
[Resolved] I may have a virus, I need help!

Discussion in 'Virus & Other Malware Removal' started by Jaxxx, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Hi,

    I may have a virus that I suspect I received yesterday. I have run AVG, which comes up with a clean bill of health, but when I go to run, for example, Nero, I get the following error: "A error using COM/OLE occurs. Please check the installation of COM on your computer". I am also, for some reason, unable to right-click and cut/copy/paste.

    I have taken the advice of other posters in the forum and run HijackThis; here are the results:

    Logfile of HijackThis v1.97.3
    Scan saved at 14:49:24, on 18/10/2003
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINNT\svchost.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Real\RealOne Player\realplay.exe
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
    C:\Program Files\Common Files\Adobe\Web\AOM.exe
    D:\resources\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/
    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [hid.exe] C:\WINNT\System32\hid.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Anonymizer (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.roylinedirect.co.uk
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://download2.0190-dialer.com/VLoading.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
    O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
    O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
    O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
    O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
    O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
    O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
    O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
    O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
    O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://images.cerials.net/download_serial.exe
    O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
    O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
    O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
    O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
    O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
    O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb02.cab
    O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
    O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
    O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
    O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
    O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
    O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Serv.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS2\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100

    Obviously I would like to clean the machine up rather than wipe it completely, although that is an option just now. Can anyone help me?
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
  3. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Thanks,

    but none of these will run on my machine; IE is unable to execute the JavaScript popup requests for pages, and using Netscape none of them work. Help!
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    In that case we have a bit of a problem, but hang on for a while until we find someone to advise you on how to overcome the problem.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    We've had a few cases of the copy/paste problem on Win2k being caused by msblaster infection. Even after "curing" the blaster infection it may be necessary to upgrade your Service Pack to regain full functionality. In fact, to install the Microsoft Blaster security patch you must have SP2 or later.

    However, first things first:

    O4 - HKLM\..\Run: [hid.exe] C:\WINNT\System32\hid.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe

    We need to remove both these files. Hid.exe is probably used in some manner similar to what is described here:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html

    Let's see if we can delete them in Safe Mode. One way to start Safe Mode is to run msconfig, open the Boot.ini tab and check /safeboot

    This will have to be unchecked when done. Alternately try tapping the F8 key promptly on reboot to access the Boot menu.

    Once in Safe Mode, go to Start > Run and enter cmd

    A command shell should open. Enter exactly:

    del C:\WINNT\System32\hid.exe
    del C:\WINNT\svchost.exe


    >> Now run HijackThis and check and "fix" the two 'O4' entries specified above.

    You can run msconfig now and uncheck the /safeboot option if you used that. Reboot to normal mode and post another Scanlog.

    If clear we should proceed to updating your Service pack and getting the blaster patch.

    If the javascript problem persists, install Wscript for Win2k/XP

    http://www.microsoft.com/downloads/...43-7E4B-4622-86EB-95A22B832CAA&displaylang=en
     
  6. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Thank you for this. I will try and sort the problem following your instructions, then post the results when finished. Much appreciated.
     
  7. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Hi,

    followed your previous instructions; here is the result of the 2nd log I have run after the removal of the appropriate files:

    Logfile of HijackThis v1.97.3
    Scan saved at 15:36:13, on 19/10/2003
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    D:\resources\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/
    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Anonymizer (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.roylinedirect.co.uk
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://download2.0190-dialer.com/VLoading.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
    O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
    O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
    O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
    O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
    O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
    O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
    O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
    O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
    O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://images.cerials.net/download_serial.exe
    O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
    O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
    O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
    O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
    O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
    O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb02.cab
    O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
    O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
    O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
    O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
    O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
    O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Serv.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS2\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100

    In addition, the cut/paste/copy and javascript problem I had previously seems to have disappeared. Is there anything else I need to do?
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I should have had you remove these as well, as they seem to be search hijacks.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allcybersearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/
    O1 - Hosts: 66.40.21.73 auto.search.msn.com

    >> Good to hear about the javascript and copy/paste problem disappearing. That means we don't need to reinstall wscript or reinstall IE.

    However, since you have Win2K SP1, I don't think you can be properly protected against the RPC buffer overrun exploits, which are so dangerous these days that you are vulnerable just by going online.

    As you can see from this link, SP2 is the minimum requirement for it to be installed:

    http://www.microsoft.com/downloads/...56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en

    see also > http://forums.techguy.org/t163821/s.html

    Last but not least, I would recommend you install a firewall. Both ZoneAlarm and Sygate have free versions which are highly regarded:

    ZoneAlarm
    Sygate


    You should also install the most recent IE cumulative updates.

    See the "Virus Alerts" links on this page:

    http://www.microsoft.com/security/

    Let me know if you are having any further problems, and I will mark this as "resolved" if not. Of course what you do from here, security-wise, is up to you. I just want to acquaint you with the risks of your current configuration.
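As an added example (not code from this thread, from HijackThis or from either poster), here are the checks Rollin' Rog applies by eye in posts 5 and 8, the svchost.exe masquerade in C:\WINNT, the unrecognised hid.exe auto-start, the R1 search redirects and the O1 hosts-file entry, written as a small Python triage script over HijackThis log lines. The allowlists, the "high"/"review" severity labels and the extra O16 check for a codebase that is a bare .exe are the editor's own assumptions, not HijackThis logic; the sample input is constructed from entries in the first log posted above.

```python
"""Triage a HijackThis v1.97 log for the hijack patterns discussed in this thread.

Added example, not part of the original thread or of HijackThis. The heuristics
are the editor's own encoding of what the replies flag:
  R1  - search URL / search bar / search assistant pointing off Microsoft hosts
  O1  - hosts-file line that pins a Microsoft name to a non-loopback address
  O4  - Run entry whose binary borrows a Windows system-binary name but lives
        outside %SystemRoot%\\System32, or an unrecognised binary auto-started
        from a system directory (reported as "review": legitimate entries such
        as NeroCheck.exe in System32 land here too)
  O16 - Downloaded Program File whose CODEBASE is a bare .exe rather than a .cab
"""
import re
from typing import Iterable, List, Optional, Tuple

# Win2k system binaries malware commonly impersonates by name (editor's list, assumption).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                       "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
# Binaries that legitimately auto-start from a system directory on Win2k (editor's list).
KNOWN_SYSTEM_AUTOSTARTS = {"internat.exe", "mobsync.exe", "rundll32.exe"}
MICROSOFT_DOMAINS = ("microsoft.com", "msn.com")

R1_RE = re.compile(r"^R1 - (?P<key>[^=]+?)\s*=\s*(?P<url>\S+)")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>[\d.]+)\s+(?P<host>\S+)")
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\]\s*'
                   r'(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))')
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*?-\s*(?P<url>https?://\S+)")

Finding = Tuple[str, str, str]  # (severity, reason, original log line)


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_microsoft_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = R1_RE.match(line)
    if m:
        host = host_of(m.group("url"))
        return None if is_microsoft_host(host) else ("high", f"IE search setting redirected to {host}")
    m = O1_RE.match(line)
    if m:
        ip, host = m.group("ip"), m.group("host")
        if is_microsoft_host(host) and not ip.startswith("127."):
            return ("high", f"hosts file pins {host} to {ip}")
        return None
    m = O4_RE.match(line)
    if m:
        path = (m.group("qpath") or m.group("path")).replace("/", "\\")
        parent, _, exe = path.rpartition("\\")
        parent, exe = parent.lower(), exe.lower()
        # A system-binary name outside System32 (e.g. C:\WINNT\svchost.exe) is a classic masquerade.
        if exe in SYSTEM_BINARY_NAMES and not parent.endswith("\\system32"):
            return ("high", f"{exe} started from {parent or '(no path)'} instead of System32")
        in_sysdir = parent.endswith("\\system32") or parent in ("c:\\winnt", "c:\\windows")
        if in_sysdir and exe not in KNOWN_SYSTEM_AUTOSTARTS:
            return ("review", f"unrecognised binary {exe} auto-started from {parent}")
        return None
    m = O16_RE.match(line)
    if m:
        url = m.group("url").lower()
        if url.endswith(".exe"):
            return ("review", f"DPF codebase is a bare executable from {host_of(url)}")
        return None
    return None


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the lines that produced a finding."""
    findings: List[Finding] = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


# Constructed sample: a handful of entries copied from the first log in this thread.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allcybersearch.com/ie/",
    r"O1 - Hosts: 66.40.21.73 auto.search.msn.com",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [hid.exe] C:\WINNT\System32\hid.exe",
    r"O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    r"O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://images.cerials.net/download_serial.exe",
]

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it directly to see the findings for the sample, or pass the lines of a saved HijackThis log to `triage_log` to triage another machine. The "review" tier is deliberately noisy: a legitimate NeroCheck.exe in System32 or the QuickTime installer codebase will land there, and a person still makes the call, as the thread did.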
     
  9. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Hi,

    Deleted the appropriate entries in HijackThis, installed SP2 and the MSBlaster patch, then ran the free virus check on pandasoftware. Came up clear. I have installed Tiny Personal Firewall as well as AVG, and my machine now seems to be back to normal.

    Here is the latest HijackThis log I have run:

    Logfile of HijackThis v1.97.3
    Scan saved at 10:17:00, on 21/10/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Winamp3\winamp3.exe
    D:\resources\HijackThis.exe

    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Anonymizer (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.roylinedirect.co.uk
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://download2.0190-dialer.com/VLoading.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
    O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
    O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
    O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
    O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
    O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
    O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
    O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
    O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
    O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://images.cerials.net/download_serial.exe
    O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
    O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
    O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
    O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
    O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb02.cab
    O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
    O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
    O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
    O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
    O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
    O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Serv.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS2\Services\Tcpip\..\{028E4F44-0ED7-4D53-B4A5-23BFC2A26F6B}: NameServer = 194.168.4.100,194.168.8.100

    Thanks for all the help.
     
  10. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
  11. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Hi,

    have removed those files using HijackThis and also run Ad-Aware, which removed 6 suspicious files. Hopefully this should be it; the machine now seems clean.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The log does look clean and you've certainly done a great "rebuilding" job, all things considered. You are good to go and I will mark this as resolved.

    My only further comment is that if you are not running a web server you might want to disable this service through the Administrative Tools > Services properties:

    http://www.liutilities.com/products/wintaskspro/processlibrary/inetinfo/
     
  13. Jaxxx

    Jaxxx Thread Starter

    Joined:
    Oct 18, 2003
    Messages:
    11
    Hi,

    thanks for everyone's help, I found it invaluable and would have considered reinstalling Windows otherwise. Much appreciated Rollin Rog, IMM and dvk01.
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    :)

     
Short URL to this thread: https://techguy.org/172830