AIM WORM/VIRUS

Discussion in 'malware problems & news' started by billy, Sep 5, 2003.

Thread Status:
Not open for further replies.
  1. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Hey,
    I got a worm i cant get rid of that types "Hey check out the tits on this chick......" and gives a web site address. The virus does this about ever 30seconds to a minute so i think its on clock work. I have windows XP and a compact presario. I tryed totally uninstalling AIM and redownloding it but it still did it. I tyred norton anti virus 2003, spybot, and addware 6.0 as well as these internet scans

    http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=20&pkj=IHWFVYZZALEWNSWLWKA
    http://housecall.trendmicro.com/
    http://www.ravantivirus.com/scan/

    but nothing works!! it must be somewhere in my computer but where. Im not to familure with the programs you need for this stuff so i kind of need someone to coach me though the whole process. My e-mail is <removed>I haven't heard of anyone else having this problem

    Heres what it says exactly WARNING dont click on this link it might give you the virus

    "Look at the tits on this girl http://shesgota.com/hugerack"

    I really could use anyones help because this is a hard fish to fry!!!
    Thanks Billy
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi billy,

    Welcome at Wilders. :)

    I removed your e-mail address from your post, so the spambots won't find it.

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Hey pieter,
    Thanks for you help here are the results

    Logfile of HijackThis v1.96.4
    Scan saved at 9:49:00 PM, on 9/5/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\M-Audio USB Duo\Install\Dinst.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\mscommand.exe
    C:\WINDOWS\wordwsx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system\MMAUSBCD.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1000goodmornings.com/news.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://1000goodmornings.com/news.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/go/photosu03cq
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\Run: [wordwsx] C:\WINDOWS\wordwsx.exe
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
    O4 - Startup: spamsubtract.lnk.disabled
    O4 - Global Startup: MMAUSBCD.LNK = C:\WINDOWS\system\MMAUSBCD.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    hope we can get this one!
    Billy
     
  4. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    actually if that tells you anything about my computer that i need to fix besides the virus i would like to know that to!! :D
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi billy,

    First, closed down as many programs and windows as possible (just to narrow down what's happening on your system). Then in Task Manager kill this process: c:\Windows\System32\mscommand.exe it is a bad guy per Symantec. Once killed, you should be able to delete that file.

    Also, check these items in HijackThis and fix them:

    O4 - HKLM\..\Run: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\RunServices: [System Efficiency Monitor] mscommand.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

    Try to delete the RunDll16.exe, it may be in the Windows directory or the Windows\System32 area like mscommand.exe. If you can't delete either or both of these files, make the following reboot a reboot into Safe Mode and try from there.

    Reboot, run HijackThis again, and post a new log here so we can see if those items stay gone.

    There is spyware / browser hijack stuff in your log as well, but I'll leave that for people who know more about those items.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Also, I don't find anything about this process and startup item:

    Do you know what that is? Can you right-click on it and get any meaningful properties from it? I think files that you can't find any information on are suspicious. :doubt: Is it something you know about and installed yourself?
     
  7. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    i dont know what that is... what should i do about it!?
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Well, you can "fix it" in HijackThis at the same time you fix those other malware files in the post above.

    You don't actually have to delete wordwsx.exe just yet. The fix should keep it from running. You can leave it, and see if something is missing or if it's needed later. (Actually, you could rename it so it can't automatically run, maybe rename it to "wordwsx.aaa".)

    But basically, fixing it in HijackThis just prevents it from starting at boot time.
     
  9. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Well i cant find the rundll16.exe and for sure cant find 2 of them. I look for them in system 32 but they arnt there. Should i go ahead and fix the stuff on hijack this?

    Billy
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    There aren't really two of each of those files, they are just being started twice - in fact, a lot of malware does just that - puts 2 startups to itself to make sure it really runs.

    The rundll16.exe may have already been removed at some other time. :doubt:

    Still - fix the items I mentioned above, and delete the mscommand.exe, but, remember to kill that process first in Ctrl-Alt-Del...

    Themn reboot and do another HijackThis!
     
  11. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Ok i fixed the stuff. here are the results... do i need to keep the backup files? is the problem fixed? Should i still try to find rundll16.exe?

    Logfile of HijackThis v1.96.4
    Scan saved at 12:37:55 AM, on 9/6/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\M-Audio USB Duo\Install\Dinst.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\wordwsx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system\MMAUSBCD.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1000goodmornings.com/news.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://1000goodmornings.com/news.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/go/photosu03cq
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wordwsx] C:\WINDOWS\wordwsx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - Startup: spamsubtract.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: MMAUSBCD.LNK = C:\WINDOWS\system\MMAUSBCD.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    thanks
    Billy
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Save the backups for just a day or two.

    As for rundll16.exe, it'd be nice to know where it came from and where it went to, but, if it's not there, it's not there. (Have you ever had another virus of trojan infection that your anti-virus fixed? It may have deleted the actual rundll16 file back then, but left the registry keys. In any case, rundll16's startup is not back, so that's a good sign.)

    You still have spyware there, I think, and someone else will be by to help you with that. Check back here later for what to clean / fix for that.

    Finally, I guess you decided not to fix wordwsx.exe after all? It is both a running process and still in a startup key. (You can leave it of course, or just fix the startup entry and see what happens when you reboot. Either is okay unless someone comes by later and says they know for sure what it is.)
     
  13. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Hey,
    Thanks for your help!!! Its doesnt seem to be doning the message on AIM anymore!!! But i would like to find out more about the spyware, so ill keep checking back
    Billy
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi billy,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wordwsx] C:\WINDOWS\wordwsx.exe

    Then reboot, preferably into safe mode and find:
    C:\WINDOWS\wordwsx.exe
    Please mail a copy of the file to the address in my profile and rename it to wordwsx.bak
    I'll let you know what it is as soon as I can.

    Another one I can't find anything about is:
    O4 - Global Startup: MMAUSBCD.LNK = C:\WINDOWS\system\MMAUSBCD.exe
    If you don't know what it is either follow the same procedure as for wordwsx.exe

    The lines I gave in bold are orphaned entries, the other ones are optional. They are unnecessarily starting up at boot IMO.

    Regards,

    Pieter
     
  15. Jen

    Jen Guest

    Ok...I have the same worm.. I did everything that it says to do the only thing is I can't find the Items you are talking about fixing... This is my results:
    Logfile of HijackThis v1.96.4
    Scan saved at 12:34:56 AM, on 9/7/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\mmtask.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Common Files\eAcceleration\download.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Kill Popup\KillPopup.exe
    C:\WINDOWS\System32\EXPLORER.EXE
    C:\WINDOWS\System32\mptask.exe
    C:\Program Files\KaZaA\Kazaa.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\Program Files\Common Files\eAcceleration\systimer.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Documents and Settings\Jen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pittsburghlive.com/x/tribune-review/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/?.intl=us
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Kill Popup] C:\Program Files\Kill Popup\KillPopup.exe
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MPtask Services] C:\WINDOWS\System32\mptask.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\Kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [MMtask Service] mmtask.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [WindowsMGM] C:\WINDOWS\winmgm32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/pos1_x.cab
    O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} - http://www.real.com/vivo/index.html
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/SpywareNuker_com/SpywareNukerInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
    O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.catyxxx.com/movies2/movies_viewer_plugin_file.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} - http://toolbar2.i-lookup.com/toolbar/ineb.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_3_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C01060FC-E59B-40E6-B948-159A18A40A93}: NameServer = 204.117.214.10 199.2.252.10

    Please help!!! Please e-mail me back with a reply ASAPo_O? I would really appreciate it!
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi Jen,

    There are a few files that immediately standout as Virus or Trojan related on your system. Also, it looks like your have RapidBlaster there and some eAcceleration stuff.

    Have you done any scans with an Anti-Virus product? I see you have Norton, but I'm concerned it's let some things through for some reason. Is Norton up to date?

    I really think a virus scan would be a good first step. Perhaps using the online Panda Scanner. See link to Panda on our Free Services page. You may also want to make sure you NAV is up to date and do a full scan with that.

    You should do these scans and check back here later for the list of items that you need to fix.
     
  17. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Ill get it to you in a day or 2 because im moving to school and there is no connection in my room yet.. im using my home computer in case you are wondering.
    BTW i dont have any info on that files so i will send you a copy asap.

    Thanks for all your help
    Billy
     
  18. Jen

    Jen Guest

    I think that is the same e-mail address I used for the first one... I ran the Norton AntiVirus... It is updated... No viruses were found, repaired, or deleted... I am going to run the Panda ActiveScan in the morning.
     
  19. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Just an FYI - Clicking on that link given in the very first post didn't result in anything other than being re-directed to the main page: http://shesgota.com/ , which didn't result in any harm.

    (What with my scientific, hunting-related interest in antelope, elk, deer and meese's - I wanted to see some of those "hugeracks" :eek: ). Pete
     
  20. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    ok i fixed those files in hijack this but im not sure if you wanted me to fix this file too.
    O4 - Global Startup: MMAUSBCD.LNK = C:\WINDOWS\system\MMAUSBCD.exe
    Or did you just want me to e-mail it to you.
    Billy
     
  21. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    i dont have an email program that will alow me to veiw your email address so i cant email you the files unless you give you email to me
    Billy
     
  22. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    Nevermind i found your email address. lol.
    Billy
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi billy,

    This is what I found on wordwsx.exe you sent me:

    http://www.pestpatrol.com/PestInfo/db/p/project1_exe.asp

    If you look at the real name of the file in properties, you'll see that it is project1.exe.

    I haven't received MMAUSBCD.exe yet. Is that correct?

    Regards,

    Pieter
     
  24. billy

    billy Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    23
    I actually do know what the other file is for. It runs my external sound card, manufactured by M-Audio its called the "DUO" do still need the file... might it contain a virus??
    Thanks for your Help
    Billy
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi billy,

    No problem if you know what it is for.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.