Help with the [email protected] worm

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.
J

jpsimon1978

Thread Starter
I just got infected with this stupid worm and Norton Anti-Virus sure didn't detect it either. I keep it regularly updated but it still messed my computer up and now Norton Anti-Virus won't run right and some files have errors. I tried to check out Norton's website but it just tells how to do it manually and I couldn't get the Registry Editor to stay open due to the worm infecting the computer. Can someone please help me remove this annoying thing? I have to reinstall Norton but it didn't work.
 
Joined
Mar 9, 2003
Messages
4,699
Let's see what we can do to help.

Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the “Scan” button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. IF you happen to be using a proxy server, please mention it in your post. Most of what it finds is harmless, so do not do anything yet. Someone will be glad to help you sort out any of the baddies that may be in there.
 
Joined
Sep 27, 2002
Messages
867
Well jpsimon1978,

You need to follow the Step 4 instructions from Symantec to repair your registry and get it to stay open.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


4. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
--------------------------------------------------------------------------------

a. Click Start, and then click Run. (The Run dialog box appears.)


b. Type:

notepad

and then click OK. (Notepad opens a text file.)


c. Type, or copy and paste, the following text into the text file (without the NOTE part):

The part below in bold, starting with REGEDIT4, is what you want to copy and paste to note pad

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
(NOTE: That is, type the following characters:
at-equal-quote-backslash-quote-percent-one-backslash-quote-space-percent-asterisk-quote.)

[-HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"%1\" %*"

[-HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="\"%1\" %*"

[-HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
@="\"%1\" %*"



d. Save the file as:

repair.reg

in the root folder (usually C:\).


e. Click Start, then Run.


f. Type:

regedit -s \repair.reg

and then click OK.


g. Click Start, and then click Run.


h. Type: regedit

Then click OK. (The Registry Editor opens.)


i. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


j. In the right pane, delete the randomly named value that the worm created.


k. Exit the Registry Editor.
 
J

jpsimon1978

Thread Starter
OK, I just downloaded HijackThis and did the Scan. Here are the results of it. I hope someone can help me out with them and what to do too. Thanks!

Logfile of HijackThis v1.97.2
Scan saved at 12:49:08 AM, on 9/19/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPLIB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ymvg] npxtky.exe autorun
O4 - HKLM\..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG\MSGTAG.EXE" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.9095601852
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/187aebc293ba4e5ad903/netzip/RdxIE601.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4294/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
 
Joined
Mar 9, 2003
Messages
4,699
Have HJT fix these two:

O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4...20/cpbrxpie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/187aebc293ba4e...ip/RdxIE601.cab

I can't find any information on this one, but I don't like the looks of it. Do you know what it is?
Right click and then click on Properties and on the Version tab look at the description and also the company name.

O4 - HKLM\..\Run: [ymvg] npxtky.exe autorun
 
J

jpsimon1978

Thread Starter
It says this part of the Scan checks for several suspicious that autoload when Windows starts. Autoloading can load a Registry Script, VB Script or JavaScript file, possibly causing the IE Start Page, Search Page, Search Bar and Search Assistant to revert back to a HiJacker's after a system reboot.

That's what it says about that one entry. Hope that helps and please advise me what to do about it, thanks!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top