TechSpot

yahoo messenger problem

By gorgeousm
Oct 31, 2006
  1. Greetings,

    This is my first posting and hoping to get 100% results out of it.
    Yesterday I recvd a chat message on yahoo msngr from my friend and, not knowing it to be a VIRUS, I clicked on one of the links in it. Now my messenger is sending msgs to all the users on my msngr list every now and then. Examples mentioned below:
    --------------------------------------------------------------------------
    wtf is this ? wanna give me a **** ? http://nsl-school.org/?id=news
    look at my new lover :

    you are virus infected . Use this tool to remove viruses from your PC :

    check this link for me : . Why I cannot surf this site ???

    have you ever seen such a silly man like this ?
    -------------------------------------------------------------------------
    Can you plz help me fight this virus off my laptop?
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hallo and welcome to Techspot.

    I have moved your post to its own thread in the correct forum.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of gorgeousm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. gorgeousm

    gorgeousm TS Rookie Topic Starter

    Hello there,

    I am facing problems with downloading TOOL 4. Rest all above is done. Plz help?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    What problem are you having exactly?

    Regards Howard :)

     
  5. gorgeousm

    gorgeousm TS Rookie Topic Starter

    Tool 4 is Looktome-Destroyer. The dialogue box is opening for it to save or run it, however it's actually not downloading the appl. It's been a while now. The download is not taking place.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Maybe there`s a problem with the Atribune site at the moment.

    Skip that tool for now and follow the rest of the instructions.

    Regards Howard :)

     
  7. gorgeousm

    gorgeousm TS Rookie Topic Starter

    Alright. Can you tell me now if I have to move to Safe mode to "turn off system restore" or can do it in normal mode? And as I understand, the remaining tasks & full sys scan at the end should be done in safe mode, right?


    Regds.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    After running the four tools, the instructions quite clearly state you should do the following in order.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Do not reboot into normal mode, until instructed to do so.

    Regards Howard :)

     
  9. gorgeousm

    gorgeousm TS Rookie Topic Starter

    Hello,

    Plz find files attached.

    Regds.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    newdotnet <If it`s not listed in add remove programmes download and run this uninstaller HERE.

    Close control panel.


    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svhost32.exe
    svhost.exe <Not to be confused with svchost.exe.
    PowerReg Scheduler.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080<Only fix this if you didn`t set this proxy your self, or don`t know what it is.

    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

    O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe

    O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe

    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"

    O4 - Global Startup: PowerReg Scheduler.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab

    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    O17 - HKLM\System\CS1\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    O17 - HKLM\System\CS2\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    Only fix the above O17 entries if they don`t belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\svhost.exe
    C:\WINDOWS\svhost32.exe
    C:\program files\newdotnet <Delete the entire folder.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Install.dll
    PowerReg Scheduler.exe Search your system for this file and delete all instances of it.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post fresh HJT and AVG Antispyware logs and let me know how your system is running.

    Regards Howard :)

     
  11. gorgeousm

    gorgeousm TS Rookie Topic Starter

    Hello,

    Can you explain the below part to me plz. What are these numbers?


    "Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080<Only fix this if you didn`t set this proxy your self, or don`t know what it is.

    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

    O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe

    O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe

    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"

    O4 - Global Startup: PowerReg Scheduler.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab

    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    O17 - HKLM\System\CS1\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    O17 - HKLM\System\CS2\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

    Only fix the above O17 entries if they don`t belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Awaiting for your reply!!
     
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    What`s to explain?

    The entries I have told you to fix are nasty and should be removed as per the instructions.

    I have analysed thousands of HJT logs, so I do know what I`m talking about.

    If you don`t believe me, please feel free to go elsewhere.

    If that seems harsh, then so be it. I simply don`t have the time to explain every single thing.

    If you follow the instructions, I`m sure you`ll see a vast improvement to your problems.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
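
Post 11 asks what the codes in front of each HijackThis entry mean. The sketch below is an added illustration, not part of any post in this thread and not HijackThis's own code: it maps the section codes seen in post 10 to their meaning and flags O4 autostart entries whose file name imitates `svchost.exe`. The `PROTECTED_NAMES` list and the 0.85 similarity cut-off are assumptions of this example; the sample lines are copied from post 10.

```python
import re
from difflib import SequenceMatcher

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R1": "Internet Explorer registry setting (search page, proxy, ...)",
    "O3": "Internet Explorer toolbar",
    "O4": "program started automatically (Run key or Startup folder)",
    "O7": "policy restricting access to Regedit",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O17": "DNS server / domain setting in the TCP/IP parameters",
    "O18": "extra protocol handler",
}
# Assumption of this example: system process names worth guarding against imitation.
PROTECTED_NAMES = ("svchost.exe",)
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+)$")
EXE_RE = re.compile(r"[\w .-]+\.exe", re.IGNORECASE)

def parse_entry(line):
    """Return (code, meaning, detail) for a log entry, or None for other text."""
    m = ENTRY_RE.match(line)
    return (m[1], SECTIONS.get(m[1], "section not covered here"), m[2]) if m else None

def lookalike_of(exe_name, threshold=0.85):
    """Return the protected name that exe_name imitates, or None."""
    name = exe_name.lower()
    for real in PROTECTED_NAMES:
        if name != real and SequenceMatcher(None, name, real).ratio() >= threshold:
            return real
    return None

def review_autostarts(lines):
    """List (file name, imitated name) for O4 entries with a lookalike name."""
    findings = []
    for entry in filter(None, map(parse_entry, lines)):
        exe = EXE_RE.search(entry[2]) if entry[0] == "O4" else None
        real = lookalike_of(exe.group(0).strip()) if exe else None
        if real:
            findings.append((exe.group(0).strip(), real))
    return findings

# Lines copied from post 10 of this thread.
SAMPLE = [
    r"O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe",
    r"O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe",
    r'O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"',
]

if __name__ == "__main__":
    print([parse_entry(l)[:2] for l in SAMPLE], review_autostarts(SAMPLE))
```

A name match alone is only a triage signal; the Run-key value name and the file's location still have to be checked before anything is removed.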

