nevyana2006
asked on
MSN worm
A colegue of mine got an IM from my his contact list on MSN that said click on this link to view a picture. He clocked on the link and nstalled the program. Now h eis sending out that link to everyone in the contact list. Symantec Endpoint protection does not show the PC affected, neither does SPYBot S&D. We reinstalled IM on that PC and its still going on as soon as we enable MSN. Has anyone expereinced this issue. Any ideas to clen it up are appreciated.
cohenphil
I saw this one this morning as well - however it was related to some software stating "See if your blocked on msn" Has your friend installed any MSN addons?
this one looks similar - https://www.experts-exchange.com/questions/23193786/Cant-seem-to-remove-virus-from-MSN-Live-Messenger-virus-scan-comes-up-empty.html
it's not solved yet but may help you with the diags.
it's not solved yet but may help you with the diags.
ASKER
No, no addons are installed.
ASKER
yeah, its does. Let me try these fixes.
The link that cohenphil posted have those tools that I think will help you.
Try the MSNCleaner first and see if that will take care of it. If not, then show us a hijackthis log so we can check if this is related to SDBot/IRCBot which is also an msn infection.
Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
Do the scan in Safe Mode.
Try the MSNCleaner first and see if that will take care of it. If not, then show us a hijackthis log so we can check if this is related to SDBot/IRCBot which is also an msn infection.
Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
Do the scan in Safe Mode.
ASKER
Tried the MsnCleaner in safe mode and it didn't detect any issue. The lof file is empty. It was strange it did not run very long. This is the exact message we are getting:
hey , it's your image ? *-)
and this one
hey , this looks alot like you! :S
***Direct file downloads infected with Backdoor.Win32.SdBot.dbo and Backdoor:W32/IRCBot.GKX.
Links removed by rpggamergirl, Zone Advisor***
hey , it's your image ? *-)
and this one
hey , this looks alot like you! :S
***Direct file downloads infected with Backdoor.Win32.SdBot.dbo and Backdoor:W32/IRCBot.GKX.
Links removed by rpggamergirl, Zone Advisor***
The links you posted were virus infected.
Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile.
Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile.
ASKER
Here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:15 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spools
C:\Program Files\Google\Common\Google
C:\PROGRA~1\MTCSPE~1\MTCIS
C:\PROGRA~1\MTCSPE~1\MTCSr
C:\PROGRA~1\MTCSPE~1\MTCTC
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\system32\HPZipm
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-6
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {3451DEDE-631F-421C-8127-F
O16 - DPF: {39B0684F-D7BF-4743-B050-F
O16 - DPF: {44990200-3C9D-426D-81DF-A
O16 - DPF: {44990301-3C9D-426D-81DF-A
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {917623D1-D8E5-11D2-BE8B-0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O17 - HKLM\System\CCS\Services\T
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: MTC ISA Device Controller (MTCISASvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCIS
O23 - Service: MTCSrvr - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCSr
O23 - Service: MTC TCP Remote Access (MTCTCPSvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCTC
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8016 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:15 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spools
C:\Program Files\Google\Common\Google
C:\PROGRA~1\MTCSPE~1\MTCIS
C:\PROGRA~1\MTCSPE~1\MTCSr
C:\PROGRA~1\MTCSPE~1\MTCTC
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\system32\HPZipm
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-6
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {3451DEDE-631F-421C-8127-F
O16 - DPF: {39B0684F-D7BF-4743-B050-F
O16 - DPF: {44990200-3C9D-426D-81DF-A
O16 - DPF: {44990301-3C9D-426D-81DF-A
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {917623D1-D8E5-11D2-BE8B-0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O17 - HKLM\System\CCS\Services\T
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: MTC ISA Device Controller (MTCISASvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCIS
O23 - Service: MTCSrvr - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCSr
O23 - Service: MTC TCP Remote Access (MTCTCPSvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCTC
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8016 bytes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.