#1
Infected with a worm?
Hi there!
I just opened an e-mail and it said something like, 'ha ha, by opening this we have passed a worm onto you!' I think this is a hoax, because I have run Norton Antivirus and nothing showed up. I have also run Spybot. My system is Win ME and I take all the Windows security updates - is it really possible that a worm has got into my system? There is no indication, although just now for the first time I wasn't able to do a live update on Norton because my system told me I did not have an internet connection (not true), but maybe this was just some temporary glitch. Any advice would be appreciated please. Robin
#2
Hi Robin, More than likely it's a hoax. Let's have a look though, just to be safe.
Download, unzip and run HijackThis. When the scan is finished, click 'save log' and copy & paste it in a reply. http://216.180.252.218/~spywareinfo....hijackthis.zip
#3
Here it is and many thanks!
Logfile of HijackThis v1.97.0
Scan saved at 20:35:52, on 11/09/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\PRIMAX\POWERTWAIN\PMXDETECT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCREDIMAIL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\REAL\REALDOWNLOAD\REALDOWNLOAD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/wales/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=inktomi2-cdf.server.ntl.com:8080;gopher=inktomi2-cdf.server.ntl.com:8080;http=127.0.0.1:81;https=inktomi2-cdf.server.ntl.com:8080;socks=inktomi2-cdf.server.ntl.com:8080
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Scan Detector] C:\PROGRA~1\PRIMAX\POWERT~1\Pmxdetect.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O9 - Extra button: Downloads (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://search.cin.com/CFIDE/classes/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...869.3984027778
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialer...ecomendada.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-b3.freeserve.com/Java/cfs31235.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
#4
Hi Robin, There's no sign of a worm on your system. Just a couple of ActiveX controls that need to be removed.
Run HT again and check the following, close any open browser windows and click 'fix checked'.
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/diale...Recomendada.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
#5
I have now done that. Thank you so much for your help, Moderator.
Just out of curiosity, what were those two things I deleted? Robin
#6
Hi Robin...the two ActiveX controls that tb525 advised you to delete were non-active (pun intended) - i.e. the links were dead. ActiveX controls in the Downloaded Program Files folder can be deleted with impunity - if a control is needed for a site, you'll be prompted to install it. ActiveX is an MS technology developed from COM (Component Object Model), DCOM (Distributed COM) and OLE (Object Linking and Embedding). I read an interesting synopsis recently of how MS got into this area, but forgot to bookmark it. :no: Basically, it was a bad idea in the first place, but to "keep up with the Joneses", MS kept on developing it. ActiveX controls can act as executable files and the DPF folder is an easy target for installing malware. Usually, anything in the DPF folder that is non-MS, non-Apple and non-Macromedia (Flash) or marked as damaged can be deleted. BTW, I see that one of the controls was from Uproar. I used to play the trivia game there a few years back. "Met" some nice people there, some of whom I'm still in touch with via email.
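The rule of thumb from post #6 (keep the O16 Downloaded Program Files entries that come from Microsoft, Apple or Macromedia, look hard at everything else), worked through as an added example that is not code from this thread or from HijackThis: a small Python triage script run over O16 lines copied from the log above. The mapping of those vendors to domain suffixes and the extra "served from a bare IP address" check are assumptions of this example, so it flags three controls where the moderator in post #4 picked two.

```python
import re
from urllib.parse import urlparse

# Vendors whose O16 entries post #6 says can usually stay. Mapping vendor names
# to domain suffixes is an assumption made for this example, not a HijackThis rule.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "apple.com", "macromedia.com")

# Constructed sample: O16 lines copied from the log above (URL paths truncated by the forum).
SAMPLE_LOG = [
    "O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab",
    "O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab",
    "O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab",
    "O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialer...ecomendada.cab",
    "O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab",
    "O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab",
]

O16_RE = re.compile(r"^O16 - DPF: (?P<ident>.+?) - (?P<url>\S+)$")   # "O16 - DPF: <ident> - <url>"
IDENT_RE = re.compile(r"^\{([0-9A-Fa-f-]+)\}\s*(?:\((.*)\))?$")        # "{CLSID} (optional name)"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_o16(line):
    """Split one O16 line into CLSID, display name, URL and host; None for other line types."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    ident, url = m.group("ident"), m.group("url")
    cm = IDENT_RE.match(ident)
    # Entries without a CLSID (e.g. the ChatSpace Java client) carry only a free-text name.
    clsid, name = (cm.group(1), cm.group(2)) if cm else (None, ident)
    return {"clsid": clsid, "name": name, "url": url, "host": (urlparse(url).hostname or "").lower()}

def is_trusted_host(host):
    # Exact match or a subdomain of a trusted suffix; "evilmsn.com" must not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def review_o16(lines):
    """Return the O16 entries a reviewer should look at first, each with the reason it was flagged."""
    flagged = []
    for line in lines:
        entry = parse_o16(line)
        if entry is None:
            continue
        if IPV4_RE.fullmatch(entry["host"]):
            entry["reason"] = "control served from a bare IP address"
        elif not is_trusted_host(entry["host"]):
            entry["reason"] = "vendor not on the trusted list"
        else:
            continue
        flagged.append(entry)
    return flagged
```

Over the sample, `review_o16` flags the WONWebLauncher, DialerWeb and shizmoo controls and leaves the Flash, QuickTime and MSN Chat entries alone.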