What's this??


This topic is locked
7 replies to this topic

#1 usherer

Posted 28 July 2004 - 08:20 AM

1. First it was angelfire, now I'm seeing some "dumbpea free webhosting"..

2. Also, I have been unsuccessful trying to delete this application named "mtu" which keeps sneaking back.

3. A black dialog box keeps springing up saying "access denied" to some of my files. The title of the dialog box is something.cmd.exe

Logfile of HijackThis v1.98.0
Scan saved at 9:17:30 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\WINDOWS\System32\navsvc32.exe
C:\WINDOWS\System32\NAVSCANNER32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guardian.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF568A1-11F0-450B-A371-419509C065AA}: NameServer = 165.21.83.88 165.21.100.88

#2 Marianna

Posted 28 July 2004 - 11:00 AM

Hi usherer

Press Ctrl+Alt+Del and 'end task' on any of the follow that are present:

navsvc32.exe
NAVSCANNER32.EXE


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
Make sure all browser and all Windows Explorer windows are closed before fixing

O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe

O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE

O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe

O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE

O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE

O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe


Reboot

Go for free online Virus scans here:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...com/activescan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Then use the Disk Cleanup Utility to empty all your Temp folders

Then Disable system restore: Instructions here
Reboot

Enable System Restore.

Pls. post another log.

Pls. GET ALL your critical updates !!

http://uk.trendmicro...me=WORM_RBOT.QC
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010
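The fix list in the post above picks out two executables by the shape of their O4 entries: a trusted-sounding label ("Microsoft Update", "NAVSCANNER32") whose command is a bare filename rather than a full path, registered under HKLM\Run, HKLM\RunServices and HKCU\Run all at once, while every legitimate entry in the same log names its program by a full path. The Python below is an added example, not part of the original thread and not HijackThis code; it mechanises that triage over the O4 lines of the first log in this thread. The three tests it applies (unqualified filename, multiple autostart locations, use of the RunServices keys, which Windows 9x/Me process and the NT line ignores) are the example's own reading of the log, not something the forum stated.

```python
import re
from collections import defaultdict

# Registry-backed autostart entries: "O4 - HKLM\..\Run: [Label] command"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)
# Shell-folder entries: "O4 - Global Startup: Name.lnk = C:\path\prog.exe"
O4_STARTUP = re.compile(r"^O4 - (?P<key>\w+ Startup): (?P<label>[^=]+?) = (?P<cmd>.+)$")

# O4 lines copied from the first HijackThis log in this thread (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""


def _target(cmd):
    """Executable named by the command: the quoted string, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    return parts[0] if parts else ""


def is_qualified(target):
    """True if the executable is named by a path (drive, UNC or %VAR% prefix).
    A bare filename is located by path search at logon, so a file dropped into
    a directory on that search path under the same name is what gets run."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%\w+%)", target) is not None


def parse_o4(log_text):
    """Parse every O4 line into {location, label, cmd, target}."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line) or O4_STARTUP.match(line)
        if m is None:
            continue
        d = m.groupdict()
        location = f"{d['hive']}\\{d['key']}" if "hive" in d else d["key"]
        entries.append({
            "location": location,
            "label": d["label"].strip(),
            "cmd": d["cmd"].strip(),
            "target": _target(d["cmd"]),
        })
    return entries


def triage(log_text, win9x_keys=("RunServices", "RunServicesOnce")):
    """One finding per executable showing any of three signs: an unqualified
    filename, the same program registered in several autostart locations, or
    use of the RunServices keys (honoured by Windows 9x/Me, ignored by the NT
    line, so on an XP box they only betray a write-everywhere persistence habit)."""
    by_target = defaultdict(list)
    for e in parse_o4(log_text):
        by_target[e["target"].lower()].append(e)
    findings = []
    for group in by_target.values():
        target = group[0]["target"]
        locations = sorted({e["location"] for e in group})
        reasons = []
        if not is_qualified(target):
            reasons.append("unqualified filename, resolved by path search at logon")
        if len(locations) > 1:
            reasons.append("registered in %d locations: %s" % (len(locations), ", ".join(locations)))
        if any(loc.split("\\")[-1] in win9x_keys for loc in locations):
            reasons.append("uses RunServices, a Windows 9x/Me key that NT-family Windows ignores")
        if reasons:
            findings.append({
                "target": target,
                "labels": sorted({e["label"] for e in group}),
                "locations": locations,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["target"], f["labels"], f["locations"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the log above it reports exactly navsvc32.exe and NAVSCANNER32.EXE, each with all three reasons, and nothing else: ccApp, ADVCHK, NeroCheck, qttask and the WinPoET entry all carry full paths and sit in one location each, and `%systemroot%\system32\dumprep 0 -u` counts as qualified because the environment variable fixes the directory. The check on location count matters more than the filename check alone: a bare filename in a single Run key is sloppy but common in old installers, while the same bare filename written to three keys is the pattern the fix list is removing.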

#3 usherer

Posted 28 July 2004 - 01:20 PM

Thanks a lot for your advice!

How's this?? Is it a clean bill of health?

Logfile of HijackThis v1.98.0
Scan saved at 2:19:44 AM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guardian.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF568A1-11F0-450B-A371-419509C065AA}: NameServer = 165.21.83.88 165.21.100.88

#4 usherer

Posted 28 July 2004 - 01:29 PM

BTW, how did I manage to get this worm?

I use Blubster to download mp3s. Is it safe?

#5 Marianna

Posted 28 July 2004 - 01:44 PM

Hi usherer

Yep, clean bill of health :)

How you got that worm??

This worm scans the network and attempts to log on to target systems using a list of text strings as user names and passwords. It then drops copies of itself in the default shares of successfully accessed machines.

It has backdoor capabilities. It connects to an Internet Relay Chat server and waits for commands issued by a remote user.

This worm exploits the following Windows vulnerabilities:

* RPC/DCOM vulnerability
* IIS/WebDAV vulnerability

More information on these vulnerabilities can be found in the following links:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-007

This worm also steals CD keys of certain games.

It runs on Windows NT, 2000, and XP.

did you get ALL critical updates\patches ??

I just did a search for BLUBSTER - I do NOT think it is "safe"!

Overview
Blubster is a popular peer-to-peer file sharing program. At the time of writing 4,900,000 users have downloaded Blubster according to download.com. Blubster has since its first release bundled at least the following products: CyDoor, BetterInternet, MySearch Bar, WebHancer, WebSavings, etc.

http://www.kephyr.co...ter/index.phtml

HTH
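The worm description in the post above names two behaviours that show up in connection logs even when the host-side symptoms (the reappearing file, the cmd.exe "access denied" box) are ambiguous: the worm fans out across the local network to log on to neighbours' default shares and to hit the RPC/DCOM service that MS03-026 covers, and it holds an outbound IRC connection waiting for commands. The Python below is an added example, not from the thread or from Trend Micro's write-up; it runs both checks over constructed flow records ("timestamp src dst dport", one per line) and reports only hosts that show the pair. The IRC port 6667, the threshold of 10 distinct hosts in 5 minutes, and every address in the sample are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a LAN sweep of the kind described touches: the RPC endpoint mapper
# (the MS03-026 service) and the NetBIOS/SMB ports carrying the default shares.
# WebDAV (MS03-007) rides on 80 and is deliberately left out: outbound web
# browsing fans out to many hosts legitimately, so count 80 only for internal
# destinations if you add it.
SWEEP_PORTS = {135, 139, 445}
IRC_PORTS = {6667}                 # assumption: default IRC port; the thread names none
FANOUT_THRESHOLD = 10              # assumption: distinct hosts within one window
WINDOW = timedelta(minutes=5)


def constructed_flows():
    """Constructed connection records, one per line: 'timestamp src dst dport'.
    Not taken from the thread; addresses are private/documentation ranges."""
    base = datetime(2004, 7, 28, 9, 0, 0)
    recs = []
    # infected host: 15 neighbours on SMB inside 90 seconds, then an IRC port
    for i in range(15):
        recs.append((base + timedelta(seconds=6 * i), "10.0.0.5", f"10.0.0.{10 + i}", 445))
    recs.append((base + timedelta(minutes=2), "10.0.0.5", "198.51.100.7", 6667))
    # ordinary user: three file shares and a web site
    for i, dst in enumerate(["10.0.0.10", "10.0.0.11", "10.0.0.12"]):
        recs.append((base + timedelta(minutes=i), "10.0.0.8", dst, 445))
    recs.append((base + timedelta(minutes=3), "10.0.0.8", "203.0.113.20", 80))
    # ordinary IRC user: no sweep
    recs.append((base + timedelta(minutes=1), "10.0.0.9", "198.51.100.7", 6667))
    return "\n".join(f"{ts.isoformat()} {src} {dst} {dport}" for ts, src, dst, dport in recs)


def parse_flows(text):
    """Parse the line format above into (datetime, src, dst, dport), time-ordered."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    rows.sort()
    return rows


def fanout_sources(rows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """{src: peak distinct destinations} for sources that reach at least
    `threshold` distinct hosts on SWEEP_PORTS inside any sliding window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        if dport in SWEEP_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def irc_sources(rows):
    """Sources with at least one connection to an IRC port."""
    return {src for _, src, _, dport in rows if dport in IRC_PORTS}


def suspects(rows):
    """Hosts that both sweep the LAN and hold an IRC connection: the pairing the
    description implies, and one that a plain port scan or a plain IRC user
    does not produce on its own."""
    fan = fanout_sources(rows)
    return sorted(fan.keys() & irc_sources(rows))


if __name__ == "__main__":
    rows = parse_flows(constructed_flows())
    print("sweeping:", fanout_sources(rows))
    print("irc:", sorted(irc_sources(rows)))
    print("suspects:", suspects(rows))
```

On the constructed sample only 10.0.0.5 is reported: 10.0.0.8 touches three shares and a web server, which is normal use, and 10.0.0.9 talks to the IRC port without sweeping anything. Requiring both behaviours is what keeps a vulnerability scanner or a human IRC user out of the result; the cost is that a bot on a non-default IRC port is missed by the second check, so on real data the sweep list is worth reviewing on its own as well.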

#6 usherer

Posted 28 July 2004 - 02:03 PM

Hey Marianna! :wave:


THANKS A MILLION
:love: :love: :love:

I LOVE YOU.

YOU. ARE. A. GENIUS.

The Kephyr site seems to be right! I did suffer from those on my previous PC and this one too! OK, am gonna uninstall Blubster like right NOW.

BTW, the critical patches I d/l couldn't be opened. They said that the patches couldn't be opened with a win 32 application.



HURRAY! Life is beautiful again!!

#7 usherer

Posted 28 July 2004 - 02:04 PM

BTW, what software do you use to d/l mp3s then? Kazaa?

#8 Marianna

Posted 28 July 2004 - 02:41 PM

Hi usherer :)

You Are Very Welcome :bounce: Glad we could help :)

Microsoft had some problems this morning - I found out :lol:

Go here for Microsoft Security Bulletin MS03-026

http://www.microsoft...n/MS03-026.mspx

and here for the other one:

http://www.microsoft...n/MS03-007.mspx

KaZAA ???? NEVER !

I still have WinMX :)


Happy SAFE Surfing :)



