chantsday Posted May 8, 2005

Logfile of HijackThis v1.99.1
Scan saved at 6:02:03 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\zango\zango.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family\shell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Family\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[2].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.tt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYTT
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102455803468
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.zango.com/GetZango/Download/zangoax.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
bwt1953 Posted May 8, 2005

Not infected, just overloaded with junk. You have every toolbar and search assistant known to man loading at startup. Get rid of that Yahoo, Zango, and AIM stuff. Your computer will run like new. You don't need to have all that stuff running all the time. You can disable things like CD Creator, the HP Toolbox, QuickTime and the iTunes helper so that they do not load and run continuously at startup. You'd need a 3.0GHz machine with 3GB of RAM to support all that running in the background. It's a waste of computer resources, and will bring your computer to a crawl. Speaking from experience, my daughter's machine looks like this from time to time. She loads everything. You can keep all this stuff if you actually need it, just at least disable its ability to run at startup, and close the app when you finish with it.

B
disturbed Posted May 9, 2005

Clear them out... most of the O-type objects can be deleted safely - well, at least removed temporarily.
moonlord Posted May 9, 2005

I got infected one time and tried removing it through safe mode, and lo and behold, the thing was running in safe mode too, so I had to format.
chantsday (Author) Posted May 9, 2005

After downloading Spybot and Ad-Aware... it supposedly got rid of a lot of spyware... but the MSN worm is still there... I restarted... put it in safe mode and followed all those instructions... but the virus is still there... anyone know what to do from here??
Azag Posted May 9, 2005

Sorry to hear another person fell victim to this. Get rid of My Web Search Assistant; I am pretty sure it's spyware/crapware. And read all the following links fully, especially my posts. If you can or want to, feel free to send me a copy of the MSN virus for my zoo (virus collection) in a WinRAR file if possible and password protected (again, if possible), as I would like to study it in a safe environment. In any case you may want to try downloading and running a different anti-virus and Microsoft AntiSpyware Beta, since it often finds other spyware/malware that the other programs like Spybot Search & Destroy and Ad-Aware miss or leave behind. But don't get me wrong, I use all those programs too and they are very good and useful. Please refer to these links for more in-depth info to clean the MSN worm and set up a pro-active scanner integration into MSN IM so it won't happen in the future, hopefully... Btw Norton sucks!

http://www.2-spyware.com/file-agrsmmsg-exe.html
https://testmy.net/forum/index.php?topic=4402.0
https://testmy.net/forum/index.php?topic=4852.0

Check back after all this, and I wish you success in cleaning your system. Also, you may install multiple anti-viruses but only use one as an active monitor and the other(s) configured for manual scans only. More than one active monitor can cause major problems with several AVs, especially with Norton's crappy software. Good luck.

Peace, Azag
Indestructable Posted May 9, 2005

Haha, nice comment about Norton.
Azag Posted May 9, 2005

I hate to bash most software companies, but the truth hurts. I have tested and used many AV solutions, and Symantec Norton not only sucks since it doesn't have enough virus definitions and misnames many non-volatile hacker tools as Backdoors or Trojans when they are not, but that's not all... As I have said many times, it will also intentionally fuck your system up if you have installed other competitors' anti-virus solutions as well, especially well-known popular ones. To me this is unacceptable and borders on intentional sabotage of one's OS, and in some cases causes irreversible damage to the OS which can lead to reformatting for some. Ironically they own a big chunk of the market share as an AV company, and the true reason why is advertising, not good programming. That is tragic, but sadly all too many people are suckers for ads and get sucked into their flock of followers, including big companies who use this crap for "corporate security". If a corporation uses this piece of crap or any of Norton's other crappy products for security reasons they are friggin idiots and shouldn't be allowed to touch or be around any computers in my opinion, and any consumers of these companies that do should take their business elsewhere if they have a brain cell. I do not base my harsh opinions lightly, for any Norton devotees out there: I have tested and used multiple versions of Symantec Norton products on the market, including testing Norton AntiVirus 2005, and my opinions are based solely on my and others' experience and not some news article or other biased agenda. As much as Norton has shaped up slightly at the AV game, they still in my opinion suck BIG TIME, but if you must, then judge for yourself and compare, but be warned. My current AV solutions in order of importance and quality are Kaspersky Anti-Virus Personal Pro v4.5.095, ESET NOD32 v2.12.2, AVP (AntiViral Toolkit Pro by Eugene Kaspersky for DOS) and F-Prot v3.16b.

Peace, Azag
xs1 Posted May 9, 2005

lol I've used Norton since er.. '99 I'm guessing? It's only let me down once, missing a trojan in my System Restore files. (Odd place, huh?) Other than that I think Norton's the best.... To each his own.
chantsday (Author) Posted May 9, 2005

After doing all of the things you guys have suggested we still can't get rid of the MSN worm... we even went to Azag's site to get rid of the Kelvir virus, which is what the problem is, and it didn't work. We've tried safe mode and all the other anti-virus scans and none are finding it, and all are updated. I'm all out of ideas... got any more?
Azag Posted May 9, 2005

Here are some free online scanners to try cleaning with:

PCPitstop AntiVirus Online Scan: http://www.pcpitstop.com/antivirus/avload.asp
Trend Micro's free online (Housecall) virus scanner: http://housecall.trendmicro.com/
Panda ActiveScan Online Virus Scan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm
BitDefender Free Online Virus Scan: http://www.bitdefender.com/scan/licence.php
McAfee FreeScan: http://ts.mcafeehelp.com/freescan.asp

There are more, I just can't think of other good ones right now...

Here are some articles worth reading if you have time or any interest, but I doubt they will help you much in the way of worm cleaning:

http://www.theregister.co.uk/2005/04/15/im_worm_runs_amok/
http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=8192842
http://www.theregister.co.uk/2005/02/04/msn_messenger_bropia_worm/

Here are some manual details on disabling the process of the worm in memory: follow the instructions on the page, or look for the rogue process and terminate it, then shut down System Restore if it is on, then use your choice of scanners to find and destroy any traces of the worm. With some knowledge of what processes normally run on your system and some luck this might work... let's hope. Those online scans will take some time and patience but might pay off. Just don't delete any critical files of the OS or you might have problems if you haven't a way to get the backup files before rebooting. Hope your PC gets well soon.

Peace, Azag