Author Topic: Mass-mailing worms?  (Read 9926 times)


linoleum

Mass-mailing worms?
« on: October 12, 2008, 04:41:46 PM »
Hi everyone, this is my first post on the forum, so if I do anything wrong go easy on me :)
I'm currently using Spyware Doctor and Avast! on my PC; every day they find something new (probably bad). However, the other day when I was on MSN IM I received a message from my friend asking me to look at his "dream car". I opened the message and there was nothing inside. I asked him about it and he claims never to have sent the message; I then realised it was a virus. Ever since then the Avast! Mail Scanner alerts me every couple of minutes with a pop-up screen telling me about a suspicious message:
"There are too many identical emails in appointed time


Sender:  "Harry Cox" <mthreonine@net-security.org>
Recipient:  <tmillis@trcsolutions.com>,<tnelson@trcsolutions.com,<smills@trcsolutions.com
Subject:  Forget the doctor, get meds online"

I have run both avast! and Spyware Doctor and they can find nothing. Do you have any suggestions on how to fix my problem?
Many thanks, Jacob
P.S. I'm a total noob so please treat me like one :)


Very sorry, I think I have just found another post which seems to have the same problem; I'm reading the advice on their page.
« Last Edit: October 12, 2008, 04:45:50 PM by linoleum »

Offline DavidR

Re: Mass-mailing worms?
« Reply #1 on: October 12, 2008, 05:57:11 PM »
It may be that the spambot is either hidden or undetected, so we can try some other tools.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

1. SUPERAntiSpyware (on-demand only in the free version).

2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

Re: Mass-mailing worms?
« Reply #2 on: October 12, 2008, 08:47:30 PM »
Very sorry, I think I have just found another post which seems to have the same problem; I'm reading the advice on their page.
Welcome to the forums.
Did that page solve your problem?
The best things in life are free.

spg SCOTT

Re: Mass-mailing worms?
« Reply #3 on: October 12, 2008, 09:11:18 PM »
I really think that Alwil should look into IM viruses; I've been hit by it as well.

It might be a good idea not to sign into MSN again, or to change your screen name telling people not to accept anything you send them or not to talk to you unless it's necessary, because now that you're infected it tries to infect all of your online contacts as well. That's how I found out I had the virus: one of my friends said that I was trying to send him a .rar file, and it's been doom and gloom ever since.

Hope you have better luck with it than me.

linoleum

Re: Mass-mailing worms?
« Reply #4 on: October 12, 2008, 09:22:31 PM »
I read your post and I think we have the same problem, spg SCOTT, and I have already notified my friends not to accept any files from me, as I've apparently been sending them left, right and centre. :-\
I've tried using SUPERAntiSpyware and all it found were a few Trojan droppers and some cookies.
I also found the original folder I was sent and deleted it; since then I'm no longer sending out as many emails, about one every 10-20 minutes now.
I'm currently running a scan with the MalwareBytes Anti-Malware freeware version; I will post later with the results.

linoleum

Re: Mass-mailing worms?
« Reply #5 on: October 12, 2008, 09:37:14 PM »
OK, results are in... it's not good. Malwarebytes found 6 more infections. I don't know how to paste the actual report in, so I'll write it out:
Two Trojan.FakeAlert.H
One Trojan.FBrowsingAdvisor
Three Adware.Navipromo.H
Could any of these be my problem?

spg SCOTT

Re: Mass-mailing worms?
« Reply #6 on: October 12, 2008, 09:42:32 PM »
I managed to find what I think is the file (you probably saw it in the post) and I have managed to stop the emails by killing the process with a process manager (Task Manager, in the Processes tab, might work if you can find out the name of the file), but it is still there and is still working on startup.

Have a look in the C:\windows\system32 folder and if, by some chance, you have the same virus as me, and the file

C:\WINDOWS\system32\hojyr.exe

is there, then that may be it and you can kill it from Task Manager (I've found this stops the emails until you turn the PC off, meaning on startup, but it makes life that bit easier).

OK, results are in... it's not good. Malwarebytes found 6 more infections. I don't know how to paste the actual report in, so I'll write it out:
Two Trojan.FakeAlert.H
One Trojan.FBrowsingAdvisor
Three Adware.Navipromo.H
Could any of these be my problem?

Not sure, but really I think the guys in the forum need the filenames and locations to make an accurate judgement. Can you attach the actual log file? (Probably too long to fit in a post.)

linoleum

Re: Mass-mailing worms?
« Reply #7 on: October 12, 2008, 09:55:13 PM »
Malwarebytes' Anti-Malware 1.28
Database version: 1261
Windows 5.1.2600 Service Pack 2

12/10/2008 20:38:27
mbam-log-2008-10-12 (20-38-27).txt

Scan type: Quick Scan
Objects scanned: 57820
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vefefe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwoohout.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

This is the log for the scan I did earlier, and I can't find hojyr.exe so I don't think I've got it; however, I did find diwoohout.exe hiding away in my C:\WINDOWS\system32 folder.

Offline DavidR

Re: Mass-mailing worms?
« Reply #8 on: October 12, 2008, 11:34:43 PM »
@ spg SCOTT
Upload C:\WINDOWS\system32\hojyr.exe to VirusTotal (a multi-engine on-line virus scanner) and report the findings for the file here. If it is detected by multiple scanners, send a sample to avast, see below.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there), where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and password protect when the sample is sent from the chest. A copy of the file(s) will remain in the original location, so any further action you take can remove that.

Might also be worth seeing if you have the same file that linoleum is reporting.

@ linoleum
Same drill as above for this file:
C:\WINDOWS\system32\diwoohout.exe

Zero hits on Google, which is suspect in its own right for a file in the system32 folder.

linoleum

Re: Mass-mailing worms?
« Reply #9 on: October 13, 2008, 07:11:31 PM »
Antivirus Version Last Update Result
AhnLab-V3 2008.10.14.0 2008.10.13 -
AntiVir 7.8.1.34 2008.10.13 -
Authentium 5.1.0.4 2008.10.13 -
Avast 4.8.1248.0 2008.10.12 -
AVG 8.0.0.161 2008.10.13 -
BitDefender 7.2 2008.10.13 Backdoor.Oderoor.EI
CAT-QuickHeal 9.50 2008.10.13 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.10.13 -
DrWeb 4.44.0.09170 2008.10.13 -
eSafe 7.0.17.0 2008.10.12 -
eTrust-Vet 31.6.6146 2008.10.13 -
Ewido 4.0 2008.10.13 -
F-Prot 4.4.4.56 2008.10.12 -
F-Secure 8.0.14332.0 2008.10.13 -
Fortinet 3.113.0.0 2008.10.13 -
GData 19 2008.10.13 Backdoor.Oderoor.EI
Ikarus T3.1.1.34.0 2008.10.13 Backdoor.Win32.Oderoor.D
K7AntiVirus 7.10.492 2008.10.13 -
Kaspersky 7.0.0.125 2008.10.13 -
McAfee 5403 2008.10.11 -
Microsoft 1.4005 2008.10.13 Backdoor:Win32/Oderoor.gen!D
NOD32 3518 2008.10.13 a variant of Win32/Meslice.A
Norman 5.80.02 2008.10.13 -
Panda 9.0.0.4 2008.10.13 -
PCTools 4.4.2.0 2008.10.13 -
Rising 20.66.02.00 2008.10.13 Trojan.Win32.Undef.rcu
SecureWeb-Gateway 6.7.6 2008.10.13 -
Sophos 4.34.0 2008.10.13 Mal/EncPk-CK
Sunbelt 3.1.1719.1 2008.10.13 -
Symantec 10 2008.10.13 -
TheHacker 6.3.1.0.108 2008.10.11 -
TrendMicro 8.700.0.1004 2008.10.13 -
VBA32 3.12.8.6 2008.10.13 -
ViRobot 2008.10.13.1417 2008.10.13 -
VirusBuster 4.5.11.0 2008.10.13 -


These are the results of the scan. How do I remove the threat?

Offline FreewheelinFrank

Re: Mass-mailing worms?
« Reply #10 on: October 13, 2008, 07:17:12 PM »
Try some online scans (disable avast! while scanning).

BitDefender
ESET Online Scanner

These two both detect the malware.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

Re: Mass-mailing worms?
« Reply #11 on: October 13, 2008, 07:26:30 PM »
Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there), where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and password protect when the sample is sent from the chest. A copy of the file(s) will remain in the original location, so any further action you take can remove that.

I'm surprised that SAS and MBAM failed to detect this one (did you run these scans from safe mode?), but there are enough detections on VT to send the sample to avast for further analysis.

Moving the file to the avast chest may help; however, it may be set up as a service as well, which would mean it would be in use. Check that there isn't an entry for it in the Task Manager; if so, end the process before moving it to the chest. Once you have a copy in the chest, delete the original file in the system32 folder.

HijackThis (program and tutorial; also useful as a diagnostic tool): FileHippo download - HiJackThis. Post the contents of the HJT log file here. HJT information: HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste, or attach the .log file) into this topic; you may need to split it over two or more posts depending on how large it is.

linoleum

Re: Mass-mailing worms?
« Reply #12 on: October 13, 2008, 09:03:46 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:14, on 13/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

This is the first part of my HijackThis scan.

linoleum

Re: Mass-mailing worms?
« Reply #13 on: October 13, 2008, 09:04:25 PM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vefefe] C:\WINDOWS\system32\diwoohout.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Home Hub\Help\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202683909046
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: SmartLinkService (eyizydeoytarv1z) - Unknown owner - C:\WINDOWS\system32\hoonnuro.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10699 bytes


Above are the results of my scan; I'm not really sure what it means as I'm still reading through the tutorial.

Offline FreewheelinFrank

Re: Mass-mailing worms?
« Reply #14 on: October 13, 2008, 09:39:46 PM »
These are the nasties:

O4 - HKLM\..\Run: [vefefe] C:\WINDOWS\system32\diwoohout.exe
O23 - Service: SmartLinkService (eyizydeoytarv1z) - Unknown owner - C:\WINDOWS\system32\hoonnuro.exe

If diwoohout.exe is visible in Task Manager, kill it.

Click "Start" > "Run" and type "Services.msc" (without quotes) then hit "Ok".
Click the "Extended" tab.
Scroll down and find the service called SmartLinkService (eyizydeoytarv1z)

Click once on the service to highlight it.
Click "Stop".
Right-click on the service.
Click on "Properties".
Select the "General" tab.
Click the Arrow-down tab on the right-hand side on the "Start-up Type" box.
From the drop-down menu, click on "Disabled".
Click "Apply", then "OK".

Now, run HijackThis again and when it finishes, put a check before the following lines:

O4 - HKLM\..\Run: [vefefe] C:\WINDOWS\system32\diwoohout.exe
O23 - Service: SmartLinkService (eyizydeoytarv1z) - Unknown owner - C:\WINDOWS\system32\hoonnuro.exe

Then, make sure ALL windows except HijackThis are closed and hit the "Fix Checked" button.

Reboot.

Open HijackThis.
Click on the "Open Misc. tools section" button.
Click on the "Delete an NT service" button.
Type eyizydeoytarv1z in the space provided and click OK.
The program will ask you to reboot.  Accept.

This may not be enough to remove this malware, but it's worth a try, as are the online scans I linked to above.
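The two rules the reply above applies by eye (an autostart entry that runs an unrecognised binary straight out of system32, and a service with no named publisher) can be run mechanically over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample log lines are constructed from the formats shown in this thread, and the small system32 allowlist is an assumption, not a complete list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: O4/O23 lines in the HijackThis format used in this thread
# (benign entries, the two the reply above names, and one stale service entry).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [vefefe] C:\WINDOWS\system32\diwoohout.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SmartLinkService (eyizydeoytarv1z) - Unknown owner - C:\WINDOWS\system32\hoonnuro.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in .exe, quoted or not (stops at a closing quote).
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.IGNORECASE)

# Partial allowlist (an assumption, not a complete list) of binaries that
# legitimately autostart from the system32 root on Windows XP.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "svchost.exe", "userinit.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system32_root(path: str) -> bool:
    """True only for files directly in \\windows\\system32, not in subfolders."""
    lowered = path.lower()
    marker = "\\windows\\system32\\"
    if marker not in lowered:
        return False
    return "\\" not in lowered.split(marker, 1)[1]


def unknown_system32_binary(text: str) -> Optional[str]:
    """Return the basename if text names an unlisted .exe in the system32 root."""
    m = EXE_RE.search(text)
    if m and in_system32_root(m.group(0)) and basename(m.group(0)) not in KNOWN_SYSTEM32:
        return basename(m.group(0))
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag O4 (Run key) and O23 (service) entries using the thread's two rules."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o4 = O4_RE.match(line)
        if o4:
            exe = unknown_system32_binary(o4.group("cmd"))
            if exe:
                findings.append({"kind": "O4", "file": exe,
                                 "reason": f"Run value [{o4.group('name')}] starts an unrecognised system32 binary"})
            continue
        o23 = O23_RE.match(line)
        if not o23:
            continue  # other HJT line types (R1, O2, O16 ...) are out of scope here
        if "(file missing)" in o23.group("path"):
            continue  # stale service entry: nothing on disk to run, so not a live threat
        reasons = []
        if o23.group("owner").strip().lower() == "unknown owner":
            reasons.append("service has no named publisher")
        exe = unknown_system32_binary(o23.group("path"))
        if exe:
            reasons.append("binary is an unrecognised file in the system32 root")
        if reasons:
            findings.append({"kind": "O23", "file": exe or basename(o23.group("path")),
                             "reason": f"{o23.group('display')}: " + "; ".join(reasons)})
    return findings


def flagged_files(log_text: str) -> List[str]:
    """Sorted basenames of every flagged entry, handy for a quick comparison."""
    return sorted(f["file"] for f in triage(log_text))
```

On the constructed sample, only diwoohout.exe and hoonnuro.exe are flagged: the Kodak entry has an unknown owner too, but its file is missing, so it is a stale registration rather than running code.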