Msn Messenger Virus


2 replies to this topic

#1 poppuyo


Posted 19 March 2008 - 10:35 AM

Well, I got hit by an MSN virus, sent in the form of a link to a picture.

Apparently, this virus simply propagates itself by mass-messaging everyone on your contacts list.
I'm not too sure what it does, but I can be pretty sure that it's something undesirable.

Background:
Windows XP (Home, SP2, latest updates, etc)
Windows Live Messenger 8.1
AVG Anti-Virus (I'm assuming the virus is relatively new because AVG didn't detect it).

Method of Infection:
I accessed: hxxp://photoshare.atwebpages.com/image.php...dos@hotmail.com **Appears to have been taken down.**
Happened to download it, and run it, while trying to rename it to JPG (had a filename of: IMG00231.JPG-www.imageupload.com).
**I have the virus saved as a file-extension-renamed file hxxp://homenet.servegame.com/msnvirus/IMG00231.JPG-www.imageupload.txt, as a txt (but originally as a COM). - **PLEASE BE CAREFUL if you decide to take a look at it, or at least more than I was (not).**

Apparent Effects:
New process (msn.com) appeared in task manager/process explorer. <== Name changes (confirmed by a friend).
New startup entry, for the same msn.com (supposedly was in the C:\Windows\ directory, but I couldn't locate it).
New message windows would open, then almost instantaneously close. (Computer slowdown experienced).

Steps Taken:
I noticed that something was wrong and unplugged my LAN cable (but the damage was already done).
Looked in process explorer and saved strings (why, I don't know... but here).
In process explorer, ended msn.com (Screenshot on my webserver).
Closed MSN Messenger.
Ran MSN-Virus-Removal-Tool.exe from here. (Said system was clean.)
Found the startup entry using Startuplist (and removed it).

I think I've disabled it for the time being, though I'm fairly sure I haven't deleted the file itself... Should I try a System Restore, etc?

Thanks in advance,

-JL


Mod Edit: Links disabled, to preclude possible infection.~ TMacK


Edit: Will be back in about 12 hours time, school and such.

Edited by Orange Blossom, 20 March 2008 - 09:46 PM.
Completed link disabling ~ OB

Fighting senioritis ever since second semester. :)
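
The filename in the post above, IMG00231.JPG-www.imageupload.com, reads like a picture hosted on a website, but its last extension is .com, which Windows runs as a program. A check for that naming pattern, as an added example that is not part of the original thread (the extension lists, function names and sample names other than the one quoted in the post are assumptions made for illustration):

```python
import re

# Extensions Windows runs directly when the file is opened (illustrative list).
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# Extensions a recipient expects to be harmless content (illustrative list).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "doc", "pdf"}

# A decoy extension followed by a separator or the end of the stem,
# e.g. ".JPG-" in the post's filename or ".jpg" in "photo.jpg.exe".
DECOY_IN_STEM = re.compile(
    r"\.(%s)(?=[\s._-]|$)" % "|".join(sorted(DECOY_EXTS)), re.IGNORECASE)
# A tail that imitates a web address, e.g. "-www.imageupload.com".
HOSTNAME_TAIL = re.compile(r"(?:^|[\s_-])www\.[a-z0-9-]+\.com$", re.IGNORECASE)


def masquerade_reasons(filename):
    """Return the reasons a filename looks like a disguised executable.

    An empty list means the name is either not directly executable or is
    an executable that makes no attempt to look like something else.
    """
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    decoy = DECOY_IN_STEM.search(stem)
    if decoy:
        reasons.append("decoy .%s before real .%s" % (decoy.group(1).lower(), ext))
    if HOSTNAME_TAIL.search(name):
        reasons.append("name ends like a web address, but .com is an executable type")
    return reasons


def scan(filenames):
    """Map each suspicious filename to its reasons, skipping clean names."""
    return {f: r for f in filenames for r in [masquerade_reasons(f)] if r}


# Constructed sample names, plus the one quoted in the post.
SAMPLES = [
    "IMG00231.JPG-www.imageupload.com",   # from the post
    "IMG00231.JPG-www.imageupload.txt",   # the renamed, inert copy
    "IMG00231.JPG",                       # an ordinary picture
    "photo.jpg.exe",                      # classic double extension
    "command.com",                        # executable, but not disguised
]

if __name__ == "__main__":
    for fname, why in scan(SAMPLES).items():
        print(fname, "->", "; ".join(why))
```
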


#2 brian1977


Posted 19 March 2008 - 01:32 PM

I clicked on the link but I think I was lucky mate and never got the virus as bad.

#3 Orange Blossom


  • Moderator

Posted 22 March 2008 - 03:15 PM

Hello poppuyo and welcome to BC :flowers:

At this point, I would like you to do a scan with SUPERAntiSpyware in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



