
Win2000 Pro. Virus Problems.

Discussion in 'Windows XP' started by aarhus2004, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. aarhus2004

    aarhus2004 Gone but always remembered Thread Starter

    Joined:
    Jan 9, 2004
    Messages:
    1,049
    Hello,

    I was asked if I could solve an 'annoyance' on a friend's computer. This takes the form of a pop-up window calling itself 'Messenger Service'. Porno.

    He has Win2000 Pro. Cable Modem. I.E.6., 64MB Ram, lots of HD free space and a 700+ MHz. CPU. No anti-virus was present. No firewall. His usage is mainly gaming. He knows little about his computer and I run WinMe.

    I downloaded and installed AVG (Free), Spybot S&D, Belarc, RegSeeker and jv16pt. I plan to download and install HijackThis, CWShredder, Lavasoft and msconfig.

    A virus scan revealed 30 infected files. Some were healed and the remainder placed in the Virus Vault - 16 in total. Among them 8 system files, all C:\WINNT\system32.dll.cache. The system file viruses were identified as IRC/Backdoor Flood and BAT.Generic. 4 of each.

    I ran Spybot and removed a host of spyware.

    Windows Update told of 38 Critical Updates which I attempted to download. I am uncertain as to whether this was successful since when I returned to the update site 38 was still the number on critical offer.

    Later, after being informed that the system was doing all required of it, I deleted the stored and infected files. Another scan revealed an infection in what appeared to be the 8 selfsame files. However, AVG's ability to transfer them to the Virus Vault appears to have been compromised. They remain on the HD and their number is now 10.

    I deleted MIRC (a software unknown to the user). I also deleted MSN Messenger in view of a security bulletin found and the prospect of a new download.

    The roller-ball mouse (checked for cleanliness) is now moving frustratingly slowly. The original 'annoyance' remains undeterred!

    Advice on downloads, steps to take and information to be submitted much appreciated.
     
  2. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,922
    First Name:
    James
    It's called the Windows Messenger Service. It helps administrators find out if there is an error on the system; the server would send a message through that. Somehow someone found a way to use that to make the ads. Since it's not required for home users, you can disable it through the Services snap-in in the Administrative Tools. I'm not at home (I will be in a few minutes); I will look it up for you.
     
  3. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,922
    First Name:
    James
    BTW, run HijackThis and paste the log here.
     
  4. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,922
    First Name:
    James
    Regarding the Windows Popups, it's found in Control Panel > Administrative Tools > Services.

    Scroll down to Messenger and right click > Properties. Select Disabled for Startup type, and you can also press Stop. Apply, and those messages will be stopped.
     
  5. aarhus2004

    aarhus2004 Gone but always remembered Thread Starter

    Joined:
    Jan 9, 2004
    Messages:
    1,049
    Hello Tidus4Yuna,

    Thanks for responding. On my next session on that computer I will follow your guidance re the pop-ups and Windows Messenger Service.

    I will also post the HijackThis log. That will just leave the virus issue, perhaps.
     
  6. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,922
    First Name:
    James
    Most of the time, there maybe a file in the log that is causing the virus.

    Also, the instructions I gave were for Windows XP, but I'm 99% sure it's the same for Windows 2000.
     
  7. aarhus2004

    aarhus2004 Gone but always remembered Thread Starter

    Joined:
    Jan 9, 2004
    Messages:
    1,049
    Tidus4Yuna wrote:

    "Also, the instructions I gave were for Windows XP, but I'm 99% sure it's the same for Windows 2000."

    Thanks, Tidus4Yuna. I hope to be able to get to the other computer tomorrow (Friday).

    If you have any thoughts on why my download of AVGrisoft removed the viruses on its first scan but then only reported them the second time, I would be grateful.
     
  8. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    33,922
    First Name:
    James
    Maybe a trial version? That's weird that it did that. Your best bet is to buy Norton Antivirus. AVG did not get a good rating to stop viruses (a bench test of about 32,000+ viruses). At least with Norton you get your money's worth.
     
  9. aarhus2004

    aarhus2004 Gone but always remembered Thread Starter

    Joined:
    Jan 9, 2004
    Messages:
    1,049
    Hi, Tidus,

    The AVGrisoft is a free version and comes highly recommended.

    I have stopped Messenger via Control Panel|Admin Tools|Component Services|Messenger - Stop. Popup no longer offends. Great!! (y)

    Here is the log of HJT:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:35:30 AM, on 4/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\My Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
    O1 - Hosts: 64.237.45.18 ad.doubleclick.net
    O1 - Hosts: 64.237.45.18 aff.weatherbug.com
    O1 - Hosts: 64.237.45.18 www.burstnet.com
    O1 - Hosts: 64.237.45.18 oz.valueclick.com
    O1 - Hosts: 64.237.45.18 a.tribalfusion.com
    O1 - Hosts: 64.237.45.18 servedby.advertising.com
    O1 - Hosts: 64.237.45.18 my.search
    O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
    O1 - Hosts: 209.87.155.230 date.com
    O1 - Hosts: 209.87.155.230 dating.com
    O1 - Hosts: 209.87.155.230 freedating.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
    O4 - HKLM\..\Run: [MSTABLE1223] C:\WINNT\System32\dllcache\DLLCACHE33\die.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4471643519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks.
     
  10. aarhus2004

    aarhus2004 Gone but always remembered Thread Starter

    Joined:
    Jan 9, 2004
    Messages:
    1,049
    Hello, Tidus.

    I have done some work on the system and thought another HijackThis log may help.

    AVG still shows 8 infected files (all same as in my first post). Same viruses.

    The popup may have ceased to do so. We shall see. Thanks for any further help.



    Logfile of HijackThis v1.97.7
    Scan saved at 1:30:33 PM, on 4/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\My Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 64.237.45.18 www.burstnet.com
    O1 - Hosts: 64.237.45.18 oz.valueclick.com
    O1 - Hosts: 64.237.45.18 a.tribalfusion.com
    O1 - Hosts: 64.237.45.18 servedby.advertising.com
    O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
    O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4471643519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
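The two HijackThis logs above are read by hand in the thread. As an added example (not code from the thread, from Tech Support Guy, or from HijackThis itself), the script below parses that log format and applies three defender-side heuristics that reflect what a reviewer looks for in such a log: R0/R1 browser settings pointing at a host outside a trusted list, O1 hosts-file entries that redirect names to a real IP rather than loopback (a legitimate ad-blocking hosts file maps to 127.0.0.1 or 0.0.0.0), and O4 autostart entries with wildcard executables, `dllcache`/`temp` paths, bare executables in `%SystemRoot%`, or the legacy `RunServices` key. The trusted-host list, the regular expressions and the sample excerpt (assembled from lines in the first log above) are the example's own assumptions, not an official rule set.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section entry reason")

# Constructed excerpt taken from the thread's first HijackThis log (raw string:
# the paths contain backslashes such as \a that must not be interpreted).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 209.87.155.230 date.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [MSTABLE1223] C:\WINNT\System32\dllcache\DLLCACHE33\die.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
"""

# Assumed allowlist: hosts a browser start/search page may legitimately point at.
TRUSTED_HOSTS = {"www.google.ca", "www.google.com"}
# Hosts-file targets that merely block a name rather than redirect it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed indicators for an autostart entry worth a closer look.
SUSPICIOUS_PATH = re.compile(
    r"(dllcache|\\temp\\|\*\.exe|%systemroot%\\[^\\]+\.exe$)", re.I)

ENTRY_RE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def triage(text):
    """Apply the three heuristics and return a list of Finding tuples."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1"):
            # Empty values ("Local Page =") have nothing after '=' and are skipped.
            m = re.search(r"=\s*(\S+)$", body)
            host = host_of(m.group(1)) if m else None
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(section, body,
                                        f"browser setting points at untrusted host {host}"))
        elif section == "O1":
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m and m.group(1) not in LOOPBACK:
                findings.append(Finding(section, body,
                                        f"hosts file redirects {m.group(2)} to {m.group(1)}"))
        elif section == "O4":
            if "RunServices" in body:
                findings.append(Finding(section, body, "legacy RunServices autostart"))
            elif SUSPICIOUS_PATH.search(body):
                findings.append(Finding(section, body, "autostart from unusual path or wildcard"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

Run against the excerpt, the script singles out the search hijack, the two non-loopback hosts redirections and four of the six O4 lines, while leaving the Google start page, the Spybot BHO and the QuickTime and AVG autostarts alone. The same three checks would flag nothing in the second log above except the `Explorer*.exe` pair, which matches the poster's report that most of the other entries had already been cleaned.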
     
Short URL to this thread: https://techguy.org/222753
