
Pic006.jpg-live-messenger.com Virus


9 replies to this topic

#1 mattgoltz


Posted 12 March 2008 - 02:20 PM

I downloaded this virus thinking that it really was a picture being that it came from someone I know. Can someone please walk me through the removal process? I appreciate all your help.

Edited by mattgoltz, 12 March 2008 - 02:21 PM.



#2 PropagandaPanda

  • Malware Response Team

Posted 12 March 2008 - 03:16 PM

Welcome to Bleeping Computer. We will be glad to help you.

However, we first need some more info. Please refer to this page for what info is needed.

Thank you.

#3 mattgoltz

  • Topic Starter

Posted 12 March 2008 - 03:28 PM

I apologize for not "following the rules." I am running Windows Vista and I had MSN Messenger open. I received a message from someone on my list and being that it said picture, I clicked on it assuming it was safe, but it was a file that froze MSN. Apparently it was sent to everyone else on my list as soon as I tried opening it. I ran Kaspersky anti-virus and Ad-aware and neither found the problem. What's more, I cannot delete the file which is saved on my desktop. I also ran a Hijack log but am unsure as to what to do next. I am afraid to open MSN again because I know it will keep sending the virus. Fortunately no other application has been affected, or so it seems thus far (knock on wood). How do I make my computer virus-free again? Thank you.

#4 PropagandaPanda

  • Malware Response Team

Posted 12 March 2008 - 04:25 PM

No problem. Rest assured you are not the first.

I'm not sure if the msncleaner tool is compatible with Vista, so we can't use that just yet.

We can, however, use SuperAntiSpyware:
  • Download SuperAntiSpyware.
  • Run the installer and save a shortcut onto your desktop.
  • Run the program. You will be prompted to update the database. Click Yes.
  • Select Scanning Control.
  • Check under Scanner Options: "Close browsers before scanning" "Scan for tracking cookies" "Terminate memory threats before quarantining".
  • Ok out and reboot into Safe Mode using the F8 method.
  • After restarting, open up the program again. Select Scan Your Computer.
  • After the scan, there will be a checklist of things. Check all of them.
After a reboot into normal mode, open up SAS again. Select Preferences. Select Logs, and Scan Logs.
Post the contents of the log back in your next post.

#5 mattgoltz

  • Topic Starter

Posted 12 March 2008 - 05:07 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/12/2008 at 11:00 PM

Application Version : 4.0.1154

Core Rules Database Version : 3417
Trace Rules Database Version: 1409

Scan type : Complete Scan
Total Scan Time : 00:20:35

Memory items scanned : 212
Memory threats detected : 0
Registry items scanned : 7434
Registry threats detected : 0
File items scanned : 19907
File threats detected : 14

Adware.Tracking Cookie
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\matt_goltz@ar.atwola[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\matt_goltz@cdn.atwola[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\matt_goltz@atwola[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\matt_goltz@evolnetmedia[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@richmedia.yahoo[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@imrworldwide[2].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@ad.yieldmanager[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@bs.serving-sys[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@atdmt[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@videoegg.adbureau[2].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@serving-sys[2].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@media.adrevolver[3].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@ads.ak.facebook[1].txt
C:\Users\Matt Goltz\AppData\Roaming\Microsoft\Windows\Cookies\Low\matt_goltz@atwola[1].txt

#6 boopme

  • Global Moderator

Posted 12 March 2008 - 08:18 PM

Download MsnCleaner_eng.zip
Unzip it to your desktop, but don't use it yet. {if needed instructions are HERE}
  • Now reboot into Safe Mode {How to start Windows in Safe Mode}
  • Double-click MsnCleaner_eng.exe to run it.
  • Click the Analyze button.
  • A report will be created once you finish the scan and it will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post.

Edited by boopme, 12 March 2008 - 08:19 PM.


#7 mattgoltz

  • Topic Starter

Posted 13 March 2008 - 09:39 AM

- Logfile MSNCleaner 1.5.9 by www.forospyware.com
- Created Logfile: 3/13/2008 on 3:32:11 PM
- Operative System: Windows Vista
- Boot mode: Safe mode
_________________________________________

Detected files: 0
Deleted file: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>

#8 quietman7

  • Global Moderator

Posted 13 March 2008 - 12:33 PM

"What's more, I cannot delete the file which is saved on my desktop."

Download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the bad file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."


#9 Woebin


Posted 14 March 2008 - 12:31 PM

Hello. I just registered to post in this thread, since I think I might be of help.

I got this same virus the other day (running Windows XP Pro SP2), but luckily I use Trillian rather than MSN Messenger which seems to have kept me safe from spreading the disease. It's pretty rare for virii to only spread without doing any other damage, though, a rule from which this virus doesn't seem to be an exception judging from the pop-ups I got shortly after being infected.

Anyway, here's what I did about the virus, and it seems to have worked (not guaranteeing that this will remove it completely, though, just saying it seems to have worked for me). First off, I checked my running processes using Process Explorer, found the process live.messenger.com, and traced it to C:\WINDOWS\live.messenger.com.
So, knowing where it was working from, I promptly killed the process tree, and went looking in my Windows folder. After enabling visibility of both hidden files and system files, I found it, and verified that the "last modified" date coincided with when I got the virus. Changing its properties so it was no longer read-only, I deleted it the old fashioned way (I'd imagine using FileAssassin or any such utility would be safer, though). I've also done full scans with both Ad-Aware and F-secure, but they didn't find anything even before I located and deleted it myself.

So, that's my story. I hope it helps.

A note, though; you might worry that deleting something marked as a protected operating system file could be dangerous, and rightly so. It's pretty rare for *.com files to be part of Windows, though, and matching filenames are a bit too much of a coincidence for me to trust it. Choose whether or not to follow my advice at your own discretion.

Edited: Because I can't stand my own typos, ever-so-small as they may be.

Edited by Woebin, 14 March 2008 - 12:34 PM.
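
The manual check described in post #9 (trace the running process to its file, reveal hidden and system files, compare the last-modified date), written as a PowerShell triage script. This is an added example, not part of any post in the thread; the `$Since` parameter and the extension and name heuristics are assumptions chosen for illustration, and the script only reports, it does not kill or delete anything.

```powershell
# Added example, not from the thread: read-only triage, nothing is killed or deleted.
# $Since is a hypothetical parameter; set it to just before the message was opened.
param([datetime]$Since = (Get-Date).AddDays(-3))

$exeExt  = @('.com', '.exe', '.scr', '.pif')   # extensions Windows runs as programs
$imgHint = '\.(jpe?g|gif|png|bmp)'             # image extension buried inside the name
$roots   = @($env:WINDIR, [Environment]::GetFolderPath('Desktop'))

# Map image path -> PID for running processes (Path is empty when access is denied).
$running = @{}
foreach ($p in Get-Process) {
    if ($p.Path) { $running[$p.Path.ToLowerInvariant()] = $p.Id }
}

# -Force returns hidden and system files, which Explorer hides by default.
Get-ChildItem -LiteralPath $roots -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $exeExt -contains $_.Extension } |
    ForEach-Object {
        $hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        $system = [bool]($_.Attributes -band [IO.FileAttributes]::System)
        $why = @()
        if ($_.BaseName -match $imgHint) { $why += 'image-like name' }
        if ($_.Extension -ieq '.com')    { $why += '.com program' }
        if ($hidden -and $system)        { $why += 'hidden+system' }
        if ($_.LastWriteTime -ge $Since) { $why += 'recently modified' }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Path         = $_.FullName
                LastModified = $_.LastWriteTime
                ReadOnly     = $_.IsReadOnly
                RunningPid   = $running[$_.FullName.ToLowerInvariant()]
                Why          = $why -join ', '
            }
        }
    } | Sort-Object LastModified -Descending | Format-List
```

A file name such as the one in this topic's title would be listed with both the "image-like name" and ".com program" reasons; legitimate recently updated programs will also appear, so each entry still needs to be judged by hand.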


#10 Woebin


Posted 14 March 2008 - 01:10 PM

A bit of an update: I obviously didn't manage to completely kill the virus, since it gives pop-ups directed towards (DO NOT VISIT THIS URL) Skyddsverktyg.com, which is one of many URLs affiliated with (DO NOT VISIT THIS URL) avsystemcare.com / lifelongpc.com. This happens to me in IE, but not in Firefox which is my default web browser.

Source: McAfee's site advisor at http://www.siteadvisor.com/

Edited by Woebin, 14 March 2008 - 01:11 PM.




