Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Msn Virus?


  • Please log in to reply
13 replies to this topic

#1 Koops12

Koops12

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 09 February 2008 - 03:22 PM

My sister recently infected my computer with the MSN Virus (as it is commonly called :thumbsup: ). I scanned numerous times with Avast! Spybot S&D and Ad-Aware; my MSN doesn't seem to be sending it out anymore, neither do my sisters' profiles. Just to be safe, I thought I should post this and see if anyone could give me some confirmation or information. Thanks.

EDIT: It appears that the virus is still spreading from my computer whenever I log into MSN, so I guess I never really got rid of it in the first place.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:51 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\wkssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael2\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Mouse Software 1] C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software 1] C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-448539723-1336601894-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'StG')
O4 - HKUS\S-1-5-21-448539723-1336601894-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'StG')
O4 - HKUS\S-1-5-21-448539723-1336601894-682003330-1003\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'StG')
O4 - HKUS\S-1-5-21-448539723-1336601894-682003330-1006\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Michelle')
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 7054 bytes

Edited by Koops12, 09 February 2008 - 05:30 PM.

Posted Image

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 16 February 2008 - 11:04 PM

Hello Koops12,

Download MsnCleaner.zip to your Desktop, but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner.zip
(Copy/Paste the URL into the address bar or use "Save Target As")
  • Extract the content of MsnCleaner.zip to your Desktop.
  • Now reboot into Safe Mode
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once after you finish scan.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 17 February 2008 - 10:48 AM

Thanks for getting around to helping me. Sorry I didn't reply earlier, but here is the log.

- Logfile MSNCleaner 1.5.5 by www.forospyware.com
- Created Logfile: 2/17/2008 on 10:41:42 AM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 2
Deleted file: 2
Undeleted Files: 0

C:\WINDOWS\nsreg.dat <--- Deleted
C:\WINDOWS\SiSport.sys <--- Deleted
Posted Image

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 17 February 2008 - 11:19 AM

Hi Koops12,

We will run ComboFix.

You need to disable your Avast Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts



To disable avast antivirus:
Right click on the avast! icon in system tray (looks like this: Posted Image) and choose (Stop On-Access Protection)

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 17 February 2008 - 12:41 PM

ComboFix Log:

ComboFix 08-02-17.2 - Michael2 2008-02-17 12:16:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.173 [GMT -5:00]
Running from: C:\Documents and Settings\Michael2\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Danielle\g2mdlhlpx.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-12 15:01 . 2008-02-12 15:01 <DIR> d-------- C:\Program Files\Avira
2008-02-12 15:01 . 2008-02-12 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-11 23:30 . 2008-02-09 20:55 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-10 15:45 . 2008-02-09 15:21 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-02-09 20:54 . 2008-02-12 14:54 <DIR> d-------- C:\Documents and Settings\Michael2\.housecall6.6
2008-02-09 14:46 . 2008-02-09 14:46 <DIR> d-------- C:\Documents and Settings\StG\Contacts
2008-02-09 12:37 . 2008-02-09 12:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 12:37 . 2008-02-09 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 16:01 . 2008-02-11 23:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-08 16:01 . 2008-02-11 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 15:21 . 2008-02-06 15:21 <DIR> d-------- C:\Documents and Settings\StG\Application Data\Creative
2008-01-27 22:15 . 2008-01-27 22:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-18 14:35 . 2008-01-18 14:35 <DIR> d-------- C:\Program Files\iPod
2008-01-18 14:34 . 2008-01-18 14:35 <DIR> d-------- C:\Program Files\iTunes
2008-01-18 14:34 . 2008-01-18 14:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-18 14:28 . 2008-01-18 14:28 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-18 14:27 . 2008-01-18 14:27 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:05 --------- d-----w C:\Program Files\Lx_cats
2008-02-14 13:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 04:14 --------- d-----w C:\Documents and Settings\Michael2\Application Data\gtk-2.0
2008-02-09 17:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 01:12 --------- d-----w C:\Documents and Settings\Michelle\Application Data\Creative
2008-01-19 19:36 --------- d-----w C:\Program Files\Inkscape
2008-01-18 19:34 --------- d-----w C:\Program Files\QuickTime
2008-01-18 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 23:36 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Apple Computer
2008-01-09 21:53 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Thunderbird
2008-01-07 02:47 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Creative
2008-01-06 04:57 --------- d-----w C:\Program Files\Celtx
2008-01-06 04:44 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Greyfirst
2008-01-04 17:09 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Nvu
2007-12-31 17:15 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Inkscape
2007-12-31 01:46 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Apple Computer
2007-12-31 01:40 --------- d-----w C:\Documents and Settings\Michael2\Application Data\ArcSoft
2007-12-29 05:00 --------- d-----w C:\Documents and Settings\Michael2\Application Data\TuneUp Software
2007-12-27 16:23 --------- d-----w C:\Documents and Settings\Michael2\Application Data\Talkback
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2003-10-30 13:09 249856]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"Creative Mouse Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 13:52 65536]
"Creative Mouse Software 1"="C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe" [2005-11-29 16:44 221184]
"Creative Keyboard Software"="C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 13:52 65536]
"Creative Keyboard Software 1"="C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe" [2005-04-05 00:11 229376]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 18:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 17:05 102400]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-13 15:30 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-06-02 20:16:38 1073152]

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-12 18:56]

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - UPNPHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 01:25:04 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 12:19:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 12:20:21
ComboFix-quarantined-files.txt 2008-02-17 17:20:05
.
2008-02-14 08:43:50 --- E O F ---
Posted Image

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 17 February 2008 - 01:40 PM

Hi Koops12,

Please post a fresh Hijackthis log and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 17 February 2008 - 02:05 PM

Everything seems to be working fine on my computer. It has been running at its normal pace. However, there are many more processes running than usual. MSN doesn't seem to be sending anything out anymore. Here is my latest HJT log. Thanks once again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Mouse Software 1] C:\Program Files\Creative\Input Devices\MOUSE\CTPoint.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software 1] C:\Program Files\Creative\Input Devices\Keyboard\CTType.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 6758 bytes
Posted Image

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 17 February 2008 - 02:14 PM

Hi Koops12,

Your log looks clean. :thumbsup:


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.





As for the running processes, this is caused by all the programs you haved added (like the antivirus).

Uninstall then Reinstall MSN and see if helps.


We can remove a few items if you you want.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
(Description: CMedia audio card system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

Edited by SifuMike, 17 February 2008 - 04:48 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 17 February 2008 - 03:38 PM

Thank you very much for all of your help, SifuMike. :thumbsup:

Edited by Koops12, 17 February 2008 - 03:38 PM.

Posted Image

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 17 February 2008 - 04:47 PM

You're most welcome. :thumbsup: And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :blink:

Delete MsnCleaner.zip and MsnCleaner.exe from your desktop.


Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox
VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 18 February 2008 - 05:09 PM

I have gotten rid of MsnCleaner easily. However whenever I try to run "ComboFix /u" I get an error message saying, "Windows cannot find 'ComboFix'. Make sure you have typed the name correctly, and then try again. To search for a file, click the Start button, and then click the Search button."

Also, I have read the links you have given me and they have taught some things I didn't know, so thanks for that.
Posted Image

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 18 February 2008 - 05:23 PM

However whenever I try to run "ComboFix /u" I get an error message saying, "Windows cannot find 'ComboFix'. Make sure you have typed the name correctly, and then try again. To search for a file, click the Start button, and then click the Search button."


Just delete it from here C:\Documents and Settings\Michael2\Desktop\ComboFix.exe and then manually reset your time.


Or try this

Enter (with the quotation marks):

"%userprofile%\desktop\combofix.exe" "/u"

There is a space between the sets of quotation marks.

Edited by SifuMike, 18 February 2008 - 05:26 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Koops12

Koops12
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 18 February 2008 - 06:36 PM

Alright, I did everything manually. The computer is running just fine, the number of running processes are back to normal. I just wanted to thank you once again for all of your help.
Posted Image

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:35 PM

Posted 18 February 2008 - 06:44 PM

Thank you for the kind words.. It's always nice to hear that someone appreciates the help we are giving. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users