# MSN Messenger "foto" virus



## ineedhelp888 (Mar 10, 2008)

Hi,

I got the virus from opening a chatbox link to "foto.rar." It's the one that when opened it sends to everyone on the list. Already ran scans for viruses and all. I did your SDFix scan, I appreciate any help! here's the report:

*SDFix: Version 1.155 *

Run Mon 03/10/2008 at 02:21 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

*Checking Files *:

Trojan Files Found:

C:\DOCUME~1\mae\LOCALS~1\Temp\foto.zip - Deleted

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 02:29:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C1B9E71E-00D9-F440-B1FC-2203350C4EDC}]
"dbjjpbeooificaedjnghlhifbjpjnpjeonimkkep"=hex:6b,61,68,6b,6a,61,70,65,69,6a,6a,61,6e,6c,69,67,61,64,70,6e,68,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 19

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1150832638\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1150832638\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1150832638\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1150832638\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Kuro\\Kuro.exe"="C:\\Program Files\\Kuro\\Kuro.exe:*:Enabled:Kuro"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\IBMTOOLS\\Apps\\DVD7\\WinDVD.exe"="C:\\Program Files\\IBMTOOLS\\Apps\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\Yahoo!\\Yahoo! c_¬_-æ¬3q\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! c_¬_-æ¬3q\\YahooMusicEngine.exe:*:Enabled:Yahoo!?????"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*isabled:Veoh Client"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program Files\\FlashGet Network\\Flashget\\FlashGet.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\FlashGet.exe:*:Enabled:Flashget2"
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdate.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdate.exe:*:Enabled:FGLiveUpdate"
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"="C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe:*:Enabled:FGLiveUpdateEx"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\36.exe"="C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\36.exe:*:Enabledxpsp2res.dll,-22005"
"C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\77.exe"="C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\77.exe:*:Enabledxpsp2res.dll,-22005"
"C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\82.exe"="C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\82.exe:*:Enabledxpsp2res.dll,-22005"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\53.exe"="C:\\DOCUME~1\\mae\\LOCALS~1\\Temp\\53.exe:*:Enabledxpsp2res.dll,-22005"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"="C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Tue 12 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Sat 27 Oct 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Sat 27 Oct 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Sat 27 Oct 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Fri 4 Nov 2005 4,126,240 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sun 9 Mar 2008 76,288 A.SHR --- "C:\WINDOWS\system32\svcthread.exe"
Wed 18 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2C.tmp"
Fri 7 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT13.tmp"
Wed 5 Dec 2007 96,072 ...H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

*Finished!*

Thanks!


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. 

Please download (save) *MsnCleaner.zip* to your desktop. 
Extract the content of MsnCleaner.zip to your Desktop.
Restart in Safe Mode.

To boot up in Safe mode, continuously tap the F8 key while starting your computer. 
You should see a black screen displaying the Windows Advanced Menu Options. 
Using your keyboard's arrow keys, select Safe mode, then hit Enter.

Double-click MsnCleaner.exe to run it.
Click the Analyze button.
A report will be created once after you finish scan.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please post the contents of C:\MsnCleaner.txt in a reply to this post.

Visit *this webpage* for instructions for downloading and running ComboFix.

Post the log from ComboFix along with a new HijackThis log.


----------

