Help! MSN Messenger Virus

[kanmm]

I recently accepted and ran something that came across MSN Messenger. It typed in for the person i was talking to "check this out" (or something to that effect) and i ran it. As soon as i did, it opened all the people on my MSN list and sent them the same file with a message from me saying "check this out." I checked taskmanager and there was a "project1.exe" running. I ended it and restarted my computer. Upon restart I got the messages "Cannot find 'C:\Program'", "Could not load or run 'C:\Program' specified in registry", "Cannot find 'C:\files\msn7\msn.exe' (I think it was 'C:\')" and "Could not load or run \files\msn7\msn.exe'" I did an AVG scan, Microsoft Antispyware scan, and Spybot S&D scan, with nothing other than a few tracking cookies showing up. I downloaded Hijackthis and Hijackthis analyzer and this is the log. Please help, I don't have a clue what to do. Thank you.

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:19:06 PM, on 4/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\winshvc.exe
C:\WINDOWS\system32\winshvc.exe
C:\Documents and Settings\Nic\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytelus.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytelus.com/
F3 - REG:win.ini: load=C:\Program Files\msn7\msn.exe
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKLM\..\RunServices: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111810597484
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


End of KRC HijackThis Analyzer Log.
====================================================================

[greyknight17]

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\winshvc.exe
C:\WINDOWS\system32\winshvc.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F3 - REG:win.ini: load=C:\Program Files\msn7\msn.exe
O4 - HKLM\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKLM\..\RunServices: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\winshvc.exe
C:\Program Files\msn7\msn.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

[kanmm]

Thanks a million for your help. I ran the trendmicro scan and it found worm_sdbot.gen (avg didn't find it!?!), however I wasn't able to get a ticket number to have trendmicro remove it. I proceeded with the steps given and here is the latest hijack log (everything look ok?). Thanks again.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 6:22:52 PM, on 4/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Documents and Settings\Nic\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytelus.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytelus.com/
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111810597484
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


End of KRC HijackThis Analyzer Log.
====================================================================

[greyknight17]

So it's not removed then? OK, give us this log:

Download this virus checker and tool from eScan
Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4.Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it
continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here.

[kanmm]

No, it is gone, won't I make the fixes you suggested, I re-ran the online scan and it didn't find anything. So as far as I know it's gone. Thanks again for your help.

[greyknight17]

If you are ok now, then:

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

[kanmm]

Well, I guess I was wrong. I ran Mwav.exe like you suggested and it found the following:
C:\DOCUME~1\Nic\LOCALS~1\TEMPOR~1\Content.IE5\0FXZDLF6\nic_mack2@hotmail[1].com infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Nic\Local Settings\Temporary Internet Files\Content.IE5\0FXZDLF6\nic_mack2@hotmail[1].com infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{9FA653EE-D906-447D-8772-ABCF6F8B7BCB}\RP71\A0010426.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{9FA653EE-D906-447D-8772-ABCF6F8B7BCB}\RP71\A0010437.exe infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: No Action Taken.

I tried to locate these particular areas but couldn't find "Content.IE5" I also did a search for "0FXZDLF6" with no such luck. Is it alright to delete temporary internet files on a somewhat regular basis? As well, I recently did some online banking (thinking the virus was gone), is this a virus with a security threat? Thanks again.

[greyknight17]

Let's remove it now. These are definitely not good.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck that same box to enable System Restore.

Any problems now?

[kanmm]

Thanks. I ran Cleanup! and then Mwav and everything showed up clean. I think once and for all it is gone. Thanks again.