Never let your house guest "Just check their E-Mails" on your P.C.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Boredofu (Thread Starter, joined Sep 25, 2003, 86 messages)
Meh, I'm back again.

Apparently my P.C. is infected by a blaster worm.

My ISP has suspended my account (I'm using a dial-up) and has kindly sent me a bunch of downloads to sort out my P.C. before "automatically reinstating my service", but they are for Windows 2000 and I'm running on '98.

"You may be aware of the "MSblast/Lovesan" or "Welchia" computer viruses which are currently circulating the internet.

Your PC has since been identified as potentially being infected by one (or both) of the above viruses and is therefore sending large volumes of data via your internet connection."

Logfile of HijackThis v1.97.2

Scan saved at 10:34:52, on 01/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\REGPROT\REGPROT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youthink.com/forums.asp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE"
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [AKiller] "C:\PROGRAM FILES\BUYPIN SOFTWARE\ADVERTISING KILLER\AKILLER.EXE"
O4 - Startup: DiamondCS Homepage.lnk = C:\RegProt\DiamondCS Homepage.url
O4 - Startup: Advertising Killer.lnk = C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Spybot - Search & Destroy (advanced).lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Downloads (HKCU)
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs4.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://communities.msn.co.uk/scr/MsnPUpld.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.2744212963
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

You guys cleaned house for me last friday.

Is there anything to this "potential" or could this be connected to the problem I had last week with C2lop and Xupiter?
 

Boredofu (Thread Starter, joined Sep 25, 2003, 86 messages)
Well, I have an all-inclusive online connection. (We don't get broadband in the outback of London!)

When I sign in I get a message from the ISP telling me that my service is disconnected because of the amount of traffic that is being generated through my PC.
 

Boredofu (Thread Starter, joined Sep 25, 2003, 86 messages)
When I dial up I am automatically routed to this page:

http://outbreak.ntli.net/

and receive this message:

Virus Infection Alert

You may be aware of the "MSblast/Lovesan" or "Welchia" computer viruses which are currently circulating the internet. We recently sent an email to all our customers advising of the above viruses and requested that each customer installed the relevant security patches on their computer and suggested the use of a firewall.

Your PC has since been identified as potentially being infected by one (or both) of the above viruses and is therefore sending large volumes of data via your internet connection. This will degrade the performance of both your internet connection and that of other ntl internet customers.

In addition to these viruses, on September 10th Microsoft announced another vulnerability in Windows which could result in your computer security being compromised by a virus. The Microsoft Windows patches available for download from this site are the latest patches, which address this new issue.

To allow you to take the necessary steps to protect yourself from these viruses we have temporarily suspended your internet connection.

To reinstate your internet service, please complete all the steps on the next page to disinfect and protect your PC.


Firstly please select the operating system on your computer from these options:

Windows 2000
Windows XP
 
(Joined Jun 19, 2003, 1,241 messages)
Hi,

I think the best bet would be to contact NTL... but not their tech line. Contact Sales... that way you get a person straight away, for the obvious reason that you might give them money, then let them put you through to tech... handy hint 645.. :)

Explain the problem, and see if they can tell you what traffic is being sent. You're using Norton, so see if you can have a look at the firewall log just preceding your disconnection... if it keeps them. I don't use Norton, so couldn't advise more.

Run your Anti-Virus and see what that comes up with. I presume you'll be up to date, for updates.. :) (Dodgy English, but we're English, so we're allowed) :D

Another reason to presume a hoax, and a possible hack...

This is the actual link to the advice, via the NTL homepage..

http://homepage.ntlworld.com/virus.outbreak/

Identical page, but I don't see why it would be set up under two different URLs. (The code for both pages is identical). Also, the second page on the genuine link gives further NTL links for virus information (at the very bottom) whereas your link doesn't.

Just looks suspicious, but then that could be from being here too long. :D

You could ask for verification that the link is bona-fide while you're there.

Hope this gives a bit to go on, and we'll see if someone else has any ideas.

As far as the log goes, the only entry that has come back is..

O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab


So it wouldn't hurt to fix that anyway.

Cheers

Liam

EDIT: I've just had another look and the winxp-039.exe (on the genuine NTL page) is the genuine patch, and the winxp.exe (on your link) is some kind of generic driver executable. :confused: :)
 

DaveBurnett (Account Closed, joined Nov 11, 2002, 12,970 messages)
I also think this is suspicious. These worms show up in HijackThis and, as already said, only affect 2000/XP. Your machine does not have them.
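The two checks made by eye in this thread, Liam's (the only O16 entry worth a second look is the rocketpipe.com .cab) and Dave's (MSBlast/Welchia need the NT family, and the log says Windows 98 SE), written out as a small Python triage script. This is an added example, not code posted by anyone in the thread. The trusted-vendor allow-list, the trimmed sample log and all function names are my assumptions; the sample is cut down from the log quoted above.

```python
"""Triage helpers for a HijackThis v1.97-style log.

Added example for this thread, not code from any poster. It automates two
checks the reviewers made by eye:

  1. Flag O16 (Downloaded Program Files, i.e. ActiveX .cab) entries whose
     download host is not on a short vendor allow-list.
  2. Read the Platform line and report whether the box is NT-family
     (2000/XP). Windows 9x has no vulnerable DCOM RPC endpoint; MS03-026,
     the hole MSBlast and Welchia exploit, lists only the NT family.
"""
import re
from urllib.parse import urlsplit

# Constructed input: trimmed excerpt of the log quoted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.2
Platform: Windows 98 SE (Win9x 4.10.2222A)
O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/198.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.2744212963
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
"""

# Assumption: vendors whose ActiveX .cab hosting we accept on this machine.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "msn.co.uk",
                    "macromedia.com", "apple.com", "yahoo.com")

# "O16 - DPF: {CLSID} (optional friendly name) - URL"
O16_RE = re.compile(
    r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$"
)
PLATFORM_RE = re.compile(r"^Platform: (.*)$")


def host_is_trusted(host: str) -> bool:
    """Exact match or true subdomain of a trusted suffix; no substring tricks
    like microsoft.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def flag_o16(log_text: str) -> list:
    """Return the O16 entries whose download host is off the allow-list."""
    flagged = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        clsid, name, url = m.groups()
        host = urlsplit(url).hostname or ""
        if not host_is_trusted(host):
            flagged.append({"clsid": clsid, "name": name,
                            "host": host, "url": url})
    return flagged


def platform_check(log_text: str):
    """Parse the Platform line; None if the log has none.

    HijackThis writes e.g. 'Windows 98 SE (Win9x 4.10.2222A)' or
    'Windows XP (WinNT 5.01.2600)'. Only the WinNT family is exposed to
    the RPC/DCOM hole MSBlast and Welchia spread through.
    """
    for line in log_text.splitlines():
        m = PLATFORM_RE.match(line.strip())
        if m:
            platform = m.group(1).strip()
            return {"platform": platform, "nt_family": "WinNT" in platform}
    return None


if __name__ == "__main__":
    for e in flag_o16(SAMPLE_LOG):
        print(f"review O16 {e['clsid']} {e['name'] or '(no name)'} -> {e['url']}")
    info = platform_check(SAMPLE_LOG)
    if info:
        verdict = ("NT family: MSBlast/Welchia possible" if info["nt_family"]
                   else "Win9x: not an MSBlast/Welchia target")
        print(f"{info['platform']}: {verdict}")
```

Run it against a full log and the only O16 line it prints for this thread is the rocketpipe.com one; the platform line comes back as Win9x, which is the whole of Dave's point. Note what the script does not do: HijackThis is not a worm scanner, and this only confirms the log is consistent with the posters' reading. It cannot tell you what traffic the ISP actually saw, which is why the advice to ask NTL for the log entries still stands.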
 

Boredofu (Thread Starter, joined Sep 25, 2003, 86 messages)
Heh, I'd actually followed the sales tech support route and there was an embargo on my account.

Of course they had no details of traffic whatsoever, and when I said I ran Windows '98 they said that a third possible (unnamed) virus which was mentioned on that link may have been the problem.

When I said that I had no virus they reinstated my account without further investigation or explanation.

At least I had the authority of your expertise to slap them with.

Thanks again, serious Net guards.

Last week I was telling people about you guys and how my PC had colonic irrigation.
 