d provide any possible clues.

Also, MSONSEXT.DLL still will not upload to VirusTotal for testing. It also refuses to be scanned when I use the McAfee A/V resident on my PC; it just locks up the computer.  BTW, 2 weeks ago everything worked fine. I'm not sure of any particular thing that could have made it misbehave currently.

Where to now?  :- )

Thanks!

Hi Joe,

Sorry I didn't respond sooner. I waited for an alerting e-mail that there was a response first (couldn't find one), but never checked back here for a reply like I should have--my mistake.

I'll try your suggestions and give you an update. I was anxious about being unprotected (no full A-V scan possible) so I consulted other sites in the meantime. I'll get back to you with the results.

I'm grateful for your help.

technomed:

No apology necessary- the email notifications were down for a few days from these forums, hence you got no alert. Good luck, and I look forward to your results.

Hi Joe,

ESET found one possible Macro virus and cleaned it. MBAM (quick scan) found no malware. But when I re-tried McAfee, the scan still locked at MSONSEXT.DLL  The results follow:

ESET Scan Results

“probably unknown MACRO virus (cleaned)

C:\Documents and Settings\Epstein Family\My Documents\Prior Files\Templates\Backup of Normal.wbk”

Log.txt:

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3832 (20090206)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=af2bb47ef0d7ad41bfe965ceff029b00

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2009-02-06 01:40:26

# local_time=2009-02-06 06:40:26 (-0700, US Mountain Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 3

# scanned=189570

# found=1

# scan_time=2074

C:\Documents and Settings\Epstein Family\My Documents\Prior Files\Templates\Backup of Normal.wbk  probably unknown MACRO virus (cleaned)  00000000000000000000000000000000

MBAM Results

Malwarebytes' Anti-Malware 1.33

Database version: 1735

Windows 5.1.2600 Service Pack 3

2/6/2009 9:05:01 AM

mbam-log-2009-02-06 (09-05-01).txt

Scan type: Quick Scan

Objects scanned: 54928

Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

• Memory Processes Infected: (No malicious items detected)
• Memory Modules Infected: (No malicious items detected)
• Registry Keys Infected: (No malicious items detected)
• Registry Values Infected: (No malicious items detected)
• Registry Data Items Infected: (No malicious items detected)
• Folders Infected: (No malicious items detected)
• Files Infected: (No malicious items detected)

 I did notice that ESET did pause a comparatively long time when it came to the MSONSEXT.DLL file, but after a minute or two, it continued the scan.

 Do these clues help?

 Thanks,

 Bob

Hi Bob:

After reading some of your posts (in other threads and websites) it seems that your MSONSEXT.DLL file is indeed the problem, in that your right-click context menu will not allow you to open, copy,  delete, view properties, scan with your AV, etc. It is either infected, or  corrupted.

I have the same XP/SP3 version as you, and can do all those things to that file. Unless you use MS Web Folders or SharePointPortalServer programs, it is likely not a necessary file and *should* be able to be safely deleted. Since you have a good copy in your C:\i386 backup library, you can always restore it later if needed (but see below).

It is odd that you cannot upload it to VirusTotal, though, which suggests it exceeds their file size limit. When you hover over the file (without clicking on it) with your mouse cursor, can you see a balloon box? If so , it should show the following:
Description: Microsoft Web Folders
Company: Microsoft Corporation
File Version: 11.0.6715.60
Date Created: 20/09/2005, 11:33:08 AM
Size: 1.23 MB

If your file size exceeds 10 MB, it will not upload, and indicates probable infection. If you cannot see the file size, go up a level and hover over the Web Folders folder; its total contents size should be about 1.5 MB. If this is not the case, you will need the advice of a malware removal expert.

If the folder and/or file sizes seem about right, you might just be dealing with a corrupted file. You could try rebooting into Safe Mode and try to delete the MSONSEXT.DLL file from there, but I can't guarantee that this is 100% safe to do, as it is in your MicrosoftShared files folder, and might be required by another program (although I could not find any evidence of this with a google search).

Your Eset amd MBAM scans suggest you are not infected (despite the unknown macro detection) but it is still possible.

I think your safest bet at this point is to post a HijackThis logfile in the Malware Removal board here:
http://en.community.dell.com/forums/3521.aspx

Full instructions on how to do this are here:
http://en.community.dell.com/forums/t/19251122.aspx

Be aware that the experts there are swamped with requests, and a response might take a day or two.

For my own feedback, I would be interested to know about those file and folder sizes, though.

Good luck!

Hi Joe,

Thanks for your analysis. While further poking around I discovered the following, which may be the heart of the strange symptoms.

In the Event Scanner, I came across a whole boatload of Error messages and warnings. The key ones all said:

“The device, \Device\Harddisk0\D, has a bad block.”

Looks like these messages have been generated (unbeknownst to me) for many months, but only became apparent to me from the recent locked McAfee scans.

It is also possible that the MSONSEXT file is also bad, but perhaps it is somehow associated with the “bad block”?

When I go to the Dell Support site linked to the Error msgs, there are posted dozens of confusing & unsequenced Knowledge Base items to interpret. Where can I go within the Dell community to get help resolving this? My computer is less than a year old and I’m not sure if this type of assistance is covered in the regular warranty. Maybe I have to reformat my hard drive (not quite sure how) and reload stuff? Or could the hard drive be mechanically flawed?

Any recommendations?

Thanks,

Bob

“The device, \Device\Harddisk0\D, has a bad block.”

Ouch!

I'm sorry to say, but if you have been getting this error message for many months in your event viewer, this points to an entirely different problem; you have a hardware problem. Namely, your hard drive is failing. This is not a malware issue, and I have no expertise in this area, other than to advise you to back up all your data while you still can, to another drive, then replace your hard drive, before it completely fails.

I would imagine, if your Dell PC is less than a year old, that you are still covered under warranty for a failing hard drive. I would contact Dell phone support about this.

You'd think that Dell would flash this type of error on your desktop in giant letters, rather than bury it in the Event Viewer. Oh well. It sure wasn't obvious from the symptoms that this was the problem.

Thank you for all your help!!

You are welcome.

To confirm the problem, you can run a Dell Diagnostics test on your hard drive.

- Reboot and tap F12
-  Dell diagnostics> extended test> hard drive.

Full instructions here:
http://en.community.dell.com/forums/p/18498379/18621365.aspx#18621365

Ran Diagnostics and it showed a disk error. Called Dell Support and they confirmed bad hard drive. New hard drive on its way to me, no charge.

Thanks again!