
Univ.script/99a - Listed as low threat- It isn't

On December 13th, my wife's virus scan popped with a green alert that Univ.script/99a had been removed. On every subsequent login, it happened again. By Saturday, her account froze. My admin account on that machine was still okay, so I did a virus scan, registry scan, adaware scan, spybot search and destroy and a defrag. The virus scan popped with Univ.script/99a, the adaware scan showed 55 non-crit entries which I removed. After cleaning the system, everything seemed okay, then virus scan popped with Univ.script/99a, and both accounts froze. This is a DELL 8240, 1GB, XP SP2 with all the security updates, running Security center 11, the online version available with Qwest DSL.

But that isn't the end of the story.

Saturday, my DELL Inspiron 8600, 1GB, XP SP2, also running SC 11 popped with Univ.script/99a and froze.

Also on Saturday, my DELL 8250, 1GB, XP SP2, running the same stuff, also popped with Univ.script/99a. And then, instead of freezing, it would come up with a msg box telling me that an IE script was using too many resources, did I want to close it, which I did. It would go away, only to reappear later. Finally, on Monday, my system froze, but I was able to recover it.

My laptop and my wife's PC would not recover and are in various stages of re-formatting/reloading. Virus scans by AVG, Kaspersky and the new webroot scanner for MSN do not indicate any threats on any of the systems.

In addition to McAfee's security center, I am also running Threat-Fire, a root scanner.

I am using a linksys wrtg54g wireless router. My 8250 and 8240 PCs are connected by 10/100, my laptop is wireless.

Any ideas on what caused this? I still have 2 computers that are not affected, they haven't been on my network since Wednesday, and are seemingly okay.
9 Replies

RE: Univ.script/99a - Listed as low threat- It isn't

McAfee should have cleaned it as it's been on their books since 2004. If you've been getting any "write-protected" type errors in the process then it may be caught in your System Restore folder. If that has happened, only if it has happened, disable System Restore and reboot and they should be gone.

Probably the best way to get to the bottom of this quickly is to use Hijackthis and post its log on any of the following forums. They have experts who can spot these problems and know the quickest way to solve them.

Do not post the log here, we can't help!


Post the logs at a specialist Forum:

WHAT THE TECH FORUM (Formerly Tom Coyote)

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

Great Idea!

I have used Hijack This!, and I didn't see anything out of the ordinary, but then, I'm not an expert either. I'll post one tonight on the appropriate forum.

RE: Great Idea!

I was also going to suggest running THIS tool. It may help and would in any case be useful to have around as extra protection anyway.

RE: Great Idea!

According to PCTools, those are part of their updating process for ThreatFire. I happened to see McAfee VS delete one such file a few days ago, so I opened Security Center, made a screen shot of the log file in question, submitted it to PCTools.

PCTools, in turn, told me what the files are. I then asked what ThreatFire files are updated, which they told me, and, as far as I can tell, ThreatFire is being updated despite VS deleting files such as c:\windows\temp\cht8B7.tmp, which supposedly had a virus in it, namely Univ.script/99a (Virus).

There seems to be no way to submit this so-called virus file to the lab, because ThreatFire uses it only as it is updating, and, apparently, sometime after that process is completed, VS deletes the file.

However, there would seem to be some discrepancy: PCTools say they use the file, but McAfee says it has been on its removal system for three years. Is there some way to get McAfee and PCTools to talk to one another and fix whatever it is that needs fixing?

RE: Great Idea!

Thanks John for that input, very interesting.

Get Threatfire to write to McAfee, they must be able to submit the actual file in question somehow.

Send a file to Avert for analysis:


Email file to: [EMAIL=""]

Submissions must be no more than 3mb, zipped and password protected using the password infected or they will be rejected.
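
An added example, not part of the original thread and not McAfee or PC Tools code: a pre-send check for the submission rules quoted above (zipped, password protected, no more than 3 MB). It reads the encryption bit in each entry's header, which is what shows whether an archive really is password protected; the 3 MiB reading of "3mb", the function names and the constructed sample file are assumptions.

```python
import io
import zipfile

MAX_BYTES = 3 * 1024 * 1024  # assumption: "3mb" in the post read as 3 MiB
ENCRYPTED_FLAG = 0x1         # bit 0 of the ZIP general-purpose flag field


def check_submission(data):
    """Return a list of problems; an empty list means the archive passes."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"archive is {len(data)} bytes, limit is {MAX_BYTES}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("not a ZIP archive")
        return problems
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if not members:
            problems.append("archive contains no files")
        for info in members:
            # An entry without this bit is readable by anyone, password or not.
            if not info.flag_bits & ENCRYPTED_FLAG:
                problems.append(f"{info.filename}: stored without a password")
    return problems


def build_sample_zip():
    """Constructed input: a one-file, unencrypted ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.tmp", b"constructed placeholder content")
    return buf.getvalue()


def mark_encrypted(data):
    """Constructed input only: set the encrypted bit in the first central
    directory entry, because the standard library cannot write encrypted ZIPs."""
    buf = bytearray(data)
    pos = buf.index(b"PK\x01\x02")   # central directory file header signature
    buf[pos + 8] |= ENCRYPTED_FLAG   # flag field sits 8 bytes into that header
    return bytes(buf)


if __name__ == "__main__":
    plain = build_sample_zip()
    print(check_submission(plain))
    print(check_submission(mark_encrypted(plain)))
```
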

RE: Great Idea!

Per your request, I contacted the PC Tools person who was handling this for me; he asked if I could send him a copy of one of the VS-quarantined files.

Tried, but VS kept "VSing"; locked down firewall, disabled VS, restored one of the files.

Zipped it with a password, sent it to PC Tools. Unlocked Firewall and restarted VS, which process totally locked up the computer--that added to another problem that locked up things earlier today.

Restarted, scanned entire computer to be sure that the file I had restored, zipped, etc., had done no harm; apparently all is well.

Received a reply from PC Tools; I don't consider this exchange of e-mails to be privileged, so here's what my contact had to say:

"Thanks for providing that sample. Interesting when I copy that file to a system with McAfee the real-time protection flags it right away, but if I completely delete the TFBL.tmp file and allow it to update with its full contents McAfee does not detect anything. There must be some string in that file that matches a string for one of their AV signatures.

"We will get in touch with McAfee to see what they say and do our own internal investigation."

I replied and asked that he keep me informed; assuming that that happens, I'll update this thread.

(We won't even mention the truly weird Firefox extension error I found today, using the latest beta-test FF release: If my FF news reader is enabled, the "send link" feature of the main context menu in Firefox does not work! I wonder if McAfee caused that, too...).

RE: Great Idea!

That's interesting. At least PC Tools are on top of the issue. As far as that FF thing...all I can say is "who knows?"


RE: Great Idea!

I should add...anything beta is unsupported naturally. I know that only too well from past experience.
Right now I'm testing XP Pro SP3 Beta on one partition and Vista Ultimate SP1 Beta on another...and so far, absolutely no problems, even with McAfee. But that often is not the case.

John reminded me of something...

In addition to what I had described in my first post, something else strange that John's post on FF reminded me of...

On the affected systems, when I run msconfig to disable the startup files, a message comes up that access is denied, but the changes still take, weird.

Also, I zipped and pwd protected a HiJack This! log, and sent it to Avert. XP said it was encrypted, but Avert said that it was not when they received it.

I do have my wife's system back up and running after the reformat, reload and update sequence...there has to be an easier way. I run McAfee, Threatfire, and now webroot sweeper and Super-anti spyware, all real time. In addition I scan with lavasoft's adaware, spybot search and destroy, ccleaner and hijack this, and I still get problems...yikes. I fear for those who don't even run a firewall.
