What is this event reporting?

  • Question

  • Here is an event found on a workstation:
    Event Type: Warning
    Event Source: OneCareMP
    Event Category: None
    Event ID: 3004
    Date:  4/2/2009
    Time:  7:41:01 AM
    User:  N/A
    Computer: SHIPPING
    Description:
    Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
     For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Hiloti.gen!A&threatid=2147616923
      Scan ID: {8FCB919C-AB55-41C3-85F6-B47B9D6E575A}
      Agent: On Access
      User: NT AUTHORITY\SYSTEM
      Name: Trojan:Win32/Hiloti.gen!A
      ID: 2147616923
      Severity: Severe
      Category: Trojan
      Path Found: file:C:\Documents and Settings\it.SDOFFICE\Local Settings\Temporary Internet Files\658206.dll
      Alert Type:
      Process Name: C:\Program Files\Network Associates\VirusScan\Mcshield.exe
      Detection Type: Generic
      Status: Suspend

    What, exactly, is this reporting?

    Is this event reporting that OneCare has blocked or deleted the dll in question?
     
    Is it reporting that McShield blocked or deleted the dll?
     
    Is it reporting that OneCare blocked McShield.exe?
     
    Is it reporting that anything was actually blocked or done?
     
    What does the status of "suspend" mean?
     

    McShield is, of course, the VirusScan on-access scanner, but McAfee reports nothing about this event. The dll reported is not found on the workstation. OneCare daily scan reports nothing.

    Microsoft support --- was not much help on this one 

    I think this OneCare may be a good product but without support it is unusable.

     


    WWED
    Wednesday, April 8, 2009 3:43 PM

Answers

  • The first thing you need to do is *remove* either McAfee protection or OneCare protection as having both can cause performance issues or worse, system instability. They *will* conflict. You must never have multiple real-time protection components installed and active on a PC.

    The problem you are seeing is that both scanners were intercepting the infected file and only one succeeded. The file was blocked, but OneCare is reporting that it was the McAfee app that was accessing the DLL - scanning it. OneCare blocked, or tried to block the threat.

    If you choose to keep OneCare, use the McAfee cleanup tool:
     

    http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

    -steve


    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Wednesday, April 8, 2009 6:27 PM
    Moderator
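
The reading given in the answer above can be checked mechanically. The following is an added example, not part of the original thread and not Microsoft or McAfee code: it parses the event description from the question and separates the detected object (`Path Found`) from the process that was touching it (`Process Name`). The function names and the `OTHER_SCANNERS` set are assumptions made for illustration, and the `Status` value is reported as-is without interpretation.

```python
import re

# Event description copied from the question above (OneCareMP event ID 3004).
SAMPLE_EVENT = r"""
  Scan ID: {8FCB919C-AB55-41C3-85F6-B47B9D6E575A}
  Agent: On Access
  User: NT AUTHORITY\SYSTEM
  Name: Trojan:Win32/Hiloti.gen!A
  ID: 2147616923
  Severity: Severe
  Category: Trojan
  Path Found: file:C:\Documents and Settings\it.SDOFFICE\Local Settings\Temporary Internet Files\658206.dll
  Alert Type:
  Process Name: C:\Program Files\Network Associates\VirusScan\Mcshield.exe
  Detection Type: Generic
  Status: Suspend
"""

# Assumption: executables that belong to another product's on-access scanner.
# Only Mcshield.exe comes from the thread; extend the set for your environment.
OTHER_SCANNERS = {"mcshield.exe"}

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_event(text):
    """Split 'Key: value' lines into a dict; keep empty values such as 'Alert Type:'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def summarize(fields):
    """Separate the detected object from the process that was accessing it."""
    detected = fields.get("Path Found", "")
    if detected.lower().startswith("file:"):
        detected = detected[5:]
    accessor = fields.get("Process Name", "")
    exe = accessor.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {
        "threat": fields.get("Name", ""),
        "detected_object": detected,
        "accessing_process": accessor,
        "status": fields.get("Status", ""),
        "scanner_overlap": exe in OTHER_SCANNERS,  # True: two real-time engines met on one file
    }
```

A `scanner_overlap` of `True` means the flagged process is the other product's scanner reading the file, which is the conflict the answer describes, not a detection of that scanner itself.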

All replies

  • Thanks for the info - I was not aware that the two were incompatible. For that matter I did not think that OneCare was a reasonable replacement for McAfee - is it? I was thinking that it was more of an anti-spyware tool that worked with any existing anti-virus software. This was not clear in the install or documentation.

    At this point, I think I will remove the OneCare - the main reason is that I cannot rely on anti-virus software for which the support is so weak. I can call McAfee anytime and talk with an expert if I have a question. The email support for OneCare is REALLY bad and this forum is good as far as forums go but is no substitute for handling a real crisis.


    WWED
    Wednesday, April 8, 2009 10:34 PM
  • You're welcome.
    Windows Defender is the antispyware program from Microsoft. The engine and definitions of Defender are included in OneCare, but OneCare brings much more to the table.
    Note also that subscribers have access to phone support for OneCare. Trial users are limited to email support.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Thursday, April 9, 2009 1:01 PM
    Moderator