Old 10-03-2006   #1
Bronze Member
 
Join Date: Sep 2006
Location: Scotland
Posts: 3
MSN virus help!!

My friend clicked one of those MSN links which asks something along the lines "Is this a picture of you?"

They have the usual: homepage has been hijacked, windows opening on their own. They have avast installed but unfortunately it didn't catch this virus. It detects it though, but it just keeps copying itself over and over.

Anyway, here is the HJT log
Attached Files
File Type: txt hijackthisll.txt (7.1 KB, 6 views)
vanbommel1888 is offline   Reply With Quote
Old 10-03-2006   #2
Elite Member
 
Join Date: May 2006
Location: New Brunswick,Canada
Posts: 625

hello vanbommel1888 and welcome to pchf,

Unfortunately none of the security team are online at the moment, but they will be here shortly to help you with that problem. I know how you feel; it just happened to my brother 10 minutes ago.

genie3251
genie3251 is offline   Reply With Quote
Old 10-03-2006   #3
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,865
PC Experience: Elite PC Guru

Hi....
Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Go to Start > Run and type
cmd
and OK. Type the below commands and hit "Enter" after each line
sc stop cmdService
sc delete cmdService

Type Exit to close.


Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL= http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = FindTheWebsiteYouNeed
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Locksgramactivespam] C:\Documents and Settings\All Users\Application Data\dent stupid locks gram\glue iso.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e20.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
O4 - HKCU\..\Run: [New Wipe] C:\DOCUME~1\Dan\APPLIC~1\INTRAP~1\NameChic.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zang...ridge-c356.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\ir4ml5h11.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe (file missing)

Open Windows Explorer and delete the following highlighted file/s
Also delete the following red folder/s

C:\WINDOWS\system32\ir4ml5h11.dll
C:\Program Files\RXToolBar
C:\Program Files\outlook

Reboot.....................
Post back a new HJT log and the Combo fix.
__________________
My real name is Eddy
Pancake is offline   Reply With Quote
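
Added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis entry lines like those in the fix list above. The section labels and the two flags (orphaned entries, Run entries launching an .exe from a drive root) are assumptions chosen for illustration, not a verdict that an entry is malicious; the sample lines are copied from the post above.

```python
import re
from collections import namedtuple

# Section labels for the HijackThis codes that appear in the fix list above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Registry Run autostart",
    "O16": "ActiveX download", "O18": "Protocol/filter handler",
    "O20": "Winlogon Notify", "O23": "NT service",
}
Entry = namedtuple("Entry", "code kind detail flags")

LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")
# An .exe directly under a drive root (one or two backslashes, as logged).
ROOT_EXE_RE = re.compile(r"\b[A-Za-z]:\\{1,2}[^\\/:]+\.exe\b", re.I)

def parse_hjt(text):
    """Parse HijackThis entry lines and attach triage flags (assumed heuristics)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, detail = m.groups()
        flags = []
        if detail.endswith(("(file missing)", "(no file)")):
            flags.append("orphaned")  # registry entry outlived its file
        if code == "O4" and ROOT_EXE_RE.search(detail):
            flags.append("runs-from-drive-root")
        entries.append(Entry(code, SECTIONS.get(code, "other"), detail, flags))
    return entries

# Sample lines copied from the fix list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e20.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\ir4ml5h11.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe (file missing)
"""

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE):
        print(f"{e.code:>3}  {e.kind:<24} {','.join(e.flags) or '-':<22} {e.detail}")
```
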
Old 10-03-2006   #4
Bronze Member
 
Join Date: Dec 2005
Posts: 22

I have heard of this virus and many of my friends have it and it is a pain. I heard a couple of my mates saying that when you download it places a file in the C: root directory. I have had one before that was like this as well. It is probably a good idea to run programs such as Spybot or Ad-Aware as well as an anti virus program.
JD
__________________
MY RIG
AMD AthlonXP 2000+
Gigabyte 7VTXE+ mobo
GeForce 4 Ti4200 128mb with VIVO
512mb RAM
Lite-On CD Burner
LG 16x Dual Layer DVD Burner
Antec TruePower 350W
jd16591 is offline   Reply With Quote
