Cyber Tech Help Support Forums > Software > Malware Removal
#1  May 26th, 2005, 11:42 PM
PeaTearGriffin (Member; joined Feb 2005; 94 posts)
Text spammer virus?

Today I just received an annoying virus. It auto-text-spams into almost anything. It automatically sends random sayings such as "lol you retard" several times into many programs, whether it is to everyone on my MSN list, or when I open a browser (it will redirect to Google and type it in), or even if I log onto a game it will spam the message. In fact, while I was typing this message, it typed it at least 20 times. I've run AVG Free Edition without finding it and Ad-Aware without any luck. What should I do? Post a HijackThis log? Any help is appreciated. Thanks.
#2  May 27th, 2005, 09:38 AM
renegade600 (CTH Subscriber; joined Sep 2003; O/S: Linux; Location: Osceola, Ar; 26,675 posts)
Go ahead and post the HijackThis log.
#3  May 27th, 2005, 12:23 PM
PeaTearGriffin (Member; joined Feb 2005; 94 posts)
Hi, thanks for your reply. After I posted I tried a few free virus/adware scanners without any luck, as well as trying a System Restore. I then used the Panda online scan and it seemed to have fixed my dreaded problem. I'll post a log anyway to check if everything is clean now, though.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:34 AM, on 5/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\msspnp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKLM\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bw+0 - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
#4  May 28th, 2005, 10:35 PM
mike (CTH Subscriber; joined Sep 2000; 3,302 posts)
Hi PeaTearGriffin

Panda scan has probably found and deleted the files below, but FIX the entries and double-check the files are not present.

1.
Close ALL Internet Explorer windows; only have HijackThis running.
In HijackThis, tick the boxes for the below entries, then click on "Fix checked":

O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe

2.
REBOOT INTO SAFE MODE (How to reboot to Safe Mode: reboot and tap F8 immediately after the BIOS screen, which is the first black-and-white screen you see, then choose Safe Mode from the menu).

MAKE SURE YOU CAN SEE HIDDEN FILES and FOLDERS (How to show Hidden Files and Folders).

Then delete the below files, if present:

C:\WINDOWS\System32\msspnp.exe <--- delete the file
C:\WINDOWS\System32\msmsgr.exe <--- delete the file
C:\WINDOWS\System32\mspci.exe <--- delete the file
C:\WINDOWS\System32\msnsvc.exe <--- delete the file

Reboot the computer and post back a new HJT log to this thread, please.

The nasties were installed because of no patches/updates from Microsoft, and it will happen again unless you update.
Your computer is an open door to too many exploits without updates/fixes from Microsoft.
Please go to: http://windowsupdate.microsoft.com
and download all "Critical Updates and Service Packs".
OR
How to obtain the latest Windows XP service pack on CD
Also available on magazine cover CDs at newsagents.
Check your computer manufacturer's website for any necessary upgrades prior to installing XP SP2.

Cheers.

See HOW TO PREVENT RE-INFECTION for added protection with Ad-Aware, Spybot S&D, SpywareBlaster, SpywareGuard and the MVPS HOSTS file.
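The cleanup mike lays out in #4 (tick twelve O4 entries in HijackThis, then delete four files from System32) is mechanical enough to script, and it is worth seeing the reasoning behind his selection written down. What follows is an added example for this thread, not code from HijackThis or from either poster: a small parser over HijackThis-style O4 lines that applies that reasoning to the log PeaTearGriffin posted in #3 and emits the same fix list and file list. The sample O4 lines are copied from that log; the warning signs it scores (a bare filename with no path, a value name in vendor/system wording rather than a product name, an HKCU RunServices key, and the same bare image registered under several keys) and the assumption that a bare filename resolved to C:\WINDOWS\System32 are this example's own.

```python
"""Triage HijackThis O4 (autostart) entries the way the thread's cleanup did.

Added example for this thread, not code from HijackThis or from the posters.
The sample lines are the O4 entries from the log in post #3; the scoring
rules and the System32 assumption for bare filenames are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: O4 lines copied from the HijackThis log in post #3.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKLM\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\RunServices: [Microsoft System Services] msmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Microsoft System Services] msmsgr.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] msnsvc.exe
O4 - HKCU\..\RunServices: [Microsoft Windows XP SP2 Networking Process] msspnp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
REG_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Value names that borrow vendor/system wording instead of naming a product.
VENDOR_STYLE = re.compile(r'\b(microsoft|windows|service|driver|compaq)', re.I)


@dataclass(frozen=True)
class Autostart:
    hive: str     # HKLM or HKCU
    key: str      # Run, RunServices, ...
    name: str     # value name shown in [brackets]
    command: str  # command line stored in the value


def parse_o4(log_text):
    """Return the registry-backed O4 entries (Global Startup .lnk lines are skipped)."""
    entries = []
    for line in log_text.splitlines():
        m = REG_O4.match(line.strip())
        if m:
            entries.append(Autostart(*m.groups()))
    return entries


def is_bare(command):
    # No drive or directory: Windows resolves it through the search path
    # (System32 first), which is how msspnp.exe showed up running from
    # C:\WINDOWS\System32 in the thread's process list. Assumption, not a fact
    # the log states for the other three images.
    return '\\' not in command and ':' not in command


def image_name(command):
    """Executable token of a bare command, e.g. 'mspci.exe' from 'mspci.exe'."""
    return command.split()[0].lower()


def flag_entries(entries):
    """Return (entry, reasons) for bare-filename entries showing at least one warning sign."""
    bare_seen = Counter(image_name(e.command) for e in entries if is_bare(e.command))
    flagged = []
    for e in entries:
        if not is_bare(e.command):
            continue
        reasons = []
        if VENDOR_STYLE.search(e.name):
            reasons.append('vendor-style value name')
        if e.hive == 'HKCU' and e.key == 'RunServices':
            # RunServices keys are honoured only by Windows 9x/ME; on XP they are
            # inert, so worms write them for redundancy and installers do not.
            reasons.append('HKCU RunServices is not an XP autostart location')
        if bare_seen[image_name(e.command)] > 1:
            reasons.append('same bare image registered in more than one key')
        if reasons:
            flagged.append((e, reasons))
    return flagged


def hjt_fix_lines(flagged):
    """The O4 lines to tick in HijackThis, in the log's own format."""
    return [f'O4 - {e.hive}\\..\\{e.key}: [{e.name}] {e.command}' for e, _ in flagged]


def files_to_delete(flagged, system_dir=r'C:\WINDOWS\System32'):
    """Assumed on-disk paths for the flagged images (bare names resolve to System32)."""
    images = sorted({image_name(e.command) for e, _ in flagged})
    return [f'{system_dir}\\{name}' for name in images]


if __name__ == '__main__':
    hits = flag_entries(parse_o4(SAMPLE_LOG))
    print('Fix in HijackThis:')
    for line, (_, reasons) in zip(hjt_fix_lines(hits), hits):
        print(f'  {line}    <- {"; ".join(reasons)}')
    print('Delete in Safe Mode, if present:')
    for path in files_to_delete(hits):
        print(f'  {path}')
```

Run stand-alone it prints the same twelve O4 lines and the same four System32 paths as post #4. It deliberately leaves the bare `[ctfmon.exe] ctfmon.exe` RunServices entry alone, as mike did: the value name is not vendor-styled and that bare image is registered in only one key. Rules like these are a triage aid, not a verdict; confirm each hit against the file on disk (publisher signature, timestamps, a scan) before fixing and deleting.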
#5  May 29th, 2005, 06:28 AM
PeaTearGriffin (Member; joined Feb 2005; 94 posts)
OK, how is it now:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:13 AM, on 5/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: bw+0 - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {63AB93A7-D3D5-49D4-9C1A-9249A0BA4D26} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


Also, when I was in Local Disk I found a text file named "pws" with all the usernames and passwords from my computer =/ Does that mean I have a keylogger on my computer? I deleted the text file, but was it already sent to someone? What should I do?
#6  May 29th, 2005, 09:02 AM
mike (CTH Subscriber; joined Sep 2000; 3,302 posts)
Hi PeaTearGriffin

The log looks good now.
The pws.txt file may have been a log of passwords collected.
Immediately change all usernames and passwords for all sites you visit and for all users of the computer.

It is critical for your security that you update at Microsoft to stop these exploits recurring.
Check with computer maker if it needs any patches, before installing XPSP2.

Also critical for your security: before updating at MS, download one of these firewalls (disable the XP firewall; only run one firewall at a time).

Free Firewalls (disable the XP Firewall after installing any other firewall)
SYGATE: http://soho.sygate.com/free/default.php
ZONEALARM: http://www.zonelabs.com/

The firewall will ask for each program that tries to access the internet, as the worms you had would have been doing, and will also stop the same exploits accessing your computer. But you need to be aware that the firewall will ask to allow access; it is up to you to allow/disallow programs. Trust only programs you use, i.e. Internet Explorer, Outlook Express, AVG; make all other programs ask each time they need access.

As for a keylogger, it probably will not show in HijackThis, Ad-Aware or Spybot, etc.
You can try a trial version of :
AntiKeylogger http://www.anti-keyloggers.com/
or
Who'sWatchingMe http://www.trapware.com/index.html

Cheers
#7  May 29th, 2005, 02:56 PM
PeaTearGriffin (Member; joined Feb 2005; 94 posts)
OK, I'll work on the firewall today.

Hmm, I couldn't get AntiKeylogger to work. I tried the other one, though, and it couldn't find anything. I was told there is no point in changing my passwords if I cannot find the keylogger, since it will just log all my new passwords?
#8  May 30th, 2005, 09:05 PM
mike (CTH Subscriber; joined Sep 2000; 3,302 posts)
Hi PeaTearGriffin

I'm not sure if a keylogger is on board, but please change passwords, especially for any bank sites, etc., and for logon to the computer.
The worms you had were also backdoors, and they collect info/passwords for access (but mainly for access to your computer).

Don't forget MS updates.

Cheers