Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MSN Messenger Virus/Worm/Malware


  • Please log in to reply
1 reply to this topic

#1 Freakeh

Freakeh

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:11:04 PM

Posted 07 June 2005 - 07:11 AM

Now I've usually been able to rid my PC of spyware, viruses, malware etc. but this one right here has me stumped.

It started with a younger brother getting a link sent to him over msn, it went like this;

"hey check this out: *your email*@hotmail.com(as a link)

When you click it, it sends you to a download link and younger brothers being as they are he stupidly clicked opened and it download and started up spreading this annoying little nasty. The file that downloads its called unknown@hotmail.com being .com as in an windows command file.

Once infected it will then randomly send the same link out to all your contacts as well as playing silly buggers with msn in general ie. convo window's will randomly close, some contacts won't even work as in they won't start a convo even when you double click them.

I have obviosuly tried every program that deals with virus, spyware, malware etc and none pick up this thing. I'll list the programs used;

- Spybot
- Adaware
- Spyblaster
- Error Nuker
- XoftSpy
- A squared
- Spyware Guard
- AVG Antivirus
- AntiVir XP
plus many online scanners

I've googled the unknown@hotmail.com filename and it turns up with results that vary between sites. Some say its this virus and some say its other names and files etc. I've tried to find these files that are mentioned to be part of this virus but none exist on my PC. Here's the link to the google search: http://www.google.com.au/search?q=unknown%...:en-US:official

I being prepared to post my HijackThis log ran it and was faced with it quiting out straight away. I tried it again and it still did it so I'd say that's part of the virus. I however started in Safe mode and it ran letting me get a log done.

Logfile of HijackThis v1.99.1
Scan saved at 4:06:19 PM, on 7/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Avant Browser\avant.exe
F:\Program Files\Error Nuker\bin\ErrorNuker.exe
F:\Documents and Settings\Sentinel\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
F3 - REG:win.ini: load=F:\WINDOWS\System32\saoyqqiot\csrss.exe
F3 - REG:win.ini: run=F:\WINDOWS\System32\saoyqqiot\csrss.exe
F2 - REG:system.ini: UserInit=F:\WINDOWS\\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - F:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG Free\avgemc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SysMetrix] F:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] F:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Error Nuker] F:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKCU\..\Run: [STYLEXP] F:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] "f:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [RSD_HDDThermo] F:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [HotRodASD.exe] F:\DOCUME~1\Sentinel\Desktop\HotRodASD-dm.exe /r
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: csrss.lnk = F:\WINDOWS\system32\saoyqqiot\csrss.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - F:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - F:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download all by Net Transport - F:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - F:\PROGRA~1\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - F:\PROGRA~1\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by Net Transport - F:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - F:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - F:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - F:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - F:\PROGRA~1\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70CC0802-3988-490F-8651-065BCC4549B7}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - F:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: StyleXPService - Unknown owner - F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - F:\WINDOWS\System32\UAService7.exe


Any help is appreciated and ask me anything because I have a tendency to miss certain aspects that are important.

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:34 AM

Posted 08 June 2005 - 12:12 PM

Do you know what this is?

O4 - HKCU\..\Run: [HotRodASD.exe] F:\DOCUME~1\Sentinel\Desktop\HotRodASD-dm.exe /r


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

F3 - REG:win.ini: load=F:\WINDOWS\System32\saoyqqiot\csrss.exe
F3 - REG:win.ini: run=F:\WINDOWS\System32\saoyqqiot\csrss.exe
F2 - REG:system.ini: UserInit=F:\WINDOWS\\system32\userinit.exe,
O4 - Startup: csrss.lnk = F:\WINDOWS\system32\saoyqqiot\csrss.exe
O4 - Startup: LimeWire On Startup.lnk = F:\Program Files\LimeWire\LimeWire.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c9.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

F:\WINDOWS\System32\saoyqqiot\

Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users