How can I tell if I have a worm??


fancy
Member


Joined: 01 Feb 2004
Posts: 12
Points: 0

Posted: Fri 03/05/2004 9:39am [Post #1]

I opened an attachment, which I now find out could have had the Bagle worm H, J, or K in it. My computer hasn't done anything odd. I ran a Freedom virus scan which said 0 viruses.
I'm computer duh so any answer has to be easy to understand.
Thanks all.
 
This post has: 0 recommendations

steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Fri 03/05/2004 10:18am [Post #2]

Hi

Do a free on-line virus scan here :-

http://www.pandasoftware.com/activescan/

and here :-

http://housecall.trendmicro.com/

ALSO

Please Download hijackthis from

http://computercops.biz/zx/phoenix22/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam

_________________
Look here for Ways to keep your computer safe

M'SOFT MVP -Windows Security 2004/8 .member ASAP - UNITE


Last edited by steamwiz on Fri 03/05/2004 2:49pm; edited 1 time in total
 
This post has: 1 recommendation

fancy
Member


Joined: 01 Feb 2004
Posts: 12
Points: 0

Posted: Fri 03/05/2004 2:40pm [Post #3]

Steamwiz, thanks for your reply,
panda software showed 41242 files 191 infected, 191 disinfected

housecall.trendmicro. trend active update did not update successfully (tried several times)

hijackthis page cannot be displayed.

I ran panda again 0 infected
Is this good enough or should I do something else?

My ISP has free antivirus, which I've called about several times thinking it doesn't work; now I know it doesn't.

Can anyone tell me what antivirus and firewall would be the best to purchase?? Thanks all
 
This post has: 0 recommendations

steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Fri 03/05/2004 2:52pm [Post #4]

Hi

Sorry about the link above, which was out of date, I've edited it to this one......which does work.

http://computercops.biz/zx/phoenix22/hijackthis.zip

Please show us your log now.

steam

_________________
Look here for Ways to keep your computer safe

M'SOFT MVP -Windows Security 2004/8 .member ASAP - UNITE
 
This post has: 0 recommendations

amazon_geek
Member


Joined: 05 Mar 2004
Posts: 3
Points: 0

Posted: Fri 03/05/2004 3:00pm [Post #5]

I highly recommend Norton Antivirus and Personal Firewall. Get the 2003 version if you can. I think the 2004 version is too intrusive to the computer. It may come as a package "Norton Internet Security"

Good luck!

_________________
Right now, men and oil companies are in control. What are you doing to change the world?
 
This post has: 0 recommendations

Basementgeek
Supreme Guru


Joined: 01 Jan 2003
Posts: 12000
Points: 1188

Posted: Fri 03/05/2004 3:11pm [Post #6]

There are a lot of us here who use these 2 free programs.

FREE ZONE ALARM

FREE ANTI VIRUS

Cheers Smile

_________________
Member of ASAP 2006
 
This post has: 0 recommendations

fancy
Member


Joined: 01 Feb 2004
Posts: 12
Points: 0

Posted: Fri 03/05/2004 4:16pm [Post #7]

Logfile of HijackThis v1.97.7
Scan saved at 1:20:14 PM, on 3/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\TELUS eCare\bin\mad.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ellen\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/internet/display.do
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://www.stlu.com/plugins/Plugin0501.0065/streetnoagent7.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065737653519
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://a1153.g.akamai.net/7/1153/5970/v0005/www.mindavenue.com/downloads/akamai/AXELPlayerAX_Win32.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/setup/pcpowerscan.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup143.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
 
This post has: 0 recommendations

steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Sat 03/06/2004 4:13am [Post #8]

HI

Just a couple to fix

Close all browser windows - run hijackthis and tick to fix :-


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab


Before you leave the site.....check this out....

http://www.help2go.com/article152.html

Happy surfing

steam

_________________
Look here for Ways to keep your computer safe

M'SOFT MVP -Windows Security 2004/8 .member ASAP - UNITE
 
This post has: 0 recommendations
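
The same review pass steamwiz makes by eye in Post #8, sketched as a script (an added example, not part of the original thread). It parses HijackThis log text, lists the O4 autoruns, and sorts O16 download sources into ones on a reviewer-supplied list and ones with no friendly name; `FLAGGED_HOSTS`, the function names and the trimmed sample are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample based on entries from the log in Post #7; two URLs carry a
# stray space, as forum line-wrapping can insert, to exercise the clean-up.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19 106/flash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/setup/pcpowerscan.c ab
"""
# Assumption: reviewer-supplied set; it holds the one O16 source marked for fixing in Post #8.
FLAGGED_HOSTS = {"download.abetterinternet.com"}

def parse_log(text):
    """Group entry bodies by HijackThis section code (R0, O4, O16, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"([A-Z]\d{1,2}) - (.+)$", line.strip())
        if m:  # process paths and header lines do not match and are ignored
            sections[m.group(1)].append(m.group(2))
    return sections

def parse_dpf(body):
    """Split an O16 body into (clsid, friendly_name, download_host)."""
    head, _, url = body[len("DPF:"):].rpartition(" - ")
    url = url.replace(" ", "")  # undo wrap spaces inside the URL
    m = re.match(r"\s*(\{[0-9A-Fa-f-]{36}\})?\s*\(?(.*?)\)?\s*$", head)
    return m.group(1), m.group(2) or None, urlparse(url).hostname

def triage(text, flagged_hosts):
    """List autoruns and sort O16 entries into flagged / unnamed for review."""
    sections = parse_log(text)
    report = {"autoruns": [], "dpf_flagged": [], "dpf_unnamed": []}
    for body in sections["O4"]:
        m = re.match(r"(.+?): \[(.+?)\] (.+)$", body)
        if m:  # "Global Startup" entries use a different shape and are skipped
            report["autoruns"].append((m.group(1), m.group(2)))
    for body in sections["O16"]:
        clsid, name, host = parse_dpf(body)
        if host in flagged_hosts:
            report["dpf_flagged"].append((clsid, host))
        elif name is None:
            report["dpf_unnamed"].append((clsid, host))
    return report
```

An unnamed O16 entry is only a prompt to look the CLSID and host up before deciding; it is not a verdict.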

fancy
Member


Joined: 01 Feb 2004
Posts: 12
Points: 0

Posted: Sat 03/06/2004 10:38am [Post #9]

Thanks Steamwiz, since I ran the hijack scan, these have been detected:

Incident Status Location

W32/Netsky.D.worm Disinfected Local Folders\Deleted Items\Re: Re: Re: Your document (document_4351.pif)
W32/Netsky.D.worm Disinfected Local Folders\Deleted Items\Re: Your document (your_document.pif)
W32/Netsky.D.worm Disinfected Local Folders\Deleted Items\Re: Your website (your_website.pif)
W32/Bagle.pwdzip Disinfected Local Folders\Deleted Items\*TELUS Detected Spam* Notify about your e-mail account utilization. (Readme.zip)
I ran the hijackthis again should I post it too?
I have the xp firewall enabled, but when I go to grc.com it shows my firewall as being penetrated. I'm running Freedom antivirus also.
I want to install Norton AV and firewall; do I have to get all this problem cleared first, or will Norton clean it up if I install it?
Thanks all
 
This post has: 0 recommendations

steamwiz
Supreme Guru


Joined: 12 Sep 2003
Posts: 14022
Points: 2332
Location: Yorkshire U.K.

http://www.help2go.com/co
Posted: Sat 03/06/2004 2:40pm [Post #10]

Hi

It's as well to clean your computer first...

Empty your recycle bin, then reboot.

Then do another on-line scan

All should be clean...if it isn't let us know.

XP firewall is useless... it only works one-way...it blocks incoming but not outgoing....I would disable it immediately.

Download and install Zonealarm free firewall and AVG free anti-virus

Both are excellent and better than a lot of bought ones.

If you really want to buy one later ...OK, but for now this is your best option.

steam

_________________
Look here for Ways to keep your computer safe

M'SOFT MVP -Windows Security 2004/8 .member ASAP - UNITE
 
This post has: 0 recommendations
