Help me, I have an MSN virus
Gramzon
April 5th, 2008, 04:54 PM
I downloaded an MSN virus stupidly since the message came from my gf and I thought it was some joke of hers.
Anyway i got this message: (DO NOT OPEN THE LINK)
"Hey, is this really you?"
Link removed. No links to possible malware on the forums. - Ron
and it downloaded something to my computer that I again stupidly ran, and now I got some virus. It is messing with my MSN, also freezes my computer and other stuff.
Can someone please help me in identifying the virus and removing it? NOD doesn't recognize it.
piranha
April 5th, 2008, 05:05 PM
NOD doesn't recognize it??
Did you try to restart in safe mode and scan with NOD?
Or try an AV web scan from Eset, Kaspersky or another AV web site.
kuraijay
April 5th, 2008, 09:04 PM
NOD should have recognized it?
It happened to me, but NOD found it, but was not able to remove it. MSN still sends them out.
I think it had something to do with a process. Delete msn.com from the processes list; I think it is all good for now till you restart the computer.
NOD log (I think):
4/5/2008 5:58:43 PM Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\windows\temp\net.exe.
proactivelover
April 5th, 2008, 10:59 PM
Very dangerous file.
I have seen this kind of virus for the first time, a jpg image.
Send to Eset lab.
thanatos_theos
April 6th, 2008, 12:16 AM
Gramzon, kuraijay, welcome to Wilders. Please try these two tools (http://forum.hijackthis.de/showpost.php?p=148011&postcount=14).
thanatos
kuraijay
April 6th, 2008, 12:20 AM
thanks
worrapsworraps
April 6th, 2008, 02:06 AM
Hi all,
Please help, this is urgent!!
I downloaded MSNFix and MSNCleaner and ran them both under safe mode (one after another).
I rebooted my computer and it restarted fine. I accidentally deleted the log files and so ran MSNFix and MSNCleaner again under safe mode to obtain the log files again. At this point I only have the log files and report files from the second try; I had deleted all the ones from the first try.
This is where it became nasty. When I rebooted, my Vista Security Center would not load. Manually telling it to load will not work. Currently, my Windows Firewall and Security Center are offline. However, I have AVG antivirus and Spybot S&D still active and running. Also, my desktop background has been changed to a plain blue background.
Is this a sign of a trojan/virus/worm etc?
Was it the MSN trojan or some other that was dormant all along?
Here is the log from MSNCleaner:
- Logfile MSNCleaner 1.6.2 by www.forospyware.com
- Created Logfile: 6/4/2008 on 3:19:15 PM
- Operative System: Windows Vista
- Boot mode: Safe mode
_________________________________________
Detected files: 0
Deleted file: 0
Undeleted Files: 0
<<<<<<< No file found >>>>>>>
Here is the log from MSNFix:
MSNFix 1.699
C:\Users\Valued Customer\Desktop\New Folder\MSNFix
Scan done at Sun 06/04/2008 - 15:30:07.49 By Valued Customer
Safe mode
************************ Checking Files
No files found
************************ Checking Folders
... \TEMP\
************************ Deleting malware Files
************************ Deleting malware Folders
/!\ ... \TEMP\
************************ Registry Cleaning
************************ Suspect Files
/!\ The detected files must be reviewed by a forum Helper before changes can be made
[C:\Windows\system32\WindowsAnytimeUpgrade.exe] 50CE59D0083CD8B5BA7C9AA5FF34EC1D
[C:\Windows\system32\wininit.exe] D4385B03E8CCCEE6F0EE249F827C1F3E
[C:\Windows\system32\winload.exe] 85D2C8A361D5D24DC5B06FE2119C4954
[C:\Windows\system32\winresume.exe] E141AF10CEC752D7077EC2EF5289D86D
[C:\Windows\system32\winrs.exe] 1EE0C0B3ACBAE632DB1511965E1DFA6A
[C:\Windows\system32\winrshost.exe] A483324560F751A7F46A149C003609F0
[C:\Windows\system32\WinSAT.exe] BF53DA2EF93A02C1853DDA7CEF34EB8B
==> Please upload the file C:\Users\VALUED~1\Desktop\Upload_Me.zip to http://upload.changelog.fr
The File and Registry deletions have been saved in Sun 06042008_153741.85.zip
************************ HKLM\...\Winlogon\Userinit
Userinit = C:\Windows\system32\userinit.exe,
------------------------------------------------------------------------
Author : !aur3n7 Contact: http://changelog.fr
------------------------------------------------------------------------
--------------------------------------------- END ---------------------------------------------
Please help ASAP as I think my computer is vulnerable now. Thanks lots.
ASpace
April 6th, 2008, 02:22 AM
Wilders doesn't provide malware cleaning services:
http://www.wilderssecurity.com/showthread.php?t=42148
Post in a forum that provides such services; experts there will help you. One of my favourites is the AumHa forums (http://forum.aumha.org). You can choose others if you want to.
worrapsworraps
April 6th, 2008, 03:07 AM
{QUOTE-> Wilders doesn't provide malware cleaning services:
http://www.wilderssecurity.com/showthread.php?t=42148
Post in a forum that provides such services; experts there will help you. One of my favourites is the AumHa forums (http://forum.aumha.org). You can choose others if you want to. <-QUOTE}
Sorry if I posted it here wrongly, but I was simply following the advice provided by thanatos_theos, as I am having the same problem as Gramzon.
Any help would be greatly appreciated. Though I know this was not supposed to happen (right???), could you give some insight into where I should begin or what actually might have gone wrong?
I have visited Aumha as you asked, but have yet to begin any anti-parasite measures or get into HijackThis stuff.
Thanks
thanatos_theos
April 6th, 2008, 08:48 AM
worrapsworraps, check if the Windows Security Center service has been set to disabled or manual. Here (http://support.microsoft.com/kb/919291) are instructions to set the service back to automatic. It's for XP but it might be quite similar to Vista's. Have you tried doing a System Restore (before having the infection)? If after doing those you're still having problems, please follow what HiTech_boy suggested. Read this (http://forum.aumha.org/viewtopic.php?f=30&t=4075&sid=110560db3135f834c5088cf4c1e250ec) before creating a thread at Aumha (http://forum.aumha.org/viewforum.php?f=30).
There's a possibility that after running the tools for the second time a problem occurred :-\. Did those tools detect something and did you remove those? If yes, you can try restoring those files. I believe the backups are in their respective folders (eg: MSNFix=Sun 06042008_153741.85.zip).
By the way, please upload C:\Users\VALUED~1\Desktop\Upload_Me.zip here (http://upload.changelog.fr/). Thank you.
thanatos
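As an added example (not code from the thread or from the Microsoft article linked above), the following Windows PowerShell script does the service check described here for Vista and later, and also reads the Winlogon Userinit value that MSNFix printed at the end of its log. The service names are assumptions: wscsvc for Security Center, MpsSvc for Windows Firewall and BFE for the Base Filtering Engine that MpsSvc depends on. Run it from an elevated Windows PowerShell prompt; without -Fix it only reports, with -Fix it sets the services back to Automatic and starts them.

```powershell
# Added example, not from the thread. Report (and with -Fix, repair) the startup
# type and state of the services behind Security Center and Windows Firewall,
# and show the Winlogon Userinit value that MSNFix printed in its log.
# Assumed service names (Vista and later): wscsvc, BFE, MpsSvc.
# Run from an elevated Windows PowerShell prompt (Get-WmiObject is not in PowerShell 7).
param([switch]$Fix)

$services = 'wscsvc', 'BFE', 'MpsSvc'   # BFE first: MpsSvc cannot start without it

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-7} not installed" -f $name)
        continue
    }
    # Get-Service before PowerShell 5 does not expose the start mode; WMI does.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    Write-Output ("{0,-7} status={1,-8} startmode={2}" -f $name, $svc.Status, $wmi.StartMode)

    if ($Fix) {
        if ($wmi.StartMode -ne 'Auto') {
            Write-Output "  setting $name to Automatic"
            Set-Service -Name $name -StartupType Automatic
        }
        if ($svc.Status -ne 'Running') {
            Write-Output "  starting $name"
            # A failure here usually names a dependency (for MpsSvc, BFE) or an
            # access-denied error; that message is the detail worth posting when asking for help.
            Start-Service -Name $name -ErrorAction Continue
        }
    }
}

# Userinit is a classic place for malware to add itself, which is why MSNFix
# prints it. The stock value is exactly "C:\Windows\system32\userinit.exe,"
# (trailing comma included), as shown in the MSNFix log above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Output "Userinit = $userinit"
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe,") {
    Write-Output '  WARNING: Userinit is not the stock value; something else runs at logon'
}
```

Reading the report before touching anything is the point: a service that is Automatic and Running yet the firewall still reports itself off (the situation described later in this thread) is a different problem from a service that has been set to Disabled, and the Start-Service error text is what a helper forum will ask for.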
Gramzon
April 6th, 2008, 11:02 AM
I have given up; I will format and reinstall Windows. The virus eventually made it impossible for me to do anything: it downloaded other viruses, I also think it disabled my NOD32 in some way because it won't find anything anymore, it hooks to my explorers, tries to connect to PayPal, keeps making random DLLs in system32 that I cannot delete, and it doesn't even show up in HijackThis. I have been defeated.
piranha
April 6th, 2008, 01:19 PM
{QUOTE-> I have given up; I will format and reinstall Windows. The virus eventually made it impossible for me to do anything: it downloaded other viruses, I also think it disabled my NOD32 in some way because it won't find anything anymore, it hooks to my explorers, tries to connect to PayPal, keeps making random DLLs in system32 that I cannot delete, and it doesn't even show up in HijackThis. I have been defeated. <-QUOTE}
Before formatting, have a look at the UBCD project:
http://www.ubcd4win.com/
Good luck.
worrapsworraps
April 7th, 2008, 02:34 AM
{QUOTE-> worrapsworraps, check if the Windows Security Center service has been set to disabled or manual. Here (http://support.microsoft.com/kb/919291) are instructions to set the service back to automatic. It's for XP but it might be quite similar to Vista's. Have you tried doing a System Restore (before having the infection)? If after doing those you're still having problems, please follow what HiTech_boy suggested. Read this (http://forum.aumha.org/viewtopic.php?f=30&t=4075&sid=110560db3135f834c5088cf4c1e250ec) before creating a thread at Aumha (http://forum.aumha.org/viewforum.php?f=30).
There's a possibility that after running the tools for the second time a problem occurred :-\. Did those tools detect something and did you remove those? If yes, you can try restoring those files. I believe the backups are in their respective folders (eg: MSNFix=Sun 06042008_153741.85.zip).
By the way, please upload C:\Users\VALUED~1\Desktop\Upload_Me.zip here (http://upload.changelog.fr/). Thank you.
thanatos <-QUOTE}
Hi all,
First let me clarify that I wasn't 100 percent sure if I was infected in the first place. I ran MSNFix and MSNCleaner to find out. Look what a mess it did!!!
I downloaded the malicious file but never ran it. Is it safe to assume that I am not infected?
Also, my MSN Messenger has not shown any of the signs of infection like flickering contact windows, the inability to send instant messages and other problems.
My problems only started after I ran MSNFix and MSNCleaner the second time.
OK, I updated AVG today and scanned the trojan file with it. Now AVG is capable of detecting the trojan for what it is. When I scanned it yesterday, apparently the definitions were not capable of seeing the trojan file as a trojan.
Windows Security Center was disabled under Services. Enabling it only managed to get Windows Security Center back on; Windows Firewall still cannot be turned on. A check in Services revealed that the Windows Firewall service was in fact running. What is happening?
Also, I did not have System Restore turned on, so that's not an option.
I also tried restoring the registry keys removed by MSNFix, but 3 of them could not be merged as they were currently in use. They are:
hckrCLID.reg and Winlogon.reg from Sun 06042008_153741.85.zip
hklmserv.reg from service.zip (\\MSNFix\incl\service.zip)
I have not uploaded the Upload_Me.zip. May i know what that is for? How will this help and who will have access to the file?
{QUOTE-> I have given up; I will format and reinstall Windows. The virus eventually made it impossible for me to do anything: it downloaded other viruses, I also think it disabled my NOD32 in some way because it won't find anything anymore, it hooks to my explorers, tries to connect to PayPal, keeps making random DLLs in system32 that I cannot delete, and it doesn't even show up in HijackThis. I have been defeated. <-QUOTE}
Gramzon, can you describe the damage that the trojan does in more detail? I am currently experiencing nothing out of the ordinary other than the fact that my Windows Security Center is offline. So far no other viruses have been detected, my AVG seems to be working fine and no connections to PayPal.
Thanks all for the help.
P.S. Will be bringing this to Aumha once I complete a full system scan with AVG, Spybot and Windows Defender.
thanatos_theos
April 7th, 2008, 04:55 AM
{QUOTE-> Windows Security Center was disabled under services. Enabling it only managed to get windows security center back on, windows firewall still cannot be turned on. A check in services revealed that Windows Firewall service was in fact running. What is happening?
Also, i did not have System Restore turned on so that's not an option. <-QUOTE}
It's possible that a malware has turned off Windows Firewall, but I am not sure. Do you have the paid-for AVG that includes a firewall? AVG might have turned off the Windows Firewall. You should only be running one firewall.
Please try these,
1. Right-click, save as, merge
http://www.kellys-korner-xp.com/regs_edits/firewallon.reg
2. See this forum thread (http://forums.techguy.org/windows-nt-2000-xp/466234-windows-xp-firewall-disabled.html). The OP has the same problem.
If the firewall still cannot be turned on, please post at Aumha.
Why is System Restore turned off? You should turn it on. When you're sure the PC is clean, reset it.
{QUOTE-> I also tried restoring the registry keys removed by MSNFix but 3 of them could not be merged as they were currently in use. They are:-
hckrCLID.reg and Winlogon.reg from Sun 06042008_153741.85.zip
hklmserv.reg from service.zip (\\MSNFix\incl\service.zip) <-QUOTE}
Try merging the registry entries in safe mode.
{QUOTE-> I have not uploaded the Upload_Me.zip. May i know what that is for? How will this help and who will have access to the file? <-QUOTE}
It's up to you whether to upload Upload_Me.zip or not. It will be uploaded to the author of MSNFix for analysis. I believe Upload_Me.zip contains the following files marked as suspicious,
[C:\Windows\system32\WindowsAnytimeUpgrade.exe] 50CE59D0083CD8B5BA7C9AA5FF34EC1D
[C:\Windows\system32\wininit.exe] D4385B03E8CCCEE6F0EE249F827C1F3E
[C:\Windows\system32\winload.exe] 85D2C8A361D5D24DC5B06FE2119C4954
[C:\Windows\system32\winresume.exe] E141AF10CEC752D7077EC2EF5289D86D
[C:\Windows\system32\winrs.exe] 1EE0C0B3ACBAE632DB1511965E1DFA6A
[C:\Windows\system32\winrshost.exe] A483324560F751A7F46A149C003609F0
[C:\Windows\system32\WinSAT.exe] BF53DA2EF93A02C1853DDA7CEF34EB8B
The upload form is in French; you can use a translator if you want, like Google Language Tools.
thanatos
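As an added example (not code from the thread, from MSNFix or from its author), the following Windows PowerShell script re-checks the seven files that MSNFix flagged as "Suspect Files", both in the log posted earlier and in the list in this post. It recomputes each file's MD5, compares it with the value MSNFix recorded, and asks Windows whether the file carries a signature it trusts. The paths and hashes are copied from the log; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Added example, not part of the thread or of MSNFix. Re-check the files that
# MSNFix flagged as "Suspect Files": has any of them changed since the log was
# written, and does Windows consider it signed? Paths and MD5 values are copied
# from the MSNFix log in this thread. Assumes Windows PowerShell 4.0+ (Get-FileHash),
# run from an elevated prompt.

$suspects = [ordered]@{
    'C:\Windows\system32\WindowsAnytimeUpgrade.exe' = '50CE59D0083CD8B5BA7C9AA5FF34EC1D'
    'C:\Windows\system32\wininit.exe'               = 'D4385B03E8CCCEE6F0EE249F827C1F3E'
    'C:\Windows\system32\winload.exe'               = '85D2C8A361D5D24DC5B06FE2119C4954'
    'C:\Windows\system32\winresume.exe'             = 'E141AF10CEC752D7077EC2EF5289D86D'
    'C:\Windows\system32\winrs.exe'                 = '1EE0C0B3ACBAE632DB1511965E1DFA6A'
    'C:\Windows\system32\winrshost.exe'             = 'A483324560F751A7F46A149C003609F0'
    'C:\Windows\system32\WinSAT.exe'                = 'BF53DA2EF93A02C1853DDA7CEF34EB8B'
}

$report = foreach ($path in $suspects.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Status = 'missing'; Signature = ''; Signer = '' }
    }
    else {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        if ($hash -eq $suspects[$path]) { $status = 'same MD5 as in log' }
        else                            { $status = 'MD5 DIFFERS from log' }

        # Status Valid means an embedded or catalog signature that Windows trusts.
        # PowerShell before Windows 8 does not look in signature catalogs, so a
        # NotSigned result there for a stock Windows binary proves nothing by itself.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject } else { $signer = '' }

        [pscustomobject]@{
            Path      = $path
            Status    = $status
            Signature = $sig.Status
            Signer    = $signer
        }
    }
}

$report | Format-Table -AutoSize

# The authoritative check for protected system files is the built-in System File
# Checker: "sfc /scannow" from an elevated prompt repairs anything that was modified.
```

A matching MD5 only tells you the file has not changed since MSNFix looked at it, not that it was clean then; a trusted signature or a clean sfc run is what actually clears a file, and a hash mismatch plus an invalid signature is what to report when asking for help.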
worrapsworraps
April 7th, 2008, 08:00 AM
{QUOTE-> It's possible that a malware has turned off Windows Firewall, but I am not sure. Do you have the paid-for AVG that includes a firewall? AVG might have turned off the Windows Firewall. You should only be running one firewall.
Please try these,
1. Right-click, save as, merge
http://www.kellys-korner-xp.com/regs_edits/firewallon.reg
2. See this forum thread (http://forums.techguy.org/windows-nt-2000-xp/466234-windows-xp-firewall-disabled.html). The OP has the same problem.
If the firewall still cannot be turned on, please post at Aumha.
Why is System Restore turned off? You should turn it on. When you're sure the PC is clean, reset it.
Try merging the registry entries in safe mode.
It's up to you whether to upload Upload_Me.zip or not. It will be uploaded to the author of MSNFix for analysis. I believe Upload_Me.zip contains the following files marked as suspicious,
[C:\Windows\system32\WindowsAnytimeUpgrade.exe] 50CE59D0083CD8B5BA7C9AA5FF34EC1D
[C:\Windows\system32\wininit.exe] D4385B03E8CCCEE6F0EE249F827C1F3E
[C:\Windows\system32\winload.exe] 85D2C8A361D5D24DC5B06FE2119C4954
[C:\Windows\system32\winresume.exe] E141AF10CEC752D7077EC2EF5289D86D
[C:\Windows\system32\winrs.exe] 1EE0C0B3ACBAE632DB1511965E1DFA6A
[C:\Windows\system32\winrshost.exe] A483324560F751A7F46A149C003609F0
[C:\Windows\system32\WinSAT.exe] BF53DA2EF93A02C1853DDA7CEF34EB8B
The upload form is in French; you can use a translator if you want, like Google Language Tools.
thanatos <-QUOTE}
Nope, I do not have paid AVG with firewall, just Windows Firewall.
firewallon.reg did not work.
That thread at forums.techguy.org actually made my problem worse. Previously the Windows Firewall service was listed as automatic and started. Now, while it is still listed as automatic, I can no longer start the service. zzzzz
Merging the registry entries under safe mode still returns the "registry in use" error.
The Upload_Me.zip file contains those 7 files you listed and more. They are:
msnfix.txt
spoolsv.exe
WinFXDocObj.exe
winlogon.exe
Winspool.exe
winver.exe
At this point, I'm bringing this to AumHa. Thanks so much for the help so far.
thanatos_theos
April 7th, 2008, 09:54 AM
My apologies and you're welcome. Yes, please proceed to Aumha. You're in good hands there. Good luck!
thanatos
nanana1
April 7th, 2008, 10:59 AM
{QUOTE-> Hi all,
First let me clarify that I wasn't 100 percent sure if I was infected in the first place. I ran MSNFix and MSNCleaner to find out. Look what a mess it did!!!
I downloaded the malicious file but never ran it. Is it safe to assume that I am not infected?
Also, my MSN Messenger has not shown any of the signs of infection like flickering contact windows, the inability to send instant messages and other problems.
My problems only started after I ran MSNFix and MSNCleaner the second time.
OK, I updated AVG today and scanned the trojan file with it. Now AVG is capable of detecting the trojan for what it is. When I scanned it yesterday, apparently the definitions were not capable of seeing the trojan file as a trojan.
Windows Security Center was disabled under Services. Enabling it only managed to get Windows Security Center back on; Windows Firewall still cannot be turned on. A check in Services revealed that the Windows Firewall service was in fact running. What is happening?
Also, I did not have System Restore turned on, so that's not an option. <-QUOTE}
If you have installed Eaz-Fix or RollBack, you can undo this mess very easily.
Consider them for your next Windows install. :P
worrapsworraps
April 7th, 2008, 11:29 AM
{QUOTE-> If you have installed Eaz-Fix or RollBack, you can undo this mess very easily.
Consider them for your next Windows install. :P <-QUOTE}
I certainly will. Thanks!
Here is my post at AumHa if anyone is interested:
http://forum.aumha.org/viewtopic.php?f=30&t=32836&sid=4edbcd44b9bb38d729849a9fb48d08b9
Thanks again!
ASpace
April 7th, 2008, 02:32 PM
Hi!
I checked your logs at AumHa. Good luck and stay better protected next time! :thumb:
worrapsworraps
April 12th, 2008, 09:05 AM
Hi again all,
It appears that I was not infected at all in the first place. I have managed to reactivate my firewall with a little registry change, and scans indicate no signs of infection. As always, there are no obvious signs of infection.
I might be so bold as to say that evidence points towards MSNFix or MSNCleaner doing this when I ran them for the second time. I do not know how to contact the authors of these programs, but I figure you guys can help me out on that.
I suggest that they be contacted with the information in my posts here and those at AumHa. Hopefully I am right and they do detect a problem and fix it so that no one ever has to go through all that again. I was on the brink of formatting, and were it not for a lucky Google search, I would have.
Please take my suggestion seriously and may it benefit us all.
Thanks again for your time.
Copyright ©2002 - 2010, Wilders Security Forums