Unsolved


13 Posts


January 1st, 2004 06:00

Downloader.MSCache virus -- Please Help!!

I received a pop up message from Norton AntiVirus saying that it had detected a virus that could not be repaired.  In the activity log, it says that there's a file that is infected with the Downloader.MSCache virus.  I don't know whether this is important or not, but it's apparently located in my temporary internet folder.  However, I have since run two comprehensive virus scans, and nothing shows up as being infected.  How serious is this, and what do I do?

I visited the Symantec Security Response web site, but it offered little help for a novice such as myself.  I did find the page that describes the virus and provides removal steps, but it says that removal requires an "experienced technician," which I certainly am not. 

Furthermore, I'm unable to submit the file to them because I can't locate the file to quarantine it, and I can't find a way to contact a technician by e-mail. 

I guess my questions are as follows:

1) How do you explain Norton AntiVirus detecting the virus initially, but then failing to detect it in the virus scan?  I did uninstall a program that probably carried the virus.  Would that have removed it from my computer?

2) If the virus is still present, what steps should I take to remove it?  Do I need an "experienced technician" to remove it for me, or can I do it myself following the steps on Symantec's web site?  Does the fact that the virus doesn't show up in the scan complicate matters (i.e. does the scan have to be able to detect the virus for it to be removed)?

3) Should I try to quarantine the file and submit it to Symantec?  If so, how do I locate the file in the temporary internet folder?

4) Do you know of a way I can contact someone with Symantec to assist me without spending loads of cash through their telephone service?  

5) How concerned should I be about this?  How much damage could this inflict on my computer?

I would greatly appreciate any help you can provide.  I'm at a loss for what to do.

 

Message Edited by ern123 on 01-01-2004 02:13 AM

725 Posts

January 1st, 2004 11:00

First empty your temporary internet files.  In internet explorer Tools>Internet Options>General Click the "Delete Files" button in the middle.


Then run Ad-Aware and Spybot Search and Destroy to check for spyware programs.  Make sure you update them both before running them.  Remove all that Ad-Aware finds.  Remove all the "red" items that Spybot Search and Destroy finds.  Ad-Aware is available here.  Spybot Search and Destroy is available here.

To be sure you are clean, download hijackthis from here.  Post your hijack this log when you have finished so someone can check it.

Message Edited by Yellowhammer on 01-01-2004 07:14 AM

13 Posts

January 1st, 2004 15:00

Thanks for responding, Yellowhammer.  I deleted all of my temporary internet files and ran Ad-Aware, but I haven't run Spybot yet because it warned that it could alter the performance of the computer.  Is it safe to run? 

One of the items Ad-Aware found was a RegKey that was labeled "Possible Browser Hijack Attempt."  That sounds rather ominous, and would seem consistent with what happened to my computer.  I neglected to mention this before, but I believe I may have been infected with the virus when I accidentally downloaded a program that messed with my browser.  And by "messed with," I mean:

- It added a bunch of new folders to my favorites menu, some of which included pornography sites.   

- It changed my home page to some site I was unfamiliar with.

- It caused several pop up windows to appear when I opened my browser.

- It added two bars to my browser, one to the top and one to the bottom.

- It created new icons on my desktop, along with a bar with links to the internet.

However, since I uninstalled the program, I haven't experienced any visible problems.  Yet, I don't know whether I still have the virus or not.

Maybe this new information will provide you with better insight into what I'm dealing with.  Again, I do appreciate your help.

725 Posts

January 1st, 2004 16:00

Spybot will not hurt the performance of your computer.  Just delete the red items to be conservative.  What Spybot might do is delete some spyware that is required to be on your system for programs like Kazaa to run.  If a program such as Kazaa requires spyware, then it should not be on your computer.  There are plenty of alternatives without spyware.

After you run it, run hijackthis from the instructions in the previous post and post your log. 

13 Posts

January 1st, 2004 17:00

How do I unzip it?

725 Posts

January 1st, 2004 17:00

Don't open it from its current location.  Choose to save it.  Save it to a folder that you have created, such as c:\hjt.  Unzip it in that folder.

13 Posts

January 1st, 2004 17:00

Okay, I ran Spybot.

Regarding HijackThis, the page you referred me to says: "Also, make sure that you actually extract HijackThis to its own folder. DO NOT run it from within a zip manager (Winzip), as no backups will be saved."

When I clicked the download button, it gave me the option of opening it from its current location, which I did.  However, it appears to be located in my temporary internet files folder, and it has ".zip" at the end of the address.  Should I proceed with the scan?  If not, how do I "extract HijackThis to its own folder"?

Sorry to be such a nuisance.

725 Posts

January 1st, 2004 17:00

With a zip utility.  If you are using Windows XP, all you have to do is right-click on it and select Extract All.  A wizard will walk you through it.  You can browse to the folder you want to unzip it to or create a new folder.

13 Posts

January 1st, 2004 18:00

Logfile of HijackThis v1.97.7
Scan saved at 2:04:13 PM, on 1/1/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "my.netscape.com"); (C:\Documents and Settings\Robert Neckel\Application Data\Mozilla\Profiles\default\str2zdaf.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robert Neckel\Application Data\Mozilla\Profiles\default\str2zdaf.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SoftStuff Wallpaper Changer.lnk = C:\Program Files\SoftStuff\softstrt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{663A365B-48F3-4C86-9C54-6AC380A714E8}: NameServer = 151.164.11.201 151.164.1.8
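As an added example, not part of the thread and not code from HijackThis itself, here is a small Python triage script for the log format posted above: it parses the section-prefixed entry lines (R0, R1, O4, O16, ...) and flags the two kinds a reviewer looks at first, startup items whose target HijackThis could not resolve and O16 ActiveX controls downloaded from hosts outside an allow-list. The sample log is constructed from entries quoted in the thread, and the allow-list of trusted hosts is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v1.97 log format, modelled on the entries
# quoted in the thread above; the header and process list are omitted on purpose.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allow-list of hosts an analyst accepts as sources of ActiveX controls (O16).
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "apple.com", "akamai.net",
                         "symantec.com", "macromedia.com")

ENTRY_RE = re.compile(r"^(?P<section>[RNOF]\d+) - (?P<body>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line, skipping other text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def host_trusted(host):
    """True when host is one of the allow-listed domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)

def review(entries):
    """Flag O4 startup items with an unresolved target ('= ?') and O16 ActiveX
    downloads whose source host is not on the allow-list."""
    findings = []
    for section, body in entries:
        if section == "O4" and body.endswith("= ?"):
            findings.append((section, "startup item with unresolved target", body))
        elif section == "O16":
            m = O16_RE.match(body)
            host = urlsplit(m.group("url")).hostname if m else None
            if host is None or not host_trusted(host):
                findings.append((section, f"ActiveX control fetched from {host}", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```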

 

13 Posts

January 1st, 2004 18:00

That's great to hear.  I'll do as you suggested.

Any idea how the virus could disappear like that?  Could it have been removed when I uninstalled the infected program, or could Ad-Aware or Spybot have taken care of it?

I appreciate your help.

725 Posts

January 1st, 2004 18:00

Looks OK to me.

You do need to install the critical updates to your system.  Both Windows XP and Internet Explorer are out of date.

I would suggest installing SpywareBlaster, SpywareGuard, and IE-SPYAD on your system as well.  Links to all of these are here.

363 Posts

January 3rd, 2004 18:00

Aeronautica, please start your own topic by using the New Message button as using the Reply leads to confusion with multiple people's problems.

Please read: http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=572

1 Message

January 3rd, 2004 18:00

I had the same virus...when I first realized something was not right was when I started my computer and my system32 file popped up as soon as windows came up (btw I use Win XP).  I was successful in removing the virus, however the system32 file still starts up when I boot my computer.  How can I get it to stop doing this?