Help me i have a msn virus

Discussion in 'NOD32 version 2 Forum' started by Gramzon, Apr 5, 2008.

Thread Status:
Not open for further replies.
  1. Gramzon

    Gramzon Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    2
    I downloaded an MSN virus stupidly, since the message came from my gf and I thought it was some joke of hers.
    Anyway I got this message (DO NOT OPEN THE LINK):

    "Hey, is this really you?"
    Link removed. No links to possible malware on the forums. - Ron
    and it downloaded something to my computer that I again stupidly ran, and now I've got some virus. It is messing with my MSN, also freezes my computer and other stuff.
    Can someone please help me in identifying the virus and removing it? NOD doesn't recognize it.
     
    Last edited by a moderator: Apr 5, 2008
  2. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    NOD doesn't recognize it??

    Did you try to restart in safe mode and scan with NOD?

    Or try an AV web scan from ESET, Kaspersky or another AV website.
     
  3. kuraijay

    kuraijay Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    2
    NOD should have recognized it?
    It happened to me, but NOD found it but was not able to remove it; MSN still sends them out.
    I think it had something to do with a process. Delete msn.com from the processes list; I think it is all good for now till you restart the computer.


    NOD log (I think):
    4/5/2008 5:58:43 PM Real-time file system protection file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\removalfile.bat Win32/Adware.Virtumonde application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\windows\temp\net.exe.
     
    Last edited: Apr 5, 2008
  4. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    Very dangerous file.
    I have seen this kind of virus, a JPG image, for the first time.
    Send to ESET lab.
     
    Last edited: Apr 5, 2008
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    Gramzon, kuraijay welcome to Wilders. Please try these two tools.

    thanatos
     
  6. kuraijay

    kuraijay Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    2
    thanks
     
  7. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
    Hi all,

    Please help, this is urgent!!

    I downloaded MSNFix and MSNCleaner and ran them both under safe mode (one after another).

    I rebooted my computer and it restarted fine. I accidentally deleted the log files and so ran MSNFix and MSNCleaner again under safe mode to obtain the log files again. At this point I only have the log files and report files from the second try; I had deleted all the ones from the first try.

    This is where it became nasty. When I rebooted, my Vista Security Center would not load. Manually telling it to load will not work. Currently, my Windows Firewall and Security Center are offline. However, I have AVG antivirus and Spybot S&D still active and running. Also, my desktop background has been changed to a plain blue background.

    Is this a sign of a trojan/virus/worm etc?

    Was it the MSN trojan or some other that was dormant all along?

    Here is the log from MSNCleaner:

    - Logfile MSNCleaner 1.6.2 by www.forospyware.com
    - Created Logfile: 6/4/2008 on 3:19:15 PM
    - Operative System: Windows Vista
    - Boot mode: Safe mode
    _________________________________________

    Detected files: 0
    Deleted file: 0
    Undeleted Files: 0

    <<<<<<< No file found >>>>>>>

    Here is the log from MSNFix:

    MSNFix 1.699

    C:\Users\Valued Customer\Desktop\New Folder\MSNFix
    Scan done at Sun 06/04/2008 - 15:30:07.49 By Valued Customer
    Safe mode

    ************************ Checking Files

    No files found

    ************************ Checking Folders

    ... \TEMP\




    ************************ Deleting malware Files



    ************************ Deleting malware Folders

    /!\ ... \TEMP\


    ************************ Registry Cleaning



    ************************ Suspect Files

    /!\ The detected files must be reviewed by a forum Helper before changes can be made

    [C:\Windows\system32\WindowsAnytimeUpgrade.exe] 50CE59D0083CD8B5BA7C9AA5FF34EC1D
    [C:\Windows\system32\wininit.exe] D4385B03E8CCCEE6F0EE249F827C1F3E
    [C:\Windows\system32\winload.exe] 85D2C8A361D5D24DC5B06FE2119C4954
    [C:\Windows\system32\winresume.exe] E141AF10CEC752D7077EC2EF5289D86D
    [C:\Windows\system32\winrs.exe] 1EE0C0B3ACBAE632DB1511965E1DFA6A
    [C:\Windows\system32\winrshost.exe] A483324560F751A7F46A149C003609F0
    [C:\Windows\system32\WinSAT.exe] BF53DA2EF93A02C1853DDA7CEF34EB8B

    ==> Please upload the file C:\Users\VALUED~1\Desktop\Upload_Me.zip to http://upload.changelog.fr



    The File and Registry deletions have been saved in Sun 06042008_153741.85.zip

    ************************ HKLM\...\Winlogon\Userinit

    Userinit = C:\Windows\system32\userinit.exe,


    ------------------------------------------------------------------------
    Author : !aur3n7 Contact: http://changelog.fr
    ------------------------------------------------------------------------

    --------------------------------------------- END ---------------------------------------------

    Please help ASAP as I think my computer is vulnerable now. Thanks lots.
     
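    The MSNFix log above flags seven files in System32 as "Suspect Files" and gives their MD5 values. The following PowerShell script is an added example, not part of the thread or of MSNFix: it recomputes each file's MD5 to confirm it is the same file the tool saw, then checks its Authenticode signature, which is the quickest way for a helper to separate a stock Windows binary from a malware replacement. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt; the hashes are only the values the log reported, not known-good ones.

```powershell
# Added example, not from the thread or from MSNFix: re-check the files that
# MSNFix listed under "Suspect Files". Paths and MD5 values are copied from the
# log above; they are what the tool reported, not known-good hashes.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
$flagged = @{
    'C:\Windows\system32\WindowsAnytimeUpgrade.exe' = '50CE59D0083CD8B5BA7C9AA5FF34EC1D'
    'C:\Windows\system32\wininit.exe'               = 'D4385B03E8CCCEE6F0EE249F827C1F3E'
    'C:\Windows\system32\winload.exe'               = '85D2C8A361D5D24DC5B06FE2119C4954'
    'C:\Windows\system32\winresume.exe'             = 'E141AF10CEC752D7077EC2EF5289D86D'
    'C:\Windows\system32\winrs.exe'                 = '1EE0C0B3ACBAE632DB1511965E1DFA6A'
    'C:\Windows\system32\winrshost.exe'             = 'A483324560F751A7F46A149C003609F0'
    'C:\Windows\system32\WinSAT.exe'                = 'BF53DA2EF93A02C1853DDA7CEF34EB8B'
}

function Test-FlaggedFile {
    param([string]$Path, [string]$ReportedMd5)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Present = $false; Md5MatchesLog = $null; Signature = $null; Signer = $null }
    }
    # Recompute MD5 so we know we are looking at the same file MSNFix saw.
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # A signature that validates to a Microsoft certificate is strong evidence
    # the file is the stock Windows binary rather than a malware replacement.
    # Many System32 binaries are catalog-signed; on old Windows/PowerShell they
    # can show as NotSigned here, in which case use sigcheck or sfc /verifyonly.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        File          = $Path
        Present       = $true
        Md5MatchesLog = ($md5 -eq $ReportedMd5)
        Signature     = $sig.Status
        Signer        = $signer
    }
}

$flagged.GetEnumerator() |
    ForEach-Object { Test-FlaggedFile -Path $_.Key -ReportedMd5 $_.Value } |
    Format-Table -AutoSize
```

    A row with Md5MatchesLog true, Signature Valid and a Microsoft signer is the same file the tool flagged and is almost certainly a false positive; a mismatched hash or an invalid signature is what actually deserves a closer look.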
  8. ASpace

    ASpace Guest

  9. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
    Sorry if I posted it here wrongly, but I was simply following the advice provided by thanatos_theos as I am having the same problem as Gramzon.

    Any help would be greatly appreciated. Though I know this was not supposed to happen (right o_O), could you give some insight into where I should begin or what actually might have gone wrong?

    I have visited Aumha as you asked, but have yet to begin any anti-parasite measures or get into HijackThis stuff.

    Thanks
     
  10. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    worrapsworraps, check if the Windows Security Center service has been set to disabled or manual. Here are instructions to set the service back to automatic. It's for XP but it might be quite similar to Vista's. Have you tried doing a System Restore (to before having the infection)? If after doing those you're still having problems, please follow what HiTech_boy suggested. Read this before creating a thread at Aumha.

    There's a possibility that after running the tools for the second time a problem occurred :doubt:. Did those tools detect something, and did you remove those? If yes, you can try restoring those files. I believe the backups are in their respective folders (e.g. MSNFix = Sun 06042008_153741.85.zip).

    By the way, please upload C:\Users\VALUED~1\Desktop\Upload_Me.zip here. Thank you.

    thanatos
     
    Last edited: Apr 6, 2008
  11. Gramzon

    Gramzon Registered Member

    Joined:
    Apr 5, 2008
    Posts:
    2
    I have given up; I will format and reinstall Windows. The virus eventually made it impossible for me to do anything. It downloaded other viruses, I also think it disabled my NOD32 in some way because it won't find anything anymore, it hooks into my Explorer, tries to connect to PayPal, keeps making random DLLs in system32 that I cannot delete, and it doesn't even show up in HijackThis. I have been defeated.
     
  12. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada

    Before formatting, have a look at the UBCD project:

    http://www.ubcd4win.com/

    Good luck.
     
  13. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
    Hi all,

    First let me clarify that I wasn't 100 percent sure if I was infected in the first place. I ran MSNFix and MSNCleaner to find out. Look what a mess it made!!!

    I downloaded the malicious file but never ran it. Is it safe to assume that I am not infected?

    Also, my MSN messenger has not shown any of the signs of infection like flickering contact windows, the inability to send instant messages and other problems.

    My problems only started after I ran MSNFix and MSNCleaner the second time.

    OK, I updated AVG today and scanned the trojan file with it. Now AVG is capable of detecting the trojan for what it is. When I scanned it yesterday, apparently the definitions were not capable of seeing the trojan file as a trojan.

    Windows Security Center was disabled under Services. Enabling it only managed to get Windows Security Center back on; Windows Firewall still cannot be turned on. A check in Services revealed that the Windows Firewall service was in fact running. What is happening?

    Also, I did not have System Restore turned on, so that's not an option.

    I also tried restoring the registry keys removed by MSNFix, but 3 of them could not be merged as they were currently in use. They are:

    hckrCLID.reg and Winlogon.reg from Sun 06042008_153741.85.zip
    hklmserv.reg from service.zip (\\MSNFix\incl\service.zip)

    I have not uploaded the Upload_Me.zip. May I know what that is for? How will this help and who will have access to the file?
    Gramzon, can you describe the damage that the trojan does in more detail? I am currently experiencing nothing out of the ordinary other than the fact that my Windows Security Center is offline. So far no other viruses have been detected, my AVG seems to be working fine and there are no connections to PayPal.

    Thanks all for the help.

    P.S. Will be bringing this to Aumha once i complete a full system scan with AVG, Spybot and Windows Defender.
     
  14. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    It's possible that a malware has turned off Windows Firewall, but I am not sure. Do you have the paid-for AVG that includes a firewall? AVG might have turned off the Windows Firewall. You should only be running one firewall.

    Please try these,

    1. Right-click, save as, merge

    http://www.kellys-korner-xp.com/regs_edits/firewallon.reg

    2. See this forum thread. The OP has the same problem.

    If the firewall still cannot be turned on, please post at Aumha.

    Why is System Restore turned off? You should turn it on. When you're sure the PC is clean, reset it.

    Try merging the registry entries in safe mode.

    It's up to you whether to upload Upload_Me.zip or not. It will be uploaded to the author of MSNFix for analysis. I believe Upload_Me.zip contains the following files marked as suspicious:

    [C:\Windows\system32\WindowsAnytimeUpgrade.exe] 50CE59D0083CD8B5BA7C9AA5FF34EC1D
    [C:\Windows\system32\wininit.exe] D4385B03E8CCCEE6F0EE249F827C1F3E
    [C:\Windows\system32\winload.exe] 85D2C8A361D5D24DC5B06FE2119C4954
    [C:\Windows\system32\winresume.exe] E141AF10CEC752D7077EC2EF5289D86D
    [C:\Windows\system32\winrs.exe] 1EE0C0B3ACBAE632DB1511965E1DFA6A
    [C:\Windows\system32\winrshost.exe] A483324560F751A7F46A149C003609F0
    [C:\Windows\system32\WinSAT.exe] BF53DA2EF93A02C1853DDA7CEF34EB8B

    The upload form is in French; you can use a translator if you want, like Google Language Tools.

    thanatos
     
    Last edited: Apr 7, 2008
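    The advice in posts 10 and 14 boils down to one check: are the Security Center and Windows Firewall services still set to start automatically and actually running, and if not, set them back. The PowerShell below is an added example, not from the thread, that performs that audit and, only with -Repair, restores the start type and starts the service. Assumptions: the Vista/7 service names wscsvc (Security Center), MpsSvc (Windows Firewall) and BFE (Base Filtering Engine, which the firewall depends on), PowerShell 3 or later, and an elevated prompt.

```powershell
# Added example, not from the thread: audit the services behind Security
# Center and Windows Firewall, which the poster found switched off.
# Assumed Vista/7 service names: wscsvc = Windows Security Center,
# MpsSvc = Windows Firewall, BFE = Base Filtering Engine (MpsSvc needs it).
# Assumes PowerShell 3+ and an elevated prompt; changes nothing without -Repair.
function Get-ProtectionServiceState {
    param([switch]$Repair)

    foreach ($name in 'wscsvc', 'MpsSvc', 'BFE') {
        # Get-Service on Vista-era PowerShell exposes no start type; WMI does.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; State = 'MISSING'; StartMode = '-'; Healthy = $false }
            continue
        }
        # Healthy means: starts by itself at boot (Auto) and is running now.
        $healthy = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')

        if (-not $healthy -and $Repair) {
            # Fix the start type first: Start-Service fails on a Disabled service.
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name -ErrorAction SilentlyContinue
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            $healthy = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
        }

        [pscustomobject]@{
            Service   = $name
            State     = $svc.State
            StartMode = $svc.StartMode
            Healthy   = $healthy
        }
    }
}

# Report only; add -Repair to restore Automatic start and start the services.
Get-ProtectionServiceState | Format-Table -AutoSize

# The poster's later symptom (MpsSvc running, firewall still reported off) can
# be the per-profile firewall state rather than the service; netsh shows and
# sets it on Vista and later:
#   netsh advfirewall show allprofiles state
#   netsh advfirewall set allprofiles state on
```

    A service reported Disabled or Manual after a suspected infection is worth noting in the incident timeline even after it is repaired, since legitimate installers rarely change these particular services.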
  15. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
    Nope, I do not have paid AVG with firewall, just Windows Firewall.

    firewallon.reg did not work.

    That thread at forums.techguy.org actually made my problem worse. Previously the Windows Firewall service was listed as automatic and started. Now, while it is still listed as automatic, I can no longer start the service. zzzzz

    Merging the registry entries under safe mode still returns the "registry in use" error.

    The Upload_Me.zip file contains those 7 files you listed and more. They are:
    msnfix.txt
    spoolsv.exe
    WinFXDocObj.exe
    winlogon.exe
    Winspool.exe
    winver.exe

    At this point, I'm bringing this to AumHa. Thanks so much for the help so far.
     
  16. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    My apologies, and you're welcome. Yes, please proceed to Aumha. You're in good hands there. Good luck!

    thanatos
     
  17. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    If you have installed Eaz-Fix or RollBack, you can undo this mess very easily.
    Consider them for your next Windows install.:p
     
  18. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
  19. ASpace

    ASpace Guest

    Hi !

    I checked your logs at AumHa. Good luck and stay better protected next time! :thumb:
     
  20. worrapsworraps

    worrapsworraps Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    6
    Hi again all,

    It appears that I was not infected at all in the first place. I have managed to reactivate my firewall with a little registry change, and scans indicate no signs of infection. As always, there are no obvious signs of infection.

    I might be so bold as to say that evidence points towards MSNFix or MSNCleaner doing this when I ran them for the second time. I do not know how to contact the authors of these programs, but I figure you guys can help me out on that.

    I suggest that they be contacted with the information in my posts here and those at AumHa. Hopefully I am right and they do detect a problem and fix it so that no one ever has to go through all that again. I was at the brink of formatting, and were it not for a lucky Google search, I would have.

    Please take my suggestion seriously and may it benefit us all.

    Thanks again for your time.
     