Is OneCare itself under attack?

  • Question

  • Hi All-

    OneCare
    on my XPsp2 machine is being disabled, both firewall & AV. If I open any input, it quickly fills with tildes~~~~~~~~~. This also happened to the modem dialer, goading me to reenter my email & password, which makes me think a keylogger is also involved.

    Background:
    Around Thanksgiving, my McAfee subscription was running out. I decided to install OneCare instead, figuring it'd streamline some of the slower processes like waiting for McAfee to update before you can check email.
     
    I am on tin cans & string rural dialup, and I checked specs - 56K dialup is listed on the OneCare package. At this point the computer has been online safely for over 4 years, always updated and scanned regularly. Nothing ever got in.

    Given the fancy packaging, I was surprised that the CD inside seems merely a loader- after just a few seconds run, it downloaded for almost 3 hours, during which time there was apparently no AV or firewall running, as the McAfee had been completely removed.

    Within days, I noticed that during startup, the 'Your machine may be at risk' balloon would appear and then disappear; also the 'saving your settings' splash during logoff would last longer & longer- on the order of 5 minutes. I reported this to OneCare Tech Support. They asked me to run a scan and send the log. The scan found nothing.

    Then I happened to click an embedded 'here' link at Celtx writers forum, a safe enough place up to then.

    My browser window (Firefox 2) shrank to minimum size and started to jump around the corners of the screen. The Windows 'Can't do it' sound kept going off. In the window it said something like 'You have been jacked'. I couldn't catch up to the close button, so I C/A/D'd to Task Manager and closed Firefox, then shutdown the computer. Unfortunately, there was that long 'Saving your Settings' and I'd forgotten to shut down the dialup connection, so I had to disconnect the wire itself- & there was transmission on the line.

    When I restarted, OneCare had both AV & firewall turned off, and it 'encountered a problem' & refused to run a scan. Opening the dialer, ~~~~~~~~ filled the ID slots. Using another computer, I reported all this to OneCare support. They at first sent instructions for a Vista-type safe mode run, which doesn't work on XP. Since then I haven't heard back from multiple emails.

    SO- I have multiple issues. I'd like to start with the response of the Celtx forum mods, who saw the link as relatively harmless & going to RickRoll'd. Well, they don't have OneCare- few do at this point. But something got on my machine, and it put shutdowns in my registry that Spybot found but OneCare couldn't. It let anything in while pretending OneCare was working. In other words it's only a serious problem to OneCare users- and OneCare is blind to it. That makes it pretty sophisticated, and of benefit only to commercial opponents.

    I haven't been able to find any listed symptoms similar to this. Even a name for this prob would be of great help! Thanks


    Sunday, December 30, 2007 6:43 PM

Answers

  • Since you have an open support case with OneCare support, I would recommend that you continue to work with them on a resolution. I suspect that the problem you now have encountered is related to the shutdown of the PC and some possible file corruption. Since you are on dial-up, reinstalling OneCare will be painful, but that may be the solution to get it working once again.

    Here is how to run OneCare in Safe Mode on XP - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1215336&SiteID=2

    -steve

     

    Monday, December 31, 2007 4:21 AM
    Moderator

All replies

  • Steve- thanks much for the reply, but with all respect...

    I have not had any response at all from OneCare Support since Christmas Eve.

    The procedure I was given was for Vista, and won't work with XP, tho XP was clearly indicated.

    I would like to know how & why the malware got in, given that the machine was fully updated.
    Protection from this kind of situation is the purpose of a program like OneCare.

    If you wish I will post the emails I got from Support.

    What I would like to know at this point:

    a. if I connect this hard drive (rejumpered to slave but containing XP) to another machine with a current Internet Security Suite operating, can I identify & clear this problem without endangering the other machine?

    b. the malware link that triggered all this was at a trusted site and didn't expose the address, it was of the 'you can find it here' type. WHY was I unprotected for this risk?

    I have tried the suggested Safe Mode start of OneCare. I get a screen message that says it cannot be found, or that a device attached to the System is not functioning, depending on whether the command line or icon is used.
    Wednesday, January 2, 2008 1:35 AM
  • First of all, if support has not gotten back to you, please post the case ID and I'll have someone investigate.

     

    For your specific questions, I'll do my best;

    a. As long as the drive is a data drive, since it is slaved and not a boot drive, yes, it cannot infect the main PC unless you execute a program from that drive and the security program on the PC does not detect the malware.

    b. I can't say why it infected you. No security program is perfect, unfortunately.

     

    I don't know why the Safe Mode scan is not working for you, but I just read of someone else with the exact problem.

    -steve

     

    Wednesday, January 2, 2008 2:33 AM
    Moderator
  • Thanks again for helping, Stephen- it's SRX1052071843

    Now am stuck with webmail only, the service is Postini, there were no emails related to this stuck in the spam bucket, tho I did get a couple in a weird character set that even my ISP couldn't identify. My last emails to support were 'reply to' on 12/27 to both J Su & A Fang.

    Wednesday, January 2, 2008 2:33 PM
  • Thanks. I've forwarded the case number and link to this thread for investigation.

    -steve

     

    Wednesday, January 2, 2008 6:36 PM
    Moderator