
Messenger Service warnings

Discussion in 'Malware and Virus Removal Archive' started by roberdwhite, 2006/05/15.

  1. 2006/05/15
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    I have picked up a virus which puts Messenger Service warnings on my screen. The virus operates by putting an .EXE file in the WINNT temp directory; the .EXE is named a variation on cf8se3.exe. I can stop its operation for one cycle by changing the .exe to another form, i.e. .dud, but on the next reboot the .exe has been regenerated as another variation on the name and the registry has been changed accordingly, and I have to do it again. I don't have the tool to track what file generates the .exe and registry entry. Can you give me any advice? What is this and how do you clean it? Trend office, Spybot and Adaware all miss it. Thanks:confused:
     
  2. 2006/05/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    roberdwhite - Welcome to the Board :)

    Download HijackThis through Quicklinks in my signature, save it to a folder on your hard drive, say C:\HJT, not to the desktop or a temporary location.

    Boot into Safe Mode and scan with HJT - 'Scan and save a log file' - reboot into normal mode and post the log here.

    I will then move your thread to the Removing Spyware & Viruses forum.
     


  4. 2006/05/15
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    Thank you very much. I will do that as soon as I get home. I have HJT but I am not fully versed in it. I am really looking forward to finding this one. Been a pain.:)
     
  5. 2006/05/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    After a little more research ....

    If you don't use Windows Messenger service see this ....

    Shoot the Messenger from Gibson Research.
     
  6. 2006/05/15
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    Safe mode log
    Logfile of HijackThis v1.99.1
    Scan saved at 3:23:18 PM, on 5/15/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.exe
    C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Battelle
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    Normal
    Logfile of HijackThis v1.99.1
    Scan saved at 3:46:01 PM, on 5/14/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.exe
    C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwwi.Battelle.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wwwi.Battelle.org
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Battelle
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://wwwi.Battelle.org
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    Start up log
    StartupList report, 5/15/2006, 3:15:03 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINNT\TEMP\XK68E5.EXE
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Connection Keeper\ConKeepM.exe
    C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    IgfxTray = C:\WINNT\System32\igfxtray.exe
    HotKeysCmds = C:\WINNT\System32\hkcmd.exe
    OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    GWMDMMSG = GWMDMMSG.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\ssmarque.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    OfficeScanNT RealTime Scan: C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (autostart)
    OfficeScanNT Personal Firewall: C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Trend Micro Filter: \??\C:\Program Files\Trend Micro\OfficeScan Client\TmFilter.sys (autostart)
    OfficeScanNT Listener: C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Trend Micro VSAPI NT: \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys (autostart)


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 6,920 bytes
    Report generated in 0.141 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Thanks so much for the help:)
     
  7. 2006/05/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello roberdwhite,

    http://www.sysinternals.com/Utilities/Autoruns.html

    Autoruns is a program that enumerates XP startup locations. When you find the variable startup, you can jump to its registry entry, and it has the ability to disable/remove it. Look first under the Logon/WinLogon tabs.

    C:\WINNT\TEMP\XK68E5.EXE - Can't find info on this.

    Moving this thread to the Virus/Spyware section.

    Regards - Charles
     
  8. 2006/05/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I agree with Charles - no info. on XK68E5.EXE

    I suggest you clear out your temporary files in Safe Mode. If that file refuses to budge, I suggest you try using MoveOnBoot.
     
  9. 2006/05/16
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    As I indicated, this is the file that runs the messages. Disabling it stops the function until the next boot, then the file is renewed. I want to find the file that generates this file and kill it so the whole process is ended. I need a tool to tell me what is generating this file on boot. Is the Autoruns tool above able to do that?:confused:
     
  10. 2006/05/16
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello roberdwhite,

    Use Autoruns to find that .EXE; the line will show the Registry entry for it. That reg line may give us the info as to what this is. The info you're giving us so far is not indicating what the virus / trojan is.

    Don't bother renaming the .EXE variables, delete them, using MoveOnBoot if you have to.

    Regards - Charles
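The replies above point at Autoruns and the Run key, and the question in the post before them is how to tell which entry is the one that keeps coming back. The script below is an added example, not code from this thread nor from HijackThis, StartupList or Autoruns. It triages a pasted StartupList/HijackThis report the way a responder does by eye: it flags executables launched from a TEMP directory and file names that look machine-generated (a short mix of letters and digits such as XK68E5 or cf8se3), then pairs flagged files across two boots to show the "new name every reboot" pattern. The two sample reports are constructed from lines quoted in this thread (the O4 Run line for cf8se3.exe is constructed to match the first post's description; it does not appear in the posted logs), and ALLOWLIST is an assumed set of known-good names, not something the thread supplies.

```python
"""Triage a HijackThis / StartupList report for the kind of entry this thread
is chasing: an executable launched from a TEMP directory under a short,
machine-generated name that changes on every reboot.

Added example, not code from the thread or from the tools it mentions. The
sample reports are constructed from lines quoted in the thread (the O4 line
for cf8se3.exe is constructed from the first post's description); ALLOWLIST
is an assumption about known-good OS file names.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: two boots of the same machine, in the two line formats
# seen in the thread (StartupList "Running processes" paths, HijackThis O4).
REPORT_BOOT_1 = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Temp\cf8se3.exe
C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cf8se3] C:\WINNT\Temp\cf8se3.exe
"""
REPORT_BOOT_2 = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\XK68E5.EXE
C:\WINNT\GWMDMMSG.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
"""

# Assumed known-good names that the random-name heuristic would otherwise hit.
ALLOWLIST = {"regsvr32", "setup50"}

TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# 5-8 alphanumerics containing at least two digits and two letters: XK68E5, cf8se3.
RANDOM_NAME_RE = re.compile(r"^(?=(?:.*\d){2})(?=(?:.*[a-z]){2})[a-z0-9]{5,8}$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a command line, quoted or not, with or without spaces in the path.
EXE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|scr|com|bat|pif|dll|cmd))(?=\s|"|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str          # "process" or the registry key an O4 line came from
    path: str
    reasons: tuple       # subset of ("temp-dir", "random-name")


def extract_path(cmd: str):
    """Return the executable at the start of a Run command line, or None."""
    m = EXE_RE.match(cmd.strip().lstrip('"'))
    return m.group("path") if m else None


def classify(path: str, allowlist=ALLOWLIST) -> tuple:
    """Reasons a path deserves a second look; an empty tuple means nothing noticed."""
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("temp-dir")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if stem.lower() not in allowlist and RANDOM_NAME_RE.match(stem):
        reasons.append("random-name")
    return tuple(reasons)


def scan_report(text: str) -> list:
    """Walk a report and collect the process and Run-key entries worth asking about."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            source, path = m.group("key"), extract_path(m.group("cmd"))
        elif re.match(r"^[A-Za-z]:\\", line):      # bare path from "Running processes"
            source, path = "process", line
        else:
            continue
        if path and (reasons := classify(path)):
            findings.append(Finding(source, path, reasons))
    return findings


def regenerated(prev: list, cur: list) -> list:
    """Pair flagged files that sit in the same directory on two boots under different
    names: the 'deleted it, came back with a new name' pattern from the thread."""
    by_dir = {}
    for f in prev:
        by_dir.setdefault(ntpath.dirname(f.path).lower(), set()).add(f.path.lower())
    pairs = []
    for f in cur:
        for old in sorted(by_dir.get(ntpath.dirname(f.path).lower(), ())):
            if old != f.path.lower():
                pairs.append((old, f.path.lower()))
    return pairs


if __name__ == "__main__":
    boot1, boot2 = scan_report(REPORT_BOOT_1), scan_report(REPORT_BOOT_2)
    for f in boot1 + boot2:
        print(f"{f.source:<12} {f.path}  <- {', '.join(f.reasons)}")
    for old, new in regenerated(boot1, boot2):
        print(f"regenerated: {old} -> {new}")
```

The heuristic is a triage aid, not a verdict: legitimate names such as regsvr32 and setup50 trip the random-name check, which is why an allowlist is needed, and a flagged file in TEMP that reappears under a new name is the payload, not whatever writes it. The entries that stay the same from one boot to the next are where the dropper's own persistence will be, which is why the replies above ask for the registry line rather than the file name.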
     
  11. 2006/05/16
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    Not knowing what it is is the base problem. I went into the registry and the line just calls this .exe; I am not smart enough to derive any other info from it. I deleted the line, but it is regenerated for the new file name each reboot. I just change the file of this .exe so I can work at least this session without those popups all the time. It is the file that generates this .exe and the registry entry that I have to identify, and delete that entry.
     
  12. 2006/05/16
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Download and scan with Ewido http://www.ewido.net/en/

    Install as a scanner only: under "Additional Options ", uncheck "Install background guard" and "Install scan via context menu" and before using it, update it. Post anything it finds here, may need more than one post for it.

    Regards - Charles
     
  13. 2006/05/16
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    Will do.
     
  14. 2006/05/18
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    Problem got real intense. I am going back to zero. Not sure if I am cross doing the problem or had a dual infection. I am going to take the whole system down, install the protection (Adaware, Spybot, AVG and spyblaster), turn off the Messenger service and see what I got from scratch. I will post HijackThis logs when I am back up.:mad:
     
  15. 2006/05/19
    roberdwhite

    roberdwhite Inactive Thread Starter

    Joined:
    2006/05/15
    Messages:
    15
    Likes Received:
    0
    I am back up and will post logs the first of next week. I think the problem was a combination of the Messenger service hole and being hit with a bunch of attacks. I have been warned in another forum that AVG may not be all I hope; any recommendation on that? I hope to use a good freeware but will go to a commercial one if necessary.:confused:
     
  16. 2006/05/19
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
