Help! messenger worm and other nasties



Dolphinsmile
2006-11-30, 00:35
I was recently a victim of the Yahoo Messenger worm. I need to get rid of that and fix any other problems I have.

Here goes:
SmitFraudFix v2.125

Scan done at 11:41:09.65, Wed 11/29/2006
Run from C:\Documents and Settings\sams club 8261\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:32:25 PM 11/29/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
E:\STUFF\Programs\New Programs\hacking passes.zip/ad3_hola2.exe/CD_Gif.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
E:\STUFF\Programs\New Programs\hacking passes.zip/ad3_hola2.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup (quarantined).
E:\STUFF\Programs\New Programs\hacking passes.zip/ad3_hola2.exe/cd_load.exe -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1555576864-3477723857-56604596-1005\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1555576864-3477723857-56604596-1005\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175964.exe -> Adware.DropSpam : Cleaned with backup (quarantined).
C:\Program Files\iWon\iWonBar\1.bin\I1POPSWT.DLL -> Adware.Funweb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1142\A0175891.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175934.dll -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175940.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175947.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175948.EXE -> Adware.FunWeb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175951.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
HKU\S-1-5-21-1555576864-3477723857-56604596-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2DEA8791-C2B7-48E1-8992-8E8E6A6FE789} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175907.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175911.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1164\A0178424.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1164\A0178427.dll -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175954.DLL -> Adware.IWon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175970.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_34.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_80.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\appupdate.exe -> Adware.Nexus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186236.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186237.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186238.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186240.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186241.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00105633.exe -> Adware.Wildtangent : Cleaned with backup (quarantined).
C:\WINDOWS\IFinst25.exe -> Backdoor.Ifinst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1143\A0175942.DLL -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe -> Downloader.Poplite.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe -> Downloader.Poplite.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe -> Downloader.Poplite.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe -> Downloader.Poplite.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1205\A0186151.exe -> Downloader.Small : Cleaned with backup (quarantined).
E:\STUFF\Davids Folder\FUNNY STUFF\9coronas.exe -> Not-A-Virus.BadJoke.Win32.Stupen.c : Ignored.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@adserv.internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@nitrous.internetfuel[1].txt -> TrackingCookie.Internetfuel : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@oxcash[2].txt -> TrackingCookie.Oxcash : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@www.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Linda Younger\Cookies\linda younger@x10[1].txt -> TrackingCookie.X10 : Cleaned.
C:\System Volume Information\_restore{D0AB5F7B-0459-416C-9608-1E15FDE4DE5A}\RP1206\A0186232.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).
C:\WINDOWS\aad.exe -> Trojan.Imiserv.c : Cleaned with backup (quarantined).


::Report end

HijackThis log on next post

Dolphinsmile
2006-11-30, 00:36
Logfile of HijackThis v1.99.1
Scan saved at 5:11:31 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sams club 8261\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS,userinit.exe,SKEYS /I
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download2.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iWonPMSetup_8_1,0,2,5.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/stamps/stamps.cab?r=0.409881591796875&file=stamps.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
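
As an added example, not part of the original thread and not code from HijackThis or from any of the helpers here: a small Python triage pass over a subset of the HJT lines posted above. It applies the usual rules of thumb a log reviewer uses on a 1.99-format log: entries ending in "(no file)" are orphaned registry references, a UserInit chain that is anything other than the single default userinit.exe entry needs each extra item identified, O6/O7 policy entries restrict IE or regedit, and an O16 DPF entry that fetches a bare .exe rather than a .cab deserves a second look. The rule set, the Finding class and the function names are my own, and the sample input is constructed from lines already visible in the posted log plus one ordinary O4 line for contrast. A flagged line means "check this", not "malware": the SKEYS items in the UserInit chain, for instance, should be matched against the running-process list (skeys.exe is running from system32 in the log above) before anything is removed.

```python
import re
from dataclasses import dataclass

# One HijackThis 1.99 entry: a section code (R1, F2, O4, O16, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<sec>R\d|F\d|O\d{1,2}) - (?P<body>.*)$")

# On Windows XP the default UserInit value is this single entry, trailing comma included.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed input: a subset of the lines from the HJT log posted above, plus one
# ordinary O4 Run entry that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS,userinit.exe,SKEYS /I
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iWonPMSetup_8_1,0,2,5.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Apply a handful of standard HJT review heuristics and return what needs a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")

        if body.endswith("(no file)"):
            # Registry still references a DLL/EXE that is gone: harmless leftover, safe to fix.
            findings.append(Finding(sec, "orphaned entry (file missing)", line))
        elif sec == "F2" and "UserInit=" in body:
            # Anything appended after userinit.exe runs at every logon; identify each extra item.
            value = body.split("UserInit=", 1)[1]
            if value.lower() != DEFAULT_USERINIT.lower():
                extras = [p.strip() for p in value.split(",")[1:] if p.strip()]
                findings.append(Finding(sec, "non-default UserInit chain, verify: " + "; ".join(extras), line))
        elif sec == "O6":
            findings.append(Finding(sec, "IE policy restriction present", line))
        elif sec == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding(sec, "Registry Editor disabled by policy", line))
        elif sec == "O16":
            # Downloaded Program Files: a bare .exe instead of a .cab deserves a second look.
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                findings.append(Finding(sec, "DPF entry points at a bare executable", line))
    return findings


def count_by_section(findings) -> dict:
    """Summarise findings as {section code: count}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports seven lines: the three "(no file)" leftovers, the UserInit chain, the O6 and O7 policy entries and the iwon O16 entry, while the R1 ProxyOverride and the QuickTime O4 line pass untouched. Extending it to a full log is just a matter of feeding it the whole file; anything it does not flag still has to be read by a human, which is the same caveat that applies to the real tool.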

pskelley
2006-12-04, 12:44
Hello and welcome to the forum. Sorry for the wait; logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.
tashi has created this link: http://forums.spybot.info/showthread.php?t=1137 to keep you from being missed.

If you still need help (I see some junk that should go), please post a fresh HJT log and describe your problem in as much detail as possible. If you are receiving error messages, post them "word for word". I will respond as soon as possible after you post.

Thanks

tashi
2006-12-11, 17:28
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.