Status
Not open for further replies.
1 - 11 of 11 Posts

Registered · 2,106 Posts · Discussion Starter · #1
I'm not sure if this is a Windows problem, an Internet problem, or even a security problem....but it's mostly isolated to internet related programs, so I'm posting it here.

First off, I'm on Windows XP, the problem seems to occur when trying to open or use a hyperlink for the most part. A new window just doesn't open, and it won't let me open the link in a new window by right clicking either. There are also problems with cutting and pasting, it simply won't cut or copy, therefore I can't paste. I tried resetting my internet settings using a Run based command I found in one of the threads I found doing a search....but my problem seems to be a little different. Could this be because of a virus? Also, when I try to access my email, it says there's an RPC error. I'm thinking that's because of what I did to fix the Blaster worm....is there a way to fix this? :confused:

Jim
 

Administrator · 123,559 Posts
I think a good place to start would be to post a Hijack This log for the experts to look at.

Click here: http://www.majorgeeks.com/downloadg...a8baee6434cfc13
to download Hijack This. Save it to its own folder (not temporary files). Click on the Hijackthis.exe.

Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

Cookie
 

Registered · 2,106 Posts · Discussion Starter · #5
Here's my latest HJT log. Enjoy. :rolleyes:

Logfile of HijackThis v1.97.7
Scan saved at 3:58:21 AM, on 1/5/2002
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\enbiei.exe
C:\WINDOWS\System32\mslaugh.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\teekids.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://darkevil1.proboards27.com/index.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38072.8894097222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E97C064-2433-464E-A0F9-C8DA51C319F3}: NameServer = 207.69.188.185 207.69.188.186

Windows Update is on the fritz as well, I think it might stem from the same problem...which is a big problem in itself as it leaves me open to attack. :eek:
 

Administrator · 123,559 Posts
Right off I can see the Blaster worm is still there (mslaugh.exe & msblast.exe).

Since I'm not qualified to tell you what to fix (I doubt if it's only the one entry), I will request that this thread be moved over to security and I'm sure someone will analyze your log for you.

Cookie
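
An added example, not part of the thread and not HijackThis's own code: a small parser for the `O4` Run lines in the log format posted above, which queues the entries a reviewer would open first. Treating a Run value with no directory path as worth a manual look is an assumption made for this sketch, not a verdict; only `msblast.exe` and `mslaugh.exe` are named in the thread.

```python
import re
from typing import NamedTuple

# Names the reply in this thread identifies as Blaster (taken from the page).
NAMED_IN_THREAD = {"msblast.exe", "mslaugh.exe"}

# Constructed sample: a subset of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: SATARaid.lnk = ?
"""

O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run\w*: \[(.*?)\] (.+)$")
IMAGE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

class RunEntry(NamedTuple):
    hive: str
    name: str
    image: str
    bare: bool   # assumption: no directory given, so worth a manual look
    named: bool  # file name matches one the thread calls out

def image_of(command: str) -> str:
    # Quoted values end at the closing quote; unquoted ones at the extension.
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = IMAGE.match(command)
    return m.group(1) if m else command.split()[0]

def parse_run_entries(log: str) -> list:
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # "Global Startup" and non-O4 lines are skipped
        hive, name, command = m.groups()
        image = image_of(command)
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        entries.append(RunEntry(hive, name.strip(), image,
                                base == image.lower(), base in NAMED_IN_THREAD))
    return entries

def review_queue(log: str) -> list:
    # A lead list for a human reviewer, not a list of confirmed malware.
    return [e for e in parse_run_entries(log) if e.bare or e.named]
```

On the sample, `review_queue(SAMPLE_LOG)` returns five entries, two of them marked `named`; the rest still need a person to decide.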
 

Registered · 46,353 Posts
I've moved this to the Security forum.
> Windows Update is on the fritz as well, I think it might stem from the same problem...which is a big problem in itself as it leaves me open to attack. :eek:
You don't have an AV running on this machine. What do you expect! ;)
 

Registered · 46,353 Posts
> I'm thinking that's because of what I did to fix the Blaster worm....
I don't know what you did to remove the blaster worm, but either you didn't remove it or you got it again.

Did you install the patch for the RPC buffer overrun vulnerability?

First go here and follow the instructions for downloading and running the Blaster removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Immediately after you have run the removal tool go here and install the patch for the RPC buffer overrun vulnerability, if you haven't done so already.

http://www.microsoft.com/downloads/...ae-a1ba-4d4a-b424-95d32cfc8cba&displaylang=en
 