MSN WINDOWS LIVE VIRUS


  • This topic is locked
22 replies to this topic

#1 xldeane

  • Members
  • 15 posts
  • Gender:Male
  • Location:Essex UK

Posted 28 February 2009 - 04:37 AM

Hello Gentlemen/Ladies. About a year ago I clicked someone's silly link from MSN. Since then I haven't been able to remove this virus; I take it that it is a virus. The problem is that it is somehow linked to my account. I've attempted to change my password etc., but it still somehow signs in and spams more virus links to my contacts.
I've recently reformatted and scanned with Kaspersky & SUPERAntiSpyware but it doesn't resolve a thing. Any help would be greatly appreciated!



DDS (Ver_09-02-01.01) - NTFSx86
Run by Deano at 9:23:10.65 on 28/02/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2543 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ergodex\bin\ergomon.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Deano\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ErgoMon] "c:\program files\ergodex\bin\ergomon.exe"
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [nwiz] nwiz.exe /install
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [CtxfiReg] CTXFIREG.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-8-18 133152]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-13 213520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-2-22 425080]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-4-25 201992]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-5 10384]
R3 ErgoDvr;Ergodex DX1;c:\windows\system32\drivers\ergodvr.sys [2005-2-18 25771]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
S3 ASUDriver;ASUDriver;\??\c:\program files\amd\amd overdrive\i386\aoddriver.sys --> c:\program files\amd\amd overdrive\i386\AODDriver.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-9-24 79360]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\deano\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\deano\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\drivers\gggen.sys [2008-12-31 11648]
S3 SaiH0004;SaiH0004;c:\windows\system32\drivers\SaiH0004.sys [2008-9-14 132232]
S3 SaiK0CEA;SaiK0CEA;c:\windows\system32\drivers\SaiK0CEA.sys [2008-4-25 104960]
S3 SaiL0004;SaiL0004;c:\windows\system32\drivers\SaiL0004.sys [2008-9-14 15488]
S3 SaiU0004;SaiU0004;c:\windows\system32\drivers\SaiU0004.sys [2008-9-14 28416]
S3 SaiU0CEA;SaiU0CEA;c:\windows\system32\drivers\SaiU0CEA.sys [2008-4-25 28544]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-02-28 06:08 <DIR> --d----- c:\program files\Lavasoft
2009-02-27 13:04 <DIR> --d----- c:\program files\MSN Messenger
2009-02-26 18:00 <DIR> --d----- c:\documents and settings\deano\.housecall6.6
2009-02-22 10:47 <DIR> --d----- c:\program files\a-squared Free
2009-02-21 17:38 <DIR> --d----- c:\program files\Codemonster
2009-02-13 09:34 <DIR> --d----- c:\program files\Kaspersky Lab
2009-02-13 09:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-02-13 09:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-02-07 06:07 <DIR> --d----- c:\docume~1\deano\applic~1\DNA
2009-01-29 14:47 <DIR> --d----- c:\docume~1\deano\applic~1\HLSW

==================== Find3M ====================


============= FINISH: 9:23:31.42 ===============

Lead, follow or get the hell out of the way......

#2 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 March 2009 - 04:14 AM

Hi xldeane,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me the current condition of your computer. Please be specific and detailed about which type of account (MSN, Yahoo, Outlook, Outlook Express, Gmail, etc.) is sending spam.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt

    Note 1: If you have difficulty finding the log, it is in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

#3 xldeane (Topic Starter)

Posted 11 March 2009 - 07:55 AM

Hi farbar, thanks for helping me out m8. log.txt attached as requested. Awaiting further instructions. xl.....out

Attached Files

  • Attached File  log.txt   52.75KB   6 downloads


#4 xldeane (Topic Starter)

Posted 11 March 2009 - 08:10 AM

I have an MSN Premium Account for my email. Every time I log in to my email (MSN Messenger starts up automatically) and go to the inbox, the notification at the top of the page says "checking email", then after a few seconds goes to "sending email" and keeps sending emails until I log out and close the window. Just thought of something: a while ago I typed my email address into Google and it took me to a website that had my email address and password on show along with hundreds of others. Needless to say I changed my password immediately, but I don't know how long it was available for.

Link to site : http://pastebin.ca/raw/1349392

#5 Farbar

Posted 11 March 2009 - 08:29 AM

I see your attach.zip file from the first log is not complete, so we need this log too.
  • Please go to start -> Run.
    • Copy and paste the bold line in the run-box and click OK: c:\rsit\info.txt
    • A text file opens, copy and paste the content to your reply.
  • Tell me if you have a dial-up (vs ADSL or Cable) connection and if you know this server as I get conflicting information on it:

    78.143.192.10,78.142.192.20

Edited by farbar, 11 March 2009 - 09:18 AM.


#6 xldeane (Topic Starter)

Posted 11 March 2009 - 12:20 PM

Sorry try this one xl....out


#7 Farbar

Posted 11 March 2009 - 12:40 PM

Tell me if you have a dial-up (vs ADSL or Cable) connection and if you know this server as I get conflicting information on it:

78.143.192.10, 78.142.192.20

#8 xldeane (Topic Starter)

Posted 11 March 2009 - 12:47 PM

Sorry, I have broadband ADSL. I am hardwired into a wireless router, and so is a laptop. Wireless is disabled on the router. DNS servers are 78.143.192.10 & 78.143.192.20. Hope this helps. xl....out

#9 Farbar

Posted 11 March 2009 - 01:12 PM

It certainly helps. You should be in GB and this is your ISP:

inetnum: 78.143.192.0 - 78.143.192.255
netname: FAST-NETWORK
descr: Fast.co.uk Core Network
remarks: INFRA-AW
country: GB


The lower server is a dial-up service in Russia:

inetnum: 78.142.192.0 - 78.142.192.127
netname: DI-MEDIA-DIAL-MOSCOW-REGION
descr: dial-up service Balashiha MO
remarks: INFRA-AW
country: RU


It means your DNS is hijacked.
  • To make sure, please go to Add/Remove Programs in the Control Panel and uninstall both MSN Messenger 7.0 and MSN. After cleaning, you can install them again later on.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.

Please include in your next reply:
  • The log of MBAM.
  • A fresh rsit log.
  • Any comment or feedback about how it went.
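The diagnosis in the post above was made by hand: read the resolver addresses from the O17 lines, look up each one in whois, and notice that the second server sits in a Russian dial-up range rather than the ISP's. The script below does the same comparison mechanically. It is an added example, not code from the thread or from HijackThis; its inputs are constructed from the O17 lines and the two inetnum records quoted in this post, the home country ("GB") is an assumption the analyst supplies, and the octet_distance heuristic is mine, not anything the thread describes.

```python
"""Added example: check the nameservers from HijackThis O17 lines against whois
inetnum ranges, the way the diagnosis in the post above was made by hand."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the three O17 lines quoted in the post above.
HJT_O17_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{FB055183-1AF3-4BC5-8349-F90B283325DB}: NameServer = 78.143.192.10,78.142.192.20
"""

# Constructed input: the two RIPE-style inetnum records quoted in the post.
WHOIS_RECORDS = """
inetnum: 78.143.192.0 - 78.143.192.255
netname: FAST-NETWORK
descr: Fast.co.uk Core Network
country: GB

inetnum: 78.142.192.0 - 78.142.192.127
netname: DI-MEDIA-DIAL-MOSCOW-REGION
descr: dial-up service Balashiha MO
country: RU
"""

# Control set (CCS, CS1, CS2 ...) and the comma-separated NameServer value.
O17_RE = re.compile(r"O17 - HKLM\\System\\(?P<cs>\w+)\\.*?NameServer = (?P<servers>[\d.,]+)")


def parse_o17(text):
    """Map each control set to the static DNS servers HijackThis found there."""
    found = {}
    for line in text.splitlines():
        m = O17_RE.search(line)
        if m:
            found[m.group("cs")] = [s for s in m.group("servers").split(",") if s]
    return found


@dataclass
class WhoisRecord:
    netname: str
    country: str
    networks: list  # ip_network objects covering the inetnum range


def parse_whois(text):
    """Turn 'key: value' inetnum blocks into records with CIDR networks."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        first, last = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
        records.append(WhoisRecord(fields["netname"], fields["country"],
                                   list(ipaddress.summarize_address_range(first, last))))
    return records


def lookup(ip, records):
    """Return the record whose range contains ip, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        if any(addr in net for net in rec.networks):
            return rec
    return None


def find_rogue_nameservers(o17_text, whois_text, home_country):
    """IPs set as resolvers that are not allocated in the user's own country.

    home_country is an assumption supplied by the analyst ("GB" for the poster).
    An unknown range is treated as rogue rather than silently trusted.
    """
    records = parse_whois(whois_text)
    servers = []
    for control_set in parse_o17(o17_text).values():
        for ip in control_set:
            if ip not in servers:
                servers.append(ip)
    rogue = []
    for ip in servers:
        rec = lookup(ip, records)
        if rec is None or rec.country != home_country:
            rogue.append(ip)
    return rogue


def octet_distance(a, b):
    """Heuristic (mine, not the thread's): how many dotted octets differ.

    A small distance between the legitimate and the rogue resolver is what
    let 78.142.192.20 pass for an ISP address at a glance in this thread.
    """
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))


if __name__ == "__main__":
    records = parse_whois(WHOIS_RECORDS)
    for cs, servers in parse_o17(HJT_O17_LINES).items():
        print(cs, servers)
    for ip in find_rogue_nameservers(HJT_O17_LINES, WHOIS_RECORDS, "GB"):
        rec = lookup(ip, records)
        print(f"rogue resolver {ip}: {rec.netname} ({rec.country})")
```

The check deliberately flags an address whose range is not in the supplied whois data at all: a resolver you cannot attribute is not one to keep. Note also that a static NameServer value appears in every control set (CCS, CS1, CS2), which is why the post has all three O17 lines fixed, and why switching the adapter back to "Obtain DNS server address automatically" is part of the same step.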


#10 xldeane (Topic Starter)

Posted 11 March 2009 - 01:56 PM

One of us is a genius, and I don't think it's me. xl.....out


#11 Farbar

Posted 11 March 2009 - 02:08 PM

Well done. :thumbup2:
  • Please fix this line with Hijackthis as before:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot)


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot)


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply. We don't need rsit log this time.
Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#12 xldeane (Topic Starter)

Posted 11 March 2009 - 05:01 PM

I have a good feeling about this. :thumbup2: Sorry I took so long to get back to you. xl....out


#13 Farbar

Posted 11 March 2009 - 05:36 PM

The Combofix log was good.
  • We need to scan a file. Click on this link --> virustotal
    • Copy and paste the following bold line in the Browse... area:

      C:\WINDOWS\system32\ddmon.dll

    • Click Send File.
    • If the file has been analysed before, click the Reanalyse File Now button.
    • Please copy and paste the results of the scan in your next post.
  • Go to Start => Run => Copy and paste the following text in the run box and click OK.

    cmd /c dir /o:d /a /s "C:\Documents and Settings\Deano\Application Data\deskPDF" > "%userprofile%\desktop\log1.txt"

    A text file (log1.txt) will be created on your desktop. Copy and paste the content of it to your reply.


#14 xldeane (Topic Starter)

Posted 11 March 2009 - 05:47 PM

What can I say but thanks. xl...out

Attached Files

  • Attached File  log1.txt   648bytes   1 downloads


#15 xldeane (Topic Starter)

Posted 11 March 2009 - 05:50 PM

Sorry, forgot this one. xl...out

