nevyana2006
asked on
MSN worm
A colegue of mine got an IM from my his contact list on MSN that said click on this link to view a picture. He clocked on the link and nstalled the program. Now h eis sending out that link to everyone in the contact list. Symantec Endpoint protection does not show the PC affected, neither does SPYBot S&D. We reinstalled IM on that PC and its still going on as soon as we enable MSN. Has anyone expereinced this issue. Any ideas to clen it up are appreciated.
I saw this one this morning as well - however it was related to some software stating "See if your blocked on msn" Has your friend installed any MSN addons?
this one looks similar - https://www.experts-exchange.com/questions/23193786/Cant-seem-to-remove-virus-from-MSN-Live-Messenger-virus-scan-comes-up-empty.html
it's not solved yet but may help you with the diags.
it's not solved yet but may help you with the diags.
ASKER
No, no addons are installed.
ASKER
yeah, its does. Let me try these fixes.
The link that cohenphil posted have those tools that I think will help you.
Try the MSNCleaner first and see if that will take care of it. If not, then show us a hijackthis log so we can check if this is related to SDBot/IRCBot which is also an msn infection.
Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
Do the scan in Safe Mode.
Try the MSNCleaner first and see if that will take care of it. If not, then show us a hijackthis log so we can check if this is related to SDBot/IRCBot which is also an msn infection.
Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
Do the scan in Safe Mode.
ASKER
Tried the MsnCleaner in safe mode and it didn't detect any issue. The lof file is empty. It was strange it did not run very long. This is the exact message we are getting:
hey , it's your image ? *-)
and this one
hey , this looks alot like you! :S
***Direct file downloads infected with Backdoor.Win32.SdBot.dbo and Backdoor:W32/IRCBot.GKX.
Links removed by rpggamergirl, Zone Advisor***
hey , it's your image ? *-)
and this one
hey , this looks alot like you! :S
***Direct file downloads infected with Backdoor.Win32.SdBot.dbo and Backdoor:W32/IRCBot.GKX.
Links removed by rpggamergirl, Zone Advisor***
The links you posted were virus infected.
Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile.
Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile.
ASKER
Here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:15 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spools v.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
C:\PROGRA~1\MTCSPE~1\MTCIS ASvc.exe
C:\PROGRA~1\MTCSPE~1\MTCSr vr.exe
C:\PROGRA~1\MTCSPE~1\MTCTC PSvc.exe
C:\WINDOWS\System32\nvsvc3 2.exe
C:\WINDOWS\system32\HPZipm 12.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex e
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Real\Update_OB\reals ched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi s.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://208.0.102.151/
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-6 4B5B4FF55D 0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en -us\msntb. dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - c:\program files\google\googletoolbar 1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals ched.exe" -osboot
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe " /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch .htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \OFFICE11\ EXCEL.EXE/ 3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict .htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap. htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms. htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\WINDOWS\System32\shdocv w.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\WINDOWS\System32\shdocv w.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2 FC0DE4A789 7} - C:\Program Files\Yahoo!\Common\yiesrv c.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - C:\PROGRA~1\MICROS~2\OFFIC E11\REFIEB AR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0 0C0F0318AF E} - C:\WINDOWS\System32\Shdocv w.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9 BD8C29F7F7 5} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-f a1d4f56a2a b} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsth elper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-F D793AFC6CC 8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-F DC3F48F7E3 B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {44990200-3C9D-426D-81DF-A AB636FA434 5} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-A AB636FA434 5} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-D C1FA91D2FC 3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173733636234
O16 - DPF: {917623D1-D8E5-11D2-BE8B-0 0104B06BDE 3} (CamImage Class) - http://208.52.115.128/activex/AxisCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5 95F0A5519F F} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2 2031317559 2} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\T cpip\..\{9 D98A70F-3A 73-4DA4-B9 C8-59C2747 D4587}: NameServer = 208.52.112.4,208.52.0.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU P~1\LUCOMS ~1.EXE
O23 - Service: MTC ISA Device Controller (MTCISASvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCIS ASvc.exe
O23 - Service: MTCSrvr - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCSr vr.exe
O23 - Service: MTC TCP Remote Access (MTCTCPSvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCTC PSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSv c.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3 2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm 12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex e
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8016 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:15 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spools
C:\Program Files\Google\Common\Google
C:\PROGRA~1\MTCSPE~1\MTCIS
C:\PROGRA~1\MTCSPE~1\MTCSr
C:\PROGRA~1\MTCSPE~1\MTCTC
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\system32\HPZipm
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-6
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9
O16 - DPF: {30528230-99f7-4bb4-88d8-f
O16 - DPF: {3451DEDE-631F-421C-8127-F
O16 - DPF: {39B0684F-D7BF-4743-B050-F
O16 - DPF: {44990200-3C9D-426D-81DF-A
O16 - DPF: {44990301-3C9D-426D-81DF-A
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {917623D1-D8E5-11D2-BE8B-0
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O17 - HKLM\System\CCS\Services\T
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: MTC ISA Device Controller (MTCISASvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCIS
O23 - Service: MTCSrvr - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCSr
O23 - Service: MTC TCP Remote Access (MTCTCPSvc) - Morrow Technologies Corporation - C:\PROGRA~1\MTCSPE~1\MTCTC
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSv
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8016 bytes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.