MSN Virus!!!!

Adam Warren

New Member
All right, I was on MSN, and one of my buddies sent me a link which said lol look at this, and being tired and stupid, I clicked on it. And now I'm infected with a horrible virus. When I clicked on it, it automatically put three viruses on my computer... (dropper.small.12.s dropper.agent.4.ah downloader.dyfica.3.r) It was AVG that picked them up, that and Microsoft Anti Spyware. I tried going about so many things to delete this, but nothing works, and from what I can tell on the net, no one has yet. Just thought I'd warn all of you! And if anyone knows how to get rid of it HELPPPP :(
 

Byteman

Malware Destroyer
Post a HJT log. Close all programs before you run HJT, and don't run it from within a zip file; put it in a folder of its own (i.e. c:\program files\hjt), then run it, save a log and post it here.
 

Adam Warren

New Member
Byteman said:
Post a HJT log. Close all programs before you run HJT, and don't run it from within a zip file; put it in a folder of its own (i.e. c:\program files\hjt), then run it, save a log and post it here.

I have no idea what that is, lol. Can you be a bit more specific! :)
 

jancz3rt

VIP Member
I can....

Adam Warren said:
I have no idea what that is, lol. Can you be a bit more specific! :)

Download HijackThis... and then close all your programs that are running in the taskbar. HJT allows us to see all the running processes and help you. Then post the HJT log here so that we can analyse it.

JAN :D
 

Adam Warren

New Member
jancz3rt said:
Download HijackThis... and then close all your programs that are running in the taskbar. HJT allows us to see all the running processes and help you. Then post the HJT log here so that we can analyse it.

JAN :D

All right, I did that... I can't make any sense out of it, but it's really starting to tick me off, so if anyone else has had it and got rid of it, fill me in :(
 

Attachments: Log.doc (32.6 KB)

Phatxam

New Member
I got that same thing when I was talking to my friend. The only thing is, I didn't click on it and asked her what it was. :eek:
 

Byteman

Malware Destroyer
OK, you have a virus and a worm. You have a very new version of the Kelvir virus. Your Ad-Aware program is the old version and now worthless (download, install and update the new version), and you're running AVG for an antivirus program (or are you running Symantec as well? You should only have one antivirus program). If you are going to use AVG, download the latest definitions here (newest version only) and reboot to safe mode (F8 button repeatedly when rebooting), and run a full virus scan. You should also know that there is a new version of AVG; you should install and use it.

As for HijackThis, you can safely put a check by these items and have HJT fix them; they are bad.

O4 HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe

These are running processes (viral). If you can open HJT and click the "open misc tool section" button, then click "process manager", then look for the items below, select one and kill the process. Don't reboot yet; kill the other process as well. Don't reboot; make sure your antivirus is the new version and updated, then reboot to safe mode and scan. Let us know... :)

C:\WINDOWS\system32\mssmmspgr.exe
C:\DOCUME~1\User\LOCALS~1\Temp\bwgo00de02b7.exe

Also, you could try some online virus scanners. Here are 2.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/housecall/start_corp.asp
 

Hellbreather

New Member
Well, it's not her fault either, unless she's a computer hacker. Most likely it's a piece of spyware installed on her computer that's auto-started and posted it on her MSN to everyone she was talking to at the time.
 

LOCURAFAN

New Member
Here's what I got on HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 8:32:26 PM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Documents and Settings\Laura.LAURA-N0UP69FYR\reg.exe
C:\WINDOWS\seeve.exe
c:\windows\system32\zfrcmqs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Laura.LAURA-N0UP69FYR\reg.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [mgvctu] c:\windows\system32\zfrcmqs.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKCU\..\Run: [azs5RWbmQ] stramon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdwareSys] C:\DOCUME~1\LAURA~1.LAU\LOCALS~1\Temp\3.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0697c45721d1f36e5223/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52D74F34-8AAB-41D9-B183-735894800F69}: NameServer = 68.94.156.1 151.164.30.104
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe



:confused: :confused:
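The HijackThis log above is the kind of artifact this thread keeps asking for, and Byteman's earlier advice (pick out the O4 Run entries that point at odd executables, kill those processes, then scan from safe mode) is a manual first pass over it. As an added example, not code from the thread or from HijackThis itself, here is a small Python script that does that first pass mechanically: it parses the O4, O15, O17 and O23 lines and flags the patterns a defender checks first. The sample log is a constructed subset of the log posted above; the triage rules (bare filenames with no path, executables launched from a Temp folder, Trusted Zone additions, DNS servers set in the registry, services with no vendor string) are my own heuristics rather than anything the thread states, and a flag is a prompt to look at the entry, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log posted in this thread,
# with a few benign entries (RealPlayer, MSN Messenger, Java) left in so the
# triage has something it should ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKCU\..\Run: [azs5RWbmQ] stramon.exe
O4 - HKCU\..\Run: [AdwareSys] C:\DOCUME~1\LAURA~1.LAU\LOCALS~1\Temp\3.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O15 - Trusted Zone: *.media-motor.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{52D74F34-8AAB-41D9-B183-735894800F69}: NameServer = 68.94.156.1 151.164.30.104
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
""".strip()

# Line shapes used by HijackThis 1.99 for the sections this script looks at.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    item: str      # the entry that was flagged
    reason: str    # why a human should look at it


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line.

    Quoted commands are taken up to the closing quote; unquoted ones up to the
    first '.exe' so paths with spaces survive; otherwise the first token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def o4_reasons(image: str) -> list:
    """Heuristics (my own, not HJT's) for an autostart image worth a look."""
    reasons = []
    if "\\" not in image:
        reasons.append("bare filename, no path: resolved through the search path at logon")
    if "\\temp\\" in image.lower():
        reasons.append("launches from a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Return the entries a defender should review first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            image = image_path(m["cmd"])
            for reason in o4_reasons(image):
                item = f"{m['hive']}\\..\\{m['key']} [{m['name']}] -> {image}"
                findings.append(Finding("O4", item, reason))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", m["zone"],
                                    "site added to the Trusted Zone: IE relaxes security for it"))
        elif m := O17_RE.match(line):
            findings.append(Finding("O17", m["servers"],
                                    "DNS servers set in the registry: confirm they belong to the ISP"))
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", f"{m['svc']} -> {m['path']}",
                                        "service with no vendor string"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}\n      {f.reason}")
```

Run against the sample, the script reports the two `[Windows] system.exe` entries and `stramon.exe` as bare filenames, `3.exe` as a Temp-folder launch, the `media-motor.net` Trusted Zone entry, the registry NameServer pair for confirmation, and the `SvcProc` service; the RealPlayer, Messenger and Java entries pass. Anything it flags still needs the human check Byteman describes, because a legitimate program can also autostart from an unusual place.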
 

Byteman

Malware Destroyer
You've definitely got CW something + other spyware too. Please start by doing the following steps (especially the CWShredder; don't miss that):

1. Disable System Restore (right-click on "My Computer", Properties, System Restore, check Turn off System Restore).

2. Enable viewing of all files/folders (open "My Computer", Tools, Folder Options, View, click "View hidden folders and files" and uncheck "Hide extensions for known file types").

3. Run BOTH online scans below.

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/hou.../start_corp.asp

4. Download CWShredder (be sure to update it before you run it), VX2finder, Kill2me, and run them. Let them fix what they find. See these links for download:
http://www.intermute.com/spysubtrac...r_download.html
http://www.pchell.com/downloads/vx2finder.exe
http://www.spywareinfo.com/~merijn/files/kill2me.zip

5. Now, download Ad-Aware SE and SpyBot (both are free, see links below), install them and update them separately. Then re-boot to safe mode (pressing F8 when booting up) and run a FULL system scan with Ad-Aware (not the Smart Scan), and check all the items it finds/let it remove them. Run SpyBot and scan, let it remove what it finds. REBOOT your machine and run them again, TAKE NOTE of what items still remain that they couldn't get rid of! Some items will be taken off from a 2nd scan and some items they will NOT be able to remove at all (note what those items are).

http://www.download.com/Ad-Aware-SE...ubj=dl&tag=top5
http://www.safer-networking.org/en/mirrors/index.html

Then after all that, post back with a HijackThis log, and we'll clean up any leftovers... :)
 