
Windows Live Messenger Virus - HJT logfile

Discussion in 'Malware and Virus Removal Archive' started by Hanne, 2007/06/05.

  1. 2007/06/05
    Hanne

    Hanne Inactive Thread Starter

    Joined:
    2007/03/20
    Messages:
    6
    Likes Received:
    0
    Ok, now I have a problem... Received a zip file from a friend on MSN Messenger; I thought it was pictures but it was a virus or something. When I'm logged on to MSN it sends itself to all contacts on my list together with a text saying "hey check out this photo, duno if i should ad to my alb, leme send to you ". I have tried to run avast and Spybot but it doesn't help. Does anyone have a solution?

    Here is the HJT logfile:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 08:57:55, on 2007-06-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program\Alwil Software\Avast4\ashServ.exe
    C:\Program\ALWILS~1\Avast4\ashDisp.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\Program\Winamp\winampa.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\RECYCLER\msnservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\MSN Messenger\MsnMsgr.Exe
    C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program\Logitech\Music Anywhere\LMASysTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program\Alwil Software\Avast4\ashWebSv.exe
    C:\Program\MSN Messenger\usnsvc.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Last.fm\LastFM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Johan Gustafsson\Lokala inställningar\Temporary Internet Files\Content.IE5\4XAJKTMN\HiJackThis_v2[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.body.se/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MSN Services] C:\RECYCLER\msnservice.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Music Anywhere Settings.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163354826144
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://digicenter.se/aurigma/ImageUploader4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 6526 bytes
     
    Last edited: 2007/06/05
  2. 2007/06/05
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    You definitely have a worm, probably a variant of the carpet.c worm.

    1. disable system restore:
    Code:
    1.	Click Start, right-click My Computer, and then click Properties.
    2.	In the System Properties dialog box, click the System Restore tab.
    3.	Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
    4.	Click OK.
    5.	When you receive the following message, click Yes to confirm that you want to turn off System Restore:
    You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
    
    Do you want to turn off System Restore?
    After a few moments, the System Properties dialog box closes.
    2. Use HijackThis to FIX:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)
    O4 - HKLM\..\Run: [MSN Services] C:\RECYCLER\msnservice.exe

    3. Download Ad-Aware, install, update & scan the entire system.
    http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10672044.html?tag=pop.software

    4. use Disk Cleanup & get rid of:
    temporary files
    temporary internet files
    recycle bin
    To run Disk Cleanup do:
    Click Start, and then click Run. In the Open box, type cleanmgr, and then click OK

    5. reboot

    6. launch MSN messenger & if all seems OK after 24 hours, turn System Restore back on:
    Code:
    1.	Click Start, right-click My Computer, and then click Properties.
    2.	In the System Properties dialog box, click the System Restore tab.
    3.	Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
    4.	Click OK
     
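The "Use HijackThis to FIX" step above deletes registry entries behind the scenes. As an added example (not from the forum post or from HijackThis), the script below turns the three listed entries into the plain Windows XP commands those deletions correspond to, in an order that matters: kill the running worm first so it cannot re-create its Run value, then remove the registry entries, then clear the hidden/system attributes and delete the file. It assumes XP Professional (taskkill.exe is not shipped with XP Home, where the process has to be ended from Task Manager), and it only prints the commands so they can be reviewed before being run from an Administrator cmd prompt. The System Restore, Ad-Aware and Disk Cleanup steps are not covered.

```python
"""Translate the HijackThis entries listed under 'Use HijackThis to FIX'
into the XP commands a removal implies, in a safe order.

Added example; not from the forum post or from HijackThis. It assumes XP
Professional (taskkill.exe is not shipped with XP Home) and only prints the
commands so they can be reviewed before being run as Administrator.
"""
import re

# The three lines the reply says to fix, copied from the post above.
FIX_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {890C7964-9320-4055-BE11-7D7B562A6417} - (no file)",
    r"O4 - HKLM\..\Run: [MSN Services] C:\RECYCLER\msnservice.exe",
]

# Registry locations that HJT's O4 (Run keys) and O2 (BHO) sections report on.
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def exe_of(cmd: str) -> str:
    """Strip quotes from a Run command; unquoted entries in this example carry no arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd


def plan_fix(lines):
    """Return three command lists: kill processes, delete registry entries, delete files.

    Order matters: the running worm must die before its Run value goes, or it can
    re-create the value; and a file that is still open cannot be deleted.
    """
    kill, registry, files = [], [], []
    for line in lines:
        m = RE_O4.match(line)
        if m:
            hive = m.group("hive").split("\\")[0]
            key = RUN_KEYS.get(hive)
            if key is None:
                raise ValueError(f"hive {hive!r} not handled by this example")
            path = exe_of(m.group("cmd"))
            exe = path.rsplit("\\", 1)[-1]
            name = m.group("name")
            kill.append(f'taskkill /F /IM "{exe}"')
            registry.append(f'reg delete "{key}" /v "{name}" /f')
            # RECYCLER contents are normally hidden+system; clear attributes before del.
            files.append(f'attrib -r -s -h "{path}"')
            files.append(f'del /f /q "{path}"')
            continue
        m = RE_O2.match(line)
        if m:
            clsid = m.group("clsid")
            registry.append(f'reg delete "{BHO_KEY}\\{{{clsid}}}" /f')
            dll = m.group("path").strip()
            if dll != "(no file)":          # orphaned entries have nothing on disk to remove
                files.append(f'del /f /q "{dll}"')
    return kill, registry, files


if __name__ == "__main__":
    kill, registry, files = plan_fix(FIX_LINES)
    for cmd in kill + registry + files:
        print(cmd)
```

If `del` still reports the file as in use after `taskkill`, something else holds it open (a second instance, or the worm re-spawned); in that case remove the Run value, reboot, and delete the file before signing in to Messenger. HijackThis performs the same registry deletions through the registry API; writing them out makes the order of operations explicit and reviewable.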


  4. 2007/06/12
    Hanne

    Hanne Inactive Thread Starter

    Joined:
    2007/03/20
    Messages:
    6
    Likes Received:
    0
    Hi TonyT!

    Seems like my problem is solved after following your directions. Thanks a lot!
    Btw, these kinds of worms, are they mostly "harmless" or what do they do?

    /Hanne
     
  5. 2007/06/13
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    None are harmless. There's not a lot of documentation regarding the one you had as far as what it actually does or can do. Any worm is bad and has the potential to install other malware or backdoor trojans, which eventually can render the computer useless.
     
  6. 2007/06/13
    Hanne

    Hanne Inactive Thread Starter

    Joined:
    2007/03/20
    Messages:
    6
    Likes Received:
    0
    :eek: Glad I got rid of it then... Thanks again.
     
