panic36

IE Crashes, after bad executable spam from MSN Messenger


Yeah, I got messaged by a friend with this link, and it turns out they didn't even know they did, because it infected them and spammed all their MSN buddies with it, spreading over the MSN network... Right now I've done scans with Windows Defender, Avast, AVG, Lavasoft, but I'm still having issues... Here is my HijackThis log; hopefully someone will be able to help me get back up and running. Thanks a lot :D

Logfile of HijackThis v1.99.1
Scan saved at 10:57:04 PM, on 10/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
D:\Program Files\Common Files\{44E20841-09F0-1033-0913-040212160001}\Update.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\?ystem32\javaw.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\mIRC\mirc.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - D:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ghmpdic.dll] D:\WINDOWS\system32\rundll32.exe D:\WINDOWS\system32\ghmpdic.dll,dzousr
O4 - HKLM\..\Run: [ipWins] D:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Esot] "D:\PROGRA~1\COMMON~1\YSTEM~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Cpkgqzx] D:\WINDOWS\?ystem32\javaw.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?0db09c9488994d3bad264ed6ca4b11ae
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?0db09c9488994d3bad264ed6ca4b11ae
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160663359326
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A193BA-E24D-419D-A31D-4419B40CEA59}: NameServer = 24.205.1.14,66.215.64.14
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


Still having problems. I've got IE to function better now, after long tasks of trying to remove; I've followed other steps provided by some others, and I have made progress. However, my connection stats still have my upload higher than my download, and IE still gets hijacked at certain times... during load. However, IE at least loads now, and doesn't crash while starting up, so I think that's an improvement... Here's another log if this helps.

VundoFix V6.2.4

Checking Java version...

Java version is 1.5.0.3

Scan started at 2:29:47 AM 10/17/2006

Listing files found while scanning....

D:\WINDOWS\system32\ghmpdic.dll
D:\WINDOWS\system32\ljjgday.dll
D:\WINDOWS\system32\taxmlrd.dll
D:\WINDOWS\system32\wincqt32.dll
D:\WINDOWS\system32\xmcggcqn.dll
D:\WINDOWS\system32\wlurekxa.exe

Beginning removal...

Attempting to delete D:\WINDOWS\system32\ghmpdic.dll
D:\WINDOWS\system32\ghmpdic.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\ljjgday.dll
D:\WINDOWS\system32\ljjgday.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\taxmlrd.dll
D:\WINDOWS\system32\taxmlrd.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\wincqt32.dll
D:\WINDOWS\system32\wincqt32.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\xmcggcqn.dll
D:\WINDOWS\system32\xmcggcqn.dll Has been deleted!

Attempting to delete D:\WINDOWS\system32\wlurekxa.exe
D:\WINDOWS\system32\wlurekxa.exe Has been deleted!

Performing Repairs to the registry.
Done!
