TSM Forums
something odd just happened

Guest stardust

I'm running XP and just installed one of the automatic updates that Windows will automatically send. When I restarted my computer, however, I got a message box titled "Windows Help" and it said that it couldn't find the file mirc.hlp and that if I couldn't find it I needed to reinstall it. Does anyone know what this file is (the box said it's a help file, so that's something) and what it does and if it's important? And furthermore, why would it suddenly disappear after installing an Update?

 

And yes, I have a firewall and I also constantly have Norton running monitoring everything.

Guest Scotsman

Hmmm... that's quite weird. Does it happen if you reboot your computer again? It may be a virus. Can you write down the exact message you get?

 

Also, save this, run it, hit "SCAN", then save the log (don't checkmark anything) and paste it here.


It's the help file for mIRC. Or so it would seem. It's not a file that you need an installation to run, though. Do a search for "mirc.hlp" in Google and get it from somewhere else. If you don't have mIRC installed, then I'm at a loss.

Guest I'm That Damn Zzzzz

mirc sounds like the mIRC chat. If you don't use the help file for that program, you can probably ignore the error. If the error bugs you, find another .hlp file, copy it to where it needs to be and rename it mirc.hlp; Windows should be stupid enough to not know the difference.

Guest Scotsman

Whoa whoa whoa. Try not to give advice unless you really know :) Not trying to be an ass, but the IRC.Flood trojan (DDoS bot) is well known for using mirc.hlp, and prompting this error on startup.

Guest stardust

What exactly is mIRC chat?

 

And I'll do the stuff y'all suggested and see what happens.

Guest Scotsman

mIRC Chat is a chatting service. Connect to a server, and there's thousands of chat rooms. However, I'm thinking that this is the trojan that you have.

Guest stardust

This is what HijackThis came up with:

 

Logfile of HijackThis v1.96.4
Scan saved at 3:34:52 PM, on 12/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Open Site\opnste.exe
C:\windows\system32\WINClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Semagic\LiveJournalU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\download\hijack.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaul...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.yahoomail.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\x3rj4to1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\x3rj4to1.slt\prefs.js)
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\VX2.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\Run: [Run32dll] c:\windows\system32\winhelper.exe WINClock.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: TFTP2672
O4 - Global Startup: TFTP3376
O4 - Global Startup: TFTP4004
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.yahoo.com/games/clients/y/blr2_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.yahoo.com/games/clients/y/mjsr2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.yahoo.com/games/clients/y/wr1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-...IL/PhPSetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,30
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11edaa929534aae9b605/...ip/RdxIE601.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowse...5.30/Hiwire.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...282/mcfscan.cab

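A small triage pass over a few lines of the log above, as an added example that is not from the thread or from HijackThis itself. It flags the patterns the replies point at: hosts-file entries that redirect a name to a non-loopback address, autorun values given as a bare file name like dcomx.exe (so Windows finds them by PATH search), use of the Win9x-era RunServices key, an autorun whose argument is itself an .exe, and Startup-folder items that are not .lnk shortcuts. The sample lines are copied from the posted log; the check names and rules are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [system] dcomx.exe
O4 - HKLM\..\RunServices: [system] dcomx.exe
O4 - HKLM\..\Run: [Run32dll] c:\windows\system32\winhelper.exe WINClock.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: TFTP2672
"""

# HijackThis line shapes handled: O1 hosts overrides, O4 Run* values, O4 Startup items.
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.*)$")

def check_hosts(ip, host):
    """A hosts entry that maps a name anywhere but loopback hijacks that name."""
    if not ip_address(ip).is_loopback:
        return f"{host} redirected to {ip} (non-loopback hosts-file override)"
    return None

def check_run(hive, key, name, command):
    """Autorun values: bare file names, the Win9x RunServices key, exe arguments."""
    if command.startswith('"'):          # quoted path, possibly followed by args
        exe, _, rest = command[1:].partition('"')
    else:                                # unquoted: first token is the program
        exe, _, rest = command.partition(" ")
    reasons = []
    if "\\" not in exe and "/" not in exe:
        reasons.append(f"'{exe}' has no path: found by PATH search at logon")
    if key == "RunServices":
        reasons.append("RunServices is a Win9x key, rarely legitimate on NT/XP")
    if rest.strip().lower().endswith(".exe"):
        reasons.append(f"argument '{rest.strip()}' is itself an executable")
    return reasons

def check_startup(entry):
    """Startup-folder items should be .lnk shortcuts with a resolved target."""
    if ".lnk = " not in entry:
        return f"'{entry}' is not a .lnk shortcut with a resolvable target"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every log line that trips a check."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := HOSTS_RE.match(line):
            reason = check_hosts(*m.groups())
            findings += [(line, reason)] if reason else []
        elif m := RUN_RE.match(line):
            findings += [(line, r) for r in check_run(*m.groups())]
        elif m := STARTUP_RE.match(line):
            reason = check_startup(m.group(1))
            findings += [(line, reason)] if reason else []
    return findings
```

On the sample it reports seven findings and stays silent on the ccApp and Norton System Doctor entries; the full log would also trip on the other two TFTP items.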
Guest stardust

This is what TrojanHunter came up with.

 

Registry scan
No suspicious entries found

Inifile scan
No suspicious entries found

Port scan
Port 5180/TCP is open (matches Peeper.120)
(Tell me more about port alerts...)

Memory scan
No trojans found in memory

File scan (autostarted files, running executables)
Found possible trojan file: C:\WINDOWS\System32\dcomx.exe/ZMQ9Zo.exe (Possible trojan downloader, SDBot)
Found possible trojan file: C:\WINDOWS\System32\dcomx.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINDOWS\System32\dcomx.exe/XBgQsxq.exe (Possible trojan downloader, SDBot)
Found possible trojan file: C:\WINDOWS\System32\dcomx.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\windows\system32\WINClock.exe (GENERROR (TExportDetector): List count out of bounds (-516674043))
No trojan files found


Hmm... and in Add/Remove you don't have mIRC? If not, and Trojan Hunter didn't pick it up, then the only other thing I can find is that it would be a virus, and Norton's website has only this listed, or various or numerous Backdoor.IRC.Floods, but you would/should already have definitions to remove it. Is your subscription current?

Edited by MrRant

Guest Scotsman

You got a virus bro. I'm heading out for dinner for now but will be back in about 2 hrs. Update Norton, and do a full system scan and let me know how that works out. I'll be back soon.

Guest stardust

I ran liveupdate for Norton and when I restarted I didn't get the message I got the last time (the one about mIRC). Instead I just got the normal ones I always get, which I have run a virus scan on (back when they first started), and for which no viruses were detected.

 

However, maybe Scotsman or Rant will know, what are these files?

 

O4 - Global Startup: TFTP2672
O4 - Global Startup: TFTP3376
O4 - Global Startup: TFTP4004

 

And this one:

Found possible trojan file: C:\WINDOWS\System32\dcomx.exe/XBgQsxq.exe (Possible trojan downloader, SDBot)
Found possible trojan file: C:\WINDOWS\System32\dcomx.exe (Suspicious: UPX-packed file in Windows System folder)

 

I've been getting for months now on startup. All of those I just listed I'll get message boxes for on startup. The first three, it says it can't be opened. The last one, it says dcomx.exe has encountered a problem and needs to close. Like I said, when I first started getting those I ran a virus scan and nothing was found, and those haven't caused any problems, I'm just curious as to what they are.

 

And Scotsman, I'm not a "bro." ;)

Guest stardust

Will it hurt my comp if I remove them, though? I'm guessing not since the application they were created with can't be found (that's the message I get), but I'm very wary of fucking my computer up.


If you are wary then go to Start->All Programs->Accessories->System Tools and hit System Restore and create a restore point so you can go back to it. If something happens of course.

Guest stardust

Well I tried to delete those three using Hijack This, and they couldn't be deleted. They're in my startup, and were modified on 7/29, which was around the time when my computer was hacked this past summer (which was what prompted me to download the Norton Firewall and the AV program). I'm guessing it's okay, since I don't have any viruses being detected and my computer's running fine. I'm just curious as to what they are.


I would be wary... if you have a Trojan on your computer most of the point of it is so someone can access your computer remotely unless the specific program is blocked by your firewall already.

 

Did you try and remove the trojan files with Trojan Hunter?

Guest stardust

The TFTP files weren't found under Trojan Hunter. I did, however, find the actual program for them, which is an FTP called TFTP. When my comp was hacked into this past summer, whoever had done it registered another user name (that was what really tipped me off, when I restarted my computer and saw a user name called "stoner" considering I'm the only one who uses my computer), so I deleted the user name and then noticed that there was an unfamiliar FTP running in my system tray, so I closed it and asked a friend for advice. That led me to downloading the firewall and Norton. I found the FTP files and deleted those, but the dcomx.exe is part of the Windows System folder, so I'm hesitant to remove it.

 

Trojan Hunter didn't find any trojans, but did say that the dcomx.exe file does allow Trojans to get in.

Guest stardust

Thanks. I just didn't want to accidentally delete something that didn't need to be deleted.

Guest stardust
http://www.f-secure.com/v-descs/rpc.shtml

 

I'd get rid of it if I was you.

I ran this earlier today and apparently it didn't extract the files. And I'd deleted the TFTP program the other day, but I'm still getting the messages on startup that the various tftp files can't be found and the dcomx.exe needs to shut down on startup. Should I just go in and delete the dcomx.exe file myself or try to extract it again?


You said Spybot/TrojanHunter couldn't delete them either huh?

 

There is probably some registry stuff in there as well. You could delete the files yourself and if the message keeps coming up then go to Start->Run->Command and type in msconfig.

 

Check and see if those files are listed in that startup and you can uncheck them.

 

Outside of that... reformat.
