Virus from noreply@yahoo.com

cyberarmy

Expert Member
Joined
Aug 21, 2006
Messages
3,400
Maybe Dr.Web hasn't updated their CureIt! tool yet, since they do regular updates on this freebie.

Have you tried sending that sample to AVG's virus sample submission service/email they provide?

The reason I didn't recommend BitDefender's online scan (although I am using their antivirus) is that I saw an analysis that this WORM will corrupt your antivirus, while the antivirus will not be able to remove it when it's running. And a web-based ActiveX virus scan plugin is quite useless against this kind of worm, although you can give it a try.

If that online scan cannot remove this worm, you don't want to wait for an AVG update, and you are willing to trust me, I am offering help to remove this one with a tool. Go download this and unzip it: http://www.merijn.org/files/hijackthis.zip
Run it, click 'Scan and save a log', then post the log file here. (Please do not just fix anything you see in that program.)
 

sihen

Well-Known Member
Joined
Apr 25, 2004
Messages
339
Logfile of HijackThis v1.99.1
Scan saved at 06:09:42 PM, on 2006/10/01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX07.313\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MacroVirus] C:\Program Files\MacroVirus\MacroVirus.exe -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: mslo32.dll - {190AC4F8-44CA-BBA1-CD29-56D0B0FDFFF5} - c:\windows\system32\mslo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 

sihen

Well-Known Member
Joined
Apr 25, 2004
Messages
339
cyberarmy,
"Have you try send that sample to AVG's virus sample submission service/email they provide?"
You got a URL for this?
 

sihen

Well-Known Member
Joined
Apr 25, 2004
Messages
339
AVG just popped up with a few viruses etc. I healed them...
Outlook has not crashed in the last 5 mins and my mail is coming down :)

Maybe it's fixed?
 

cyberarmy

Expert Member
Joined
Aug 21, 2006
Messages
3,400
Well, maybe AVG has updated and removed that worm for you. Can you post the AVG log so I can see what virus it removed for you, and also the infected file path?
Do you mind running a new HijackThis scan and posting the log to confirm?
This one looks guilty to me....
O4 - HKLM\..\Run: [MacroVirus] C:\Program Files\MacroVirus\MacroVirus.exe -boot
 

sihen

Well-Known Member
Joined
Apr 25, 2004
Messages
339
Hey Cyberarmy, new HijackThis log below:

Logfile of HijackThis v1.99.1
Scan saved at 09:12:19 PM, on 2006/10/01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.968\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MacroVirus] C:\Program Files\MacroVirus\MacroVirus.exe -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: mslo32.dll - {190AC4F8-44CA-BBA1-CD29-56D0B0FDFFF5} - c:\windows\system32\mslo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 

sihen

Well-Known Member
Joined
Apr 25, 2004
Messages
339
AVG LOG:

<rec time="2006/10/01 14:20:44" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP23\A0005799.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Generic.MQR</attr>
</rec>
<rec time="2006/10/01 17:36:23" user="SYSTEM" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP23\A0005799.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Generic.MQR</attr>
</rec>
<rec time="2006/10/01 18:12:39" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP23\A0005799.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Generic.MQR</attr>
</rec>
<rec time="2006/10/01 18:12:50" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP23\A0005799.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:14:08" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP32\A0010129.exe</attr>
<attr name="finding">@EID_Id_trj</attr>
<attr name="virusname">Generic.MQR</attr>
</rec>
<rec time="2006/10/01 18:14:12" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP33\A0010166.dll</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FU</attr>
</rec>
<rec time="2006/10/01 18:14:15" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP32\A0010129.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:14:20" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP33\A0010166.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:25:38" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:811-810;iavi:470-469;</attr>
</rec>
<rec time="2006/10/01 18:31:09" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\system32\msmi.exe</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FT</attr>
</rec>
<rec time="2006/10/01 18:31:09" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\system32\msnh</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FT</attr>
</rec>
<rec time="2006/10/01 18:31:29" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\system32\msmi.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:31:35" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\system32\msnh</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:42:27" user="User" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/10/01 19:17:16" user="User" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
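An added example, not part of the thread and not AVG's own tooling: a small Python parser for AVG 7 log records like the ones posted above, pairing each flagged file with the action AVG logged for it. The sample is constructed after the records in the thread (same element names and @HL_ codes), wrapped in a root element so it parses as one document, and with one detection deliberately left without an action record so that an unresolved finding shows up. Paths under System Volume Information\_restore are System Restore snapshots: a "cleaned" there means a restore point held a copy of the file, not that a live copy was running.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the AVG 7 records posted in the thread. The
# msnh detection is intentionally left without an @HL_ActionTaken record.
SAMPLE_AVG_LOG = r"""<log>
<rec time="2006/10/01 18:14:12" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP33\A0010166.dll</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FU</attr>
</rec>
<rec time="2006/10/01 18:14:20" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\System Volume Information\_restore{E9CDBDCC-AA71-4564-AFE4-D8B9710355D3}\RP33\A0010166.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:25:38" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:811-810;iavi:470-469;</attr>
</rec>
<rec time="2006/10/01 18:31:09" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\system32\msmi.exe</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FT</attr>
</rec>
<rec time="2006/10/01 18:31:29" user="User" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\WINDOWS\system32\msmi.exe</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/10/01 18:31:09" user="User" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\WINDOWS\system32\msnh</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/Feebs.FT</attr>
</rec>
</log>"""


def parse_records(xml_text):
    """Yield (time, event code, {attr name: value}) for every <rec> element."""
    root = ET.fromstring(xml_text)
    for rec in root.iter("rec"):
        event = (rec.findtext("value") or "").strip()
        attrs = {a.get("name"): (a.text or "").strip() for a in rec.findall("attr")}
        yield rec.get("time"), event, attrs


def summarize_detections(xml_text):
    """Map each flagged path to its detection name, first sighting and logged action."""
    files = {}
    for when, event, attrs in parse_records(xml_text):
        path = attrs.get("filename")
        if not path:
            continue  # update and scan-progress records carry no filename
        if event == "@HL_ReportFindRS":
            files.setdefault(path, {"virusname": attrs.get("virusname"),
                                    "first_seen": when, "action": None})
        elif event == "@HL_ActionTaken" and path in files:
            files[path]["action"] = attrs.get("action")
    return files


def unresolved(files):
    """Flagged files for which no clean action was ever logged."""
    return sorted(p for p, info in files.items() if info["action"] != "@HL_ActCleaned")


def in_restore_points(files):
    """Detections inside System Restore snapshots rather than live system files."""
    return sorted(p for p in files if "\\system volume information\\_restore" in p.lower())


if __name__ == "__main__":
    report = summarize_detections(SAMPLE_AVG_LOG)
    for path, info in report.items():
        print(f"{info['virusname']:15} {info['action'] or 'NO ACTION':15} {path}")
    print("unresolved:", unresolved(report))
    print("restore-point copies:", in_restore_points(report))
```

Run as a script it prints one line per flagged file; a path listed under "unresolved" is the one to chase, while restore-point copies only matter if the machine is rolled back to that point.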
 

cyberarmy

Expert Member
Joined
Aug 21, 2006
Messages
3,400
Congrats! Worm/Feebs.FT has been removed by AVG. Just check if this C:\Program Files\MacroVirus\ is something you installed, which I doubt. If not, I suggest you first try to uninstall it manually from the program or from Add/Remove Programs; if it is nowhere to be found, use HijackThis to fix this entry, then reboot your PC and delete the MacroVirus folder.
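As an added worked example (not code from the thread, from HijackThis or from AVG): a small Python parser for the O-items in the HijackThis logs above. It extracts the program each O4 Run entry launches, applies the mechanical checks a reviewer does before judging an entry (items whose file is "(file missing)", Run values given as a bare filename such as HDAShCut.exe, whose load location depends on the executable search path, and O20/O21 items that load into winlogon or Explorer), and diffs the O4 entries of two scans so a fix can be confirmed by re-scanning, as asked for in the thread. The "before" lines are copied from the logs posted above; the "after" log is constructed to represent the scan after the [MacroVirus] entry has been fixed. The checks do not decide what is malicious; that remains the reviewer's call.

```python
import re

# Constructed sample: lines copied from the HijackThis 1.99.1 logs posted in this
# thread, trimmed to a handful of items that exercise each check.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MacroVirus] C:\Program Files\MacroVirus\MacroVirus.exe -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O21 - SSODL: mslo32.dll - {190AC4F8-44CA-BBA1-CD29-56D0B0FDFFF5} - c:\windows\system32\mslo32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""
# Constructed "after" log: the same scan with the [MacroVirus] entry fixed in
# HijackThis, i.e. the state the advice aims for, not a log from the thread.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "[MacroVirus]" not in l)

ITEM = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<scope>Startup|Global Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# First executable in a command line: a quoted path, or an unquoted token ending in
# an executable extension; trailing switches such as /STARTUP or -boot are dropped.
EXE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|dll|scr|com|bat|cmd)))(?:\s|$)', re.I)


def target_of(cmd):
    """Return the program a Run value launches, without its arguments."""
    m = EXE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def parse_hjt(text):
    """Turn HijackThis O-items into dicts; the process listing and headers are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = ITEM.match(line)
        if not m:
            continue
        rec = {"section": m.group("section"), "raw": line, "scope": None, "name": None, "target": None}
        run, startup = O4_RUN.match(line), O4_STARTUP.match(line)
        if run:
            rec.update(scope=run.group("hive") + " Run", name=run.group("name"),
                       target=target_of(run.group("cmd")))
        elif startup:
            rec.update(scope=startup.group("scope"), name=startup.group("name"),
                       target=target_of(startup.group("cmd")))
        records.append(rec)
    return records


def assess(records):
    """Mechanical checks done before reading each entry; they do not judge intent."""
    findings = []
    for r in records:
        if "(file missing)" in r["raw"]:
            findings.append((r["raw"], "dangling: the referenced file is missing, the entry can be cleaned"))
        if r["section"] == "O4" and r["target"] not in (None, "?") and "\\" not in r["target"]:
            findings.append((r["raw"], "bare filename: runs whatever the path search finds first, confirm the location"))
        if r["section"] in ("O20", "O21"):
            findings.append((r["raw"], "loads into winlogon/Explorer at every logon, verify the DLL"))
    return findings


def autostart_diff(before_text, after_text):
    """O4 entries removed and added between two scans, to confirm a fix stuck."""
    before = {r["raw"] for r in parse_hjt(before_text) if r["section"] == "O4"}
    after = {r["raw"] for r in parse_hjt(after_text) if r["section"] == "O4"}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    recs = parse_hjt(LOG_BEFORE)
    for r in recs:
        if r["section"] == "O4":
            print(f"{r['scope']:15} {r['name']!r:50} -> {r['target']}")
    for raw, why in assess(recs):
        print("CHECK:", why, "|", raw)
    removed, added = autostart_diff(LOG_BEFORE, LOG_AFTER)
    print("removed since first scan:", removed)
    print("added since first scan:", added)
```

With the two logs from the thread the diff would be empty, which is what the second scan above showed: AVG cleaned files on disk but left the Run value in place, so the fix in HijackThis is still needed for the entry to disappear from the next scan.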
 