Can't delete MSN Worm

Discussion in 'Malware Help (A Specialist Will Reply)' started by drummerboy4, Feb 16, 2008.

  1. drummerboy4

    drummerboy4 Private E-2

I recently accepted a file from a friend without thinking of what it could be. It said "Do you mind if I put this picture of us on facebook?" and since it was from a friend, I accepted. Well, when I accepted, it didn't open a picture, but it did install a worm on my system. Now my MSN sends out messages to my friends asking them similar things. I've looked at the different threads on this site already, as well as other sites, and I can't fix it. I've also reinstalled my MSN Messenger. Does anyone know anything to do? Thanks, all help is appreciated.
     

  2. abri

    abri MajorGeek

    Hi drummerboy4,
    Welcome to Major Geeks!


    I'm looking at your logs, but there are a couple of questions I have to look into before I post your instructions to you. This can take time, so thanks for being patient.

    abri
     
  3. abri

    abri MajorGeek

    Hi drummerboy4
    Welcome to Major Geeks!

    Do you know what the following files are? Do they belong to something to do with land use?

    C:\Documents and Settings\All Users\Application Data\xml16F.tmp
    C:\Documents and Settings\All Users\Application Data\xml170.tmp
    C:\Documents and Settings\All Users\Application Data\xml171.tmp

    Please continue as follows:

    1) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Next we need to delete an NT Service and then fix some entries with HijackThis.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Print Spooler Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste na7o2kmyda into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tuvfczs] C:\WINDOWS\system32\tuvfczs.exe
    O4 - HKLM\..\Run: [nlylabtj] C:\WINDOWS\system32\nlylabtj.exe
    O4 - HKLM\..\RunServices: [nlylabtj] C:\WINDOWS\system32\nlylabtj.exe
    O4 - HKLM\..\RunServices: [tuvfczs] C:\WINDOWS\system32\tuvfczs.exe
    O23 - Service: Print Spooler Service (na7o2kmyda) - Unknown owner - C:\WINDOWS\system32\tuvfczs.exe

    After you click fix, just close hijackthis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
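    The GUI steps in 5) above, written out as a PowerShell script. This is an added example and is not part of the original thread, HijackThis or The Avenger. The service name, the two value names and the file paths come straight from the O4 and O23 lines quoted in this post; the registry key paths, the use of sc.exe and the verification at the end are my own. Only the randomly named entries and the bogus service are touched here: the QuickTime, Java update and RealPlayer lines are ordinary startup items the helper chose to trim, not malware. Run it from an elevated prompt (on XP, as Administrator), and, as post 7 suggests for the stubborn case, with the network cable unplugged and antivirus paused so nothing restores the entries while you remove them.

```powershell
# Added example, not from the MajorGeeks thread. Identifiers below marked
# "from the log" are the ones in the HijackThis lines quoted in post 3;
# everything else is an assumption for illustration.
# Windows PowerShell 2.0-5.1 (Get-WmiObject); on PowerShell 7 use Get-CimInstance.

$ServiceName = 'na7o2kmyda'                 # O23 service name from the log
$RunValues   = @('tuvfczs', 'nlylabtj')     # O4 Run / RunServices value names from the log
$Binaries    = @(
    "$env:SystemRoot\system32\tuvfczs.exe",  # from the log
    "$env:SystemRoot\system32\nlylabtj.exe"  # from the log
)
# On XP $env:ALLUSERSPROFILE is C:\Documents and Settings\All Users
$TempFiles   = @('xml16F.tmp', 'xml170.tmp', 'xml171.tmp') |
    ForEach-Object { Join-Path $env:ALLUSERSPROFILE "Application Data\$_" }

# 1. Sanity check before deleting anything. The genuine spooler is the
#    service named 'Spooler' running spoolsv.exe; the log's O23 line shows a
#    second "Print Spooler Service" pointing at tuvfczs.exe in system32.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -like '*Print Spooler*' } |
    Select-Object Name, DisplayName, PathName, State, StartMode |
    Format-Table -AutoSize

# 2. Stop and disable the bogus service, then delete it.
#    "sc.exe delete" is the command-line equivalent of HijackThis'
#    Config > Misc tools > Delete an NT Service.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $ServiceName -StartupType Disabled
    & sc.exe delete $ServiceName
} else {
    "Service $ServiceName not present"
}

# 3. Remove the autostart values (HKLM Run and RunServices, as in the O4 lines).
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($k in $Keys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($v in $RunValues) {
        if ($props -and ($props.PSObject.Properties.Name -contains $v)) {
            Remove-ItemProperty -Path $k -Name $v
            "Removed $k\$v"
        }
    }
}

# 4. Delete the dropped executables and the three tmp files.
#    A file that refuses to go is still mapped by a running process; that is
#    the case The Avenger's reboot-time deletion in step 6 is for.
foreach ($f in ($Binaries + $TempFiles)) {
    if (Test-Path -LiteralPath $f) {
        try   { Remove-Item -LiteralPath $f -Force; "Deleted $f" }
        catch { "Could not delete $f (in use?): $($_.Exception.Message)" }
    }
}

# 5. Verify, and run this part again after the reboot. Any line printed here
#    means something put the entry back, which is the situation post 7 describes.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) { "Service $ServiceName still exists" }
foreach ($k in $Keys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($v in $RunValues) {
        if ($props -and ($props.PSObject.Properties.Name -contains $v)) { "Value $v still in $k" }
    }
}
($Binaries + $TempFiles) | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "File still present: $_" }
```

    The order matters: stop and disable the service first, because the service binary is the same file as one of the Run entries, and deleting the file while the process is running only produces the "in use" error in step 4. Reboot once everything reports clean, then run step 5 a second time; a clean second pass is what tells you the autostart entries were not being re-created.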
     
  4. drummerboy4

    drummerboy4 Private E-2

    Well, first off I want to thank you for your help thus far, it's a life saver. But anyway, I'm not sure if I still have the worm as of now, because the only way I know I have it is if someone sends me a message telling me that the "picture" that the worm is sending won't open. As that hasn't happened yet, I really don't know if it is gone. But thanks for your help so far! For some reason, it's not giving me the button to attach files. Any idea why? Thanks.
     
    Last edited: Feb 17, 2008
  5. abri

    abri MajorGeek

    Hi drummerboy4,
    There are sometimes problems with attachments here. Please be sure the Remember Me button is checked when you log on. Also, it is helpful sometimes to empty your browser cache or to use a different browser. I think if you try again it will work.
    abri
     
  6. drummerboy4

    drummerboy4 Private E-2

    Here they are, I don't know why, I didn't change anything, but it's letting me attach now, so here goes. I hope these are the right files. Thanks.
     

  7. abri

    abri MajorGeek

    Hi drummerboy4,
    You missed my first question in post 3 about the tmp files.

    Please go to post 3 and rerun step 5 only this time try shutting down your computer, disconnecting from the internet, booting back up and disabling any antispyware and antivirus software that is running. All the entries are gone except for the service I asked you to disable and then the O23 entry that needs to be fixed with HijackThis once this service has been disabled. Something is preventing it from getting fixed.

    Let me know how this goes. Also, please have HijackThis (called analyse.exe) produce a log when you get done so I can see if that O23 line is actually gone. You can check it yourself, but let me know.

    Thanks.
    abri
     
  8. drummerboy4

    drummerboy4 Private E-2

    Well, first off, no, I do not know what those three files are. And secondly, I tried to run step 5 again, but all of the files were missing, including the O23 file. I'm sorry, but I'm lost. I've done everything that I thought I was supposed to do. And the HijackThis did nothing, so it didn't produce a log. Like there were no files to delete, so it did nothing.
     
  9. abri

    abri MajorGeek

    Hi drummerboy4,

    If the O23 line is gone from HijackThis, that is good.

    If these three files are still on your computer, please delete them:

    C:\Documents and Settings\All Users\Application Data\xml16F.tmp
    C:\Documents and Settings\All Users\Application Data\xml170.tmp
    C:\Documents and Settings\All Users\Application Data\xml171.tmp

    How are things going now?

    If things are running well and you don't have further malware symptoms, then you can go ahead with the final cleanup steps, which involve taking out the tools and logs you have on your computer from the cleanup steps.

     
  10. drummerboy4

    drummerboy4 Private E-2

    As far as I know, I have shown no symptoms of the worm lately. Thank you so much for helping me out with this, I was beginning to worry what else might have been in the worm (back door, trojan, etc.) so you have no idea how thankful I am. I love this site.
     
  11. abri

    abri MajorGeek

    Hi drummerboy4,
    I'm glad to hear it. I like this site too. :)
    Enjoy your computer and do read the How to protect yourself from malware thread.
    Happy surfing!
    abri
     
