Dee

Help I Have Major Problems Here :(


From what the port scan said, it's a 2000 machine.

 

Seems from some of the running processes to be an IBM ThinkPad??

 

But I thought they had run the blaster removal tool??

 

It's showing C:\WINNT\system32\msblast.exe in that SwatIt list up there??

 

 

Hi Volt

 

Yes, you're right, it is an IBM ThinkPad.....that's what I cannot figure out....I did use the Blaster removal tool and it showed that both Lovsan and also the other one that popped in there since yesterday, Teekid...it showed both removed...then, like inprofile said, when I restarted and did the scan they were right back there again.

 

I am lost


Hi inprofile

 

 

That's what I thought....I felt that is what Stinger would do...remove some of those other files...'cause I read down the list and backdoor etc. was on that list :( although I did not see Pitchfork on that list....everything seems to go and then, hey presto, they appear back.

 

I deleted the MSN Messenger file, as I said yesterday or the day before when all this started; I thought it was that then. Maybe I should not have done that???....I still have this mIRC v5.91 pop-up....from Khaled Mardam-Bey showing up on my computer when I log on via management functions. Should I accept this or not???????.....it is saying it is an unlicensed copy. I did read what Volt sent about this Khaled guy but huhhhh I cannot make him out???..is he a good or bad guy :help

 

I have drawn a total blank here, is there anything else I can try?....if we sorted the IRC thing first, would that make the msblast and Deloder thing more straightforward to remove following the steps that you outlined before, inprofile????

 

Also, now my Internet Explorer email facility is accepting mail but it is not allowing me to send mail???.....This is the facility I seriously need to get back to be able to send MP3s (urgently) :(:( ....these are too big to send via Hotmail.

 

What are your thoughts?

 

 

De :blink:


Dee, did you run that Fix Blaster tool from Safe Mode??


In my last post I left you a link so that you could post a Pit test for us to get some info on your machine.

 

 

Yes, I have just completed that ..... :)


Well where is it?

 

You are meant to put it in your reply so that we can see it!

 

 

Sorry I thought you could access it privately to view.....

 

 

Which areas would you like me to post? There is a lot of data...



This is what you're looking for???...sorry, I have never run this test before...bear with me please

 

 

 

TechExpress link for your current results:

http://www.pcpitstop.com/techexpress.asp?i...3UVJWKSY6NS8DF4


I'm stepping into this kind of late, but could you run a 'hijackthis' scan as well?

 

http://tomcoyote.org/hjt/

 

unzip, run, 'scan', 'save log', then copy and paste the results back to here.


I have just run this scan using McAfee Online Scan

It still says 17 infected

 

 

 

C:\WINNT\system32\msblast.exe W32/Lovsan.worm.a

C:\WINNT\system32\navdb.dbx IRC/Flood.am

C:\WINNT\system32\inst.exe BackDoor-ARG.dr

C:\WINNT\system32\msapp.exe BackDoor-ASE

C:\WINNT\system32\Dvldr32.exe W32/Deloder.worm

C:\WINNT\system32\rconnect.exe SlimFTP

C:\WINNT\system32\explorer.exe IRC/Flood.mirc

C:\WINNT\system32\explore.EXE IRC/Flood.k.dr

C:\WINNT\system32\api32.exe BackDoor-ASX

C:\WINNT\system32\msiexec16.exe BackDoor-ACH

C:\WINNT\Fonts\~GLH0003.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0004.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0005.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0006.TMP IRC-Pitchfork

C:\WINNT\svchost.exe ServU-Daemon

C:\WINNT\svchost2.exe BackDoor-ACH

C:\Documents and Settings\...\Temp\eqbjgr.exe IRC/Flood.gen.dr

 

 

 

 

Hi Radio

 

Would you still like me to run that scan or can you see the information you need from the above?

 

:)


Radio,

 

Here are the results of that HijackThis scan for you anyway

=========================================

 

 

 

 

 

Logfile of HijackThis v1.96.0

Scan saved at 00:56:41, on 17/08/2003

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\system32\crypserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

c:\winnt\srvany.exe

c:\winnt\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\Explorer.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\System32\tp4serv.exe

C:\WINNT\System32\Atiptaxx.exe

C:\WINNT\System32\RunDll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\loadqm.exe

C:\WINNT\System32\msapp.exe

C:\WINNT\System32\api32.exe

C:\winnt\system32\msiexec16.exe

C:\WINNT\System32\internat.exe

C:\CFGSAFE\AUTOCHK.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\unzipped\hijackthis[1]\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.ie/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [iBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe

O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe

O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7845.6232291667

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.14/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...285/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4294093F-8948-495F-BFA5-066EC4CCCE69}: NameServer = 194.145.128.1 194.125.2.206


Put a check next to these items, close all browser/explorer windows, press 'Fix', then reboot:

 

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe

O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe

O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

 

For this running program, c:\winnt\srvany.exe, go to 'Start\Run', type: services.msc, then scroll down until you see 'srvany', double-click it, 'Stop' the service, then set the startup type to 'Disabled'.

 

After rebooting, delete these files:

 

c:\winnt\tour.reg

c:\winnt\srvany.exe

c:\winnt\svchost.exe

 

C:\WINNT\system32\Explorer.exe

C:\WINNT\System32\msapp.exe

C:\WINNT\System32\api32.exe

C:\WINNT\system32\msiexec16.exe

 

C:\WINNT\Fonts\rundll32.exe

C:\WINNT\Fonts\explorer.exe

 

Note the folders that the files are in; there are legitimate files by the same name in other folders that should not be touched.

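The last line of Radio's post above is the whole game with this infection: the McAfee list and the HijackThis log both show explorer.exe, svchost.exe, rundll32.exe and a msiexec lookalike sitting in folders where the real binaries never live (Fonts, System32 for explorer.exe, the WINNT root for svchost.exe). The script below is an added example, not something posted in this thread, that applies that "right name, wrong folder" rule mechanically to a HijackThis log. It assumes a default Windows 2000 layout with %SystemRoot% = C:\WINNT for the canonical locations; the sample lines are copied from the log posted above.

```python
r"""Flag startup entries and running processes that impersonate Windows binaries.

Added example, not from the forum thread. Rule implemented: a well-known file
name (explorer.exe, svchost.exe, rundll32.exe, msiexec.exe) is legitimate only
in its own directory, and nothing legitimate starts from the Fonts folder.
Canonical locations assume a default Windows 2000 install (%SystemRoot% =
C:\WINNT); that is an assumption, adjust for other layouts.
"""
import re
from typing import List, Tuple

SYSTEM_ROOT = r"c:\winnt"  # assumption: default Windows 2000 system root

# Where each impersonated binary really lives (lower-case, for comparison).
CANONICAL_DIRS = {
    "explorer.exe": SYSTEM_ROOT,
    "svchost.exe": SYSTEM_ROOT + r"\system32",
    "rundll32.exe": SYSTEM_ROOT + r"\system32",
    "msiexec.exe": SYSTEM_ROOT + r"\system32",
}

# No legitimate program is started from the Fonts folder.
SUSPICIOUS_DIRS = {SYSTEM_ROOT + r"\fonts"}

# "O4 - HKLM\..\Run: [Name] <command line>". Global Startup .lnk lines have no
# [Name] field and are deliberately skipped by this pattern.
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
c:\winnt\svchost.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\Explorer.exe
C:\winnt\system32\msiexec16.exe

O4 - HKLM\..\Run: [iBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""


def extract_path(command: str) -> str:
    """Return the executable path from an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def split_path(path: str) -> Tuple[str, str]:
    """Normalise case and %SystemRoot%, then split into (directory, file name)."""
    path = path.lower().replace("%systemroot%", SYSTEM_ROOT)
    directory, _, name = path.rpartition("\\")
    return directory, name


def classify(path: str) -> List[str]:
    """Return the reasons a path looks like an impostor; empty list if none."""
    directory, name = split_path(path)
    reasons: List[str] = []
    if not directory:
        return reasons  # bare file name resolved via PATH; nothing to compare
    if directory in SUSPICIOUS_DIRS:
        reasons.append(f"executable started from {directory}")
    canonical = CANONICAL_DIRS.get(name)
    if canonical and directory != canonical:
        reasons.append(f"{name} outside its real home {canonical}")
    stem = name.rsplit(".", 1)[0]
    base = re.sub(r"\d+$", "", stem)  # msiexec16 -> msiexec
    if base != stem and base + ".exe" in CANONICAL_DIRS:
        reasons.append(f"{name} looks like {base}.exe with digits appended")
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run classify() over the process list and O4 entries of a HijackThis log."""
    findings: List[Tuple[str, List[str]]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
        elif in_processes:
            path = line
        else:
            continue
        reasons = classify(path)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the posted log it flags exactly the entries Radio told Dee to fix and leaves C:\WINNT\Explorer.exe and C:\WINNT\System32\svchost.exe alone, which is the distinction the deletion list depends on. Bare names such as tp4serv.exe are not judged at all, since the log gives no directory to compare.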

Radio

 

:huh::blank:

 

OMG now I am SCARED......I just hope I do this correctly.....if not, it was nice knowing you guys, and thanks for the help. Holy Moley :(:blink:

 

De

 

:blushing:


Thanks Radio. :tup:

 

That should get rid of the Bot that was causing the loop when Windows was started.

 

You know what that means Dee - More scanning and you should be able to d/l the patch. ;)


Well, I was sitting here going through all that HijackThis mess and Radio's already got it up and posted.

 

I'm blind. ;)

 

We may have broken the record for scans on one machine?? :mrgreen: v


:)

 

 

Well, I have deleted the first lot from the HijackThis scan and I have set the options to "Show All" files. OK, I better keep going and get the rest done. Me now wondering any chance of a diploma :mrgreen: at the end of this marathon :woot: ...well, I sure am earning my supper ;)

 

tee hee

 

:rolleyes:


1st Problem

---------------

 

 

 

For this running program, c:\winnt\srvany.exe, go to 'Start\Run', type: services.msc, then scroll down until you see 'srvany', double-click it, 'Stop' the service, then set the startup type to 'Disabled'.

 

 

I have done this and "srvany" is not in here????????......


ok,

 

just open Task Manager (Ctrl+Alt+Del), and end the process.

 

it shouldn't start up again after rebooting now anyway.


Yes.....srvany.exe is there.

It's there and I have tried twice to end it and it will not allow me. It keeps saying the operation could not be completed.....access is denied.


Reboot in Safe Mode, then delete the files listed above.

 

Reboot normally, then run a new HijackThis scan and post those results.


Make sure you're logged in as admin, and you might try to end it from Safe Mode.
