AIM WORM-hijackthis log inside.HELP.

oword57 · Sep 20, 2003

i have the same worm as most people here. it sends "yO! Check out this digi cam from best buy <link>. I am running Nortons antivirus 2004, spybot s&d, ad-aware, and none of them detected it. here is my hijackthis log. please let me know of any changed to optimize my system. thank you
Logfile of HijackThis v1.97.2
Scan saved at 3:37:39 PM, on 9/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\winupdat.exe
C:\WINDOWS\System32\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Josh1\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.8053125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Dan Perez · Sep 20, 2003

Hi,

Are you sure you are not just receiving AIM spam? I don't see anything wrong with your HT log. You might want to check that your AIM privacy settings are set to allow messages only from people on your contact list.

If it is already set this way and you receive these messages in any case please let us know and we will see if we can dig up any more info.

HTH,

Dan

Pieter_Arntz · Sep 20, 2003

Hi oword57,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe

Then reboot and delete:
C:\WINDOWS\winupdat.exe

Regards,

Pieter

LowWaterMark · Sep 20, 2003

Well, I'm not sure, but these two don't look good:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe

Pieter's had someone fix UpdReg.EXE before and Tony just had someone send winupdat.exe in as something new. But this is all I see in the log.

I think winupdat.exe should be killed in task manager and then close all windows except HijackThis and fix the two items above. Reboot and see if that fixes it.

Pieter_Arntz · Sep 20, 2003

Hmm. In that case could you mail me a copy of C:\WINDOWS\winupdat.exe before you delete it?

Not sure if Tony received that file.

Regards,

Pieter

oword57 · Sep 20, 2003

i will try that stuff now. thanks for the fast reply

TonyKlein · Sep 20, 2003

quoting: Pieter_Arntz link=board=31;threadid=14036;start=0#msg88990 date=1064088697]
Hmm. In that case could you mail me a copy of C:\WINDOWS\winupdat.exe before you delete it?

Not sure if Tony received that file.
Click to expand...

Not sure if Tony received that file.

Regards,

Pieter
Got it. Will shoot you a copy.

This is what the Dialogue Science AV checker thinks of it:

Pieter_Arntz · Sep 20, 2003

Thanks, got it.

Nice job Tony, as always.

Regards,

Pieter

Log in or Sign up

AIM WORM-hijackthis log inside.HELP.

oword57 Guest

Dan Perez Retired Moderator

Pieter_Arntz Spyware Veteran

LowWaterMark Administrator

Pieter_Arntz Spyware Veteran

oword57 Guest

TonyKlein Security Expert

Attached Files:

DRWeb.jpg

Pieter_Arntz Spyware Veteran

Log in or Sign up

AIM WORM-hijackthis log inside.HELP.

oword57 Guest

Dan Perez Retired Moderator

Pieter_Arntz Spyware Veteran

LowWaterMark Administrator

Pieter_Arntz Spyware Veteran

oword57 Guest

TonyKlein Security Expert

Attached Files:

DRWeb.jpg

Pieter_Arntz Spyware Veteran

Useful Searches