Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#1
Text spammer virus?
Today I just received an annoying virus. It auto text spams into almost anything. It automatically sends random sayings such as "lol you retard" several times onto many programs, whether it is everyone on my msn list, opening a browser and it will redirect to google and type it in, even if I log onto a game it will spam the message. In fact, while I was typing this message, it typed it at least 20 times. I've run AVG free edition without finding it and adaware without any luck. What should I do? Post a hijackthis log? Any help is appreciated. Thanks.
#2
go ahead and post the hijackthis log.

#3
Hi, thanks for your reply. After I posted I tried a few free virus/adware scanners without any luck as well as trying a system restore. I then used panda online scan and it seemed to have fixed my dreaded problem. I'll post a log anyways to check if everything is clean now though.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:34 AM, on 5/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\msspnp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKLM\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bw+0 - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
#4
Hi PeaTearGriffin
Pandascan has probably found and deleted the files below, but FIX the entries and double-check the files are not present.

2. Close ALL Internet Explorer windows, only have HijackThis running. In HijackThis, tick the boxes for the below entries, then click on "Fix checked":

O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe

3. REBOOT INTO SAFE MODE --> How to reboot to Safe Mode --> (reboot and tap F8 immediately after the BIOS screen (the BIOS screen is the first black and white screen you see)... choose Safe Mode from the menu).

MAKE SURE YOU CAN SEE HIDDEN FILES and FOLDERS --> How to show Hidden Files and Folders

Then delete the below files, if present:

C:\WINDOWS\System32\msspnp.exe <--- delete the file
C:\WINDOWS\System32\msmsgr.exe <--- delete the file
C:\WINDOWS\System32\mspci.exe <--- delete the file
C:\WINDOWS\System32\msnsvc.exe <--- delete the file

Reboot computer and post back a new HJT log to this thread, please.

The nasties were installed because of no patches/updates from Microsoft... and will happen again unless you update. Your computer is an open door to too many exploits without updates/fixes from Microsoft. Please go to: http://windowsupdate.microsoft.com and download all "Critical Updates and Service Packs".

OR How to obtain the latest Windows XP service pack on CD. Also available on magazine cover CD at newsagent. Check computer manufacturer's website for any necessary upgrades prior to installing XPSP2.

Cheers.

See HOW TO PREVENT RE-INFECTION for added protection with Adaware, Spybot S+D, SpywareBlaster, SpywareGuard, MVPS HOSTS file.
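The triage the helper applies in the post above (a pathless executable name, a display name that borrows Microsoft or vendor wording, and the same command registered under several Run/RunServices keys at once) can be automated over a HijackThis log. The script below is an added example written for this page; it is not code from the thread, from the helper, or from the HijackThis project. The scoring rules, the threshold and the VENDOR_WORDS list are assumptions of the example, and SAMPLE_O4 is a constructed excerpt of the O4 lines from the logs posted in this thread.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread, not code from the thread or from the HijackThis
project. It encodes the traits the helper used to pick out msmsgr.exe,
mspci.exe, msspnp.exe and msnsvc.exe: a bare file name with no directory (the
loader resolves it through the search path instead of a fixed location), a
display name borrowing Microsoft/vendor wording, and the same command
registered under several Run / RunServices keys at once. Scoring rules and
the threshold are assumptions of the example, not HijackThis behaviour.
"""
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the O4 lines from the logs in the
# thread, one entry per line (the forum had flattened them onto one line).
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\\..\\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKLM\\..\\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\\..\\Run: [Spyware Doctor] "C:\\Program Files\\Spyware Doctor\\swdoctor.exe" /Q
O4 - HKCU\\..\\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\\Program Files\\Logitech\\SetPoint\\KEM.exe
"""

# Registry-based O4 line: "O4 - <hive>\..\<key>: [<display name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Words that lend an autostart entry borrowed legitimacy (assumed list).
VENDOR_WORDS = ("microsoft", "windows", "compaq", "service")


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd, exe) per registry-based O4 line.
    Global Startup .lnk lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        cmd = e["cmd"].strip()
        # The executable is the first token; it is quoted when the path has spaces.
        if cmd.startswith('"') and cmd.count('"') >= 2:
            e["exe"] = cmd[1:cmd.index('"', 1)]
        else:
            e["exe"] = cmd.split(" ", 1)[0]
        entries.append(e)
    return entries


def is_bare(exe):
    """True when the command carries no directory, so the OS must search for it."""
    return not any(sep in exe for sep in ("\\", "/", ":"))


def triage(log_text, min_reasons=2):
    """Group O4 entries by executable and return those showing min_reasons or
    more suspicious traits: {exe: {"score", "reasons", "locations", "names"}}."""
    by_exe = defaultdict(lambda: {"locations": set(), "names": set()})
    for e in parse_o4(log_text):
        rec = by_exe[e["exe"].lower()]
        rec["locations"].add("{}\\..\\{}".format(e["hive"], e["key"]))
        rec["names"].add(e["name"])

    findings = {}
    for exe, rec in by_exe.items():
        reasons = []
        bare = is_bare(exe)
        if bare:
            reasons.append("pathless command, resolved through the search path")
        if bare and any(w in n.lower() for n in rec["names"] for w in VENDOR_WORDS):
            reasons.append("vendor-style display name on a pathless command")
        if len(rec["locations"]) > 1:
            reasons.append("registered under %d Run/RunServices keys" % len(rec["locations"]))
        if len(reasons) >= min_reasons:
            findings[exe] = {
                "score": len(reasons),
                "reasons": reasons,
                "locations": sorted(rec["locations"]),
                "names": sorted(rec["names"]),
            }
    return findings


if __name__ == "__main__":
    # Stand-alone run: report the flagged executables, highest score first.
    for exe, f in sorted(triage(SAMPLE_O4).items(), key=lambda kv: -kv[1]["score"]):
        print("%s (score %d)" % (exe, f["score"]))
        for r in f["reasons"]:
            print("   - " + r)
        print("   in: " + ", ".join(f["locations"]))
```

On the sample the script flags msmsgr.exe, mspci.exe and msnsvc.exe and leaves the full-path entries (atiptaxx.exe, avgcc.exe, swdoctor.exe) and the pathless but plainly named ctfmon.exe alone. It is a triage aid, not a verdict: a flagged entry still needs the file located on disk and identified, which is what the helper's "double-check the files" step does.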
#5
Ok how is it now:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:13 AM, on 5/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bw+0 - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Also, when I was in local disk I found a text file named "pws" with all usernames and passwords from my computer =/ Does that mean I have a keylogger on my computer? I deleted the text file, but was it already sent to someone? What should I do?
#6
Hi PeaTearGriffin
The log looks good now. The pws.txt file may have been a log of passwords collected. Immediately change all usernames and passwords for all sites you visit and for all users of the computer.

It is critical for your security you update at Microsoft to stop these exploits reoccurring. Check with computer maker if it needs any patches, before installing XPSP2.

Also critical for your security, before updating at MS, download one of these firewalls (disable XP firewall... only run one firewall at a time):

Free Firewalls (disable XP Firewall after installing any other firewall)
SYGATE: http://soho.sygate.com/free/default.php
ZONEALARM: http://www.zonelabs.com/

The firewall will ask for each program that tries to access internet, as the worms you had would have been doing... and also stop the same exploits accessing your computer... but you need to be aware that the firewall will ask to allow access, it is up to you to allow/disallow programs. Trust only programs you use, i.e. Internet Explorer, Outlook Express, AVG... make all other progs ask each time they need access.

As for a keylogger, it probably will not show in HijackThis, ad-aware or Spybot, etc. You can try a trial version of:
AntiKeylogger http://www.anti-keyloggers.com/
or Who'sWatchingMe http://www.trapware.com/index.html

Cheers
#7
Ok, I'll work on the firewall today.
Hmm, I couldn't get antikeylogger to work. I tried the other one though and it couldn't find anything. I was told there is no point in changing my passwords if I cannot find the keylogger since it will just log all my new passwords?
#8
Hi PeaTearGriffin
I'm not sure if a keylogger is on board, but please change passwords, especially any bank sites, etc.... and for logon to computer. The worms you had were also backdoors and they collect info/passwords for access (but mainly for access to your computer). Don't forget MS updates. Cheers