
help my computer is infected


chantsday


Logfile of HijackThis v1.99.1
Scan saved at 6:02:03 PM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\program files\zango\zango.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family\shell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Family\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[2].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.tt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYTT
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102455803468
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.zango.com/GetZango/Download/zangoax.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Not infected, just overloaded with junk. You have every toolbar and search assistant known to man loading at startup. Get rid of that Yahoo, Zango, and AIM stuff. Your computer will run like new. You don't need to have all that stuff running all the time. You can disable things like CD Creator, the HP Toolbox, QuickTime and the iTunes helper so that they do not load and run continuously at startup.

You'd need a 3.0GHz machine with 3GB of RAM to support all that running in the background. It's a waste of computer resources, and will bring your computer to a crawl.

Speaking from experience, my daughter's machine looks like this from time to time. She loads everything. You can keep all this stuff if you actually need it, just at least disable its ability to run at startup, and close the app when you finish with it.

B

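As an added example (not code from the thread or from HijackThis), a small Python triage script that applies the advice in the log post and the reply above: it flags the toolbar/adware vendors the replies name, autorun (O4) entries that reference a bare filename rather than a full path, and executables running from a user profile directory. The sample lines are constructed from the log above, and the vendor list and the "bare filename" heuristic are assumptions, not rules from the thread.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\system.exe
C:\Documents and Settings\Family\shell.exe
C:\Program Files\iTunes\iTunesHelper.exe
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.zango.com/GetZango/Download/zangoax.cab
"""

# Vendors the replies call junk/adware (assumption: a substring match is enough here).
JUNK_MARKERS = ("mywebsearch", "zango", "aim toolbar", "yahoo!\\companion")
# O4 lines: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")


def triage(log_text):
    """Return a list of (reason, line) findings for a HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line.endswith(":"):      # blank lines and section headers
            continue
        low = line.lower()
        if any(marker in low for marker in JUNK_MARKERS):
            findings.append(("adware/toolbar named in thread", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip('"')
            # A bare filename is resolved via the search path at logon; a vendor
            # entry normally carries its full path, so a bare name deserves a look.
            if not re.match(r"^[a-z]:\\", cmd, re.I) and not cmd.lower().startswith("rundll32"):
                findings.append(("autorun with bare filename, review", line))
            continue
        # Running processes that live under a user profile rather than Program Files/WINDOWS.
        if low.startswith(USER_PROFILE_PREFIXES):
            findings.append(("executable running from user profile", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Entries such as `[nwiz] nwiz.exe` in the full log are legitimate bare-name autoruns, which is why the script labels them "review" rather than "malicious".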

After downloading Spybot and Ad-Aware... it supposedly got rid of a lot of spyware... but the MSN worm is still there... I restarted... put it in safe mode and followed all those instructions... but the virus is still there... anyone know what to do from here?? :cry:


Sorry to hear another person fell victim to this.  :(

Get rid of My Web Search Assistant; I am pretty sure it's spyware/crapware.

And read all the following links fully, especially my posts.  ;):haha:

If you can or want to, feel free to send me a copy of the MSN virus for my zoo (virus collection) in a WinRAR file if possible and password protected (again if possible), as I would like to study it in a safe environment.

In any case you may want to try downloading and running a different Anti-Virus and Microsoft AntiSpyware Beta, since it often finds other spyware/malware that the other programs like Spybot Search & Destroy and Ad-Aware miss or leave behind, but don't get me wrong, I use all those programs too and they are very good and useful.

Please refer to these links for more in-depth info to clean the MSN worm and set up a pro-active scanner integration into MSN IM so it won't happen in the future, hopefully... ;)  Btw Norton sucks! :evil6::evil::haha:

http://www.2-spyware.com/file-agrsmmsg-exe.html

https://testmy.net/forum/index.php?topic=4402.0

https://testmy.net/forum/index.php?topic=4852.0

Check back after all this and I wish you success in cleaning your system.

Also, you may install multiple Anti-Viruses but only use one as an active monitor and the other(s) configured for manual scans only.  More than one active monitor can cause major problems with several AVs, especially with Norton's crappy software.  :haha::angry5:

Good luck. :D

Peace,

Azag


I hate to bash most software companies but the truth hurts. I have tested and used many AV solutions, and Symantec Norton not only sucks since it doesn't have enough virus definitions and misnames many non-volatile hacker tools as Backdoors or Trojans when they are not, but that's not all... :shock::roll:

As I have said many times, it will also intentionally fuck your system up if you have installed other competitors' Anti-Virus solutions as well, especially well-known popular ones. To me this is unacceptable and borders on intentional sabotage of one's OS, and in some cases causes irreversible damage to the OS which can lead to reformatting for some.  Ironically they own a big chunk of the market share as an AV company, and the true reason why is advertising, not good programming; that is tragic, but sadly all too many people are suckers for ads and get sucked into their flock of followers, including big companies who use this crap for "corporate security".  If a corporation uses this piece of crap or any of Norton's other crappy products for security reasons they are friggin idiots and shouldn't be allowed to touch or be around any computers in my opinion, and any consumers of these companies that do should take their business elsewhere if they have a brain cell.  I do not base my harsh opinions lightly; for any Norton devotees out there, I have tested and used multiple versions of Symantec Norton products on the market, including testing Norton AntiVirus 2005, and my opinions are based solely on my and others' experience and not some news article or other biased agenda. As much as Norton has shaped up slightly at the AV game, they still, in my opinion, suck  :violent1::pain10::violent5::protest::booty::whip2:  :angry8: BIG TIME :biggun: but if you must, then judge for yourself and compare, but be warned ;):haha::lol::evil6:

My current AV solutions, in order of importance and quality, are Kaspersky Anti-Virus Personal Pro v4.5.095, ESET NOD32 v2.12.2, AVP (AntiViral Toolkit Pro by Eugene Kaspersky for DOS) and F-Prot v3.16b. :-P:D:book1::occasion14::headbang:

Peace,

Azag 


lol I've used Norton since er.. '99 I'm guessing?  It's only let me down once, missing a trojan in my System Restore files. (Odd place, huh?)  Other than that I think Norton's the best.... To each his own :-P


After doing all of the things you guys have suggested we still can't get rid of the MSN worm... we even went to Azag's site to get rid of the Kelvir virus, which is what the problem is, and it didn't work.  We've tried safe mode and all the other anti-virus scans and none are finding it, and all are updated.  I'm all out of ideas... got any more?


Here are some free online scanners to try cleaning with:

PCPitstop AntiVirus Online Scan: http://www.pcpitstop.com/antivirus/avload.asp

Trend Micro's free online (Housecall) virus scanner: http://housecall.trendmicro.com/

Panda ActiveScan Online Virus Scan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm

BitDefender Free Online Virus Scan: http://www.bitdefender.com/scan/licence.php

McAfee FreeScan: http://ts.mcafeehelp.com/freescan.asp

There are more, I just can't think of other good ones right now...

Here are some articles worth reading if you have time or any interest, but I doubt they will help you much in the way of worm cleaning:    :?  :o

http://www.theregister.co.uk/2005/04/15/im_worm_runs_amok/

http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=8192842

http://www.theregister.co.uk/2005/02/04/msn_messenger_bropia_worm/

Here are some manual details for disabling the worm's process in memory: follow the instructions on the page, or look for the rogue process and terminate it, then shut down System Restore if it is on, then use your choice of any scanners to find and destroy any traces of the worm.  With some knowledge of what processes normally run on your system and some luck this might work... let's hope. :)

Those online scans will take some time and patience but might pay off.  Just don't delete any critical files of the OS, or you might have problems if you haven't a way to get the backup files before rebooting.  Hope your PC gets well soon. ;):D

Peace,

Azag
