Author Topic: Computer infected by MSN Virus  (Read 28743 times)


zfc

  • Guest
Computer infected by MSN Virus
« on: November 17, 2007, 09:51:29 AM »
Help me, my computer is infected by an MSN virus. Someone sent me a file named image21.zip. I scanned it with avast before extracting the file, but avast failed to detect anything, so I thought the file was safe and opened it. After that I realised my MSN was automatically sending the file image21.zip to my online contacts. This is the scan result from VirusTotal for the file image21.zip:

Antivirus         | Version       | Last Update | Result (- = not detected)
AhnLab-V3         | 2007.11.17.0  | 2007.11.16  | -
AntiVir           | 7.6.0.34      | 2007.11.16  | TR/Crypt.ULPM.Gen
Authentium        | 4.93.8        | 2007.11.17  | Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast             | 4.7.1074.0    | 2007.11.16  | -
AVG               | 7.5.0.503     | 2007.11.17  | -
BitDefender       | 7.2           | 2007.11.17  | Trojan.Peed.Gen
CAT-QuickHeal     | 9.00          | 2007.11.16  | -
ClamAV            | 0.91.2        | 2007.11.17  | -
DrWeb             | 4.44.0.09170  | 2007.11.16  | BackDoor.IRC.Tiny
eSafe             | 7.0.15.0      | 2007.11.14  | suspicious Trojan/Worm
eTrust-Vet        | 31.2.5302     | 2007.11.17  | Win32/Slenfbot!generic
Ewido             | 4.0           | 2007.11.16  | -
FileAdvisor       | 1             | 2007.11.17  | -
Fortinet          | 3.11.0.0      | 2007.10.19  | -
F-Prot            | 4.4.2.54      | 2007.11.16  | W32/Threat-HLLSI-based!Maximus
F-Secure          | 6.70.13030.0  | 2007.11.16  | -
Ikarus            | T3.1.1.12     | 2007.11.17  | -
Kaspersky         | 7.0.0.125     | 2007.11.17  | Heur.Trojan.Generic
McAfee            | 5165          | 2007.11.16  | W32/Opanki.worm.gen
Microsoft         | 1.3007        | 2007.11.17  | Trojan:Win32/SystemHijack.gen
NOD32v2           | 2665          | 2007.11.17  | Win32/IRCBot.AAH
Norman            | 5.80.02       | 2007.11.16  | -
Panda             | 9.0.0.4       | 2007.11.17  | Suspicious file
Prevx1            | V2            | 2007.11.17  | MSNLive-Image:Worm-a
Rising            | 20.18.50.00   | 2007.11.17  | Backdoor.Win32.IRCbot.vim
Sophos            | 4.23.0        | 2007.11.17  | Mal/HckPk-A
Sunbelt           | 2.2.907.0     | 2007.11.17  | -
Symantec          | 10            | 2007.11.17  | W32.IRCBot
TheHacker         | 6.2.9.132     | 2007.11.16  | -
VBA32             | 3.12.2.5      | 2007.11.16  | -
VirusBuster       | 4.3.26:9      | 2007.11.16  | -
Webwasher-Gateway | 6.0.1         | 2007.11.16  | Trojan.Crypt.ULPM.Gen

zfc

Re: Computer infected by MSN Virus
« Reply #1 on: November 17, 2007, 09:52:07 AM »
This is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:50 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\smesvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\ADSL\ADSL USB MODEM\dslmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Magnify.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Collections\Download\HiJackThis\HijackThis.exe

O3 - Toolbar: NVRIEbar.IEbar - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalSoft\FreeVersion65\NVRIEbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dewan Eja Pro Config] C:\PROGRA~1\THENAM~1\DEWANE~1\deconfig.exe
O4 - HKLM\..\Run: [DEProWotd] C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
O4 - HKLM\..\Run: [Dewan Eja Pro] C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe autostart
O4 - HKLM\..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [System Terminal Monitor] smesvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: 蓝牙控制盘.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.38/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3FA213D6-E85F-11D3-84DA-00600836C654} (Project1.SeahMedia) - file://F:\TLM\Primary\BM\Year2\BM02U2\element\ActiveX\media\SeahMedia.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126858001537
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device -   - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8567 bytes
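As an added example (not part of the original post and not code from HijackThis or Trend Micro), here is a small Python triage pass over lines in the O-line format of the log above. It does not decide what is malicious; it flags the patterns a helper reads first: an O4 Run entry whose image is a bare filename (Windows resolves it by PATH search at logon, so the log does not tell you where the file lives), an entry whose target is "(no file)" (an orphaned registration), a BHO whose target is not a DLL (a Browser Helper Object is an in-process COM server, so an .exe target is malformed), and an autostart image under a Temp directory. The sample lines are constructed copies of entries from the logs posted in this thread; the HKCU Temp line, the user name "user" and the name "example.exe" in it are constructed for the demonstration and appear nowhere in the thread.

```python
"""Triage pass over HijackThis-style O-lines.

Added example, not from the thread or from Trend Micro's tool. It flags
entries a helper would look at first; it does not decide what is malware.
SAMPLE_LOG holds constructed copies of lines from the logs in this thread
plus one constructed Temp-directory line (user name and file name invented).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
O2 - BHO: {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - {0B1B0D47-95F7-4bad-9309-A945B655AE61} - C:\WINDOWS\SYSTEM32\regsvr32.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [System Terminal Monitor] smesvc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
"""


@dataclass
class Finding:
    section: str   # the O-number, e.g. "O4"
    target: str    # the image or DLL the entry points at
    reason: str    # why it is worth a closer look


GENERIC_RE = re.compile(r'^(?P<section>O\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')


def command_image(cmd: str) -> str:
    """Return the executable image from a Run-key command line.

    A quoted path is taken whole; otherwise the first whitespace-separated
    token is the image and anything after it is arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one O-line; None means nothing to flag."""
    m = GENERIC_RE.match(line)
    if not m:
        return None
    section, body = m.group('section'), m.group('body')

    if section == 'O4':
        m4 = O4_RE.match(line)
        if not m4:                      # e.g. "O4 - Global Startup: ..." lines
            return None
        image = command_image(m4.group('cmd'))
        if '\\' not in image and '/' not in image:
            return Finding(section, image,
                           'bare image name: resolved by PATH search at logon, '
                           'locate the real file before judging it')
        if re.search(r'\\temp\\', image, re.IGNORECASE):
            return Finding(section, image, 'autostart image lives under a Temp directory')
        return None

    # O2/O3/O9/O20...: the target is the text after the last " - " separator.
    target = body.rsplit(' - ', 1)[-1].strip()
    if target == '(no file)':
        return Finding(section, target, 'orphaned entry: the registered component no longer exists')
    if section == 'O2' and not target.lower().endswith('.dll'):
        return Finding(section, target,
                       'BHO target is not a DLL: a Browser Helper Object is an '
                       'in-process COM server, so this registration is malformed')
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:<4} {f.target:<50} {f.reason}')
```

Run against the sample it reports seven lines; the three bare Run-key names and the regsvr32.exe BHO target are the ones that would make a helper ask for the files. The rules are deliberately conservative: a bare name in a Run key is not proof of anything, it just means the log cannot tell you which file actually runs.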

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Computer infected by MSN Virus
« Reply #2 on: November 17, 2007, 10:07:29 AM »
To remove your posts from the other thread, just click "Modify" in the upper right-hand corner; in the box that appears, delete all the text, then click Save.  8)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

zfc

Re: Computer infected by MSN Virus
« Reply #3 on: November 17, 2007, 10:27:10 AM »
Since the content is too long, I uploaded it as attachments, OK? And I can't delete the previous post by clearing all the text.
« Last Edit: November 17, 2007, 10:29:18 AM by zfc »

Offline oldman

Re: Computer infected by MSN Virus
« Reply #4 on: November 17, 2007, 10:31:35 AM »
Quote
And I can't delete the previous post by clearing all the text.

Hmm... did you click "Modify" in the post?

zfc

Re: Computer infected by MSN Virus
« Reply #5 on: November 17, 2007, 10:37:37 AM »
Quote
And I can't delete the previous post by clearing all the text.

Hmm... did you click "Modify" in the post?

I clicked Modify and deleted all the text, but after I clicked Save, this message was shown:
The following error or errors occurred while posting this message:
The message body was left empty.
« Last Edit: November 17, 2007, 10:51:09 AM by zfc »

Offline oldman

Re: Computer infected by MSN Virus
« Reply #6 on: November 17, 2007, 10:48:49 AM »
Type "removed" in the reply box.  ;D

As for the file, no, we don't need it. You shouldn't leave a link to a live virus; someone could click on it.  ;) Please remove it.

I've found some Vundo so far. This program has had good success with it lately. We'll let it get most of it, then do the rest manually.

Download  superantispyware

First update SAS. Then:

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine

Leave the others unchecked.

Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post/attach the log in your next reply along with a new HJT log.

I'll keep looking at the DSS log.

Offline oldman

Re: Computer infected by MSN Virus
« Reply #7 on: November 17, 2007, 10:58:59 AM »
Before running HijackThis again, do the following:

Delete the HijackThis shortcut from the desktop, then

Navigate to this folder: D:\My Collections\Download\HiJackThis
In the right-hand panel, find HijackThis.exe and rename it to hijackzfc.exe or whatever you want. Right-click on the renamed file and select Send To > Desktop (create shortcut).

Vundo is already hiding; this will bring him out.  ;D

Offline oldman

Re: Computer infected by MSN Virus
« Reply #8 on: November 17, 2007, 11:50:15 AM »
 The malware changed your system authority

Download ERUNT from

http://www.larshederer.homepage.t-online.de/erunt/

and backup your registry


Now for the fix

REGISTRY FIX
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and the reg fix is done.


zfc

Re: Computer infected by MSN Virus
« Reply #9 on: November 17, 2007, 12:26:39 PM »
After scanning for almost an hour, I lost my patience and stopped it. Here is the scan log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2007 at 07:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3346
Trace Rules Database Version: 1347

Scan type       : Complete Scan
Total Scan Time : 00:58:59

Memory items scanned      : 451
Memory threats detected   : 2
Registry items scanned    : 6200
Registry threats detected : 13
File items scanned        : 12189
File threats detected     : 2

Adware.Vundo-Variant/Small
   C:\WINDOWS\SYSTEM32\SSQONLJ.DLL
   C:\WINDOWS\SYSTEM32\SSQONLJ.DLL
   Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ssqonlj

Adware.Vundo Variant
   C:\WINDOWS\SYSTEM32\MLLJH.DLL
   C:\WINDOWS\SYSTEM32\MLLJH.DLL
   HKLM\Software\Classes\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
   HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
   HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}\InprocServer32
   HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}\InprocServer32#ThreadingModel
   HKLM\Software\Classes\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
   HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
   HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}\InprocServer32
   HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
   HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}

zfc

Re: Computer infected by MSN Virus
« Reply #10 on: November 17, 2007, 12:27:33 PM »
Logfile of HijackThis after renaming it to hijackzfc.exe:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:46 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\smesvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ADSL\ADSL USB MODEM\dslmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Magnify.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\My Collections\Download\HiJackThis\Hijackzfc.exe

O2 - BHO: {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - {0B1B0D47-95F7-4bad-9309-A945B655AE61} - C:\WINDOWS\SYSTEM32\regsvr32.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: NVRIEbar.IEbar - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalSoft\FreeVersion65\NVRIEbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dewan Eja Pro Config] C:\PROGRA~1\THENAM~1\DEWANE~1\deconfig.exe
O4 - HKLM\..\Run: [DEProWotd] C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
O4 - HKLM\..\Run: [Dewan Eja Pro] C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe autostart
O4 - HKLM\..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [System Terminal Monitor] smesvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: 蓝牙控制盘.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.38/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3FA213D6-E85F-11D3-84DA-00600836C654} (Project1.SeahMedia) - file://F:\TLM\Primary\BM\Year2\BM02U2\element\ActiveX\media\SeahMedia.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126858001537
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device -   - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9196 bytes

zfc

Re: Computer infected by MSN Virus
« Reply #11 on: November 17, 2007, 01:04:16 PM »
Still can't fix it; my MSN is still sending the file image21.zip to my online contacts. The file keeps reappearing in C:\Documents and Settings\apichat\Local Settings\Temp although I have deleted it many times! I have tried using these programs but none of them can delete the virus permanently:
http://blog.miccas.net/2007/windows-livemsn-virus-lurking-around-imagezip/
http://billys-recondite-ramblings.blogspot.com/2007/04/msn-photo-album-virus.html
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip from http://www.d-a-l.com/help/showthread.php?p=153529

Offline oldman

Re: Computer infected by MSN Virus
« Reply #12 on: November 17, 2007, 05:49:43 PM »
Quote
After scanning for almost an hour, I lost my patience and stopped it. Here is the scan log:

That's too bad, because it was removing the vundo.


I need you to search for the following file(s) and delete them if found:

c:\windows\MS32DLL.dll.vbs  and c:\windows\system32\MS32DLL.dll.vbs

You will have to show all files first.

Open Folder Options in the Control Panel. On the View tab make sure Show Hidden Files and Folders is checked, and that Hide Protected Operating System Files and Hide extensions for known file types are not checked. Click OK.

Another registry fix. Did you do the other one?

Use erunt again for backup and do the following fix


REGISTRY FIX
Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0596c96a-bfe2-11db-8307-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561f6757-c3d8-11db-8311-4d6564696130}]



Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and the reg fix is done.



Open HJT (Hijackzfc), run a system scan only, and place a check next to these lines:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

Close all windows/browsers except for HJT, then click Fix.



Download ComboFix from Here or Here to your Desktop.

Double-click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a DSS log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
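Both registry fixes in this thread (the LSA "Authentication Packages" reset in Reply #8 and the MountPoints2 deletions above) are plain REGEDIT4 files, and it is worth seeing exactly what merging them does before double-clicking. As an added example, not from the thread or from any tool mentioned in it, the Python below parses that format: "[key]" headers that create or select a key, "[-key]" headers that delete a key, and "name"=hex(7):... values, which are REG_MULTI_SZ lists. In the REGEDIT4 format the hex(7) bytes are ANSI, one byte per character, each string NUL-terminated and a final extra NUL closing the list, so 6d,73,76,31,5f,30,00,00 decodes to the single entry "msv1_0". FIX_LSA and FIX_MOUNTPOINTS are the fix texts copied from the posts; the "current" lists passed to extra_lsa_packages, including the name "badpkg", are constructed stand-ins for what regedit would show on a machine, not values from the thread.

```python
"""Parser for REGEDIT4 fix files of the kind posted in this thread.

Added example, not from the thread or from any tool mentioned in it.
FIX_LSA and FIX_MOUNTPOINTS are copied from the posts; the 'current'
package lists fed to extra_lsa_packages are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

FIX_LSA = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    "\"Authentication Packages\"=hex(7):6d,73,76,31,5f,30,00,00\n"
)

FIX_MOUNTPOINTS = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\C]\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{0596c96a-bfe2-11db-8307-4d6564696130}]\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{561f6757-c3d8-11db-8311-4d6564696130}]\n"
)

# (kind, key, payload): kind is 'create_key', 'delete_key' or 'set_value';
# payload is (value_name, value_data) for set_value and None otherwise.
Op = Tuple[str, str, Optional[Tuple[str, object]]]

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def decode_hex7(payload: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) byte list into its REG_MULTI_SZ strings."""
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    # REGEDIT4 stores ANSI bytes; the v5.00 format would use UTF-16LE here.
    parts = raw.decode('latin-1').split('\x00')
    return [p for p in parts if p]  # drop the empty pieces left by the terminators


def _join_continuations(lines: List[str]) -> List[str]:
    """Re-join long hex values that regedit wraps with a trailing backslash."""
    out: List[str] = []
    for line in lines:
        if out and out[-1].endswith('\\'):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_reg(text: str) -> List[Op]:
    """Turn a REGEDIT4 file into the list of registry operations it performs."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('expected REGEDIT4 on the first line (nothing above it)')
    ops: List[Op] = []
    key: Optional[str] = None
    for line in _join_continuations(lines[1:]):
        if not line.strip():
            continue
        if line.startswith('[-') and line.endswith(']'):
            key = None                          # a deleted key takes no values
            ops.append(('delete_key', line[2:-1], None))
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            ops.append(('create_key', key, None))
        else:
            m = VALUE_RE.match(line)
            if not m or key is None:
                raise ValueError('malformed line: %r' % line)
            data = m.group('data')
            if data.startswith('hex(7):'):
                value: object = decode_hex7(data[len('hex(7):'):])
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1]              # REG_SZ
            else:
                value = data                    # dword:/hex: left as literal text
            ops.append(('set_value', key, (m.group('name'), value)))
    return ops


def extra_lsa_packages(current: List[str], fix_text: str) -> List[str]:
    """Entries in the live Authentication Packages list that merging the fix would drop.

    A .reg merge replaces the whole REG_MULTI_SZ, so anything appended by
    malware disappears, but so would a legitimate third-party package.
    Check this list before merging on any machine that is not a plain XP box.
    """
    for kind, key, payload in parse_reg(fix_text):
        if (kind == 'set_value' and key.lower().endswith('\\control\\lsa')
                and payload is not None
                and payload[0].lower() == 'authentication packages'):
            keep = {p.lower() for p in payload[1]}   # type: ignore[union-attr]
            return [p for p in current if p.lower() not in keep]
    raise ValueError('fix does not set Authentication Packages')


if __name__ == '__main__':
    for op in parse_reg(FIX_LSA) + parse_reg(FIX_MOUNTPOINTS):
        print(op)
    print('would drop:', extra_lsa_packages(['msv1_0', 'badpkg'], FIX_LSA))
```

The point of extra_lsa_packages is the caveat a helper would want stated: the first fix does not remove one entry, it overwrites the list with "msv1_0" alone, which is correct for a default XP install and wrong on a machine that legitimately registers another LSA authentication package. The MountPoints2 deletions only remove Explorer's per-drive cache for the C:, D: and two removable-volume GUID keys named in the post; they do not touch the autorun.inf files on the volumes themselves.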

Offline oldman

Re: Computer infected by MSN Virus
« Reply #13 on: November 17, 2007, 06:49:23 PM »
Quote
Still can't fix it; my MSN is still sending the file image21.zip to my online contacts. The file keeps reappearing in C:\Documents and Settings\apichat\Local Settings\Temp although I have deleted it many times! I have tried using these programs but none of them can delete the virus permanently:


You need a bit of patience.  :D So far, with the exception of SAS, we've just been finding what needs to be removed. Starting with ComboFix and the reg fixes, we'll be going after and removing the problem.  ;D

You will have to stop Messenger until we get the files that are sending the image to your friends, or they may end up here.  ;) I think it is bringing you a new copy.

The reg fixes are an important part of all this. SAS did remove the Vundo that the key in the first fix was pointed at.

By changing the name of HJT, we can now see Vundo with HJT. It may not seem like it, but a lot of progress has been made.  ;D  ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Computer infected by MSN Virus
« Reply #14 on: November 17, 2007, 07:01:12 PM »
Quote
After scanning for almost an hour, I lost my patience and stopped it. Here is the scan log:

That's too bad, because it was removing the vundo.

Patience is most certainly a virtue, and a requirement in this task of virus clean-up. By the look of the bit of log, SAS had done the lion's share of the scan when you stopped it, and you may end up having to run it again.

If my system were infected, the only thing on my mind would be getting it clean, no matter what that took.