Windows Live Messenger sending its own messages!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shaw963, Nov 30, 2007.

  1. shaw963

    shaw963 Private E-2

    Hi all, since yesterday I have had a problem with Windows Live where suddenly IM windows will begin to pop up from everyone on my contact list and my PC will send a message saying... wooow fantastic :)

    I have run Spybot, ComboFix and AVG, although AVG didn't save a report for some reason, though it did remove a lot!

    I will attach the logs and hope that someone will know if this is a virus. Many thanks!
     

    Attached Files:

  2. shaw963

    shaw963 Private E-2

    Just to add, I did do all the malware removal advice from this site and am still having the same problem. I now have all my contacts blocked lol, this way no messages can be sent to them.
    I did a search on Google for anyone else having this problem; only one turned up and that was from a Portuguese site. I had it translated but I couldn't really make much of what the replies were.

    If it can't be fixed I can format the PC, but would like to try and get rid of it first.

    Thanks guys, hope someone out there has a fix!!!!
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

    Step 2:
    Next, we need to remove a bad service…
    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft windows FTPd
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Microsoft windows FTPd into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Step 3:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 4:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 5: Begin here after rebooting from Step 4!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 6:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 7:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
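
    The service removal in Step 2 above, done from PowerShell, as an added example (this is not bjgarrick's procedure verbatim, nor a MajorGeeks or HJT tool). It assumes the service's Name or DisplayName is exactly the string shown in services.msc, "Microsoft windows FTPd"; the function names Get-SuspectService and Remove-SuspectService are this example's own. It inspects the service first (binary path and Authenticode signature), then stops, disables and deletes it in the same order as the steps above. Run it from an elevated prompt:

```powershell
# Added example; not from the thread or from MajorGeeks. Run from an elevated PowerShell prompt.
# Assumption: the rogue service's Name or DisplayName is the string shown in services.msc.

function Get-SuspectService {
    param([string]$Name = 'Microsoft windows FTPd')   # name quoted in the thread (assumed exact)

    # services.msc shows the DisplayName; sc.exe and HJT's "Delete an NT Service" want the
    # internal Name, so match on either and report both.
    Get-CimInstance Win32_Service | Where-Object {
        $_.Name -eq $Name -or $_.DisplayName -eq $Name
    } | ForEach-Object {
        # PathName may be quoted ("C:\x y\svc.exe" -args) or bare (C:\x\svc.exe -args).
        if ($_.PathName -match '^"([^"]+)"') { $binary = $Matches[1] } else { $binary = ($_.PathName -split ' ')[0] }

        # Real Windows services run from under %SystemRoot% and carry a valid Microsoft signature;
        # a "Microsoft" service from elsewhere, or unsigned, is the thing to remove.
        if ($binary -and (Test-Path -LiteralPath $binary)) {
            $sig = (Get-AuthenticodeSignature -FilePath $binary).Status
        } else {
            $sig = 'FileMissing'
        }

        [pscustomobject]@{
            Name         = $_.Name
            DisplayName  = $_.DisplayName
            State        = $_.State
            StartMode    = $_.StartMode
            Binary       = $binary
            InSystemRoot = $binary -like "$($env:SystemRoot)\*"
            Signature    = $sig
        }
    }
}

function Remove-SuspectService {
    param([Parameter(Mandatory)][string]$Name)   # internal service Name from Get-SuspectService

    # Same order as the thread: stop, set to Disabled, then delete the service entry.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $Name -StartupType Disabled

    # sc.exe delete is the equivalent of HJT's "Delete an NT Service"; if anything still holds
    # a handle, the service is only marked for deletion and vanishes on the next reboot.
    & sc.exe delete $Name | Out-Null

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path -LiteralPath $key) {
        Write-Warning "$Name is marked for deletion; it will be gone after a reboot."
    } else {
        Write-Output "$Name removed."
    }
}

# Inspect first; remove only once the binary path and signature confirm it is not a genuine service.
Get-SuspectService | Format-List
# Remove-SuspectService -Name (Get-SuspectService).Name
```

    The reboot that the thread schedules after Avenger in Step 4 is what completes a deferred sc.exe delete, so a warning from Remove-SuspectService is expected and not a failure; check the Services key again after that reboot.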
     
  4. shaw963

    shaw963 Private E-2

    Wow Bj, ty sooooo much for your help... I did everything you said and will attach the files. After I had posted, my browsers were failing badly, but now they are running all good again and so far no random messages are being sent on Windows Live lol

    The only problem I have since doing your steps is that Java won't work. I have uninstalled it and re-installed, both Sun Java and the VM, but the site that I play games on is saying that my Java either isn't installed or isn't working. Well, I know it's installed and it's checked in Internet Options, but no games will load.

    Any ideas are welcome lol, but again ty so much for fixing me up, you're a star :)
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, have HJT fix the below entries...

    Next, we need to run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. shaw963

    shaw963 Private E-2

    I did all that, but when I ran HJT the following weren't on the list that you asked me to check:

    O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
    O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
    O4 - HKCU\..\Policies\Explorer\Run: [autocheck.exe] 12/01/2007, 10:50 AM

    I did all the others, but those options weren't there.
     

    Attached Files:
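
    The O4 lines quoted in the post above are HijackThis shorthand for values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. The following is an added example (not from the thread, and not an HJT or MajorGeeks tool) that reads that key and the other common Run keys directly, so the presence of the three value names can be confirmed straight from the registry, and removes them by name if they are there. The key list and the function names Get-AutorunEntry / Remove-AutorunEntry are this example's own choices:

```powershell
# Added example; not from the thread and not a HijackThis or MajorGeeks tool.
# Assumption: the key list below covers what the thread's O4 lines refer to plus the
# two ordinary Run keys; the function names are this example's own.

# HJT prints "HKCU\..\Policies\Explorer\Run" as shorthand for the first key here.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunEntry {
    # One object per registry value, in the same Key / [Name] / Command shape as an O4 line.
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            [pscustomobject]@{
                Key      = $keyPath
                Name     = $name
                Command  = $cmd
                # A bare file name with no directory (NTSecurity.exe, NTSpool.exe above) is resolved
                # through the search path at logon; legitimate entries almost always carry a full path.
                BarePath = ($cmd -ne '') -and ($cmd -notmatch '[\\/:]')
            }
        }
    }
}

function Remove-AutorunEntry {
    param([Parameter(Mandatory)][string[]]$ValueName)
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $ValueName) {
            # -contains is case-insensitive, matching how registry value names are compared.
            if ($key.GetValueNames() -contains $name) {
                Remove-ItemProperty -LiteralPath $keyPath -Name $name
                Write-Output "Removed [$name] from $keyPath"
            }
        }
    }
}

Get-AutorunEntry | Format-Table -AutoSize
# Value names from the three O4 lines in the post above:
# Remove-AutorunEntry -ValueName 'NTSecurity', 'NTSpool', 'autocheck.exe'
```

    Removing the value only stops the program from being launched at logon; the executable it points to is still on disk and should be submitted or deleted separately, which is what the Avenger script and the Jotti scan in the following posts are for.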

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  8. shaw963

    shaw963 Private E-2

    Sorry, the MGlog is also attached.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let's scan a file online that I can't find anything on.

    Go to this site: http://virusscan.jotti.org

    Upload the below file and have it scanned, once complete post the results back.

    Also, please run the online scan below.

    Panda ActiveScan

    When it finishes the scan click on See Report . Then in the next window click Save Report. The default report name is Activescan.txt. Just save it where you can find it so you can attach to your next post.

    Once you complete the scans above, run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  10. shaw963

    shaw963 Private E-2

    OK, the Panda ActiveScan didn't work; it scanned but then kept linking me to buy it to get a report.

    The Jotti virus scan went fine:

    MD5: 54e1829d903f680620123b44bd4a460a
    Packers detected: -
    Bit9 reports: File not found

    Scan taken on 02 Dec 2007 03:04:03 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download the below version of GetRunKey, once downloaded, extract the contents into the C:\MGtools directory. Attach a log once complete.

    GetRunKey.zip
     
