View Full Version : MSN messenger virus?
liamkincaid25
12-04-2008, 10:22 PM
Greetings and merry christmas folks!!
I was chatting with a friend the other day and appeared a link in the window chat , thinking was something my friend send me I clicked on it and now whenever I am chatting the chat window close after a few minutes if you try to reopen it you can not. and when yo try to close the msn to restart it it says "all windows chat will close" when there is none open. I think this is some kind of virus was looking around but can not find any info Is there a tool to remove it from the msn messenger program?( I do not have any antivirus installed)
classicsoftware
12-05-2008, 12:40 AM
---------- BEGIN RANT ----------
First, I have a few questions,
Are you out of your mind?
Did you miss your last drug test?
Are you mad?
Why in God's name would you be on line without an anti-virus?
Second, even if you return to your senses,
DO NOT EVER CLICK ON A LINK IN AN IM WINDOW, EVER.
---------- RANT OVER ----------
Please read this thread (http://www.pcguide.com/vb/showthread.php?t=60009) and post a Hijackthis log.
liamkincaid25
12-09-2008, 11:34 PM
I tried to do the step about the MSCONFIG in the link you provide but i keep getting the message "cannot find the file MSCONFIG (or one of its components) Make sure the path and filename are correct and that all required libraries are available"
I di the scan with HJT AND THE RESULT IS AS FOLLOWS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:45 PM, on 12/9/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\service.exe
C:\WINNT\system32\monitorbk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LVComs] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Service] service.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209434902251
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
--
End of file - 4633 bytes
Thank you for any assitance any of you can provide.
classicsoftware
12-10-2008, 08:55 AM
First:
How to run a scan with Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.[/QUOTE]
Second:
Please do the following:
Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.
Note:
Do not mouseclick Combofix's window while it is running. That may cause the program to stall...
Third:
Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.
liamkincaid25
12-10-2008, 02:22 PM
COMBOFIX
ComboFix 08-12-09.03 - Administrator 12/10/2008 14:00:46.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.67 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-10 17:52 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-12-10 17:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-10 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 17:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-10 04:10 --------- d-----w c:\documents and settings\Administrator\Application Data\.purple
2008-12-08 11:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 11:56 --------- d-----w c:\program files\Linksys
2008-12-08 11:56 --------- d-----w c:\program files\Funk Software
2008-12-08 11:56 --------- d-----w c:\program files\Common Files\Funk Software
2008-12-04 02:31 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
2008-12-03 23:59 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2008-12-03 23:59 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
2008-12-03 01:17 --------- d-----w c:\program files\Java
2008-11-10 09:43 410,984 ----a-w c:\winnt\system32\deploytk.dll
2008-10-24 04:21 --------- d-----w c:\program files\Sun
2008-10-24 04:16 --------- d-----w c:\program files\LimeWire
2008-10-16 18:13 202,776 ----a-w c:\winnt\system32\wuweb.dll
2008-10-16 18:13 1,809,944 ----a-w c:\winnt\system32\wuaueng.dll
2008-10-16 18:12 561,688 ----a-w c:\winnt\system32\wuapi.dll
2008-10-16 18:12 323,608 ----a-w c:\winnt\system32\wucltui.dll
2008-10-16 18:09 92,696 ----a-w c:\winnt\system32\cdm.dll
2008-10-16 18:09 51,224 ----a-w c:\winnt\system32\wuauclt.exe
2008-10-16 18:09 43,544 ----a-w c:\winnt\system32\wups2.dll
2008-10-16 18:08 34,328 ----a-w c:\winnt\system32\wups.dll
2008-10-16 18:06 268,648 ----a-w c:\winnt\system32\mucltui.dll
2008-10-16 18:06 208,744 ----a-w c:\winnt\system32\muweb.dll
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\system32\WIN32K.SYS
2008-03-19 00:28 271 ---h--w c:\program files\desktop.ini
2008-03-19 00:28 21,952 ---h--w c:\program files\folder.htt
2002-07-24 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [09/04/07 04:40p 6856704]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [08/30/07 05:43p 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"LVComs"="c:\winnt\system32\LVComS.exe" [07/09/99 07:22a 94720]
"DXM6Patch_981116"="c:\winnt\p_981116.exe" [11/30/98 06:04p 497376]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [08/14/08 06:36p 17408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/15/08 01:04a 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [11/10/08 05:43a 136600]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="Atiptaxx.exe" [11/15/00 05:10p 192512 c:\winnt\system32\atiptaxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 03:05p 186640]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin PCMCIA WLAN Monitor.lnk - c:\winnt\system32\monitorbk.exe [2008-03-20 462848]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2008-12-08 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.YUY2"= lvcod32.dll
"VIDC.YVU9"= lvcod32.dll
"VIDC.VDOM"= vdowave.drv
"VIDC.MPG4"= msscmc32.dll
"VIDC.TR20"= tr2032.dll
"msacm.voxacm119"= vdk32119.acm
"vidc.vivo"= ivvideo.dll
R3 ati2mpab;ati2mpab;c:\winnt\system32\DRIVERS\ati2mp ab.sys [2008-04-01 273376]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\winnt\system32\drivers\maestro.sys [1980-01-03 48368]
R3 PCMCIABKPCM98;Belkin 11Mbps Wireless Notebook Network Adapter;c:\winnt\system32\DRIVERS\bkpcm98.sys [2008-03-20 75291]
S3 el656CT5;FEM656-3Com 10-100 LAN+56K Modem CardBus PC Card-(Modem) (Controller);c:\winnt\system32\DRIVERS\el656CT5.SY S [2008-12-04 469072]
S3 el656nd5;3Com 10-100 LAN CardBus PC Card Driver;c:\winnt\system32\DRIVERS\el656nd5.sys [2008-12-04 75536]
S3 el656SE5;FEM656-3Com 10-100 LAN+56K Modem CardBus PC Card-(Modem) (Serial);c:\winnt\system32\DRIVERS\el656SE5.SYS [2008-12-04 72304]
S3 LVCam;Logitech USB Video Camera;c:\winnt\system32\DRIVERS\LVCD.sys [2008-08-14 31232]
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SystemRoot%\system32\msafd.dll
O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\winnt\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Bejeweled 2\Images\stg_drm.ocx
c:\winnt\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file://c:\program files\Bejeweled 2\Images\armhelper.ocx
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5zqielyp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-12-10 14:06:37
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\winnt\system32\Perflib_Perfdata_5f8.dat 16384 bytes
scan completed successfully
hidden files: 1
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 12/10/2008 14:09:07
ComboFix-quarantined-files.txt 2008-12-10 18:08:20
Pre-Run: 36,405,149,696 bytes free
Post-Run: 36,690,477,056 bytes free
126 --- E O F --- 1980-01-07 22:26:46
liamkincaid25
12-10-2008, 02:25 PM
Malaware byte resut
Malwarebytes' Anti-Malware 1.31
Database version: 1482
Windows 5.0.2195 Service Pack 4
12/10/2008 1:48:25 PM
mbam-log-2008-12-10 (13-48-25).txt
Scan type: Quick Scan
Objects scanned: 52892
Time elapsed: 20 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Windows Service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx\Windows Service (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\service.exe (Backdoor.Bot) -> Delete on reboot.
HJT lo result
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:20 PM, on 12/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\monitorbk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LVComs] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209434902251
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
--
End of file - 4746 bytes
Thank you for your help
CuratoR
12-10-2008, 06:06 PM
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Windows Service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx\Windows Service (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINNT\service.exe (Backdoor.Bot) -> Delete on reboot.
Your logs reveal that you got infected with one of the variants of BackDoor-CDC remote access trojan. Thats what you got thru the messenger. For more info, see the link below,
[/URL][URL]http://vil.nai.com//vil/content/v_127556.htm (http://vil.nai.com/vil/content/v_127556.htm)
Reboot the system after running malwarebyte as prompted, and make sure that c:\winnt\service.exe is gone.
Like classic, I'd also urge you to install an Antivirus Software immediately, update it and scan your system. Additionally, install a firewall software too, the best protection against trojans.
Plzzz run HJT again and post the log.
CuratoR,
liamkincaid25
12-10-2008, 10:24 PM
This is the result of the new scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:39 PM, on 12/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\monitorbk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LVComs] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209434902251
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
--
End of file - 4907 bytes
CuratoR
12-10-2008, 10:33 PM
I think you got rid of the virus. But plzzz, install an AntiVirus software immediately.
liamkincaid25
12-10-2008, 10:53 PM
Thank you for all your help CURATOR AND CLASSISOFTWARE
classicsoftware
12-11-2008, 12:18 AM
Open Hijackthis and place a check next to:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
Close all program and browser windows except for Hijackthis and click fix checked. Then:
Re-boot
Post a fresh log
Tell me how the system is running.
liamkincaid25
12-11-2008, 09:05 PM
Open Hijackthis and place a check next to:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
Close all program and browser windows except for Hijackthis and click fix checked. Then:
[LIST]
Re-boot
Post a fresh log
Tell me how the system is running.
[/LIST]
Result of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:19 PM, on 12/11/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\monitorbk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LVComs] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209434902251
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
--
End of file - 4692 bytes
classicsoftware
12-12-2008, 12:25 AM
Re-boot Done....
Post a fresh log Done....
Tell me how the system is running. Not so much....
liamkincaid25
12-12-2008, 09:22 AM
Re-boot Done....
Post a fresh log Done....
Tell me how the system is running. Not so much....
Sorry I guess I forgot that part. System now is runnig very well , I am not sending this damn "virus" anymore and I can talk without the windows disappearring. I think I got a small complication with IE as a result of dealing with this ( for this I posted a separte thread). THANK YOU VERY VERY MUCH for your TIME and HELP
classicsoftware
12-12-2008, 04:04 PM
Now that you are clean, you need to keep it that way. Please follow the rules below. Pay careful attention to number 4. Since the release of Service Pack 2 for Windows XP, Microsoft has greatly improved the security of Windows. The majority of attacks now occur in other software. Adobe Acrobat Reader is the most attacked program right now. You need to keep your software up to date and the Secunia PSI is the best way to go.
How to Protect Yourself While On-Line
Make sure you have an up to date Antivirus. Scan Regularly. There are many free versions:
AVAST (http://www.avast.com/eng/download-avast-home.html)
AVG (http://free.grisoft.com/freeweb.php/doc/2/)
Antivir (http://www.free-av.com/antivirus/allinonen.html)
Make sure you have a software firewall and if you are on broadband, get behind a NAT router. There are also free versions:
Kerio (http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
Sygate (http://www.filehippo.com/download_sygate_personal_firewall/)
Zone Alarm (http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp%3bjsessionid=BzJnZDxzyCUCcyZMB2t0Q co5IgutuYlrOMI5snmy1ZptQ2vOr1l1!776180791!-1062696904!7551!7552!-2099742426!-1062696903!7551!7552)
Keep Windows up to date. Visit Windows Update (http://windowsupdate.microsoft.com) and Office Update (http://office.microsoft.com/en-us/downloads/default.aspx) regularly.
Keep all of your software up to date. You can check on your software with the Secunia Software Inspector (http://secunia.com/software_inspector/). Sign up for e-mail notification and they will tell you when to check your system again.
Use Firefox (http://www.mozilla.org/products/) with the NoScript (http://noscript.net/) extension as your web browser.
Download, install and keep an updated version of SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html).
Do NOT click on links in any I.M. program.
Use Thunderbird (http://www.mozilla.com/en-US/thunderbird/) in place of Outlook or Outlook Express.
Use Foxit Reader (http://www.download.com/Foxit-PDF-Reader/3000-2079_4-10313206.html) with the PDF Download (https://addons.mozilla.org/en-US/firefox/addon/636) extension instead of Adobe Acrobat Reader.
DO NOT open attachments from ANYONE. Download them, and scan them with your AV before opening and only if your expect to receive them.
If you use IE download a copy of IE-Spyad (http://www.spywarewarrior.com/uiuc/resource.htm).
vBulletin v3.6.1, Copyright ©2000-2012, Jelsoft Enterprises Ltd.