AIM Worm?

Discussion in 'adware, spyware & hijack cleaning' started by sillamo, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. sillamo

    sillamo Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    3
    Hello folks :D

    I believe I have a worm on my computer, but it's not confirmed because the scans that I do (PC-Cillin) aren't picking them up. The online scans aren't working, either.

    Whenever I sign on AIM, an away message automatically turns up. It says:
    "OMFG http://www.angelfire.com/ar3/spin3/bestfriend.scr !!!" If I take the away message off, it comes back every now and then. I haven't timed
    how long it takes, but it's not as often as the incident in the next paragraph.

    And if I'm not on AIM, a window pops up every about 30 seconds and tells me to sign on, because apparently I've "clicked" on some hyperlink and it can't lead me to this link if I'm not signed on. Then a new browser window opens and says that I must click "Yes" in order to be able to properly access the Internet. The link is http://members.lycos.co.uk/xeno44/staff.html.
    It wants to install some some sort of program called MediaTickets.

    The only thing I want to know is how to get rid of this thing. Here's my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:48:53 PM, on 6/15/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\WINDOWS\System32\audldll.exe
    C:\WINDOWS\System32\YAHOOMSG.EXE
    C:\WINDOWS\System32\YahooMsgr.exe
    C:\WINDOWS\System32\audldll.exe
    C:\WINDOWS\System32\nmmapi.exe
    C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Documents and Settings\Vy.HOME-TI\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.211.105.68/index.php?v=6&aff=3431957
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.windowenhancer.com/nph-search.cgi?affid=sesm1&look=stmpl1&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    www.zestyfind.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} -
    C:\Program Files\TV Media\TvmBho.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -
    C:\WINDOWS\bxxs5.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program
    Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
    C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin
    2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin
    2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin
    2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
    Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program
    Files\scbar\v9\scbar.exe" /H
    O4 - HKLM\..\Run: [slbuim] C:\WINDOWS\System32\slbuim.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKLM\..\Run: [l5] C:\documents and settings\vy.home-ti\local
    settings\temp\l5.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AutoLoaderuFxo1ddQMOaV]
    "C:\WINDOWS\System32\audldll.exe" /PC="AM.ICMD2"
    /HideUninstall /HideDir
    O4 - HKLM\..\Run: [Yahoo Messenger] YAHOOMSG.EXE
    O4 - HKLM\..\Run: [Yahoo Instant Messengar] YahooMsgr.exe
    O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\VY3E56~1.HOM\LOCALS~1\Temp\app1D.tmp
    O4 - HKLM\..\Run: [usEU3pg] audldll.exe
    O4 - HKLM\..\RunServices: [Yahoo Instant Messengar] YahooMsgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
    /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [jet500] C:\WINDOWS\System32\jet500.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKCU\..\Run: [fBx8RfM8X] nmmapi.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [Yahoo Messenger] YAHOOMSG.EXE
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Rebates - file://C:\Program
    Files\WebRebates\System\Temp\topr1150_script0.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/activelauncher/activelaunchersetup.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D0E2D4C6-F65D-4967-A22C-BB0C6245A631} (HanafosDN Control) - http://bin.hanafos.com/HanafosDN/new2_1/HanafosDN.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/VBouncerOuter1137040505.EXE
    O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/cab/SysUpd.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab

    Thanks for your time & help! 'Twould take me forever to begin to sort outand
    find which system files are evil and cause the joy of the Internet to be sucked out of my very fingertips.

    Sorry if the log is somewhat skewed. It's been somewhat reformatted by an e-mail server.
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Sillamo, from your HijackThis logfile, I can see that you are infected by a piece of spyware called: Wildtangent
    There could be some other extremely malicious spyware on your computer which i think is causing your problems. Your computer is very seriously infected.
     
  3. sillamo

    sillamo Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    3
    Oh man...how do I get rid of all of this?
     
  4. sillamo

    sillamo Registered Member

    Joined:
    Jun 15, 2004
    Posts:
    3
    Hello...?
     
Thread Status:
Not open for further replies.