
Msn Messenger "foto" Virus


13 replies to this topic

#1 ineedhelp888


Posted 13 March 2008 - 07:07 PM

Hi,

This is my last resort, for the past week, a million people have told me to do a million different things and I have no idea where I am at right now. A few days ago, I was chatting with a friend on MSN Messenger when I got a message along with a link to some pictures. I opened it and nothing happened, then my friend said to not open it because it was a virus. Well now if I log on to MSN, it freezes and the same message is sent to everyone on my list, and I have to relogin. I have not logged in the last few days because I don't want to keep sending it to my list.

I have Symantec antivirus, already ran a full scan and it comes up negative. Adaware shows 2 MRU's, but I would delete them and they keep coming back up. I have posted on another site, and told me to do SDFix, did that, uninstalled and reinstalled MSN, nothing has worked.

Please can someone help me? I'm at a loss, I'm very patient, but I'm getting a bit frustrated.

Thanks!


#2 Billy O'Neal

  • Malware Response Team

Posted 13 March 2008 - 08:45 PM

Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 ineedhelp888

  • Topic Starter

Posted 14 March 2008 - 12:08 AM

Hi Billy3,

I did the scan, and here are the scan results:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2946 (20080313)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=b5834200084a1d4f856a86861743d25e
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-14 04:38:09
# local_time=2008-03-14 12:38:09 (-0400, SA Western Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=423513
# found=3
# scan_time=6910
C:\Documents and Settings\mae\Local Settings\Temporary Internet Files\Content.IE5\JB9ARSGK\ingen8[1].exe Win32/IRCBot.AAH trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\mae\Local Settings\Temporary Internet Files\Content.IE5\VE81B5UU\ingen12[1].exe Win32/IRCBot.AAH trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\svcthread.exe Win32/IRCBot.AAH trojan (unable to clean - deleted) 00000000000000000000000000000000



Thanks.

#4 dark messenger


Posted 14 March 2008 - 05:25 AM

I'll jump in the middle and say try this MSN virus removal tool =) hope it works

#5 Billy O'Neal

  • Malware Response Team

Posted 14 March 2008 - 06:52 AM

Yes, the ESET scan removed a trojan, but it's not the one we are trying to fix.

Please try the file Dark Messenger linked to.

Billy3

#6 ineedhelp888

  • Topic Starter

Posted 14 March 2008 - 11:13 AM

Hey Billy3 and Dark Messenger,

Ok, well I DL the MSN cleaner and ran it. It did find one infected file, is this the one we are looking for?!!? I wasn't sure if I was supposed to be in safe mode or not, so I just ran it in safe mode. After the scan finished, I located the MSNCleaner file and inside it has two text documents, so I am posting them here. There is also another folder that says "BackUpMSNCleaner" and it's got a VIR file inside. Can I delete this? Also, do you think it's OK for me to log on to MSN, I'm scared to go in but I'm assuming that's the only way I can tell if I got rid of it right? Anyways, please let me know your thoughts : )

- Logfile MSNCleaner 1.5.9 by www.forospyware.com
- Created Logfile: 3/13/2008 on 8:24:49 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 1
Deleted file: 0
Undeleted Files: 0

C:\WINDOWS\system32\tmp.txt


- Logfile MSNCleaner 1.5.9 by www.forospyware.com
- Created Logfile: 3/13/2008 on 8:25:17 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 1
Deleted file: 1
Undeleted Files: 0

C:\WINDOWS\system32\tmp.txt <--- Deleted

Host file Restored

Also...one question, Perflib_Perfdata_1788.dat and Perflib_Perfdata_e78.dat ...these are under the temp files for my local settings for my documents....someone told me they were viruses, are they??

Edited by ineedhelp888, 14 March 2008 - 12:08 PM.


#7 Billy O'Neal

  • Malware Response Team

Posted 14 March 2008 - 12:31 PM

No, if they were, the ESET scan would have taken care of it.

Are you still having problems?

Billy3

#8 ineedhelp888

  • Topic Starter

Posted 14 March 2008 - 02:58 PM

Hi Billy3,

Well I logged onto MSN, and have been logged on for about 2 hours with no problems yet.....I think you guys fixed it!!!!!!!

If it happens again, I'll post again, but until then..........THANK YOUUUU!!!! (and to Dark Messenger too!!!!)

#9 Billy O'Neal

  • Malware Response Team

Posted 14 March 2008 - 03:20 PM

No problem, we are here to help.

Have a nice day,
Billy3

#10 nickkinix


Posted 25 March 2009 - 04:07 PM

Hi, I have also had this problem. I ran the first thing you suggested, which took a little under 2 hours - here are the results copied and pasted from Notepad. Please help!!!!!

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3962 (20090325)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=4c92105cf3d5724ea9b243dbfdeabbfd
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-25 08:58:33
# local_time=2009-03-25 08:58:33 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=168843
# found=14
# scan_time=6253
C:\thp.exe Win32/Injector.KZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp085.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp111.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp216.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp268.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp292.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp871.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp894.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\tmp991.exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nicola Cleary\Nicola Cleary.exe Win32/Wigon trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\Documents and Settings\Nicola Cleary\Local Settings\Temp\TMP00000001760DBFEA207AAC89 Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nicola Cleary\Local Settings\Temporary Internet Files\Content.IE5\IS00UEBC\l1[1].exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Nicola Cleary\Local Settings\Temporary Internet Files\Content.IE5\JK928QC2\l1[1].exe Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\winulty.exe Win32/Injector.KZ trojan (unable to clean - deleted (after the next restart)) ED1FF3DBD629520BEBF8F5B6E422A165

#11 AnitaS


Posted 18 August 2009 - 05:06 PM

Hello,

I don't use MSN messenger, but my hotmail account has been sending out "fotos" emails to my entire address book, with infected .jpgs. I used McAfee Security center, which deleted one "problem", but the hotmail account is still acting up. I have run Onlinescan according to the instructions in this thread:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=d773804905eaab4ca9156c37c922fea3
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-18 08:25:50
# local_time=2009-08-18 01:25:50 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6000 NT
# compatibility_mode=5121 25 100 88 494519403916914
# compatibility_mode=5889 61 66 100 629040075166914
# scanned=123014
# found=0
# cleaned=0
# scan_time=6514

Please let me know if you can help.

Thank you,
Anita S.

#12 Secr3t


Posted 18 June 2010 - 05:21 AM

Having got this myself and read the responses here, none of which worked, I thought I would paste what worked for me.


If you receive an email called “fotos 05/06” DO NOT OPEN IT! It is a virus!
If you have already opened it you are infected.

What does the virus do?

It opens a new Internet Explorer process which is hidden; this makes use of your credentials in your webmail (hotmail or gmail) and forwards all your contacts the virus, several times.

How do you clean it?

I haven’t found an antivirus to clean it, (Panda, Trend, Norton, or the options suggested here) so you have to delete it manually.

The steps are:

1. Delete all private information from Internet Explorer, pressing Ctrl + Shift + Del
2. Kill the processes of the virus from the Task Manager: Ctrl + Alt + Del / Start Task Manager / Processes / Show processes from all users / Sort by Name (Click on the column "Image Name") and search:
- Xlr.exe
- Xlr2.exe
(Right click / End process tree)
3. Delete the registry keys, so that when you restart, the computer does not reopen the virus: WindowsKey + R / regedit.exe / Edit / Find and write xlr. When found, delete everything that starts with xlr. There will be 2 or 4 keys, depending on how many times you tried to open the email.
4. Delete the registry keys, so that when you restart, the computer does not reopen the virus: WindowsKey + R / regedit.exe / Edit / Find and write xlr2. When found, delete everything that starts with xlr2. There will be 2 or 4 keys, depending on how many times you tried to open the email.
5. Delete the registry keys, so that when you restart, the computer does not reopen the virus: WindowsKey + R / regedit.exe / Edit / Find and write xlb.cpl. When found, delete everything that starts with xlb. There will be 2 or 4 keys, depending on how many times you tried to open the email.
6. Delete the registry keys, so that when you restart, the computer does not reopen the virus: WindowsKey + R / regedit.exe / Edit / Find and write xln.cpl. When found, delete everything that starts with xln. There will be 2 or 4 keys, depending on how many times you tried to open the email.
7. Delete the folder where the virus files are copied (C:\CMOS): Open the file browser. The folder is hidden, so you must have configured the file browser to allow viewing hidden files. If you see a folder named CMOS in C:\, do the following: Press Alt / Tools / Folder Options / Show / Hidden Files and Folders / Show Files, folders and hidden units. Now you should see the folder and be able to delete it. If it says you cannot delete it because the files are in use, rename the folder to C:\Cmosxxx and restart the computer. Once the computer has restarted without the processes running, you can delete the folder you have just renamed.
8. Restart the computer.

If all went well, when you restart the virus will not appear as the xlr.exe or xlr2.exe process in the process list, nor will there be a folder C:\CMOS, and most importantly, your friends will not receive the virus.

Secr3t
:thumbsup:
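
A read-only way to confirm the result of the manual steps in the post above, as an added example that is not part of Secr3t's post. The process, file and folder names are the ones the post lists; checking only the Run and RunOnce keys is an assumption, since the post searches the whole registry with regedit's Find.

```powershell
# Read-only audit for the indicators named in the post; nothing is deleted or changed.
# Names come from the post. The set of autostart keys checked is an assumption.
$procNames   = 'xlr', 'xlr2'                           # xlr.exe and xlr2.exe (step 2)
$namePattern = '\b(xlr2?\.exe|xlb\.cpl|xln\.cpl)\b'    # file names from steps 3 to 6
$dropFolder  = 'C:\CMOS'                               # hidden folder from step 7
$findings    = @()

# Step 2: processes that should no longer be running
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($p.Id)"; Detail = $p.Path }
}

# Steps 3 to 6: autostart values whose name or data mentions one of the file names
$autostartKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        if ("$valueName $data" -match $namePattern) {      # -match is case-insensitive
            $findings += [pscustomobject]@{ Type = 'Autostart'; Location = "$key\$valueName"; Detail = $data }
        }
    }
}

# Step 7: the folder is hidden, so test it directly and list its contents with -Force
if ([System.IO.Directory]::Exists($dropFolder)) {
    $files = @(Get-ChildItem -LiteralPath $dropFolder -Force -Recurse -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Type = 'Folder'; Location = $dropFolder; Detail = "$($files.Count) item(s) inside" }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the indicators from the post are present.'
}
```

Run it once before the cleanup and again after the restart in step 8; an empty result the second time matches the outcome the post describes.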

#13 HIPP


Posted 18 June 2010 - 07:05 PM

I also have had the same problem when I received a fotos 05/06 email from my wife, but it wasn't my wife. I have been searching to find out what harm it does and how to fix my computer. The thing I found was to use Malwarebytes' Anti Malware, which I have already and it's free. The first time I tried it, it only found one thing, but then I updated it and it found ten infections, and most of them matched up with the files Secr3t said to erase manually. Then I was in Windows Defender under Tools in Software Explorer and found xlxb.cpl under startup programs. When I tried to delete it, the computer responded that it couldn't find it, and now it's gone. I hope this helps other people.

Now I need help with one more problem regarding my wife's Hotmail account, which is the one that infected me. Her account is sending out this email to everybody, I think to people on her address list, although I haven't received any today, only yesterday. But she just called me and told me Hotmail won't let her send any more email today because she sent too many emails today. Now I just got done scanning her home computer and it came up clean. Does this mean the problem is on her work computer, or is it connected to her Hotmail account? I would also like to add that this virus had no effect on my email account, for which I use AOL. Is this virus only effective on certain email types, or was I lucky?


Thanks and good luck

#14 boopme

  • Global Moderator

Posted 18 June 2010 - 11:05 PM

Has she changed her password and then reset the router, if using one?