PDA

View Full Version : Messenger Service: helpfixpc.com, registrycleanerxp.com



Tom Perry
2007-06-24, 18:01
Hello,

After numerous applications of Avast antivirus, Spybot, Ad Aware, CP Webscan Control, these programs say I'm clean. They have picked up Smitfraud-C, Win32:Trogan-gen, Virtumonde, Zenosearch, Zeno, and others. Currently, all is normal until I plug in to the internet, then windows Messenger Service advises me click to go to registrycleanerxp.com or helpfixpc.com. If I disable Messenger Service under Windows settings, when I reboot and reconnect to the internet, the Messenger Service box is active once again, with its message. One of the cookies I get when connecting to the net is from Doubleclick.net.

I would appreciate your help.


Logfile of HijackThis v1.99.1
Scan saved at 7:36:53 AM, on 6/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\LEXBCES.EXE
E:\WINNT\system32\spoolsv.exe
E:\WINNT\system32\LEXPPS.EXE
E:\WINNT\asuskbservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINNT\System32\svchost.exe
C:\XAMPP\mysql\bin\mysqld-nt.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\SOUNDMAN.EXE
E:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
E:\WINNT\system32\hphmon04.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\WINNT\system32\shpc32.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINNT\system32\atiptaxx.exe
E:\WINNT\system32\desk95.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINNT\system32\HPHipm11.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\HiJackThis AntiSpyware\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/cci/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {69F277D8-1429-4F9B-B9FD-FAA2EE267804} - E:\WINNT\system32\ssttr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] E:\WINNT\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PrinTray] E:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 insxk50c.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [{44-45-59-9E-ZN}] E:\winnt\system32\msdsregn.exe CHD003
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Regscan] E:\WINNT\system32\regscan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=rel
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - E:\WINNT\asuskbservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\XAMPP\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - E:\WINNT\system32\LEXBCES.EXE
O23 - Service: mysql - Unknown owner - C:\XAMPP\mysql\bin\mysqld-nt.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - E:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINNT\system32\HPHipm11.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\XAMPP\service.exe

pskelley
2007-06-25, 16:25
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Tom, let's address the major issues first, this one:
E:\winnt\system32\msdsregn.exe
http://fileinfo.prevx.com/adware/qqbfdb98559033-MSDS42072969/MSDSREGN.EXE.html

and the VERY bad one: E:\WINNT\system32\regscan.exe
http://www.google.com/search?hl=en&q=regscan.exe&btnG=Search
I am not 100% sure which worm it is, you can scan it to find out if you wish:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

There is no doubt your security has been compromised, the only question is how badly and I need to provide you with this information for your own safety:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

You also appear to have removed a Vundo trojan recently so if you proceed, please mention any tools you ran.

Here is the Google on Windows Messenger Service:
http://www.google.com/search?hl=en&q=windows+Messenger+Service&btnG=Search
One of the most stupid things Microsoft ever did. I turn it of but you can delete it entirely if you wish, try "Shoot the Messenger". I had not heard of a malware that turns it back on but the hackers have nothing to do but count their $$$ and figure out ways to skrew up your computer.

Thanks...Phil

pskelley
2007-07-06, 16:27
No response in over ten days, topic is closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks