Vape, posted October 24, 2005:

back from holidays. Info is down a few posts. http://forum.tip.it/viewtopic.php?p=2251938#2251938

----Old----

Last night I was on the phone for several hours trying to get our home pc fixed up as it seemed my brother had installed some viruses on it. After quizzing him it seemed he'd clicked on a link in msn from someone asking if a link containing his email was him.

Well guess what, tonight I get a message from someone with just such a link. Surprise surprise.

Searched around the net, seems it's a fairly new thing, could only find references to it in the last few days. Once your computer has been infected, your msn then automatically sends the links to everyone else on your contacts list. I don't have any other details, but my brother said that on our pc at home he can't run any antivirus software and the internet doesn't work. I found a reference on a forum to one person having to reinstall windows to get rid of it.

We had the latest Norton Internet Security which auto-updates, but it's no substitute for common sense.

Visiting the link in Firefox I simply get asked to download an exe file, but it's possible that if you're using an old version of windows/IE then just clicking the link itself might be enough to check your pc in to the emergency ward.

So yeah, if someone says this to you:

Infected_User says: Heh, is this really you? www-messengertools.org/msn.php?session=y8670&[email protected]

DO NOT CLICK TEH LINK!

Where the bloody hell are you?
Mercifull, posted October 24, 2005:

pffft

Mercifull <3 Suzi
"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
Mercifull, posted October 24, 2005:

pfft
Mercifull, posted October 24, 2005:

About having to reinstall windows to fix. You can't really take this as being the only solution to fix. People panic when they get a virus and something goes horribly wrong and novice users don't really know what to do so they reformat. I've had to try and fix computers absolutely riddled with crap in the past and have always managed to clean up without the need for reinstalling windows.

MSN viruses are spread because people click links and accept files from their friends regardless of how suspect it looks. Always make sure to check with your friend that he/she is meaning to send you something.
Vape, posted October 24, 2005:

What sort of newb do you take me for merc? :P

Clarification: I am on holidays, I was assisting my brother in fixing the pc. We were, however, unsuccessful. I guess it'll have to wait until I get home.

As for the comment about reinstalling windows, that was mostly just to increase the fear factor :P
Mercifull, posted October 24, 2005:

After investigation of that site it appears it tries to get you to download an exe file. This should also send alarm bells ringing. This virus is so obvious I don't understand how someone with up to date Windows and Anti-virus can be fooled. The site also appears to be run by a spammer who is probably more interested in your surfing habits to serve spyware than infect your computer with an irreparable virus.

Up to date Anti virus software should also be able to remove it easily, it is only a variant of an already existing virus. It drops a file called "svshost" into a hidden directory in the system32 folder and blocks the task manager and regedit which is what scares people. Of course there's more than one way into the registry, so you can clean it in safe mode or with HJT.
coltm4carbine, posted October 24, 2005:

lol 1 thing for sure and that is I ain't gonna click on the links unless I know which virus it is. lol reinstalling...
Vape, posted October 25, 2005:

My brother was telling me it was blocking hijackthis in regular mode, but the hijackthis log didn't seem to show anything evil in safe mode. Might ring him again tonight.
coltm4carbine, posted October 26, 2005:

You will need an older version of hjt, but out of all the logs I have seen only a few infections stop hjt from working.
Vape, posted November 2, 2005:

Just got back from holiday, jumped on pc and it's rooted. Did a quick hjt scan but nothing stands out in the log, could someone have a look at it please and I'll go grab myself some beauty sleep and see what I can do tomorrow. Thanks :)

Symptoms I've observed atm (Ignore what I said in my previous posts, that was secondhand info from my brother.)

No internet in regular windows mode.
Norton Internet Security doesn't automatically start in regular windows mode.
If you attempt to start NIS through start -> all programs etc., you get the microsoft error message "Symantec Integrator has encountered a problem and needs to close. We are sorry for the inconvenience." Please tell microsoft about this problem etc.
Internet works in safe mode with networking.
Can't start NIS in safe mode either, if you send an error report, the more info link from MS doesn't give you any useful info.

Going to run a Norton Antivirus scan in safe mode while I'm sleeping. I suspect NIS may just be corrupted in some way and all that is required may be a reinstall... I might try that tomorrow.

Hijackthis log from regular windows mode:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:49 PM, on 02/11/05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\Program Files\MessengerPlus! 3\MsgPlus[Caution: ExecutableFile]
C:\WINDOWS\mHotkey[Caution: ExecutableFile]
C:\WINDOWS\SOUNDMAN[Caution: ExecutableFile]
C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]
C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]
C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]
C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
C:\Program Files\Folding@Home\FAH502-Console[Caution: ExecutableFile]
C:\Program Files\Symantec\LiveUpdate\AUpdate[Caution: ExecutableFile]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32[Caution: ExecutableFile]
C:\Program Files\Folding@Home\FahCore_82[Caution: ExecutableFile]
C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile]
C:\Program Files\HijackThis\HijackThis[Caution: ExecutableFile]

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PRONoMgr[Caution: ExecutableFile]] C:\Program Files\Intel\NCS\PROSet\PRONoMgr[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [CHotkey] mHotkey[Caution: ExecutableFile]
O4 - HKLM\..\Run: [soundMan] SOUNDMAN[Caution: ExecutableFile]
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: ExecutableFile] /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr[Caution: ExecutableFile]" /background
O4 - Startup: FAH502-Console[Caution: ExecutableFile].lnk = C:\Program Files\Folding@Home\FAH502-Console[Caution: ExecutableFile]
O4 - Global Startup: Adobe Gamma Loader[Caution: ExecutableFile].lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA[Caution: ExecutableFile]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3582809406
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3370516062
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT[Caution: ExecutableFile]
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile]
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc[Caution: ExecutableFile]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile]
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile]
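Added example, not part of the thread and not any poster's code: a small Python triage pass over a HijackThis log like the one pasted above. It flags a look-alike of a core process name (such as the "svshost" file described earlier in the thread), a core process name running from an unexpected folder, "(file missing)" entries and AppInit_DLLs. The folder table, the EXAMPLE_DIR sample line and the reading of "[Caution: ExecutableFile]" as the forum's stand-in for ".exe" are assumptions.

```python
import ntpath
import re

# Core Windows process names and the folder each normally runs from (assumed XP layout).
SYS32 = r"c:\windows\system32"
CORE = {"svchost": SYS32, "lsass": SYS32, "services": SYS32,
        "winlogon": SYS32, "smss": SYS32, "explorer": r"c:\windows"}
# Assumption: the forum filter rewrote ".exe" as this token in pasted logs.
FILTER_TOKEN = "[Caution: ExecutableFile]"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)
# Constructed sample: three lines copied from the log above plus one invented
# line (EXAMPLE_DIR is a placeholder) for the "svshost" file described earlier.
SAMPLE = r'''
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\system32\EXAMPLE_DIR\svshost.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
'''

def edit_distance(a, b):
    """Levenshtein distance, to spot look-alike names such as svshost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log_text):
    """Return (reason, line) pairs for log lines that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().replace(FILTER_TOKEN, ".exe")
        if line.startswith("O20 - AppInit_DLLs:"):
            # DLLs listed here load into every process that loads user32.dll.
            findings.append(("appinit-dll", line))
        if line.endswith("(file missing)"):
            findings.append(("file-missing", line))
        for path in PATH_RE.findall(line):
            folder, name = ntpath.split(path.lower())
            stem = name.rsplit(".", 1)[0]
            for core, home in CORE.items():
                if stem == core and folder != home:
                    findings.append(("core-name-wrong-dir", line))
                elif stem != core and edit_distance(stem, core) == 1:
                    findings.append(("lookalike-name", line))
    return findings

print(*triage(SAMPLE), sep="\n")
```

A flagged line is a prompt for manual review rather than a verdict; a legitimate add-on can register itself under AppInit_DLLs, for example.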
ale_jrb, posted November 2, 2005:

I'm not great with HiJack this, so I can't answer your problem, but if you are willing to spend money and are worried, the best really is ZoneAlarm (not the free version - most of the others). It will auto-start when windows runs and is very hard to stop unless the user absolutely agrees.

It can detect programs attempting to do things like block the task manager, run other programs, change the registry, duplicate itself, close programs, set itself to auto-run and much more. It will then pop-up a confirmation dialogue where you can choose whether you want to allow it. If you choose no, I can almost guarantee it will stop whatever is causing the problem. It's great.

"Charm is a way of getting the answer 'yes' without asking a question."
Vape, posted November 3, 2005:

I don't need software recommendations ale_jrb, shoo off outta my topic.