Win2000 Pro. Virus Problems.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

aarhus2004

Thread Starter
Gone but always remembered
Joined
Jan 9, 2004
Messages
1,049
Hello,

I was asked if I could solve an 'annoyance' on a friend's computer. This takes the form of a pop-up window calling itself 'Messenger Service". Porno.

He has Win2000 Pro. Cable Modem. I.E.6., 64MB Ram, lots of HD free space and a 700+ MHz. CPU. No anti-virus was present. No firewall. His usage is mainly gaming. He knows little about his computer and I run WinMe.

I downloaded and installed AVG (Free), Spybot S&D, Belarc, RegSeeker and jv16pt. I plan to download and install HijackThis, CWShredder, Lavasoft and msconfig.

A virus scan revealed 30 infected files. Some were healed and the remainder placed in the Virus Vault - 16 in total. Among them 8 system files, all C:\WINNT\system32.dll.cache. The system file viruses were identified as IRC/Backdoor Flood and BAT.Generic. 4 of each.

I ran Spybot and removed a host of spyware.

Windows Update told of 38 Critical Updates which I attempted to download. I am uncertain as to whether this was successful since when I returned to the update site 38 was still the number on critical offer.

Later, after being informed the the system was doing all required of it, I deleted the stored and infected files. Another scan revealed an infection in what appeared to be the 8 selfsame files. However AVG's ability to transfer them to the Virus Vault appears to have been compromised. They remain on the HD and their number is now 10.

I deleted MIRC (a software unknown to the user). I also deleted MSN Messenger in view of a security bulletin found and the prospect of a new download.

The roller-ball mouse (checked for cleanliness) is now moving frustratingly slowly. The original 'annoyance' remains undeterred!

Advice on downloads, steps to take and information to be submitted much appreciated.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,347
Its called Windows Messenging Service. It helps administrators find out if there is a error on the system, the server would send a message through that. Somehow someone found a way to use that to make the ads. Since it's not required for home users, you can disable it through the Services snap-in in the Administrative Tools. I'm not at home ( i will be in a few minutes) I will look it up for you.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,347
Regarding the Windows Popups, it's found in Control Panel > Administrative Tools > Services.

Scroll down to Messenger and right click > properties. Select Disabled for Startup type and you can also press Stop.. Apply and those messages will be stopped.
 

aarhus2004

Thread Starter
Gone but always remembered
Joined
Jan 9, 2004
Messages
1,049
Hello Tidus4Yuna,

Thanks for responding. On my next session on that computer I will follow your guidance re the pop-ups and Windows Messenger Service.

I will also post the HijackThis log. That will just leave the virus issue, perhaps.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,347
Most of the time, there maybe a file in the log that is causing the virus.

Also the instructions I gave were for Windows XP, but I'm 99% sure it's the same for Windows 2000/
 

aarhus2004

Thread Starter
Gone but always remembered
Joined
Jan 9, 2004
Messages
1,049
Tidus4Yuna wrote:

"Also the instructions I gave were for Windows XP, but I'm 99% sure it's the same for Windows 2000/"

Thanks, Tidus4Yuna. I hope to be able to get to the other computer tomorrow (Friday).

If you have any thoughts on why my download of AVGrisoft removed the viruses on it's first scan but then only reported them the second time I would be grateful.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,347
Maybe a trial version? That's weird that it did that. Your best bet is to buy Norton Antivirus. AVG did not get a good rating to stop viruses (a benchtest of about 32,000+ viruses) At least with Norton you get your money's worth
 

aarhus2004

Thread Starter
Gone but always remembered
Joined
Jan 9, 2004
Messages
1,049
Hi, Tidus,

The AVGrisoft is a free version and comes highly recommended.

I have stopped Messenger via Control Panel|Admin Tools|Component Services|Messenger - Stop. Popup no longer offends. Great!! (y)

Here is the log of HJT:

Logfile of HijackThis v1.97.7
Scan saved at 9:35:30 AM, on 4/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O1 - Hosts: 209.87.155.230 date.com
O1 - Hosts: 209.87.155.230 dating.com
O1 - Hosts: 209.87.155.230 freedating.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [MSTABLE1223] C:\WINNT\System32\dllcache\DLLCACHE33\die.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4471643519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks.
 

aarhus2004

Thread Starter
Gone but always remembered
Joined
Jan 9, 2004
Messages
1,049
Hello, Tidus.

I have done some work on the system and thought another HijackThis log may help.

AVG still shows 8 infected files (all same as in my first post). Same viruses.

The popup may have ceased to do so. We shall see. Thanks for any further help.



Logfile of HijackThis v1.97.7
Scan saved at 1:30:33 PM, on 4/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38098.4471643519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top