Please Help.. My brother clicked a link in msn..

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Sunday 9.3.2025 / 08:55

Search AfterDawn Forums:

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > please help.. my brother clicked a link in msn..

Browse by topic

Forums

Start a new thread

Please Help.. My brother clicked a link in msn..

Jump to:

Posted

Message

jerezy

Inactive

27. March 2008 @ 22:07

Link to this message

Well he clicked a link on msn something to the effect of .. Is this really you? and a link followed he downloaded it and now my comuter sometimes oens mass internet explorer windows im running spybot the new one and it keeps asking if i want to change registry files/keys something about msn.com and i scanned with spybot and it found some registry keys so i removed em rebooted and it found it again but 5 entries instead of 4 the previous time i got AVG it moved some stuff to the cault i deleted everything from there rebooted my pc and it said a .dll was missing.. im thinking it was the virus now tea timer goes crazy blocking alerts i dont know what to do so i did a hijack this log and here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:23 AM, on 28/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [V0250Mon.exe] C:\Windows\V0250Mon.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\qoMebbYP.dll,#1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Sol...wn.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80F8931B-881C-4D78-A8CB-19783C125681}: NameServer = 142.177.1.2 142.177.129.11
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5877 bytes

anything not suposed to be there?

[ + quote]

varnull

Suspended permanently

27. March 2008 @ 22:49

Link to this message

Yeah that is a trojan. I have a copy of the actual virus file here.

Some flags were related to vundo and others looked like smitfraud, but it was well written little beastie.

Rotary had it as well but fixed it by doing something or other. Your machine will probably be spreading this virus around to all your friends every time you log on.

I'm safe from these. Do you have the link it redirects to for the file?? I have been reporting the hacked servers which are hosting this nasty to their admins every time I come across them.

http://blog.zurka.us/index.php/2007/04/0...essenger-virus/

sample of mail sent/recieved

Quote:

From: Fernando <admin@xxxxxxxxx.com>
To: juliaskitchen <juliaskitchen@xxxxxxxxxx.com>
Subject: Re: Server Hacked?
Date: Tue, 5 Feb 2008 09:33:54 +0100 (08:33 GMT)

Hello xxxxxxxx,

Thank you for your message, we are investigating the issue now.

Regards,
Fernando

On Feb 5, 2008, at 8:21 AM, juliaskitchen wrote:

> Hello
>
> I believe the server at http://www.inmobiliarialusan.com/images/ has
> been hacked and files added.
>
> PIC006.JPG-www.photoshare.com 04-Feb-2008 19:58 129K
>
> viewimage.php 04-Feb-2008 19:55 347
>
> Do not seem to relate to the site in any way.
>
> The server has been linked to by spam messages circulated by exploited
> machines using the MSN chat networks.
>
> ##sample message##
>
> (23:02:14) Paul (AKA - Rotary): haha is this really you on this
> pic? :)
> http://www.inmobiliarialusan.com/images/viewimage.php?
> =xxxxxxxx@xxxxx.com
>
> ##
>
> Regards
>
> J.Richards
> administrator.
> Juliaskitchen.

[ + quote]

jerezy

Inactive

27. March 2008 @ 22:54

Link to this message

So how do i get rid of it.. i dont want my machine sending that out to my friends so im staying off msn messenger untill my machine is fixed any ideas ?

[ + quote]

Ltangel

Member

28. March 2008 @ 03:31

Link to this message

Hey jerezy,

Please be patient while I review your HijackThis log and follow the instructions below. Do not fix anything until you are instructed to. Thanks. :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Go!

~Ltangel~

[ + quote]

Windows and system security is my priority.

Start a new thread

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > please help.. my brother clicked a link in msn..


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.