Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Msnmsgr.exe Or Msnmsgr.exe


  • Please log in to reply
5 replies to this topic

#1 bluesjunior

bluesjunior

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:21 AM

Posted 01 April 2007 - 02:45 PM

I installed Autoruns on my PC recently and today I was checking out some of the entries against the Startup List header posted here. On the Autoruns readout I could see that I had a few straightforward ones which I unticked.

I share this PC with my daughter who also has a Moderater account as an MGI Photosuite program she uses a lot will not install to a limited account. I found out recently that when I emptied temporary internet files etc to clean up my PC it did not empty them in my daughters account so now I know to do both accounts when I do it. At this time I also found it wise to check that our Firewall and AntiVirus settings were the same.

So when I had finished using Autoruns I decided to sign out of mine and check it against the entries on my daughters account. All the boxes I had unticked on my account were also unticked on hers except one which read msnmsgr.exe. I remembered while reading the Startup List entry on this file that the correct file should read MsnMsgr.exe which it had on my side. I went back to my account just double check and sure enough mine was written using two Capital M's. Apart from the capitals all the rest of the information was exactly the same;
Both Files say the following.Messenger------- Microsoft Corporation--------C:\ program files\ msn messenger\ msnmsgr.exe------size = 5.541k------------time = 19.01.2007--------Version 8.01.0178.0000 Apart from the missing Capitals on my daughters account they are exactly the same.

Their function in both cases was to allow our MSN Live Messenger service to sign in automatic on startup and as i find this unnecessary I have unticked them both. I would however like to find out if the one in my daughters account was indeed a Worm that I should be worried about or is it just some sort of glitch. Again thanks in advance for any help offered.
Bluesjunior.
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.

BC AdBot (Login to Remove)

 


#2 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:03:21 AM

Posted 01 April 2007 - 02:59 PM

W32/Rbot-JZ is a network worm and backdoor for the Windows platform.

The worm spreads by copying itself to network shares with weak passwords and exploiting the Lsass vulnerability (MS04-011).

The backdoor component connects to a predefined IRC server and waits for instructions from a remote attacker.

When run the worm copies itself to msnmsgr.exe in the Windows system folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"

HKLM\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"

HKLM\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"

HKCU\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"

HKCU\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"

The worm attemps to disable several other worms and some security related processes.

The backdoor component allows a remote attacker to :

transfer files to and from the infected computer
log user keystrokes
sniff network packets
capture video
launch distributed denial of service attacks
steal game related CD keys

#3 bluesjunior

bluesjunior
  • Topic Starter

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:21 AM

Posted 01 April 2007 - 03:57 PM

Thanks for the reply Master5270. I am not very technical and don't really understand what you are telling me. Do I have it and what should I do if I have?
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.

#4 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:09:21 AM

Posted 01 April 2007 - 06:29 PM

please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

#5 buddy215

buddy215

  • BC Advisor
  • 12,989 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:21 AM

Posted 01 April 2007 - 08:46 PM

Unless you have some other signs of infection, you most likely are not infected. Since the question has been raised though as to whether that file is infected, migrate to the file and right click on it and let your antivirus and antispyware scan it.
You can also go to Jotti. org and let them scan the file with several antivirus programs.
http://virusscan.jotti.org/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#6 bluesjunior

bluesjunior
  • Topic Starter

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:21 AM

Posted 02 April 2007 - 09:44 AM

Thanks for the replies Fozzie and Buddy. As I was bothered by this I also posted it at the Aumha Forum and I already sent a Hijack This log there and the problem is now solved. It wasn't a Worm at all but the genuine file. Thanks again for your help,much appreciated.
Bluesjunior.
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users