Computer infected by MSN Virus

Help me, my computer is infected by an MSN virus. Someone sent me a file named image21.zip, and I scanned it with Avast before extracting the file, but Avast failed to detect anything. So I thought the file was safe and opened it, but after that I realised my MSN was automatically sending the file image21.zip to my online contacts. This is the VirusTotal scan result for the file image21.zip:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.11.17 Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast 4.7.1074.0 2007.11.16 -
AVG 7.5.0.503 2007.11.17 -
BitDefender 7.2 2007.11.17 Trojan.Peed.Gen
CAT-QuickHeal 9.00 2007.11.16 -
ClamAV 0.91.2 2007.11.17 -
DrWeb 4.44.0.09170 2007.11.16 BackDoor.IRC.Tiny
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5302 2007.11.17 Win32/Slenfbot!generic
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.17 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 W32/Threat-HLLSI-based!Maximus
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.17 -
Kaspersky 7.0.0.125 2007.11.17 Heur.Trojan.Generic
McAfee 5165 2007.11.16 W32/Opanki.worm.gen
Microsoft 1.3007 2007.11.17 Trojan:Win32/SystemHijack.gen
NOD32v2 2665 2007.11.17 Win32/IRCBot.AAH
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Suspicious file
Prevx1 V2 2007.11.17 MSNLive-Image:Worm-a
Rising 20.18.50.00 2007.11.17 Backdoor.Win32.IRCbot.vim
Sophos 4.23.0 2007.11.17 Mal/HckPk-A
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 W32.IRCBot
TheHacker 6.2.9.132 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 -
Webwasher-Gateway 6.0.1 2007.11.16 Trojan.Crypt.ULPM.Gen

This is my HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:50 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\smesvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\ADSL\ADSL USB MODEM\dslmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Magnify.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Collections\Download\HiJackThis\HijackThis.exe

O3 - Toolbar: NVRIEbar.IEbar - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalSoft\FreeVersion65\NVRIEbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dewan Eja Pro Config] C:\PROGRA~1\THENAM~1\DEWANE~1\deconfig.exe
O4 - HKLM\..\Run: [DEProWotd] C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
O4 - HKLM\..\Run: [Dewan Eja Pro] C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe autostart
O4 - HKLM\..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [System Terminal Monitor] smesvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: 蓝牙控制盘.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.38/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3FA213D6-E85F-11D3-84DA-00600836C654} (Project1.SeahMedia) - file://F:\TLM\Primary\BM\Year2\BM02U2\element\ActiveX\media\SeahMedia.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126858001537
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


End of file - 8567 bytes

To remove your posts from the other thread, just click "modify" in the upper right-hand corner; in the box that appears, delete all the text, then click save. 8)

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Since the content is too long, I uploaded it as attachments, OK? And I can't delete the previous post by clearing all the text.

Hmm... did you click modify in the post?

I clicked modify and deleted all the text, but after I clicked save, this message was shown:
The following error or errors occurred while posting this message:
The message body was left empty.

Type "removed" in the reply box ;D

As for the file, no, I don't need it. You shouldn't leave a link to a live virus; someone could click on it. :wink: Please remove it.

I've found some Vundo so far. This program has had good success with it lately. We'll let it get most of it, then do the rest manually.

Download SUPERAntiSpyware

First update SAS. Then:

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantine.

leave the others unchecked.

Return to the main page by clicking Close on that screen. On the main screen, under Scan for Harmful Software, click Scan your computer. On the left, check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post/attach the log in your next reply along with a new HJT log.

I’ll keep looking at the DSS log.

Before running HijackThis again, do the following:

Delete the HijackThis shortcut from the desktop, then

Navigate to this folder: D:\My Collections\Download\HiJackThis
In the right-hand panel, find HijackThis.exe and rename it to hijackzfc.exe or whatever you want. Right-click on the renamed file and select Send To > Desktop (create shortcut).

Vundo is hiding already; this will bring him out. ;D

The malware changed your system authority

Download ERUNT from

http://www.larshederer.homepage.t-online.de/erunt/

and backup your registry

Now for the fix

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge; accept the warning if it appears, and the reg fix is done.

After scanning for almost an hour, I lost my patience and stopped it. Here is the scan log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/17/2007 at 07:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3346
Trace Rules Database Version: 1347

Scan type : Complete Scan
Total Scan Time : 00:58:59

Memory items scanned : 451
Memory threats detected : 2
Registry items scanned : 6200
Registry threats detected : 13
File items scanned : 12189
File threats detected : 2

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\SSQONLJ.DLL
C:\WINDOWS\SYSTEM32\SSQONLJ.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ssqonlj

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\MLLJH.DLL
C:\WINDOWS\SYSTEM32\MLLJH.DLL
HKLM\Software\Classes\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}\InprocServer32
HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}\InprocServer32
HKCR\CLSID\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36EE9B28-DB9B-4E20-A92D-0F431858FD43}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}
HKCR\CLSID\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}

Logfile of HijackThis after renaming it to hijackzfc.exe:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:46 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\smesvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ADSL\ADSL USB MODEM\dslmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Magnify.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\My Collections\Download\HiJackThis\Hijackzfc.exe

O2 - BHO: {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - {0B1B0D47-95F7-4bad-9309-A945B655AE61} - C:\WINDOWS\SYSTEM32\regsvr32.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: NVRIEbar.IEbar - {BCBF738C-4891-4B9A-959A-C6BF7F608C3A} - C:\Program Files\NaturalSoft\FreeVersion65\NVRIEbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dewan Eja Pro Config] C:\PROGRA~1\THENAM~1\DEWANE~1\deconfig.exe
O4 - HKLM\..\Run: [DEProWotd] C:\Program Files\The Name Technology\Dewan Eja Pro\DEProWotd.exe
O4 - HKLM\..\Run: [Dewan Eja Pro] C:\Program Files\The Name Technology\Dewan Eja Pro\DewanEjaPro.exe autostart
O4 - HKLM\..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [System Terminal Monitor] smesvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: 蓝牙控制盘.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.38/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3FA213D6-E85F-11D3-84DA-00600836C654} (Project1.SeahMedia) - file://F:\TLM\Primary\BM\Year2\BM02U2\element\ActiveX\media\SeahMedia.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126858001537
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BBCF0FE-7F2E-4049-B091-26C94E72D879}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


End of file - 9196 bytes

Still can't fix it; my MSN is still sending the file image21.zip to my online contacts. The file keeps reappearing in C:\Documents and Settings\apichat\Local Settings\Temp although I have deleted it many times! I have tried using these programs, but none of them can delete the virus permanently:
http://blog.miccas.net/2007/windows-livemsn-virus-lurking-around-imagezip/
http://billys-recondite-ramblings.blogspot.com/2007/04/msn-photo-album-virus.html
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip from http://www.d-a-l.com/help/showthread.php?p=153529

After scanning for almost an hour, I lost my patience and stopped it. Here is the scan log:

That's too bad, because it was removing the Vundo.

I need you to search for the following file(s) and delete them if found:

c:\windows\MS32DLL.dll.vbs and c:\windows\system32\MS32DLL.dll.vbs

You will have to show all files first.

Open Folder Options in the Control Panel. On the View tab, make sure Show Hidden Files and Folders is checked, and Hide Protected Operating System Files and Hide extensions for known file types are not checked. Click OK.

Another registry fix. Did you do the other one?

Use ERUNT again for backup and do the following fix:

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0596c96a-bfe2-11db-8307-4d6564696130}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561f6757-c3d8-11db-8311-4d6564696130}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge; accept the warning if it appears, and the reg fix is done.

Open HJT (Hijackzfc), run "Do a system scan only", and place a check next to these lines:

[b]O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)[/b]

Close all windows/browsers except for HJT, then click Fix checked.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you. Post that log and a DSS log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
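Added example, not part of this thread and not code from any of the tools mentioned in it: a small Python parser for the two REGEDIT4 fixes posted above (the "Authentication Packages" reset under HKLM\...\control\lsa, and the mountpoints2 key deletions), so you can see exactly what "Merge" will write or delete before double-clicking fix.reg. It decodes the hex(7) value to show that the first fix writes a REG_MULTI_SZ containing only msv1_0 (the stock Windows XP entry; anything else in that list is a DLL that LSASS loads at boot, which is why a malware entry there survives ordinary cleanup), and it rejects the curly quotes that forum software tends to substitute for straight ones, which makes regedit refuse the file. The function names, the cp1252 choice for the ANSI code page and the "Version 5.00" UTF-16 branch are my assumptions; the key and value names are taken from the thread.

```python
# Added example: parse a REGEDIT4 .reg fix and list the registry operations
# it performs. Not from the thread or from any tool named in it.
import re

# Constructed sample input: the two fixes from the thread, retyped with
# straight quotes (a .reg pasted from a forum often arrives with curly ones).
LSA_FIX = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

MOUNTPOINTS_FIX = r'''REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
'''

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"


def decode_multi_sz(hexdata, encoding):
    """hex(7) is REG_MULTI_SZ: NUL-separated strings ending in a double NUL.
    REGEDIT4 files store the bytes in the ANSI code page; "Windows Registry
    Editor Version 5.00" files store them as UTF-16LE."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
    return [s for s in raw.decode(encoding).split("\0") if s]


def parse_reg(text):
    """Return a list of (op, key, value_name, (type, data)) tuples."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header == "REGEDIT4":
        encoding = "cp1252"          # assumption: Western ANSI code page
    elif header == "Windows Registry Editor Version 5.00":
        encoding = "utf-16-le"
    else:
        raise ValueError("first line must be the .reg header, got: %r" % header)

    # Re-join hex values that regedit wraps onto continuation lines with "\".
    joined, buf = [], ""
    for line in lines[1:]:
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""

    ops, current = [], None
    for line in joined:
        if not line or line.startswith(";"):
            continue
        if "\u201c" in line or "\u201d" in line:
            raise ValueError("curly quotes; retype with straight quotes: " + line)
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:                         # "[-KEY]" deletes the key, "[KEY]" creates it
            if m.group(1) == "-":
                ops.append(("delete_key", m.group(2), None, None))
                current = None
            else:
                current = m.group(2)
                ops.append(("create_key", current, None, None))
            continue
        if current is None:
            raise ValueError("value line outside any [key] section: " + line)
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if not m:
            raise ValueError("unparsable value line: " + line)
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith("hex(7):"):
            typed = ("REG_MULTI_SZ", decode_multi_sz(data[7:], encoding))
        elif data.startswith("dword:"):
            typed = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith('"') and data.endswith('"'):
            typed = ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif data == "-":
            typed = ("DELETE", None)
        else:
            raise ValueError("unsupported data encoding: " + data)
        ops.append(("set_value", current, name, typed))
    return ops


def lsa_packages(ops):
    """Decoded 'Authentication Packages' list the fix writes, or None if absent."""
    for op, key, name, typed in ops:
        if op == "set_value" and key.lower() == LSA_KEY.lower() \
                and name == "Authentication Packages":
            return typed[1]
    return None


def summarize(ops):
    """One human-readable line per registry operation."""
    out = []
    for op, key, name, typed in ops:
        if op == "delete_key":
            out.append("DELETE KEY  " + key)
        elif op == "create_key":
            out.append("ENSURE KEY  " + key)
        else:
            out.append("SET VALUE   %s\\%s = %s %r" % (key, name, typed[0], typed[1]))
    return out


if __name__ == "__main__":
    for fix in (LSA_FIX, MOUNTPOINTS_FIX):
        print("\n".join(summarize(parse_reg(fix))), end="\n\n")
    # Every entry beyond msv1_0 in this list is a DLL that LSASS loads at boot.
    print("LSA packages after fix:", lsa_packages(parse_reg(LSA_FIX)))
```

Run it with no arguments to print the operations for both fixes; the last line should read `LSA packages after fix: ['msv1_0']`. If you paste a fix you received elsewhere into `LSA_FIX` and the list shows a second name, that is the file the fix is evicting, and it is worth keeping a copy of it for a scan before merging.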

You need a bit of patience. :smiley: So far, with the exception of SAS, we've just been finding what needs to be removed. Starting with ComboFix and the reg fixes, we'll be going after and removing the problem. ;D

You will have to stop Messenger until we get the files that are sending the image to your friends, or they may end up here. :wink: I think it is bringing you a new copy.

The reg fixes are an important part of all this. SAS did remove the Vundo that the key in the first fix was pointed at.

By changing the name of HJT, we can now see Vundo with HJT. It may not seem like it, but a lot of progress has been made. ;D ;D

Patience is most certainly a virtue, and a requirement in the task of virus clean-up. By the look of the bit of log, SAS had done the lion's share of the scan when you stopped it, and you may end up having to run it again.

If my system were infected the only thing on my mind would be getting it clean no matter what that took.

Yes, it got quite a chunk done. If we do use it again, I'll have zfc also check "Ignore files larger than 4MB". It will speed things up a bit. I've seen a couple of cases where a critter crawled into a large file; that's why I like to check them at least initially.

Just updated SAS; updates include 10 Vundo and 8 Smitfraud.

I can't find c:\windows\MS32DLL.dll.vbs or c:\windows\system32\MS32DLL.dll.vbs. I know that is the thing that changed my Internet Explorer title to "hacked by godzilla" and stopped me from opening disks by double-clicking. Well, I fixed this problem a long time ago.

I did both registry fixes already.

I can't run ComboFix; a dialog box appears and states that this copy of ComboFix has expired and asks me to download the newer version of ComboFix.

Now I'm scanning my computer using SAS. I chose a custom scan and scanned my whole C: drive only, as SAS already completed the scanning of memory items and registry items yesterday.

I thought those keys may have been from an earlier infection.

Delete the copy of ComboFix you have (default location is C:\ComboFix) and download a fresh one. It is updated daily. Then finish the instructions in my earlier post.

But where can I download the fresh new version of ComboFix from?

Click the word “Here” in my other post. ;D