msn picture virus?

i.man

Hello everyone,

Earlier today I received a message saying something along the lines of "Check out this picture I found of you: whateveritwas.com/thing.jpg"

Not knowing it was .exe, I clicked it, and it downloaded some unrelated picture. I went digging through the 'msconfig' and the system32 folder and found an application file in both created just after the time I clicked the link. It's called '^^^^^^.exe'

When I run MSN messenger, it sends the same link to online contacts and then causes MSN to close through a critical error. I'm currently running a virus check through different programs.

Any help will be greatly appreciated. Thanks.
 
I did the same thing - my friend on MSN sent me an IM 'Is this your pic?' with a weird smilie with a crooked mouth.. and a link to "msn.galleries.com/(something like awesomewebspace)=(my MSN email address)" I did actually google "awesome web space" (or whatever it was) to see if it was a genuine website, and it showed as a free webhosting site so I thought it was ok.. I guess not!

I downloaded the virus removal tool that was on Technibble and I am not sure if it worked - I can't find any of the files that it tells you to delete, which is good.. but I still don't have my desktop back, just the desktop picture. Every time I reboot the computer, I get the Windows desktop for about 20 seconds (can't click anything while it's up) and then I get a small window asking if I want to run 'msn.com' because it's from an unknown source - I say no! Then the desktop disappears and I just get my desktop picture again. The only way I can get to anything on my computer is through taskmanager and 'run'. Everything works, although I can't get to my 'control panel' through the start menu folder, as it isn't showing.. I don't know what else to do! I have Spybot Search and Destroy, McAfee, Norton AND some PC Doctor thing on my computer and none of them have removed whatever it is that is killing my computer. Please help!!


*added* I thought I would also let you know what spybot keeps doing. Not all the time, but when it gets going, it won't stop. It asks if I want a programme changing a startup file. Of COURSE I say no.. unless it's spybot itself changing something. So I say no to this specific one, and it keeps denying it over and over again for.. pretty much as long as it wants until I have to reboot the computer. Right now it's been going for about ten minutes, probably more than once a second. It is a little box called 'Resident' (I took a screen shot but you can only add url pics on this forum, not upload them) and it says 'Registry change denied Identified as: User decision. Resident denied the change of {7D6CEB82-280C-44E1-BE4A-B6E21B23F8DC} (category Browser Helper Object) based on your black list'
What?! I have NO idea what that means, but it may be of more help to the techs.


thanks...
 
MSN Virus Cleaning tool.

Download http://www.forospyware.com/Msncleaner/MsnCleaner.zip and save to your Desktop. In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.
  • Extract (unzip) the file to your desktop but DO NOT use it yet.
  • Reboot your computer in Safe Mode using the F8 method.
  • Double-click MsnCleaner.exe to run the tool.
  • Click the Analyze button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt
  • If it finds an infection, click the Deleted button.
  • Reboot normally.
  • If you still need help post the contents of MsnCleaner.txt here.
 
Thanks for your help. I did everything you suggested, but it picked up nothing. The MSNCleaner text had this:

- Logfile MSNCleaner 1.6.2 by (had to take out url as I haven't made enough posts) w w w .forospyware. com
- Created Logfile: 3/04/2008 on 5:27:43 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 0
Deleted file: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>

Nothing has changed, I still don't have my Windows desktop :(
 
If you've lost your desktop that sounds like a smitfraud infection. Try using SmitFraudFix.

http://siri.geekstogo.com/SmitfraudFix.php
 
I tried the smitfraudfix but it didn't seem to change anything, other than removing my desktop picture. I am still having the same problems. I ran the FixVundo removal tool programme, it said it removed the trojan the first time I used it, but McAfee still warns me that it is there. I can't quarantine it, so it says to reboot and it will remove the trojan. I reboot, McAfee just gives me the 'trojan found' warning again.

When I run the FixVundo Removal Tool it gives me the following error:

Microsoft Visual C++ Runtime Library

Runtime Error

Program: C:/(blah blah)FixVundo.exe

R6034

An application has made an attempt to load the C Runtime Library incorrectly. Please contact the application's support team for more information.


I can still run the trojan remover, I am just not sure if the above error makes any difference to its performance.


Also, when I do reboot and Windows starts loading, two DOS screens come up but they are only up for a split second. I managed to half read one of them that said a file in system32 does not exist, but it goes SO quickly that there is no chance to actually read it, and I can't see the first DOS screen because the second screen is covering it and I can't even manage to read the second screen, let alone the first one!

I am not sure what else to do :( I have tried so many virus removers and scanners. FixVundo tells me there is no trojan there, McAfee tells me a trojan IS there but it won't remove it when it says it will if I reboot. The trojan file (ljJYomNH.dll) was in my system32 folder before FixVundo Removal tool first removed it, I even tried to delete it myself but it says programmes were using it so I can't delete it.. but now it isn't there. Is McAfee on drugs and just being mean to me?

I still don't have my Windows desktop :( I am going crazy! Would an axe be the next best option??

Thanks for all your help on this so far, I really do appreciate it!
 
Post a Hijackthis log so we can see what is going on and what is needed to fix it.

http://www.filehippo.com/download_hijackthis/

You may need to attach it.
  • Click the Post Reply button
  • Scroll down to Manage Attachments
  • A window will open up.
  • Click the Browse... button and find the file
  • Then double click it to add it.
  • Click the Upload button
  • Wait until you see the file in Current Attachments
  • Close the Manage Attachments window
  • The attachment will be added in the post.
 
Pop up screens don't seem to be working at the moment, so I can't attach anything :( So I am sorry for the LONG post...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:07 AM, on 8/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
 
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYAU
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11917 bytes
 
I see the MSN virus in the log. Sorry I have to munge the links as I don't have enough posts here yet.

Download MsnVirRem.exe to your desktop from one of the following mirrors.

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
http://www.greyknight17.com/spy/MsnVirRem.exe
  • First close any other programs you have running as this will require a reboot
  • Double click MsnVirRem.exe to run it
  • Once open, click the button labeled Search and Destroy
    • Your computer will now be scanned for Infected Files
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the REBOOT Button.
  • After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
  • A message should pop up from MsnVirRem; if not, double click the program again and it will finish
Please Post the contents of C:\msnvirrem.log along with a fresh HijackThis log
 
Run this first.

http://www.malwarebytes.org/mbam.php

Scroll down and click Download. There is a free and paid version, the free version works fine, it just doesn't offer real time protection.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please copy and paste the log into your next reply
Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt
Post a new Hijackthis log after that scan is complete and the computer has been restarted.
 
Don't breathe!! Don't look at my computer sideways... I think.. it might be fixed.....

I will attach the two logs.. just to be sure that it's clean.

The hijackthis log isn't dodgy - I had to save it as something else because this forum kept saying the file was not able to be uploaded so I c/p and made a new file to see if that worked.


Am I fixed??
 


Looks much better. Sorry for it to have taken so long, I will NEVER suggest or use the MSN virus cleaning tools again!!

There are still some entries to fix with the Hijackthis.

Open Hijackthis and select Do a system scan only then place a check mark next to: (if there)
  • R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
  • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  • O2 - BHO: (no name) - {035D61B5-6A2D-4ACD-9960-3BC8AAEAF219} - C:\WINDOWS\system32\urqOhHay.dll (file missing)
  • O2 - BHO: (no name) - {07B5D65F-F2F0-485C-92C9-9455B892615B} - C:\WINDOWS\system32\xxyyaARl.dll (file missing)
  • O2 - BHO: (no name) - {52D0CE38-26F4-47D4-8743-614765002BE1} - C:\WINDOWS\system32\iiffCsTL.dll (file missing)
  • O2 - BHO: (no name) - {61AFDC59-F0F6-4A85-82CE-BF2F82AE98F2} - C:\WINDOWS\system32\urqqnNdb.dll (file missing)
  • O2 - BHO: (no name) - {77D3A5B4-CFD1-4046-8909-7CD99A68311F} - (no file)
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O2 - BHO: (no name) - {AEC6D8FA-30C3-4D97-BE18-22FC1BAA4659} - C:\WINDOWS\system32\xxywVlLD.dll (file missing)
  • O2 - BHO: (no name) - {D3F34050-8E5B-462E-A2BE-609B017F65D1} - C:\WINDOWS\system32\ssqNFyWM.dll (file missing)
  • O2 - BHO: (no name) - {F4C3D175-CD44-4BEA-AC38-03A5ABEE00EC} - C:\WINDOWS\system32\mlJBUNEu.dll (file missing)
  • O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
  • O4 - HKLM\..\Run: [Windows live Messenger] msn.com
  • O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
  • O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
  • O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
  • O8 - Extra context menu item: &Search - ?p=ZKxdm021YYAU
Important: Close all browser windows except for Hijackthis and then click Fix checked.

----------

Now go to add remove programs and uninstall (if found)
  • Windows live Messenger <--This is not the right version. You can download the current safe version from here: http://join.msn.com/messenger
  • MyWebSearch Email Plugin
  • My Web Search Bar Search Scope Monitor
Note: Uninstall anything with My Web Search in the name.

----------

Now go into My Computer and locate and then delete this folder (if still there)
C:\Program Files\My Web Search

----------

Now run CCleaner slim (No Yahoo Toolbar). If you don't have CCleaner get it here.

http://www.ccleaner.com/download/builds/downloading-slim

----------

I would now suggest running SUPERAntiSpyware to see if there is anything else hiding.

http://www.filehippo.com/download_superantispyware/

----------

How is everything now?
 
I did everything you said and my computer looks pretty clean now.

I am SO grateful for your help, I definitely couldn't have done that by myself! If I wasn't over the other side of the world I would hug you! My best friend happens to be in Tulsa right now so I will tell her to hunt you down and give you a big hug from me.

Thank you again! You rock!!
 
Man, this stuff looks like gibberish to me. I am just getting into the hijack this logs, can you please direct me to the line in the log above so I can identify the MSN virus. I can't see it!!!!
 
I did everything you said and my computer looks pretty clean now.

My best friend happens to be in Tulsa right now so I will tell her to hunt you down and give you a big hug from me.

Thank you again! You rock!!

Thanks for hanging in there with me. The MSN cleaners were useless and slowed us down.

Tell your friend I'm right here!!!!!:D

A few more things to do, these are easy.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
Safe surfing.............


Man, this stuff looks like gibberish to me. I am just getting into the hijack this logs, can you please direct me to the line in the log above so I can identify the MSN virus. I can't see it!!!!

O4 - HKLM\..\Run: [Windows live Messenger] msn.com

It shouldn't show up like that. Instead of msn.com there should be a file path. C:\Program Files...........
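
The check described in the reply above, combined with the "(no file)" / "(file missing)" entries listed earlier in the thread, as an added example that is not part of the original posts: a Python triage pass over HijackThis log lines. The function and rule names are assumptions made for illustration, and the sample lines are excerpted from the logs posted in this thread. A Run entry without a path (stsystra.exe here) can be legitimate, so the result is a review list, not a verdict.

```python
import re

# Lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {035D61B5-6A2D-4ACD-9960-3BC8AAEAF219} - C:\WINDOWS\system32\urqOhHay.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# O4 registry autostart line: hive, value name in [brackets], then the command.
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Browser add-on entries whose backing file is gone: leftover registry keys.
ORPHAN = re.compile(r"^(?:R3|O2|O3|O9) - .*\((?:no file|file missing)\)$")


def program(cmd):
    """Return the program part of a Run command line.

    Quoted commands give the full quoted path. Unquoted paths may contain
    spaces, so only the first token is returned; that is enough to tell
    whether the entry starts with a drive or directory.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def has_path(prog):
    """True when the program is given with a drive or directory component."""
    return "\\" in prog or "/" in prog or ":" in prog


def triage(log_text):
    """Return (rule, detail) pairs for log entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ORPHAN.match(line):
            findings.append(("orphaned-entry", line))
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        prog = program(m["cmd"])
        if has_path(prog):
            continue
        # .com is an executable extension, so a bare "msn.com" is a program
        # name that reads like a web address.
        rule = "run-no-path-dot-com" if prog.lower().endswith(".com") else "run-no-path"
        findings.append((rule, f'{m["hive"]} [{m["name"]}] {prog}'))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```
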
 