messenger imageshack.com malware- plz help

Discussion in 'Malware Help (A Specialist Will Reply)' started by murrlishka, Nov 7, 2009.

  1. murrlishka

    murrlishka Private E-2

    Hello, I really hope I'm posting this in the right place, if not - sorry ><

    I recently was foolish enough to click on an imageshack.com/example.jpg link I received on Windows Live messenger from a friend. (I'm running Windows XP)
    Ever since, my messenger has been sending these links itself, without me even knowing it (it replaces messages I write with the link, without showing it in MY conv window) and god knows what else it does.
    I've looked all over the web for a solution, and found none.
    I ran several antivirus/antispyware scans (NOD32, AVG, SpyBot S&D) - none of which found the problem (the antiviruses didn't even find a single infected file, SpyBot found several tracking cookies I deleted)
    I tried completely uninstalling anything to do with Windows Live, deleting any files left and reinstalling it, didn't help either.

    I downloaded HijackThis and I'm attaching my log to this post, as I have no idea what to do with it.

    Can anyone please help me interpret which of the above listings I should "fix" in HijackThis?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. murrlishka

    murrlishka Private E-2

    I did all the steps in the Read and Run post, but the thing is,
    I don't know WHEN these messages are being sent, as it replaces my messages with the imageshack link, without me seeing it.
    So I have no idea whether it worked or not.
    Attaching all the logs to the post.

    Thanks in advance.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Other than what has already been removed by the cleaning process, your logs are basically clean. If you are still having problems, it may be best if you uninstalled all components of Windows Live and then reboot (do not skip the reboot). Then delete the below folders:

    c:\program files\Windows Live SkyDrive
    c:\program files\Windows Live
    c:\program files\Common Files\Windows Live

    Then reinstall Windows Live and see what happens.

    I do question the below settings. Did you make these changes?
     
  5. murrlishka

    murrlishka Private E-2

    Well...All I found inside my add or remove programs was
    Windows Live Upload Tool
    Windows Live sign in Assistant o_O
    Both of which I'm 100% sure I've never installed, since I always only install the messenger itself and no extra stuff.
    I've removed both and rebooted.
    The problem now is, there wasn't and isn't any umbrella file named Windows Live in the Add or Remove Programs, nothing like Windows Live Essentials or anything like that. Basically, the Win Live Messenger is still installed on my computer and I cannot for the life of me find a way to uninstall it properly.

    None of the files you have mentioned exist in my program files, but the Windows Messenger one just won't go away.

    Also about the services settings you've mentioned-
    I did not make these changes
    But this computer IS a hand-me-down from my older brother.
    Could you please explain to me what these changes in settings are and what they affect? (though I do know what remote access and services are, I don't wanna just guess)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some may just come when you install Windows Live. According to your logs, I saw the below installed:

    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool

    If you cannot find them, perhaps you should reinstall Windows Live and then reboot. After reboot see if you still have problems. If so then uninstall everything.

    Be careful on what you say. Windows Messenger is not the same thing as Windows Live Messenger, so what did you mean to say won't go away? If you are really using Windows Messenger, an old, outdated and insecure program, you should not be using it.

    There are changes to your Windows Firewall to allow remote access and also some change to ICMP settings. Not sure what the value 8 is used for. Either way they are not normal/default settings.
     
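The firewall changes chaslang points to above are the kind of thing worth checking on your own rather than guessing from a log. The batch script below is an added example for readers of this thread; it is not code posted by either participant or by MajorGeeks. It assumes a Windows XP SP2/SP3 machine (the built-in `netsh firewall` context and the `FirewallPolicy` registry keys it reads exist there; Vista and later use `netsh advfirewall` instead) and that it is run from an administrator account. The output file name is a constructed choice. If the "8" in the log refers to an ICMP type, type 8 is Echo Request (incoming ping), but that is an assumption about what the log showed, not something the thread confirms.

```batch
@echo off
REM Added example, not from this thread: dump the Windows XP SP2/SP3 firewall
REM configuration into one file so the remote-administration and ICMP
REM exceptions can be reviewed against what the owner actually set.
REM Assumptions: XP SP2 or later ("netsh firewall" context present) and an
REM administrator account. Output path below is a constructed choice.

set OUT=%USERPROFILE%\Desktop\firewall-review.txt

REM Overall state, including whether remote admin mode is enabled.
echo === netsh firewall show state === > "%OUT%"
netsh firewall show state >> "%OUT%"

REM Full configuration for the standard and domain profiles.
echo === netsh firewall show config === >> "%OUT%"
netsh firewall show config >> "%OUT%"

REM ICMP exceptions: each type listed as enabled is allowed in from the network.
echo === netsh firewall show icmpsetting === >> "%OUT%"
netsh firewall show icmpsetting >> "%OUT%"

REM Program and port exceptions: anything here that you did not add is suspect.
echo === netsh firewall show allowedprogram === >> "%OUT%"
netsh firewall show allowedprogram >> "%OUT%"
echo === netsh firewall show portopening === >> "%OUT%"
netsh firewall show portopening >> "%OUT%"

REM Raw registry view of the same settings, for comparison with the netsh output.
echo === StandardProfile registry keys === >> "%OUT%"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /s >> "%OUT%"

echo Firewall review written to "%OUT%"
echo If settings there were not made by you, "netsh firewall reset" restores the XP defaults.
```

Read the file from the top: remote admin mode should normally be disabled on a home PC, the ICMP list should be empty or show only what you enabled, and every program and port exception should be one you recognise. `netsh firewall reset` puts the firewall back to its shipped defaults, which is usually the simplest way to undo changes of unknown origin before reinstalling Windows Live.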
