My friend has that MSN virus that sends zip files. I looked at his HijackThis log and I'm not sure about a few lines in it, so if someone could help, please take a look. I couldn't help noticing that there are no BHO lines in it. So here's his HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\v.exe
C:\WINDOWS\system\lsass.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\rmcgoxoc.exe
C:\WINDOWS\system\svchost32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [v] C:\WINDOWS\system32\v.exe
O4 - HKLM\..\Run: [60c0fd81] rundll32.exe "C:\WINDOWS\system32\peikfhnq.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?0d0e49230914487188c9928ee88fd87d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?0d0e49230914487188c9928ee88fd87d
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rmcgoxoc.exe
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe
O23 - Service: Print Spooler Service (u8lnoyks) - Unknown owner - C:\WINDOWS\system32\v.exe

--
End of file - 4389 bytes
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\system\lsass.exe (there are two entries)
C:\WINDOWS\system32\rmcgoxoc.exe
O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [60c0fd81] rundll32.exe "C:\WINDOWS\system32\peikfhnq.dll",b
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe

A lot of system32 files are infected. Boot into safe mode to get rid of the processes, and fix the rest while in safe mode as well. After that:

1. Download Spybot Search and Destroy. Update, scan, fix. Afterwards, use the immunize option.
2. Download AVG Anti-Spyware. Update, full system scan, fix.
3. Download CCleaner. Click the registry tab, fix all bad entry references.

When done, reboot your PC and post another log.
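The reply above picks the bad entries out of the log by eye: a copy of lsass.exe running from C:\WINDOWS\system instead of System32 (and listed more than once), a lookalike svchost32.exe, and services with no vendor name. The script below is an added example that automates exactly those three checks over a HijackThis log; it is not part of this thread and not a HijackThis feature. The LEGIT_HOMES and SINGLETONS tables are assumptions for a default 32-bit Windows XP install under C:\WINDOWS, and SAMPLE_LOG is an excerpt of the log posted above. Anything it flags is a lead for a human to confirm, not a verdict.

```python
"""Triage helper for a HijackThis log (added example, not part of the thread).

Three heuristics, all assumptions of this example:
  1. a core Windows binary, or a lookalike such as svchost32.exe, running
     from anywhere other than its legitimate directory
  2. an O23 service whose owner/company field is blank or "Unknown owner"
  3. a binary that should run exactly once (lsass.exe, smss.exe, ...)
     appearing more than once under "Running processes"
"""
import re
from collections import Counter

# Legitimate directories of core binaries (assumption: default C:\WINDOWS install).
LEGIT_HOMES = {
    "smss.exe":     {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "notepad.exe":  {r"c:\windows\system32", r"c:\windows"},
}
# Binaries of which a single-session XP box runs exactly one instance (assumption).
SINGLETONS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "spoolsv.exe"}

# A drive-letter path ending in .exe (lazy, so it stops at the first .exe).
PATH_RE = re.compile(r"[a-z]:\\.+?\.exe", re.IGNORECASE)
# O23 - Service: <display name (short name)> - <owner> - <path>; owner may be empty.
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) -\s*(.*?)\s*- (.+)$")


def canonical_name(filename):
    """Fold lookalikes onto the binary they imitate: 'SvcHost32.exe' -> 'svchost.exe'."""
    stem, _, ext = filename.lower().rpartition(".")
    return re.sub(r"\d+$", "", stem) + "." + ext


def masquerade_finding(path):
    """Return (path, imitated binary) when a core binary or lookalike lives
    outside its legitimate directory, else None."""
    folder, _, filename = path.lower().rpartition("\\")
    name = canonical_name(filename)
    homes = LEGIT_HOMES.get(name)
    if homes is None or folder in homes:
        return None
    return (path, name)


def running_processes(lines):
    """Paths listed between 'Running processes:' and the first R/O entry."""
    procs, inside = [], False
    for ln in lines:
        if ln.lower().startswith("running processes:"):
            inside = True
        elif inside and re.match(r"^[RO]\d+ - ", ln):
            break
        elif inside:
            procs.append(ln)
    return procs


def triage(log_text):
    """Return the findings for one HijackThis log as a dict."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    masquerades = {}  # keyed by lower-cased path; first occurrence wins
    for ln in lines:
        for path in PATH_RE.findall(ln):
            hit = masquerade_finding(path)
            if hit and path.lower() not in masquerades:
                masquerades[path.lower()] = hit

    unknown_owner = [m.group(3).strip() for m in map(SERVICE_RE.match, lines)
                     if m and m.group(2).strip().lower() in ("", "unknown owner")]

    names = Counter(p.lower().rpartition("\\")[2] for p in running_processes(lines))
    extra = {n: c for n, c in names.items() if n in SINGLETONS and c > 1}

    return {"masquerade": list(masquerades.values()),
            "unknown_owner_services": unknown_owner,
            "extra_singletons": extra}


# Excerpt of the log posted above, used as sample input.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\system32\v.exe
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\system32\rmcgoxoc.exe
C:\WINDOWS\system\svchost32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.hr/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [v] C:\WINDOWS\system32\v.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rmcgoxoc.exe
O23 - Service: NOTEPAD - Unknown owner - C:\WINDOWS\system\NOTEPAD.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe
O23 - Service: Print Spooler Service (u8lnoyks) - Unknown owner - C:\WINDOWS\system32\v.exe
"""

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run it as a script and it reports the three masquerading paths (lsass.exe and NOTEPAD.exe in C:\WINDOWS\system, the svchost32.exe lookalike), the four services with no vendor, and lsass.exe running three times where one instance is expected. The duplicate check is deliberately restricted to singleton binaries: several svchost.exe processes are normal, so counting every repeated path would only add noise. Note that v.exe and rmcgoxoc.exe are caught only through their unknown-owner service entries; a random-looking name on its own is not a reliable signal, which is why the script does not try to score names.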