
A doozie of a problem!

Discussion in 'Virus & Other Malware Removal' started by Ingenou, Jan 27, 2003.

  1. mtbird (joined Dec 10, 2001; 3,687 messages)
    Hi Paul.....
    I've sent out a call for one of our virus gurus to take a look at this.....there's a couple of things that concern me. This area is not my forte, so I want to get a good opinion.
    Might take a little while, so hang in there :)

    Debe
     
  2. mtbird (joined Dec 10, 2001; 3,687 messages)
    Paul......
    Please go here......

    http://www.spywareinfo.com/articles/hijacked/

    and download the program "Hijack This". Unzip the program, click on the .exe and run the scan. Once the scan is done, click on save log. Please post the results for us to look at.


    Debe
     
  3. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    Hi

    Downloaded as you suggested, but can't find the .zip file, all I have is a whole raft of 'DAT' files of approximately 100Kb each. Curiouser and curiouser.

    I also noticed that I now have an auto-dialler to a sex-site installed, which, considering I have a cable modem and not a dial-up, suggests that this application arrived via means other than deliberate or erroneous actions on my part.

    Anyone got a quill pen & an abacus for sale? I'm getting to the end of my tether with computers! :confused:
     
  4. mtbird (joined Dec 10, 2001; 3,687 messages)
    Paul.....
    I'm thinking we need a priest and an exorcist :eek: :D

    Did you download the zip file to your desktop? Try this.....right click on your desktop. Click "new", then folder. It will place a new folder on your desktop. Name it whatever you like. Now download the zip file again. This time be sure to save it to your desktop. Click on the file and it should bring up your Zip program to unzip it. When it asks where you want to unzip the files to, browse to the new folder you made. You should then have a file in this folder called Hijack This. Click on it and run the scan. After the scan is complete, click save log. Save to a convenient location and copy and paste the results here.

    It also looks like you have a backdoor trojan......

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACKTACK.B

    Be sure to run the online scan from TrendMicro. Follow the instructions at the link and it should clean this out.

    Next......( I know, when will this end :( )......go here...

    http://spybot.eon.net.au/index.php?lang=en&page=download

    and download the SpyBot 1.1 program. Save it to your desktop. Click on the file and install. With the program open, look on the left side for "online". Click this and then click on "search for updates", then download the updates. Now run the scan. Anything that it finds in red can safely be removed. Hopefully this will find the new nastie you have !!

    Ok.....deep breath ;) good luck !

    I'm requesting this be moved to the security forum for better help.

    Debe
     
  5. Dark Star (joined Jun 8, 2001; 3,054 messages)
    Ingenou...

    It looks like you're getting some excellent help in here from mtbird. :D

    I've never heard of "IBS" but anything that's 93.41 MB and appears to be growing in any system needs to be looked at closely. I did find this info while Google searching IBS... perhaps you'll recognize it.

    "Download this free IBS screen saver today. View dynamic and compelling images from around the world...."

    http://www.eurobible.net/eu/home/download/index.php

    Or IBS may also be.....

    "IBS was created to support the newly emerging home security market. Since 1982, IBS has become a leader in the security industry with installations around the world."

    http://www.ibsoft-us.com/aboutus.html
     
  6. jm100dm (joined May 26, 1999; 994 messages)

  7. TonyKlein, Malware Specialist (joined Aug 26, 2001; 10,392 messages)
    You have more than just Commonname.
    There are Exactsearch, eAnthology and Medialoads Browser plugins as well, and a number of bad ActiveX objects.

    And there are these, which I don't trust:

    CORESYS = C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE
    CoreSrv = "C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE "

    What directory do you have in Program Files whose name begins with "Access..."?

    You really need to post a Hijack This log.

    Can you do that?

    HT will also allow us to remove the offending items.
     
  8. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    I attempted to go to 'Housecall' via Netscape (my default browser), but it just hangs. However, I got there straight away on IE and am now downloading the HouseCall software for a scan.

    Hijack This has generated a log, which I have saved, but I have no idea how to send it to this forum!?

    IBS: Neither of those suggestions rang any bells whatsoever...

    Thanks
     
  9. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    Thanks for all the suggestions - can't get rid of 'Common Name' in IE Tools/Internet Options etc., because it's not showing as there!

    I have a folder in Program Files entitled 'Access', but it's empty....
    pretty weird, huh?


    Logfile of HijackThis v1.91.2
    Scan saved at 12:02:04 PM, on 1/29/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.msn.co.uk/
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - c:\progra~1\exact\exacttoolbar00038.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [CORESYS] C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE
    O4 - HKLM\..\Run: [CoreSrv] "C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE "
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: NeoTrace It! (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: HushEncryptionEngine - https://mailserver4.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://www.exactsearchbar.com/mailcom/Download/Standalone/exactSetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.1431712963
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} - http://runonce.msn.com/setacceptlang.cab
    O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOCUME~1\PAULKE~1\APPLIC~1\drpprcrdodoa.dll
    O18 - Protocol: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40} -
     
  10. TonyKlein, Malware Specialist (joined Aug 26, 2001; 10,392 messages)
    OK, do this:

    Run Hijack This, and check ALL of the items in bold. Double-check so as to be sure not to miss a single one.
    Next, shut down all Internet Explorer windows, and have HT fix all checked.
    Reboot when you're done.


    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse0.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL
    O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - c:\progra~1\exact\exacttoolbar00038.dll

    O4 - HKLM\..\Run: [CORESYS] C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE
    O4 - HKLM\..\Run: [CoreSrv] "C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE "

    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

    O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} - http://expressit.broderbund.com/Plu...tings/vroom.CAB
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://www.exactsearchbar.com/mailc.../exactSetup.exe
    O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ul...er_Enhancer.exe
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB

    O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOCUME~1\PAULKE~1\APPLIC~1\drpprcrdodoa.dll
    O18 - Protocol: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
     
  11. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    In Task Manager, I have five (5) svchost.exe processes running: 3 'User Name' SYSTEM, 1 'User Name' LOCAL SERVICE and 1 'User Name' NETWORK SERVICE.
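Several svchost.exe processes under SYSTEM, LOCAL SERVICE and NETWORK SERVICE is ordinary on Windows XP: the service control manager starts one svchost.exe per service group, and those are the three accounts it uses. What a reviewer checks is whether each instance actually hosts services. The Python script below is an added example, not code from this thread; it parses the output of `tasklist /svc` (the sample listing is constructed in that command's column layout, not captured from Paul's machine) and flags an svchost.exe that hosts nothing at all, plus any image whose name merely resembles svchost.exe.

```python
"""Sort genuine svchost.exe instances from suspect ones using `tasklist /svc`.
Added example for this thread; the sample output below is constructed."""
import re
from typing import List, Tuple

# Constructed sample in the column layout `tasklist /svc` prints on Windows XP.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    840 RpcSs
svchost.exe                    904 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc
svchost.exe                   1012 Dnscache, LmHosts
svchost.exe                   1124 SSDPSRV, WebClient
svchost.exe                   1176 Netman, WZCSVC
svchost.exe                   1500 N/A
scvhost.exe                   1644 N/A
explorer.exe                  1700 N/A
"""

# image name (may contain spaces), PID, then the comma-separated service list
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$")


def parse_tasklist_svc(text: str) -> List[Tuple[str, int, List[str]]]:
    """Return (image, pid, [services]) per row; an 'N/A' column becomes []."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # header and separator rows
        m = ROW_RE.match(line)
        if not m:
            continue
        raw = m.group("services").strip()
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",") if s.strip()]
        rows.append((m.group("image").strip(), int(m.group("pid")), services))
    return rows


def suspicious_svchost(rows) -> List[Tuple[int, str]]:
    """svchost.exe exists only to host services, one instance per service group.
    An instance hosting no service, or an image that only looks like svchost.exe
    (scvhost, svch0st, ...), is what deserves a second look."""
    findings = []
    for image, pid, services in rows:
        name = image.lower()
        if name == "svchost.exe":
            if not services:
                findings.append((pid, "svchost.exe hosting no services"))
        elif re.fullmatch(r"s(?:vc|cv)h[o0]st\.exe", name):
            findings.append((pid, f"look-alike image name {image}"))
    return findings


if __name__ == "__main__":
    for pid, why in suspicious_svchost(parse_tasklist_svc(SAMPLE_TASKLIST)):
        print(f"PID {pid}: {why}")
```

Run it against real output with `tasklist /svc > svc.txt` and feed the file to `parse_tasklist_svc`; the script does not show the image path, so a flagged PID still needs its on-disk location confirmed (a genuine svchost.exe lives in %SystemRoot%\System32).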
     
  12. TonyKlein, Malware Specialist (joined Aug 26, 2001; 10,392 messages)

  13. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    Hi, I did what you suggested and then rebooted.

    Everything seems OK. I did another 'Hijack This' scan and the only thing I seem to have left is that 'CNBabe' item - do you think it's Ok as it is now?

    Many thanks to you and to all who have been so much help! I really appreciate it.
     
  14. TonyKlein, Malware Specialist (joined Aug 26, 2001; 10,392 messages)
    The Cnbabe item is an orphaned BHO, as the file is reported "missing".

    It's harmless now, and I guess you can finally be pronounced spyware-free :)

    Happy surfing!
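The removal list in post 10 and the "orphaned BHO" remark in post 14 are the kind of judgement a reviewer makes line by line over a HijackThis log. As an added example, not code from this thread or from HijackThis itself, the Python script below parses a log in the format posted above into typed entries and attaches the heuristic flags a reviewer would start from: a BHO or protocol handler with no file behind it (an orphan, like the BabeIE entry), one binary registered under two Run values (CORESYS and CoreSrv), a protocol-handler DLL sitting in the user profile, and an ActiveX (O16) download that points straight at an .exe or at a local file. The sample log is a subset of the lines posted in this thread; the heuristics and the `parse`, `triage` and `flagged` functions are this example's own, and the flags are prompts for a human, not verdicts.

```python
"""Triage a HijackThis (v1.9x) log: parse each line into a typed entry and
attach heuristic flags of the kind a malware-removal helper applies by hand.
Added example; not part of HijackThis itself."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample built from the log posted in this thread (a subset of its lines).
SAMPLE_LOG = r"""Logfile of HijackThis v1.91.2
Scan saved at 12:02:04 PM, on 1/29/2003
Platform: Windows XP (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.msn.co.uk/
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [CORESYS] C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE
O4 - HKLM\..\Run: [CoreSrv] "C:\PROGRA~1\ACCESS~1\EXPL32\CORESRV.EXE "
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} - http://www.exactsearchbar.com/mailcom/Download/Standalone/exactSetup.exe
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://D:\Resources\IntraLaunch.CAB
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOCUME~1\PAULKE~1\APPLIC~1\drpprcrdodoa.dll
O18 - Protocol: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40} -
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"
SEP_RE = re.compile(r"\s+-(?:\s+|$)")  # HijackThis joins fields with " - "


@dataclass
class Entry:
    kind: str                 # section code: O2 (BHO), O4 (Run key), O16 (DPF), ...
    body: str                 # text after "O2 - "
    clsid: Optional[str]      # first CLSID on the line, upper-cased
    target: Optional[str]     # file path, URL or command the entry resolves to
    flags: List[str] = field(default_factory=list)


def _target_of(kind: str, body: str) -> Optional[str]:
    if kind == "O4":
        # "HKLM\..\Run: [Name] C:\path\prog.exe args" -> the command line
        m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
        return (m.group(1).strip() or None) if m else None
    parts = SEP_RE.split(body)
    if len(parts) < 2:
        return None
    tail = parts[-1].strip()
    if not tail or CLSID_RE.fullmatch(tail):
        return None  # nothing after the CLSID: the registration is dangling
    return tail


def parse(log: str) -> List[Entry]:
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # "Logfile of", "Platform:" and blank lines
        kind, body = m.group("kind"), m.group("body")
        c = CLSID_RE.search(body)
        entries.append(Entry(kind, body, c.group(0).upper() if c else None,
                             _target_of(kind, body)))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach heuristic flags. They are prompts for a reviewer, not verdicts."""
    run_by_exe: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        t = e.target or ""
        if e.kind in ("O2", "O3", "O18") and (not t or t == "(no file)" or e.clsid == NULL_CLSID):
            e.flags.append("orphaned: CLSID registered but no file behind it")
        if e.kind == "O18" and re.search(r"\\(APPLIC~1|Application Data)\\", t, re.I):
            e.flags.append("custom protocol handler DLL lives in the user profile")
        if e.kind == "O16":
            if t.lower().endswith(".exe"):
                e.flags.append("ActiveX download points straight at an .exe")
            elif t.lower().startswith("file://"):
                e.flags.append("ActiveX object installed from a local file")
        if e.kind == "O4":
            m = re.match(r'"?(.*?\.exe)', t, re.I)
            if m:
                run_by_exe[m.group(1).lower()].append(e)
    for exe, es in run_by_exe.items():
        if len(es) > 1:  # CORESYS / CoreSrv: one binary, two Run values
            for e in es:
                e.flags.append(f"same binary registered {len(es)} times under Run: {exe}")
    return entries


def flagged(log: str) -> List[Entry]:
    return [e for e in triage(parse(log)) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:4} {e.body[:70]}")
        for f in e.flags:
            print(f"       -> {f}")
```

The orphan rule is the one behind post 14: a CLSID that is still registered but whose DLL is gone cannot be loaded, so the leftover BHO is harmless, though fixing it keeps later logs clean. The other rules only narrow the list; a legitimate installer can also ship as a DPF .exe, so each flag still needs a human decision, exactly as in the thread.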
     
  15. Ingenou, Thread Starter (joined Dec 3, 2002; 74 messages)
    Thank you!!

    Any suggestions as to which anti-virus app. is best? I was using Norton, then I saw it rated 3rd in two surveys and downloaded F-Secure (which completely hangs the system, by the way), now I'm not running one at present, but have XP firewall & Sygate Personal Firewall running.

    I'm also looking for an 'IP address blanker' - so that I don't broadcast my IP addy for hackers to roll right on in... know of anything like that?

    I must say I'm very impressed with all you guys and that last bit was extremely expert!! Sincere compliments!

    Thanks
     
Short URL to this thread: https://techguy.org/115559
