Social Viruses

By , April 19, 2007 12:01 pm

Edit (April 30/07): This post has been generating a lot of traffic as the described worm virus spreads. For those looking for a solution, jump to the removal steps below (Step 1 onward).

When you manage a group of PCs in an Internet-connected network, one of the top concerns always ends up being security. This is no easy task, since there is an enormous amount of effort in the underground community to create software that can defeat whatever software you’re using to keep it out.

We’ve all heard the stories of how hackers exploit holes in the Windows operating system, and Microsoft’s solution to this (with Vista) is to prompt the user for nearly everything – which brings me to today’s point. Even the best-designed security system can (and likely will) fail at the user level.

There’s a virus worming itself around the Internet at the moment that exploits this relatively well. On an infected system it hijacks MSN Messenger, sending a message to all users on the contact list with rather innocent-seeming text. It asks them if they are appearing in a particular picture on a website, with a URL that plausibly seems to point to a social networking or photo hosting site. With the rising popularity of these kinds of sites (such as Facebook or MySpace) it’s almost forgivable to be duped by this. The particular message is ‘is that you on this photo [url not included] :o ’.

Of course, once the link is clicked and Internet Explorer loads the URL, an application is downloaded and executed on the victim’s system – instantly hooking itself into the operating system and loading a bundle of adware, virus and malware onto the PC. It then hijacks MSN on the new host PC and continues to spread in the same manner.
If your Windows PC is up to date with service packs and updates, Explorer will prompt you, asking if you want to execute this application – clicking ‘no’ leaves your PC unaffected.
Clicking ‘yes’ will run an application named ‘oo.exe’ which will place itself in multiple locations on the hard-drive, as well as a file called ‘Net’ that looks like an application installer.

For non-technical people, here’s where things get really ugly. Instantly the adware starts loading pop-ups on your screen, the malware attacks MSN and attaches itself into your OS, and finally a couple of viruses start stealing your personal information and trying to open a back door into the system to enable remote control of the PC. Other than the pop-ups, you’d have no way of knowing this was happening.

Some of the virus activity will be detected by Norton Antivirus (or another available product) and deleted; however, the other components (particularly the hook into the OS) go undetected. The virus that gets deleted will invariably be reloaded within a half-hour if you’re still connected online.
The easy solution? Immediately pull the plug on your Internet connection, back up your data to a CD, and perform a system restore before your PC joins the zombie army.

Anyone who has had to do this before knows it’s a huge pain to do a Windows restore, re-install your applications and recover your data. Now, before I get into the nitty-gritty geek details of the more difficult solution, let me just make a little prediction – with the shift in security focus from software to user on Vista, we’re going to see a lot more of these evil programs faking their way through, using the user themselves as the weakest link.

Ok, so you’ve got things to do and feel technically competent enough to take over where your security software failed. What follows is how I removed this particular threat from two PCs under my care. I make no guarantee that this will work for you, and cannot stress enough that you should make a backup of anything you don’t want to lose – one mistake and you could render your system unusable and be doing a system restore anyways!

Step 1) Reduce the Threat

Go to Add or Remove Programs in the Control Panel and uninstall Messenger. Next, you need to open the Task Manager (by pressing ctrl-alt-delete) and kill all running processes related to MSN Messenger (generally ‘msnmsgr.exe’). Follow this by opening your Program Files folder and renaming all MSN Messenger related folders to something else. Since we can’t easily shut down the virus on a live system (more on that in a minute) we need to do the next best thing and prevent it from being able to spread or reactivate itself further.

Step 2) Track Down the Source

From the Internet Options in the Control Panel, you need to clear your temporary files.
Next, you’re going to need a copy of a program called ‘HijackThis!’. Scan your system and look for a strangely named .dll file in the c:\windows\system32\ directory that is listed both as a BHO (browser helper object) and, further down, as being part of ‘Winlogon Notify:’. If you’re not familiar with the system32 directory they will all look like strange names, so make sure the file appears in both of the places listed above; on a normal system that would not be the case.

Write down the name of this file. These entries also gave me a clue as to how this threat operates.
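As an added example (not code from the original post), here is a small Python script that performs the Step 2 check over a saved HijackThis log: it collects every DLL path named in O2 (BHO) and O20 (Winlogon Notify) entries, reports the ones that appear in both sections and live in system32, and lists the log lines referencing that DLL so you know which entries to tick later. The sample log, the hypothetical xkqwjrtp.dll and its all-zero CLSID are constructed for illustration; the separator handling also accepts the en dashes this page shows in place of HijackThis’s " - ".

```python
import re
from collections import defaultdict

# HijackThis separates fields with " - "; WordPress rendered that as an en dash here.
FIELD_SEP = re.compile(r"\s[-\u2013]\s")
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s[-\u2013]\s")

# Constructed sample log (not a real capture). The hypothetical xkqwjrtp.dll sits in
# system32 and is listed both as a BHO (O2) and under Winlogon Notify (O20), which is
# exactly the pattern Step 2 tells you to look for.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\xkqwjrtp.dll
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: xkqwjrtp - C:\WINDOWS\system32\xkqwjrtp.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
"""

# A DLL present in only one of the two sections is not a hit (constructed from the
# pattern in the commenter's log, where avgwlntf.dll is a Winlogon Notify entry only).
CLEAN_LOG = r"""
O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O20 – Winlogon Notify: avgwlntf – C:\Windows\SYSTEM32\avgwlntf.dll
"""


def normalize(path):
    """Case-fold a Windows path so the same file matches across sections."""
    return path.strip().strip('"').replace("/", "\\").lower()


def dlls_by_section(log_text):
    """Map a HijackThis section code (O2, O20, ...) to the set of DLL paths it names."""
    found = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        path = normalize(FIELD_SEP.split(line)[-1])  # the path is always the last field
        if path.endswith(".dll"):
            found[m.group(1)].add(path)
    return found


def in_system32(path):
    return "\\system32\\" in normalize(path)


def suspicious_dlls(log_text):
    """DLLs under system32 that are both a BHO (O2) and a Winlogon Notify hook (O20)."""
    sections = dlls_by_section(log_text)
    both = sections["O2"] & sections["O20"]
    return sorted(p for p in both if in_system32(p))


def entries_for(log_text, dll_path):
    """Log lines that reference dll_path: the entries to tick in HijackThis in Step 6."""
    target = normalize(dll_path)
    return [raw.strip() for raw in log_text.splitlines()
            if normalize(FIELD_SEP.split(raw.strip())[-1]) == target]


if __name__ == "__main__":
    for dll in suspicious_dlls(SAMPLE_LOG):
        print("Write this name down:", dll)
        for entry in entries_for(SAMPLE_LOG, dll):
            print("   ", entry)
    print("Clean log hits:", suspicious_dlls(CLEAN_LOG))
```

Save the HijackThis log to a text file and feed its contents to suspicious_dlls(); an empty result means the log shows no DLL in both places, which is the situation the first commenter ran into.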

Step 3) Know Thine Enemy

By hooking into winlogon.exe, the virulent .dll tricks Windows into protecting it from deletion – even in safe mode. This key component of the Windows operating system runs in safe mode exactly as it does normally. You cannot terminate the winlogon.exe process without the system crashing or restarting, so Windows prevents you from doing this. Since you can’t terminate the process, you can’t delete the file while the system is running. Since you can’t delete it, it loads with the OS at startup no matter what you do.

Step 4) Take a cue from the Daleks: EXTERMINATE!

Now, here’s where things get a little tricky – you need to restart the PC with a Windows XP install CD. If you’re running a brand-name PC, you likely don’t have one; you’ll have a restore CD instead. This is not the same thing, and will be of no use for this purpose.
Be very-very careful at this point – selecting an incorrect option could render your system unusable, or erase all of your data!
Make sure you’re booting from the CD-ROM or DVD-ROM, not your hard-disc. Once everything is loaded you’ll be on a blue screen with three options – we want the second one, the Recovery Console. This will ask you which Windows installation you want to work with – in most cases there is just one, and you’ll enter 1, followed by your Administrator password when prompted.

This brings us to a command line reminiscent of DOS. Many old DOS commands work and will be used. First off, you need to type ‘cd system32’. Remember that file name we wrote down from ‘HijackThis!’ … type ‘del {filename.dll}’. That effectively kills the virus’ OS hook. Type ‘exit’ and reboot normally.

Step 5) Cross Your Fingers

After you logon, it might appear to take a little longer than usual – this is OK, Windows is looking for the file we deleted and happily cannot find it.

Step 6) Clean Up Afterwards

Now that we’re back up, run ‘HijackThis!’ again, and tick the box beside the two entries from before. Click ‘fix’ and when it’s done, run a scan again. If those two entries are gone, congratulations! Make sure your anti-virus is up-to-date and run a full system scan. If they didn’t go away, it’s likely you have either a different virus, or other issues as well.
Running a complete spyware scan with one or many utilities available would likely be prudent at this point as well.

You’ll have to download and reinstall Messenger to be able to use it again. Although I’ve tried to be as basic and concise as I can with these instructions, if you have doubts about any of these steps – just do the System Restore.

Step 7) Where To Go From Here

A few final technical notes – the virus generates several files in the system32 folder, which you’ll likely want to remove as well. Assuming you’re doing this right away after discovering the virus, sorting the files (in details view) by date should pop the recently created files to the top (or bottom). Check each one’s properties: if it doesn’t say it was created by Microsoft, and it was made on the same day as or after you got the infection, you can (probably) delete it. You will also want to do a search for ‘oo.exe’ – open the folder each occurrence appears in and delete it, as well as the Net application.

Did this help? I’ve recently edited the solution for clarity. Please leave a comment.

4 Responses to “Social Viruses”

  1. Keith Oh says:

    Hi Brian,

    I am one of the unlucky few to get stricken by this virus. I found your description very clear and hence could identify it.

    I have tried your solution but find no .dll which is listed as both BHO and Winlogon Notify when I used HijackThis! to scan.

    Here is my logfile, please assist:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:15:04 AM, on 22/1/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
    C:\Windows\System32\tp4serv.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9c.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.singnet.com.sg/webmail/login.php?cb=http%3A%2F%2Fwebmail.singnet.com.sg%2Fhome%2Findex.php%3F
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 – Hosts: ::1 localhost
    O2 – BHO: Adobe PDF Reader Link Helper – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 – BHO: ContributeBHO Class – {074C1DC5-9320-4A9A-947D-C042949C6216} – C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 – BHO: Adobe PDF Conversion Toolbar Helper – {AE7CD045-E861-484f-8273-0445EE161910} – C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 – Toolbar: Adobe PDF – {47833539-D0C5-4125-9FA8-0819E2EAAC93} – C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 – Toolbar: Contribute Toolbar – {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} – C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 – HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 – HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 – HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 – HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    O4 – HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 – HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 – HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
    O4 – HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
    O4 – HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 – HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 – HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 – HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 – HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 – HKLM\..\Run: [DiskeeperSystray] “C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe”
    O4 – HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    O4 – HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    O4 – HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
    O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
    O4 – HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath=”c:\swshare\firstrun.txt”
    O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
    O4 – HKLM\..\Run: [OfficeScanNT Monitor] “C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe” -HideWindow
    O4 – HKLM\..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
    O4 – HKLM\..\Run: [Acrobat Assistant 8.0] “C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe”
    O4 – HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 – HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 – HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 – HKCU\..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
    O4 – HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 – HKCU\..\Run: [Veoh] “C:\Program Files\Veoh Networks\Veoh\VeohClient.exe” /VeohHide
    O4 – HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
    O4 – HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
    O4 – HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
    O4 – HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
    O4 – HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
    O4 – HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
    O4 – Global Startup: Bluetooth.lnk = ?
    O4 – Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 – Extra context menu item: Append to existing PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 – Extra context menu item: Convert link target to Adobe PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 – Extra context menu item: Convert link target to existing PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 – Extra context menu item: Convert selected links to Adobe PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 – Extra context menu item: Convert selected links to existing PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 – Extra context menu item: Convert selection to Adobe PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 – Extra context menu item: Convert selection to existing PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 – Extra context menu item: Convert to Adobe PDF – res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 – Extra context menu item: Send image to &Bluetooth Device… – C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 – Extra context menu item: Send page to &Bluetooth Device… – C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 – Extra button: @btrez.dll,-4015 – {CCA281CA-C863-46ef-9331-5C8D4460577F} – C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 – Extra ‘Tools’ menuitem: @btrez.dll,-12650 – {CCA281CA-C863-46ef-9331-5C8D4460577F} – C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O13 – Gopher Prefix:
    O16 – DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) – http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 – DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) – http://messenger.zone.msn.com/EN-SG/a-UNO1/GAME_UNO1.cab
    O16 – DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) – http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
    O17 – HKLM\Software\..\Telephony: DomainName = stu.nus.edu.sg
    O17 – HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
    O20 – Winlogon Notify: avgwlntf – C:\Windows\SYSTEM32\avgwlntf.dll
    O23 – Service: Adobe Version Cue CS3 – Adobe Systems Incorporated – C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 – Service: AVG7 Alert Manager Server (Avg7Alrt) – GRISOFT, s.r.o. – C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 – Service: AVG7 Update Service (Avg7UpdSvc) – GRISOFT, s.r.o. – C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 – Service: AVG7 Resident Shield Service (AvgCoreSvc) – GRISOFT, s.r.o. – C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 – Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) – Apple Computer, Inc. – C:\Program Files\Bonjour\mDNSResponder.exe
    O23 – Service: Diskeeper – Diskeeper Corporation – C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 – Service: FLEXnet Licensing Service – Macrovision Europe Ltd. – C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 – Service: Google Updater Service (gusvc) – Google – C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 – Service: ThinkPad PM Service (IBMPMSVC) – Lenovo – C:\Windows\system32\ibmpmsvc.exe
    O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 – Service: IPS Core Service (IPSSVC) – Lenovo Group Limited – C:\Windows\system32\IPSSVC.EXE
    O23 – Service: OfficeScanNT RealTime Scan (ntrtscan) – Trend Micro Inc. – C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 – Service: System Update (SUService) – Lenovo Group Limited – C:\Program Files\Lenovo\System Update\SUService.exe
    O23 – Service: ThinkVantage Registry Monitor Service – Lenovo Group Limited – C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 – Service: OfficeScan NT Listener (tmlisten) – Trend Micro Inc. – C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 – Service: OfficeScan NT Proxy Service (TmProxy) – Trend Micro Inc. – C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 – Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) – Lenovo. – C:\Windows\System32\TPHDEXLG.exe
    O23 – Service: On Screen Display (TPHKSVC) – Unknown owner – C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    O23 – Service: TVT Backup Protection Service – Unknown owner – C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 – Service: TVT Backup Service – Lenovo Group Limited – C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 – Service: TVT Scheduler – Lenovo Group Limited – c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 – Service: tvtnetwk – Unknown owner – C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    O23 – Service: XAudioService – Conexant Systems, Inc. – C:\Windows\system32\DRIVERS\xaudio.exe
    End of file – 13150 bytes

    Thank you so much for your help thus far!

    Best Regards,
    Keith

  2. Brian Cantin says:

    It is quite possible that variations of this virus have cropped up since April of last year – I see nothing from your HijackThis log that jumps out at me as a problematic thing. Most of the more unusual entries appear to be portions of the IBM ThinkPad default software.

    I see you’re also running Vista with AVG and Windows Defender – both of these programs now pick up the virus I described in my article, and the systems in question were running XP.

    Sorry I cannot be of much help on this one from the info provided – if you gave me a list of running processes it might be of use.

  3. Keith Oh says:

    Thanks Brian for your swift reply. I am pretty worried about my system crashing as I am using it for school work, which I cannot lose.

    What happened was pretty much how you described it. A friend sent me a link through MSN and I clicked it unknowingly, thinking it was truly a picture that she wanted me to view. However, it started running unknown to me until I had friends asking me what I was sending them unknowingly. I immediately quit my MSN and haven’t logged in since.

    I have followed your instructions to uninstall it and rename the MSN folder. However, I am stuck because I find nothing on my HijackThis! log.

    Here’s my list of running processes:
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
    C:\Windows\System32\tp4serv.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
    C:\Program Files\ThinkVantage\AMSG\Amsg.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9c.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    Really hope you can help, thanks once again!

    Best Regards

  4. Brian Cantin says:

    Unfortunately there are many variations of this virus out there now, and these instructions are very specific to the particular one listed. New variants do not seem to be leaving the same telltale tracks. Make sure you keep your antivirus up-to-date and scan your system once a week.
