Windows Live Messenger Contact Window Popup


  • This topic is locked
25 replies to this topic

#1 ragjaws
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 09 March 2008 - 12:12 AM

I have a Windows XP Pro SP2 operating system. I am getting a popup from two Windows Live Messenger contacts to open a link to a website. These contacts are never online, and then a window will pop up showing they have signed in and another asking to open a link. Please see the following pics; as you can see it is from two different contacts so far. I have cleaned my computer with Spybot, Ad-Aware 2007, AVG Anti-Spyware, SUPERAntiSpyware, CCleaner and Cleanup. Hope you can help.

http://www.flickr.com/photos/7317384@N06/2320469336/

http://www.flickr.com/photos/7317384@N06/2319657377/

http://www.flickr.com/photos/7317384@N06/2319657397/

http://www.flickr.com/photos/7317384@N06/2320469408/


#2 Teenage.Zombiee
  • Members
  • 831 posts
  • Gender:Female
  • Location:Western Sydney, Australia.

Posted 09 March 2008 - 12:50 AM

I was getting those from contacts.
It's not you who is infected. It's them.

My advice is to block them. Or send them a very threatening email about getting their computer disinfected.

Teenage.Zombiee is back ! :halloween:


#3 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 09 March 2008 - 07:41 AM

I was getting those from contacts.
It's not you who is infected. It's them.

My advice is to block them. Or send them a very threatening email about getting their computer disinfected.

Thanks for such a quick response. One of these contacts is my daughter, so I just spent a good part of the night cleaning her computer.

I am still getting the popups.

One thing I did not mention is that my wife is also getting these popups on her laptop, which is running Windows Vista Home Basic. I have also used the same methods to clean her laptop.

#4 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 09 March 2008 - 09:00 AM

I just spent a good part of the night cleaning her computer.
I am still getting the popups.

What programs did you use to clean up the computer?



#5 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 09 March 2008 - 11:26 AM

I just spent a good part of the night cleaning her computer.
I am still getting the popups.

What programs did you use to clean up the computer?

Initially I used Cleanup 4.0, then CCleaner. I went into Safe Mode (therefore not on the internet) and ran Spybot until it showed no infections. I restarted and ran Ad-Aware 2007 in Normal mode because the fonts are difficult to see in Safe Mode. I went back into Safe Mode and ran AVG Anti-Spyware, restarted back into Safe Mode and ran SUPERAntiSpyware.

Again I ran most of these a couple times to ensure no possible infections.

While sitting here typing this I got another popup.

Edited by ragjaws, 09 March 2008 - 11:26 AM.


#6 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 10 March 2008 - 06:34 PM

Any suggestions anyone??

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 March 2008 - 06:54 PM

Get the infected computer to reinstall Messenger. That should get rid of the hijacking.

#8 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 10 March 2008 - 07:17 PM

Thanks will try that and get back to you

#9 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 12 March 2008 - 07:59 AM

Well, I thought it was licked because I had no problems all day yesterday after reinstalling Windows Live Messenger. But first thing this morning, while working on my daughter's computer with my login, another popup occurred.

Edited by ragjaws, 12 March 2008 - 07:59 AM.


#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 March 2008 - 09:15 AM

Well, since the hijack was not removed by a reinstall, it is probably running as a .exe or as an extension under the Messenger. We will take a process and dll (process extension) list of the messenger program.

The following should be done on the infected computer.
  • Please download HijackThis to your desktop. No install is needed.
  • Open HJT. You will be brought to a window to choose functions. Select "Misc Tools Section". Select "Process Manager".
  • You should now be at a list of the running processes, similar to Task Manager. Find the process "msnmsgr.exe". Click on it. Check the box that says "Show dlls". A smaller pane will appear under the process list to show the extensions of "msnmsgr.exe".
  • Click the briefcase button to copy the list onto your clipboard. You will receive a message saying that the list has been copied. Paste the list back here in your next post.
Please DO NOT use the other functions of HJT without being instructed. It could seriously damage your computer.

UPDATE: The infection has been identified as W32/Sohanad.B Worm. After your next response, we will run a removal tool.

Edited by PropagandaPanda, 12 March 2008 - 11:42 AM.


#11 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 12 March 2008 - 05:58 PM

Thanks here is the Process List


Process list saved on 6:57:06 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
668 D:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
760 D:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
808 D:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
820 D:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
980 D:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1408 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1428 D:\Program Files\Ahead\InCD\InCDsrv.exe 4.2.4.2 Ahead Software AG
1896 D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe 7.0.2.6 Lavasoft
1912 D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 4.7.1098.0 ALWIL Software
1964 D:\Program Files\Alwil Software\Avast4\ashServ.exe 4.7.1098.0 ALWIL Software
396 D:\WINDOWS\system32\LEXBCES.EXE 7.1.0.0 Lexmark International, Inc.
420 D:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
472 D:\WINDOWS\system32\LEXPPS.EXE 7.1.0.0 Lexmark International, Inc.
616 D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 1.14.0.0 Apple, Inc.
636 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
720 D:\Program Files\LogMeIn\x86\RaMaint.exe 4.0.0.680 LogMeIn, Inc.
1164 D:\Program Files\LogMeIn\x86\LogMeIn.exe 3.0.0.596 LogMeIn, Inc.
1312 D:\WINDOWS\system32\nvsvc32.exe 6.14.10.9371 NVIDIA Corporation
1572 D:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1832 E:\My Documents\UltraVNC\WinVNC.exe 1.1.0.2 UltraVNC
1584 D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 4.7.1098.0 ALWIL Software
1792 D:\Program Files\Alwil Software\Avast4\ashWebSv.exe 4.7.1098.0 ALWIL Software
3276 D:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
3532 D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 4.7.1098.0 ALWIL Software
3544 D:\Program Files\Microsoft IntelliPoint\ipoint.exe 5.5.662.0 Microsoft Corporation
3552 D:\Program Files\LogMeIn\x86\LogMeInSystray.exe 3.0.0.596 LogMeIn, Inc.
3628 D:\Program Files\iTunes\iTunesHelper.exe 7.6.1.9 Apple Inc.
3636 D:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
3736 D:\Program Files\Hamachi\hamachi.exe 1.0.2.4 LogMeIn Inc.
928 D:\Program Files\iPod\bin\iPodService.exe 7.6.1.9 Apple Inc.
3764 D:\Program Files\Windows Live\installer\WLSetupSvc.exe 12.0.1471.1025 Microsoft Corporation
2600 D:\Program Files\Windows Live\Messenger\msnmsgr.exe 8.5.1302.1018 Microsoft Corporation
996 D:\Program Files\Windows Live\Messenger\usnsvc.exe 8.5.1302.1018 Microsoft Corporation
6152 D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe 6.0.50.13 Sun Microsystems, Inc.
3836 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe 8.1.0.421 Yahoo! Inc.
6648 D:\Program Files\Internet Explorer\iexplore.exe 7.0.6000.16608 Microsoft Corporation
4884 D:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3427 RealNetworks, Inc.
6980 D:\hjt\HiJackThis_v2.exe 2.0.0.0 Trend Micro Inc.


DLLs loaded by process D:\Program Files\Windows Live\Messenger\msnmsgr.exe:

[full path to filename] [file version] [company name]
D:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 Microsoft Corporation
D:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\RPCRT4.dll 5.1.2600.3173 Microsoft Corporation
D:\WINDOWS\system32\GDI32.dll 5.1.2600.3159 Microsoft Corporation
D:\WINDOWS\system32\USER32.dll 5.1.2600.3099 Microsoft Corporation
D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll 8.0.-14809.1433 Microsoft Corporation
D:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WSOCK32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\SHELL32.dll 6.0.2900.3241 Microsoft Corporation
D:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.3020 Microsoft Corporation
D:\WINDOWS\system32\ole32.dll 5.1.2600.2726 Microsoft Corporation
D:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3266 Microsoft Corporation
D:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\MSNCore.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\urlmon.dll 7.0.6000.16608 Microsoft Corporation
D:\WINDOWS\system32\iertutil.dll 7.0.6000.16608 Microsoft Corporation
D:\WINDOWS\system32\WININET.dll 7.0.6000.16608 Microsoft Corporation
D:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 Microsoft Corporation
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll 6.0.2900.2982 Microsoft Corporation
D:\WINDOWS\system32\OLEACC.dll 4.2.5406.0 Microsoft Corporation
D:\WINDOWS\system32\MSVCP60.dll 6.2.3104.0 Microsoft Corporation
D:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
D:\WINDOWS\system32\IMM32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 Microsoft Corporation
D:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\msidcrl40.dll 4.100.313.1 Microsoft Corporation
D:\WINDOWS\system32\SensApi.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\ContactsUX.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\CRYPTNET.dll 5.131.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
D:\WINDOWS\system32\inetcomm.dll 6.0.2900.3198 Microsoft Corporation
D:\WINDOWS\system32\MSOERT2.dll 6.0.2900.2180 Microsoft Corporation
D:\WINDOWS\system32\inetres.dll 6.0.2900.2180 Microsoft Corporation
D:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308 Microsoft Corporation
D:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
D:\WINDOWS\system32\mlang.dll 6.0.2900.2180 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\msgslang.8.5.1302.1018.dll 8.5.1302.1018 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\msgsres.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\wtsapi32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 Microsoft Corporation
D:\WINDOWS\system32\es.dll 2001.12.4414.308 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\lcapi.dll 1.7.256.0 Microsoft Corporation
D:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 Microsoft Corporation
D:\WINDOWS\system32\DSOUND.dll 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\rasman.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\msdmo.dll 6.5.2600.2180
D:\Program Files\Windows Live\Messenger\lcres.dll 1.7.180.0 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\RTMPLTFM.dll 3.0.5774.0 Microsoft Corporation
D:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\msacm32.drv 5.1.2600.0 Microsoft Corporation
D:\WINDOWS\system32\midimap.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\quartz.dll 6.5.2600.3243
D:\WINDOWS\system32\DDRAW.dll 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\DCIMAN32.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\D3DIM700.DLL 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\dpnhupnp.dll 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\mswsock.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\schannel.dll 5.1.2600.3126 Microsoft Corporation
D:\WINDOWS\system32\msxml3.dll 8.90.1101.0 Microsoft Corporation
D:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\MSGSWCAM.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\sirenacm.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\ksuser.dll 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\RichEd20.dll 5.30.23.1228 Microsoft Corporation
D:\WINDOWS\System32\msimtf.dll 5.1.2600.2180 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\lmcdata.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 Microsoft Corporation
D:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
D:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\dssenh.dll 5.1.2600.2133 Microsoft Corporation
D:\WINDOWS\system32\ieframe.dll 7.0.6000.16608 Microsoft Corporation
D:\WINDOWS\system32\USP10.dll 1.420.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\msls31.dll 3.10.349.0 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\dfsr.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCP80.dll 8.0.-14809.1433 Microsoft Corporation
D:\WINDOWS\system32\ESENT.dll 5.1.2600.2780 Microsoft Corporation
D:\WINDOWS\system32\wmvcore.dll 11.0.5721.5145 Microsoft Corporation
D:\WINDOWS\system32\WMASF.DLL 11.0.5721.5238 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\custsat.dll 9.0.3790.2428 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\abssm.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\wmadmod.dll 11.0.5721.5145 Microsoft Corporation
D:\WINDOWS\system32\mfplat.dll 11.0.5721.5145 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\usnsvcps.dll 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\jscript.dll 5.7.0.5730 Microsoft Corporation
D:\WINDOWS\system32\netshell.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\credui.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 Microsoft Corporation
D:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\msi.dll 3.1.4000.4039 Microsoft Corporation
D:\WINDOWS\system32\mshtml.dll 7.0.6000.16608 Microsoft Corporation
D:\Program Files\Yahoo!\Messenger\idle.dll 1.0.0.2 Yahoo! Inc.
D:\Program Files\Yahoo!\Messenger\MSVCR71.dll 7.10.3052.4 Microsoft Corporation
D:\WINDOWS\System32\ddrawex.dll 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\ImgUtil.dll 7.0.5730.11 Microsoft Corporation
D:\WINDOWS\system32\devenum.dll 6.5.2600.2180
D:\WINDOWS\system32\ksproxy.ax 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\kswdmcap.ax 5.3.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\MFC42.DLL 6.2.4131.0 Microsoft Corporation
D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGSC8~1.DLL 8.5.1302.1018 Microsoft Corporation
D:\WINDOWS\system32\vbscript.dll 5.7.0.5730 Microsoft Corporation
D:\Program Files\Windows Live\Messenger\contact.dll 8.5.1302.1018 Microsoft Corporation
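
The listing above is the kind of data a responder reads by hand, line by line, looking for a module that does not belong in a Messenger process. The script below is an added example (not code from the thread, from HijackThis or from the Malware Response Team) that automates that first pass over text in the same layout ("[full path to filename] [file version] [company name]"): it flags modules loaded from outside the directories a Messenger client should be pulling code from, non-Microsoft modules sitting inside the Windows directory, and 8.3 short paths that must be expanded before the directory check means anything. It assumes the Windows directory is <drive>\Windows on the drive the host process runs from, and lets the caller trust extra vendor directories (the posted listing legitimately loads Yahoo! Messenger's idle.dll, for instance). SAMPLE_LISTING is constructed for the example; its Temp\svhost.dll and hook32.dll lines are invented hits, not anything seen on the poster's machine.

```python
"""Triage of a HijackThis "Process Manager" DLL listing (added example).

Assumptions, not from the page: Windows lives in <drive>\Windows of the
host process's drive; extra_trusted names vendor directories to accept.
SAMPLE_LISTING is constructed; the svhost.dll and hook32.dll lines are
invented to show what a hit looks like.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?"             # optional pid (process-list lines)
    r"(?P<path>.+?)\s+"                  # path; may contain spaces
    r"(?P<version>\d+(?:\.-?\d+)+)"      # version; HJT prints odd '-' forms too
    r"(?:\s+(?P<company>.+?))?\s*$"      # company name is optional
)
HEADER_RE = re.compile(r"^DLLs loaded by process (?P<exe>.+?):\s*$", re.I)

SAMPLE_LISTING = r"""
DLLs loaded by process D:\Program Files\Windows Live\Messenger\msnmsgr.exe:

[full path to filename] [file version] [company name]
D:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
D:\WINDOWS\system32\msdmo.dll 6.5.2600.2180
D:\Program Files\Windows Live\Messenger\MSNCore.dll 8.5.1302.1018 Microsoft Corporation
D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGSC8~1.DLL 8.5.1302.1018 Microsoft Corporation
D:\Program Files\Yahoo!\Messenger\idle.dll 1.0.0.2 Yahoo! Inc.
D:\Documents and Settings\user\Local Settings\Temp\svhost.dll 1.0.0.0
D:\WINDOWS\system32\hook32.dll 2.3.0.0 Example Tools Ltd
"""


@dataclass
class Module:
    path: str
    version: str
    company: Optional[str]
    reasons: List[str] = field(default_factory=list)   # empty means "nothing odd"


def _norm(p: str) -> str:
    return p.replace("/", "\\").rstrip("\\").lower()


def _dirname(p: str) -> str:
    return _norm(p).rsplit("\\", 1)[0]


def _under(d: str, roots: Iterable[str]) -> bool:
    return any(d == r or d.startswith(r + "\\") for r in roots)


def triage_listing(text: str, extra_trusted: Iterable[str] = ()) -> List[Module]:
    """Parse every module line; fill .reasons for the ones worth a closer look."""
    vendor_dirs = [_norm(d) for d in extra_trusted]
    windows_dirs: List[str] = []
    modules: List[Module] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):          # blank or column header
            continue
        hdr = HEADER_RE.match(line)
        if hdr:
            exe = _norm(hdr.group("exe"))
            vendor_dirs.append(_dirname(exe))          # the host's own directory
            windows_dirs = [exe.split("\\", 1)[0] + "\\windows"]   # assumed <drive>\Windows
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        mod = Module(m.group("path"), m.group("version"), m.group("company"))
        d = _dirname(mod.path)
        if "~" in mod.path:
            # 8.3 names hide the real directory; resolve them (dir /x) before judging.
            mod.reasons.append("8.3 short path; expand it before trusting the directory check")
        elif not _under(d, vendor_dirs + windows_dirs):
            mod.reasons.append(f"loaded from outside trusted directories: {d}")
            if mod.company is None:
                mod.reasons.append("no company name in the version resource")
        elif _under(d, windows_dirs) and mod.company and not mod.company.lower().startswith("microsoft"):
            # A third-party DLL inside the Windows directory is a classic drop location.
            mod.reasons.append(f"non-Microsoft module ({mod.company}) inside the Windows directory")
        modules.append(mod)
    return modules


def suspicious_modules(text: str, extra_trusted: Iterable[str] = ()) -> List[Module]:
    return [m for m in triage_listing(text, extra_trusted) if m.reasons]


if __name__ == "__main__":
    for m in suspicious_modules(SAMPLE_LISTING, extra_trusted=[r"D:\Program Files\Yahoo!\Messenger"]):
        print(m.path)
        for r in m.reasons:
            print("   -", r)
```

A missing company name on its own is deliberately not treated as a hit when the file sits in a trusted directory: the posted listing shows legitimate Microsoft DirectShow components (msdmo.dll, quartz.dll, devenum.dll) with no company string, so that signal only counts in combination with an untrusted location. The 8.3 hit on MSGSC8~1.DLL is the tool saying "I cannot tell", not "this is bad"; in the posted listing that file resolves to the Messenger directory.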

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 March 2008 - 11:00 AM

The MSNCleaner should take care of the infected computer. Thank you for your patience.
  • Download MsnCleaner.zip and save it onto your desktop.
  • Boot your computer into Safe Mode.
  • Open the zip file and run MsnCleaner_eng.exe. Select Analyze.
  • Select delete for any files it finds.
  • Reboot into normal mode and post the log back in your next post.
The log will be located in C:\.

Edited by PropagandaPanda, 14 March 2008 - 01:19 PM.


#13 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 14 March 2008 - 01:01 PM

Here is the list
- Logfile MSNCleaner 1.5.9 by www.forospyware.com
- Created Logfile: 3/14/2008 on 1:13:36 AM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 1
Deleted file: 1
Undeleted Files: 0

D:\WINDOWS\system32\tmp.txt <--- Deleted

Host file Restored

I ran an online virus scan (sysclean) on the computer after this and it came up clean

Edited by ragjaws, 14 March 2008 - 01:02 PM.
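
The line "Host file Restored" in the MSNCleaner log means the tool found a modified hosts file and overwrote it with a clean one. Before letting a cleaner do that, a responder usually wants to see what was changed, because the entries themselves are evidence: a hostname pointed at loopback or 0.0.0.0 is being blackholed (the usual way malware stops update or vendor sites from resolving), and a hostname pointed at some other address is being redirected. The script below is an added example, not code from the thread or from MSNCleaner, that classifies every active entry of a hosts file that way. The path is the standard %SystemRoot%\System32\drivers\etc\hosts location (on the poster's machine Windows is on D:, so adjust it); SAMPLE_HOSTS is constructed and its .example hostnames are placeholders.

```python
"""Classify the active entries of a Windows hosts file (added example).

Assumptions, not from the page: HOSTS_PATH is the standard location and
SAMPLE_HOSTS is constructed; the .example names are placeholders.
"""
import ipaddress
from typing import List, Tuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # assumed; thread's XP box uses D:\WINDOWS
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example      # constructed: blackholes an update host
0.0.0.0         www.av-vendor.example         # constructed: same effect via the unspecified address
10.0.0.5        messenger.example             # constructed: redirects a sign-in host elsewhere
not-an-ip       garbage
"""

Finding = Tuple[int, str, str, str]   # (line number, kind, hostname, address)


def classify_hosts(text: str) -> List[Finding]:
    """Return one finding per hostname: default, blackhole, redirect or malformed."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((lineno, "malformed", line, ""))
            continue
        if len(parts) == 1:
            findings.append((lineno, "malformed", line, str(addr)))
            continue
        for name in parts[1:]:
            if addr.is_loopback and name.lower() in DEFAULT_NAMES:
                kind = "default"                   # the lines a stock file carries
            elif addr.is_loopback or addr.is_unspecified:
                kind = "blackhole"                 # name can no longer be reached
            else:
                kind = "redirect"                  # name resolves to an attacker-chosen host
            findings.append((lineno, kind, name.lower(), str(addr)))
    return findings


def tampered_entries(text: str) -> List[Finding]:
    """Everything a clean Windows hosts file would not contain."""
    return [f for f in classify_hosts(text) if f[1] != "default"]


def load_hosts(path: str = HOSTS_PATH) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for lineno, kind, name, addr in tampered_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:9s} {name} -> {addr}")
```

Record the tampered entries (and a copy of the file) before restoring it; the blackholed hostnames tell you which vendors' update or removal tools were being blocked, which is worth knowing when a "clean" scan result comes from a product that could not update.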


#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 March 2008 - 01:21 PM

tmp.txt is a text file. It is unlikely that it was the cause of the infection, though a tmp file in system32 is suspicious.

I'll look through the process log right now.
The processes and dlls under MSN look clean.

If the infection is no longer present, please set your system restore point to past the disinfection date and delete previous restore points.

If the problem still occurs, we will run more scans.

Edited by PropagandaPanda, 14 March 2008 - 01:33 PM.


#15 ragjaws
  • Topic Starter
  • Members
  • 59 posts
  • Gender:Male
  • Location:Northern Ontario

Posted 14 March 2008 - 03:17 PM

Thanks for all your help...will continue to monitor it



