
Never let your house guest "Just check their E-Mails" on your P.C.

Discussion in 'Virus & Other Malware Removal' started by Boredofu, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Meh I'm back again.

    Apparently my P.C. is infected by a blaster worm.

    My ISP has suspended my account (I'm using a dial up) and has kindly sent me a bunch of downloads to sort out my P.C. before "automatically reinstating my service", but they are for Windows 2000 and I'm running on '98.

    "You may be aware of the "MSblast/Lovesan" or "Welchia" computer viruses which are currently circulating the internet.

    Your PC has since been identified as potentially being infected by one (or both) of the above viruses and is therefore sending large volumes of data via your internet connection."

    Logfile of HijackThis v1.97.2

    Scan saved at 10:34:52, on 01/10/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\REGPROT\REGPROT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youthink.com/forums.asp
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
    O4 - HKLM\..\Run: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE"
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKCU\..\Run: [AKiller] "C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE"
    O4 - Startup: DiamondCS Homepage.lnk = C:\RegProt\DiamondCS Homepage.url
    O4 - Startup: Advertising Killer.lnk = C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: Spybot - Search & Destroy (advanced).lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Downloads (HKCU)
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs4.chat.yahoo.com/v43/yacscom.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.co.uk/scr/MsnPUpld.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.2744212963
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

    You guys cleaned house for me last friday.

    Is there anything to this "potential" or could this be connected to the problem I had last week with C2lop and Xupiter?
     
  2. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi Boredofu..

    Could be a hoax, as MSBlast doesn't affect W98. I'm just going to check if the same applies to Welchia.

    Edit: Nor does Welchia. But just in case something else is in there, go to http://housecall.trendmicro.com/housecall/start_corp.asp and run the online scan.

    Cheers

    Liam
     
  3. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Well I have an all-inclusive online connection. (We don't get broadband in the outback of London!)

    When I sign in I get a message from the ISP telling me that my service is disconnected because of the amount of traffic that is being generated through my PC.
     
  4. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    When I dial up I am automatically routed to this page:

    http://outbreak.ntli.net/

    and receive this message

    Virus Infection Alert

    You may be aware of the "MSblast/Lovesan" or "Welchia" computer viruses which are currently circulating the internet. We recently sent an email to all our customers advising of the above viruses and requested that each customer installed the relevant security patches on their computer and suggested the use of a firewall.

    Your PC has since been identified as potentially being infected by one (or both) of the above viruses and is therefore sending large volumes of data via your internet connection. This will degrade the performance of both your internet connection and that of other ntl internet customers.

    In addition to these viruses, on September 10th Microsoft announced another vulnerability in Windows which could result in your computer security being compromised by a virus. The Microsoft Windows patches available for download from this site are the latest patches, which address this new issue.

    To allow you to take the necessary steps to protect yourself from these viruses we have temporarily suspended your internet connection.

    To reinstate your internet service, please complete all the steps on the next page to disinfect and protect your PC.


    Firstly please select the operating system on your computer from these options:

    Windows 2000
    Windows XP
     
  5. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,242
    Hi,

    I think the best bet would be to contact NTL.. but not their tech line. Contact Sales.. that way you get a person straight away, for the obvious reason that you might give them money, then let them put you through to tech.... handy hint 645.. :)

    Explain the problem, and see if they can tell you what traffic is being sent. You're using Norton so see if you can have a look at the firewall log, just preceding your disconnection.. if it keeps them. I don't use Norton, so couldn't advise more.

    Run your Anti-Virus and see what that comes up with. I presume you'll be up to date, for updates.. :) (Dodgy English, but we're English, so we're allowed) :D

    Another reason to presume a hoax, and a possible hack...

    This is the actual link to the advice, via the NTL homepage..

    http://homepage.ntlworld.com/virus.outbreak/

    Identical page, but I don't see why it would be set up under two different URLs. (The code for both pages is identical). Also, the second page on the genuine link gives further NTL links for virus information (at the very bottom) whereas your link doesn't.

    Just looks suspicious, but then that could be from being here too long. :D

    You could ask for verification that the link is bona-fide while you're there.

    Hope this gives a bit to go on, and we'll see if someone else has any ideas.

    As far as the log goes, the only entry that has come back is..

    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab


    So it wouldn't hurt to fix that anyway.

    Cheers

    Liam

    EDIT: I've just had another look and the winxp-039.exe (on the genuine NTL page) is the genuine patch, and the winxp.exe (on your link) is some kind of generic driver executable. :confused: :)
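Liam's suggestion above is to look at the firewall log just before the disconnection and see what traffic the PC was actually sending. The script below is an added example and is not code from the thread or from any of the tools in it: it parses a constructed, generic firewall log layout (date, time, action, protocol, src -> dst; not the real ZoneAlarm or Norton export format, so the regex would need adapting) and flags the outbound patterns those two worms are known to produce: MSBlast probes TCP 135 (RPC/DCOM, MS03-026) on sequential addresses, shells on TCP 4444 and fetches its binary over TFTP (UDP 69); Welchia runs an ICMP echo sweep first and then goes for TCP 135. The local address and every log line are made up for the example.

```python
"""Added example: triage a firewall log for MSBlast/Welchia-style outbound traffic.

Log format is a constructed assumption, e.g.
  "2003-10-01 09:58:01 BLOCK TCP 62.30.1.10:1041 -> 62.30.7.1:135"
  "2003-10-01 09:58:21 ALLOW ICMP 62.30.1.10 -> 62.30.7.200"
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_log(lines):
    """Yield parsed records; lines that do not match the assumed layout are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"]) if rec["dport"] else None
            yield rec


def longest_consecutive_run(hosts):
    """Length of the longest run of numerically consecutive IPv4 targets.

    MSBlast walks the last octet sequentially, so a long run is a strong signal
    compared with the scattered destinations of normal browsing.
    """
    nums = sorted({int(ipaddress.IPv4Address(h)) for h in hosts})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyse(lines, local_ip, min_targets=5):
    """Count distinct destinations per worm indicator for traffic FROM local_ip.

    Only outbound records matter here: the ISP's claim is that the PC itself is
    "sending large volumes of data", so inbound scans against it are ignored.
    """
    targets = defaultdict(set)  # indicator name -> set of destination hosts
    for rec in parse_log(lines):
        if rec["src"] != local_ip:
            continue
        if rec["proto"] == "TCP" and rec["dport"] == 135:
            targets["tcp135"].add(rec["dst"])       # RPC/DCOM probe
        elif rec["proto"] == "TCP" and rec["dport"] == 4444:
            targets["tcp4444"].add(rec["dst"])      # MSBlast command shell
        elif rec["proto"] == "UDP" and rec["dport"] == 69:
            targets["tftp"].add(rec["dst"])         # msblast.exe fetched at infection time
        elif rec["proto"] == "ICMP":
            targets["icmp"].add(rec["dst"])         # Welchia ping sweep

    summary = {name: len(hosts) for name, hosts in targets.items()}
    summary["tcp135_run"] = longest_consecutive_run(targets["tcp135"])

    if summary.get("tcp135", 0) >= min_targets and summary["tcp135_run"] >= min_targets:
        verdict = "msblast-like"   # many sequential port-135 targets
    elif summary.get("icmp", 0) >= min_targets and summary.get("tcp135", 0) > 0:
        verdict = "welchia-like"   # ping sweep followed by port-135 connects
    elif summary.get("tcp135", 0) >= min_targets:
        verdict = "rpc-scan"       # port-135 scanning without the sequential walk
    else:
        verdict = "clean"
    summary["verdict"] = verdict
    return summary


# Constructed sample: two normal lines, a sequential port-135 burst, one TFTP
# line, one outbound ping and one inbound ping that must be ignored.
LOCAL_IP = "62.30.1.10"
SAMPLE_LOG = [
    "2003-10-01 09:57:40 ALLOW UDP 62.30.1.10:1027 -> 194.168.4.100:53",
    "2003-10-01 09:57:41 ALLOW TCP 62.30.1.10:1028 -> 66.218.71.198:80",
] + [
    f"2003-10-01 09:58:{s:02d} BLOCK TCP 62.30.1.10:{1040 + s} -> 62.30.7.{s}:135"
    for s in range(1, 13)
] + [
    "2003-10-01 09:58:20 BLOCK UDP 62.30.1.10:1060 -> 62.30.7.3:69",
    "2003-10-01 09:58:21 ALLOW ICMP 62.30.1.10 -> 62.30.7.200",
    "2003-10-01 09:58:22 ALLOW ICMP 10.0.0.9 -> 62.30.1.10",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, LOCAL_IP))
```

On the constructed sample the verdict comes back "msblast-like" with twelve consecutive port-135 targets; the first two lines alone come back "clean". A Windows 98 machine has no RPC/DCOM endpoint for either worm to run on, so if a log from such a machine showed this pattern the most likely explanation would be a mis-attributed address rather than an infection, which is exactly the point worth putting to the ISP.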
     
  6. DaveBurnett

    DaveBurnett Account Closed

    Joined:
    Nov 11, 2002
    Messages:
    12,970
    I also think this is suspicious. These worms show up in HijackThis and, as already said, only affect 2000/XP. Your machine does not have them.
     
  7. Boredofu

    Boredofu Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    86
    Heh, I'd actually followed the sales tech support group and there was an embargo on my account.

    Of course they had no details of traffic whatsoever and when I said I ran Windows '98 they said that a third possible (unnamed) virus which was mentioned on that link may have been the problem.

    When I said that I had no virus they reinstated my account without further investigation or explanation.

    At least I had the authority of your expertise to slap them with.

    Thanks again serious Net guards.

    Last week I was telling people about you guys and how my PC had colonic irrigation.
     
Short URL to this thread: https://techguy.org/168750