
Computer problems, possible worm, HJT log inside.

Discussion in 'Virus & Other Malware Removal' started by Neo95gt, Sep 4, 2003.

Thread Status:
Not open for further replies.
  1. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    Hey guys, I've never posted here but I was directed here and hopefully you guys could help me out. Long story short, I got like 300 emails pertaining to the sobig virii and a couple days later my computer couldn't start up without safe mode (I would get the blue screen). Somehow I finally got it to start up normally and I got one of the CD drives to work, but my internet still barely works. I am unable to download anything, which means I cannot update my Norton. However, I ran the sobig worm remover from a CD but it crashes during the process. I managed to run HijackThis though and here is the log:

    Logfile of HijackThis v1.96.4
    Scan saved at 8:58:22 PM, on 9/3/2003
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\PackethSvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\sobighijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wish7.com/search/frame.py
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.offtopic.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Rob W\Application Data\Mozilla\Profiles\default\52ddflm7.slt\prefs.js)
    O2 - BHO: (no name) - {AB78D10B-782A-4917-A0CB-1AC631C5DBAE} - C:\WINNT\system32\ppyksxbk.dll
    O2 - BHO: (no name) - {F94723C8-3D83-41CA-BCE0-8998844415A2} - C:\WINNT\system32\mob030612.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: ChatSpace Java Client 2.0.0.64 - http://24.157.231.56/Java/cs4ms064.cab
    O16 - DPF: ESPN.com NBA GameCast - http://scores.espn.go.com/java/NBAGameCastInstall.cab
    O16 - DPF: Yahoo! Checkers - http://download.yahoo.com/games/clients/y/kr0_x.cab
    O16 - DPF: Yahoo! Hearts - http://download.yahoo.com/games/clients/y/hs0_x.cab
    O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/m6/msgr.cab
    O16 - DPF: Yahoo! Spades - http://download.yahoo.com/games/clients/y/ss0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://www.liveupdate.com/controls/getcab2.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.oddworldz.com/royale/everquest.exe
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456...players/english/5.0/win/PulsePlayer5AxWin.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://communities.msn.com/central/msnchat4.cab

    I've already checked and fixed O2 - BHO: (no name) - {AB78D10B-782A-4917-A0CB-1AC631C5DBAE} - C:\WINNT\system32\ppyksxbk.dll
    O2 - BHO: (no name) - {F94723C8-3D83-41CA-BCE0-8998844415A2} - C:\WINNT\system32\mob030612.dll

    Does anything else raise a flag? Thanks for any help.

    -Rob
     
  2. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    Anybody see anything weird in the log???
     
  3. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I'm the one that suggested this forum. This guy {I guess a guy} needs some help from some real HJT log experts.

    BillC
     
  4. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    Hehe, yeah, I am a guy... I looked at the HJT tutorial, but to me nothing looked suspicious. Can anyone else look it over for me?
     
  5. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi neo95gt,

    Bill asked me to have a look for you. The only thing that jumps out is the big lack of O4 entries. You have only one, and that's not even a necessary one. I'm going out now, but first (and I'm not up on 2K) could you go to Start | Run and type in msconfig and click the Startups tab. Please let me know what you have running. (These will be the "ticked" entries.)

    If none are ticked, then could you please go to http://www.pacs-portal.co.uk/startup_pages/startup_all.php and just run down that list, and any you have marked with a Y in the left hand column, please tick in msconfig.

    And see if you're running more smoothly.

    And if you can connect at all, could you run an online virus scan from here.

    Sorry that's rushed, but I'll be back in a couple of hours, and I'll see how you're getting on.

    Cheers

    Liam
     
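As an added illustration of the kind of triage Liam is doing on the log above (this is example code written for this page, not code from the thread or from HijackThis), a small Python script that parses lines in the HJT format, flags the unnamed O2 BHOs and the O16 downloads worth a second look, and counts the O4 startup entries he remarks on. The input lines are a subset copied from the log posted earlier; the "suspicious" heuristics are this example's own and only say what deserves a closer look, not what is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed input: a subset of lines copied from the HijackThis log in post #1.
HJT_LOG = r"""
O2 - BHO: (no name) - {AB78D10B-782A-4917-A0CB-1AC631C5DBAE} - C:\WINNT\system32\ppyksxbk.dll
O2 - BHO: (no name) - {F94723C8-3D83-41CA-BCE0-8998844415A2} - C:\WINNT\system32\mob030612.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: ChatSpace Java Client 2.0.0.64 - http://24.157.231.56/Java/cs4ms064.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.oddworldz.com/royale/everquest.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(log):
    """Split each 'Oxx - detail' line into (section, detail) pairs."""
    entries = []
    for line in log.strip().splitlines():
        section, _, detail = line.partition(" - ")
        if section and detail:
            entries.append((section, detail))
    return entries


def triage(log):
    """Return (flags, o4_count): findings worth a second look, plus the
    number of O4 startup entries (Liam's point: a near-empty O4 list is odd)."""
    flags = []
    o4_count = 0
    for section, detail in parse_hjt(log):
        if section == "O2" and detail.startswith("BHO: (no name)"):
            # A BHO with no name living in system32 deserves a closer look.
            dll = detail.rsplit(" - ", 1)[-1]
            flags.append(f"unnamed BHO: {dll}")
        elif section == "O4":
            o4_count += 1
        elif section == "O16":
            # O16 = Download Program Files; the last field is the download URL.
            url = urlparse(detail.rsplit(" - ", 1)[-1])
            if IPV4_RE.match(url.hostname or ""):
                flags.append(f"DPF from raw IP host: {url.geturl()}")
            if url.path.lower().endswith(".exe"):
                flags.append(f"DPF delivers an executable: {url.geturl()}")
    return flags, o4_count


if __name__ == "__main__":
    found, count = triage(HJT_LOG)
    print(f"O4 entries: {count}")
    for f in found:
        print("  ", f)
```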
  6. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    OK, first of all, when I try to run msconfig it doesn't work... it says like "invalid blah blah something" which I don't get at all. Is there any other way to view msconfig? And I couldn't run that online virus scan; I'll keep trying though, the website just can't load, like 1 hour gets 1/4 of the page done. Please give me your thoughts on this nonsense. lol, this is weird.
     
  7. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi, neo..

    I told you I wasn't up on 2K, and I just proved it.. :( :D There isn't an msconfig utility for 2K, but I've found some workarounds you could try, and this site lists them.

    http://www.freelists.org/archives/win2kforum/09-2002/msg00008.html

    It'll be basically the same principle as described in the last post, whichever one you decide on.

    I'm off to work in a few minutes, but there are plenty of people here that know their stuff, so if you have any problems with this, just ask.

    I think that we may have to leave the scan for now, and just get you running first.

    Cheers

    Liam
     
  8. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    Hmm, OK, I downloaded one of those programs. I don't know if it's even running right. Nothing showed up in any of the tabs on the Startup Control Panel by Mike Lin except for something called "mobsync". Shouldn't there be more than 1??? I'm confused.
     
  9. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    I have another question: is there a program out there that I could download onto a CD so I could then run it on my computer and do the virus scan from the CD??? There has to be a small virus scan program that has all the new worms so it could at least do a scan.
     
  10. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    Oh, and the only reason no programs showed before is because I have another program called Startup Cop or something and I disabled everything on startup...
     
  11. Neo95gt

    Neo95gt Thread Starter

    Joined:
    Sep 4, 2003
    Messages:
    18
    help???
     
  12. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi neo, apologies but my own PC has been playing up at times today. (Good advert, huh?) :)

    I really don't think that startupcop is configured right, possibly as a result of your viri.

    This will bump the thread up again so someone can have a look at it, who knows more than me. :)

    Cheers

    Liam
     
  13. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    If I find any of the 'real HJT log experts', I'll let you know. :)
     
  14. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    I would like to get a look at the latest HJT log.

    The good news is that Sobig expires on Sept 10. I hope the worm knows this also. :)
     
  15. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Chances are that it is not YOU that has the sobig virus/worm, but someone that has your email address in their address book.

    The way that sobig and many other email virii work is to 'spoof' a return address from one that is found in the infected PC. The mail gets sent out with YOUR address as the return address and not the real sender's address. This is a tactic used to prevent back tracking to find the TRUE infected PC.

    When the email is detected as having a virus, the ISP returns the email to the "Return address", which in this case is not the REAL sender's address, but one falsified from the sender's address book.

    So you can be totally CLEAN and still get these 'bounce back' reports. The good news is, it's all supposed to come to an end on Sept 10th, so grit your teeth and hang in there.
     
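To make NiteHawk's point concrete, here is an added Python example (written for this page, not from the thread) that reads a bounce message, digs out the original message the rejecting server attached, and checks whether the topmost Received: header, the only hop written by a server the recipient controls, names one of your own mail relays; if it does not, the bounce is backscatter from a spoofed From: and your machine is not the sender. The bounce text, the host names and the list of "our" relays are all constructed for the example.

```python
import email
import re

# Assumed: the relays that legitimately send our outbound mail.
OUR_RELAYS = {"mail.home.example"}

# Constructed DSN: the victim's MX returned a message whose From: was forged
# to our address. The lower Received: line was written by the infected PC's
# ISP, the top one by the victim's MX when the ISP's server connected to it.
BOUNCE = """\
From: MAILER-DAEMON@mx.victim.example
To: rob@home.example
Subject: Undeliverable: Re: Thank you!
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered: virus detected.
--B1
Content-Type: message/rfc822

Received: from mail.isp.example (mail.isp.example [203.0.113.5])
        by mx.victim.example with ESMTP; Thu, 4 Sep 2003 08:12:00 -0400
Received: from pc-infected (dsl-77.other.example [198.51.100.77])
        by mail.isp.example with SMTP; Thu, 4 Sep 2003 08:11:58 -0400
From: rob@home.example
To: someone@victim.example
Subject: Re: Thank you!

Please see the attached file for details.
--B1--
"""


def original_received(bounce_text):
    """Received: headers of the original message embedded in the DSN, or []."""
    msg = email.message_from_string(bounce_text)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]
            return inner.get_all("Received", [])
    return []


def connecting_host(received):
    """Host named in the 'from' clause of one Received: header."""
    m = re.match(r"from\s+([^\s(]+)", received.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_backscatter(bounce_text, our_relays=OUR_RELAYS):
    """True if the message never came from our relays (spoofed From:),
    False if it did, None when no original message is attached.
    Only the topmost hop is trusted: lower ones can be forged by the sender."""
    hops = original_received(bounce_text)
    if not hops:
        return None
    return connecting_host(hops[0]) not in our_relays
```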
Short URL to this thread: https://techguy.org/162220