Yahoo Messenger problem


gorgeousm

Greetings,

This is my first posting and I am hoping to get 100% results out of it.
Yesterday I received a chat message on Yahoo Messenger from my friend and, not knowing it to be a virus, I clicked on one of the links in it. Now my messenger is sending messages to all the users on my messenger list every now and then. Examples are mentioned below:
--------------------------------------------------------------------------
wtf is this ? wanna give me a **** ? http://nsl-school.org/?id=news
look at my new lover :

you are virus infected . Use this tool to remove viruses from your PC :

check this link for me : . Why I cannot surf this site ???

have you ever seen such a silly man like this ?
-------------------------------------------------------------------------
Can you please help me fight this virus off my laptop?
 
Hello and welcome to Techspot.

I have moved your post to its own thread in the correct forum.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of gorgeousm only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
What problem are you having exactly?

Regards Howard :)

 
Tool 4 is Looktome-Destroyer. The dialogue box is opening for it to save or run it, however it's actually not downloading the application. It's been a while now. The download is not taking place.
 
Maybe there's a problem with the Atribune site at the moment.

Skip that tool for now and follow the rest of the instructions.

Regards Howard :)

 
Alright. Can you tell me now if I have to move to Safe mode to "turn off system restore" or can do it in normal mode? And as I understand, the remaining tasks and full system scan at the end should be done in safe mode, right?


Regards.
 
After running the four tools, the instructions quite clearly state you should do the following in order.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Do not reboot into normal mode, until instructed to do so.

Regards Howard :)

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

newdotnet < If it's not listed in add remove programmes, download and run this uninstaller HERE.

Close control panel.


Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

svhost32.exe
svhost.exe < Not to be confused with svchost.exe.
PowerReg Scheduler.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080 < Only fix this if you didn't set this proxy yourself, or don't know what it is.

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe

O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"

O4 - Global Startup: PowerReg Scheduler.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

Only fix the above O17 entries if they don't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\svhost.exe
C:\WINDOWS\svhost32.exe
C:\program files\newdotnet <Delete the entire folder.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Install.dll
PowerReg Scheduler.exe Search your system for this file and delete all instances of it.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post fresh HJT and AVG Antispyware logs and let me know how your system is running.

Regards Howard :)

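The svhost.exe versus svchost.exe distinction in the instructions above, as an added example that is not part of the original thread: a small triage script that reads HijackThis-style lines and flags Run entries whose file name imitates a Windows system process. The `SYSTEM_NAMES` list, the 0.8 similarity threshold and the function names are assumptions of this example.

```python
import re
from difflib import SequenceMatcher
from ntpath import basename

# Windows process names that malware often imitates (short list, assumed for this example).
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"]

# Entries copied from the HijackThis lines quoted in the thread.
SAMPLE_LOG = r'''
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
'''

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry body
RUN_RE = re.compile(r'^HK\w+\\\.\.\\Run\w*: \[(.+?)\] "?(.+?\.exe)', re.I)

def lookalike(exe_name, threshold=0.8):
    """Return the system binary that exe_name closely resembles, or None."""
    name = exe_name.lower()
    if name in SYSTEM_NAMES:
        return None  # exact name: judging it needs a path check, not done here
    for real in SYSTEM_NAMES:
        if SequenceMatcher(None, name, real).ratio() >= threshold:
            return real
    return None

def triage(log_text):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            exe = basename(run.group(2))
            real = lookalike(exe)
            if real:
                findings.append((section, exe, f"name imitates {real}"))
        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append((section, "DisableRegedit", "registry editor disabled by policy"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A name match only says an entry deserves inspection; the decision to fix it still depends on the file and on who installed it.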
 
Hello,

Can you explain the below part to me please? What are these numbers?


"Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080 < Only fix this if you didn't set this proxy yourself, or don't know what it is.

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe

O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svhost.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"

O4 - Global Startup: PowerReg Scheduler.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

O17 - HKLM\System\CS2\Services\Tcpip\..\{14426513-FC8C-4CEC-B56C-74C69F0E34D1}: NameServer = 213.42.20.20,195.229.241.222

Only fix the above O17 entries if they don't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Click on the fix checked button."

Awaiting your reply!!
 
What's to explain?

The entries I have told you to fix are nasty and should be removed as per the instructions.

I have analysed thousands of HJT logs, so I do know what I'm talking about.

If you don't believe me, please feel free to go elsewhere.

If that seems harsh, then so be it. I simply don't have the time to explain every single thing.

If you follow the instructions, I'm sure you'll see a vast improvement to your problems.

Regards Howard :)

 