
funny.exe virus - msn contacts

Discussion in 'Virus & Other Malware Removal' started by renrutbor, Jan 24, 2005.

Thread Status:
Not open for further replies.
  1. renrutbor

    renrutbor Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    5
    When a contact signs in on MSN Messenger, something automatically sends a link and a file called funny.exe to them. I've been told it's a worm and downloaded and ran Acronis Privacy Expert Suite Demo to try to find it. After running it, the files are still sent when a contact signs in. I'm on XP and use Mozilla Firefox. Any help is appreciated - Thanks

    Rob
     
  2. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    Hi renrutbor,

    Why don't you run Hijack This and post a log here for us to look at?

    download it here: http://tomcoyote.org/hjt (download it to its own folder, say a folder called HijackThis on the desktop or else C:\HijackThis)

    then run it and post the logfile from it here into this thread.

    Also, here are a couple of sites that have some programs to detect worms and trojans:

    http://www.ewido.net/en/?section=ess <--( EWIDO detects a bunch of junk)

    and

    http://www.trojanscan.com/ <-- a check for trojans


    Wayne
     
  3. renrutbor

    renrutbor Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    5
    Hi,
    I downloaded HijackThis and ran it. About 3/4 of the way through, I got an error message saying

    "You have a particularly large amount of hijacked domains. It's probably better to delete the file itself than to fix each item (and create a backup)
    If you see the same IP address in all the reported O1 items, consider deleting your Hosts file, which is located at D:\WINDOWS\System32\drivers\etc\hosts."

    I clicked ok (the only option) and it finished.

    Here is the logfile.

    Logfile of HijackThis v1.99.0
    Scan saved at 01:05:35, on 25/01/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    d:\windows\system32\explorer.exe
    D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    d:\windows\rundll32.exe
    d:\windows\system32\IEXPLORE.EXE
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\WINDOWS\System32\MsPMSPSv.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\System32\bcmwltry.exe
    D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    D:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    D:\Program Files\Creative\ShareDLL\CtNotify.exe
    D:\PROGRA~1\3DMouse\3DMouse.EXE
    D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    D:\WINDOWS\System32\RunDll32.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
    D:\Program Files\Creative\Sharedll\Mediadet.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\WINDOWS\System32\svchost.exe
    D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    D:\WINDOWS\explorer.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit32.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - D:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SearchUpgrader] D:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NOMAD Detector] D:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
    O4 - HKLM\..\Run: [MMSystem] d:\windows\rundll32.exe "d:\windows\system32\mmsystem.dll"", RunDll32
    O4 - HKLM\..\Run: [3DMouse] D:\PROGRA~1\3DMouse\3DMouse.EXE
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe D:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [JB3Menu] "D:\Program Files\Creative\NOMAD Jukebox 3\Startup Menu\Jukebox.exe" /L:ENG
    O4 - HKCU\..\Run: [NOMAD Detector] "D:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [MMSystem] d:\windows\rundll32.exe "d:\windows\system32\mmsystem.dll"", RunDll32
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - D:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - D:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102266376388
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O23 - Service: Acronis Scheduler2 Service - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe

    I forgot to mention that I'm using a wireless LAN. I don't know if that matters or not, but thought I should mention it.

    Thanks
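
An added example, not part of the original post and not HijackThis's own code: the condition the HijackThis message above describes (many hosts entries pointing at the same IP address) written as a small Python check that accepts either `O1 - Hosts:` log lines or raw hosts-file lines. The sample input, the threshold of 3 and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Accepts HijackThis "O1 - Hosts: <ip> <name>" lines and plain "<ip> <name>" hosts lines.
ENTRY = re.compile(r"^\s*(?:O1\s*-\s*Hosts:\s*)?(\S+)\s+(\S+)")

def parse_entries(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and non-hosts lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop hosts-file comments
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # other log sections (O2, O4, ...) have no address here
        yield ip, m.group(2).lower()

def suspicious_redirects(text, threshold=3):
    """Return {ip: sorted hostnames} for each non-loopback address that at
    least `threshold` distinct names resolve to (threshold is an assumption)."""
    by_ip = defaultdict(set)
    for ip, name in parse_entries(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                          # 127.0.0.1 / 0.0.0.0 entries are ordinary blocklist style
        by_ip[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= threshold}

# Constructed sample input using documentation addresses and example domains;
# none of these values come from the thread.
SAMPLE = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.net
O1 - Hosts: 203.0.113.7 www.example.com
O1 - Hosts: 203.0.113.7 example.com
O1 - Hosts: 203.0.113.7 search.example.org
O1 - Hosts: 198.51.100.20 intranet.example.org
O4 - HKLM\\..\\Run: [Example] example.exe
"""

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE).items():
        print(f"{ip}: {len(names)} names redirected -> {', '.join(names)}")
```
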
     
  4. renrutbor

    renrutbor Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    5
    Since that last message, a friend recommended that I download and run something. It was called Panda Software, I think. After checking, it said that it had found 8 infected files and disinfected 5 of them. It said that I needed to restart for the changes to occur. I did, and when I tried to log back on, I typed in my password, it started logging me on, then before it got in, it logged me back off again. It does it with both the user accounts (mine and guest) and I don't have a clue what to do... Please help!!!

    Thanks, Rob
     
  5. sun_beam

    sun_beam

    Joined:
    Apr 18, 2004
    Messages:
    230
  6. renrutbor

    renrutbor Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    5
    Thanks, I'll try that when I eventually manage to get logged on (XP won't let me sign on to any user accounts now)
     

Short URL to this thread: https://techguy.org/323087
