-
May 15th, 2006, 05:39 AM
#1
Messenger Service Warnings
I have picked up a virus which puts Messenger Service warnings on my screen. The virus operates by putting an .EXE file in the WINNT temp directory; the .EXE is named a variation on cf8se3.exe. I can stop its operation for one cycle by changing the .exe to another form, i.e. .dud, but on the next reboot the exe has been regenerated as another variation on the name, the registry has been changed accordingly, and I have to do it again. I don't have the tool to track what file generates the .exe and registry entry. Can you give me any advice? What is this and how do you clean it? Trend Office, Spybot and Ad-Aware all miss it. Thanks
-
May 15th, 2006, 08:39 AM
#2
Registered User
Yes, do an online scan at
www.bitdefender.com
Are you saying you have no antivirus?
-
May 15th, 2006, 09:51 AM
#3
 Originally Posted by Ferrit
Yes, do an online scan at
www.bitdefender.com
Are you saying you have no antivirus?
No, actually it has got past each of Trend Office, AVG, Spybot and Ad-Aware. I will try that online scan as soon as I get home. I hate to do anything online; I only have dial-up and it is dead slow.
-
May 15th, 2006, 02:40 PM
#4
Here is some HijackThis stuff if it helps.
StartupList report, 5/15/2006, 3:15:03 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.EXE
Detected: Windows 2000 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\TEMP\XK68E5.EXE
C:\WINNT\Explorer.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Connection Keeper\ConKeepM.exe
C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
GWMDMMSG = GWMDMMSG.exe
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmarque.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Windows NT/2000/XP services
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
OfficeScanNT RealTime Scan: C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (autostart)
OfficeScanNT Personal Firewall: C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Trend Micro Filter: \??\C:\Program Files\Trend Micro\OfficeScan Client\TmFilter.sys (autostart)
OfficeScanNT Listener: C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Trend Micro VSAPI NT: \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys (autostart)
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
End of report, 6,920 bytes
Report generated in 0.141 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Safe mode scan
Logfile of HijackThis v1.99.1
Scan saved at 3:23:18 PM, on 5/15/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Lori\My Documents\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Battelle
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Thanks for any help you can provide.
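As an added triage example (not from this thread, and not part of HijackThis), the script below parses a StartupList report in the format posted above and flags the two things a reviewer would look at first: an executable running from a TEMP directory, which is the pattern the thread describes, and Run entries that give only a bare file name, which must be resolved to the real file on disk before they are trusted. The report text is a constructed excerpt of the one posted.

```python
import re

# Constructed excerpt in the shape of the StartupList report posted above (sample input only).
REPORT = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\TEMP\XK68E5.EXE
C:\WINNT\Explorer.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
IgfxTray = C:\WINNT\System32\igfxtray.exe
OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
GWMDMMSG = GWMDMMSG.exe
--------------------------------------------------
"""

# An executable launched from a TEMP/TMP directory is the pattern the thread describes.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

def sections(report):
    """Split the report on its dashed separators and yield (title, body lines)."""
    for chunk in re.split(r"(?m)^-{10,}[ \t]*$", report):
        lines = [l for l in chunk.strip().splitlines() if l.strip()]
        if lines:
            yield lines[0].rstrip(":"), lines[1:]

def image_path(value):
    """Return the executable part of a Run value: the quoted path, or the first token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split()[0]

def triage(report):
    """Return (finding kind, offending line) pairs for a StartupList report."""
    findings = []
    for title, lines in sections(report):
        if title == "Running processes":
            findings += [("temp-dir process", p) for p in lines if TEMP_DIR.search(p)]
        elif title == "Autorun entries from Registry":
            for line in lines:
                if " = " not in line:
                    continue  # the registry key header, not a name = value entry
                img = image_path(line.split(" = ", 1)[1])
                if TEMP_DIR.search(img):
                    findings.append(("temp-dir autorun", line))
                elif "\\" not in img:  # bare name: resolved via the search path, so locate the real file
                    findings.append(("bare-name autorun", line))
    return findings
```

On the posted log this flags C:\WINNT\TEMP\XK68E5.EXE, which appears as a running process but in none of the listed Run entries, so its persistence lives somewhere the default StartupList options do not show.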
-
May 16th, 2006, 08:18 AM
#5
Registered User
First things first: if you are running WinXP, turn System Restore off. Also, if it is XP, do you have Service Pack 2 installed? Download XCleaner and Ewido. Update Ewido but do not run it yet. Restart the PC in safe mode, then run XCleaner, Spybot and Ewido. If this is XP without Service Pack 2, go to Start > Control Panel > Administrative Tools > Services. Scroll down to Messenger, double-click it, stop the service, then disable it. Be sure to install Service Pack 2. Also download Windows Defender.
-
May 16th, 2006, 12:26 PM
#6
Sorry, I am only up to Win2000. How do I do it in the old system?
-
May 16th, 2006, 03:52 PM
#7
Registered User
Did you try the BitDefender option?
-
May 18th, 2006, 06:40 AM
#8
Could not get through an online scan due to the slow connection and problems. The problems got real intense. I am going back to zero. Not sure if I am cross-doing the problem or had a dual infection. I am going to take the whole system down, install the protection (Ad-Aware, Spybot, AVG and SpywareBlaster), turn off the Messenger service and see what I've got from scratch. I will post HijackThis logs when I am back up.
-
May 18th, 2006, 08:27 AM
#9
Registered User
You might as well install nothing as install AVG.
In my opinion that's nothing more than a false sense of security.
-
May 19th, 2006, 05:50 AM
#10
 Originally Posted by Ferrit
You might as well install nothing as install AVG.
In my opinion that's nothing more than a false sense of security.
Do you have a recommendation for a good freeware AV? The problem seems to be a combination of the Messenger service being open (now closed) and just a lot of attacks while I was installing. But I would sure welcome a good recommendation for an AV.
-
May 19th, 2006, 09:05 AM
#11
Registered User
Everyone is entitled to their opinion and I respect that. I have been using AVG for over three years on my systems (5) at home and have not had a single problem. I believe using good judgement as to what you do and where you go on the web is just as important. Nothing protects 100%, and I don't care what product it is. I have seen them all at some point on my clients' PCs become infected over the years. Enough said; try AVG, see how it works, and I hope you get your system back up.
It's not the computers that keep having problems, it's the users!! 
-
May 19th, 2006, 10:14 AM
#12
Thanks, the system is up and appears to be fine, for the moment at least. I have also had good experience with AVG but am always willing to hear new information. I will advise of my experiences with this installation as it comes to pass.
-
May 19th, 2006, 12:03 PM
#13
Registered User
I have seen more trouble with AVG on customers' computers than with any other AV, especially with the free version. I agree with Ferrit.