Posted on 2006-05-26
Last Modified: 2009-12-16
Infection occurs through MSN Messenger. The user receives a message from a friend in their list. The message has a link. Partial URL is (not the complete URL). The user clicks on it and it downloads a file that causes the infection. It spreads itself through MSN.

Link to saved HijackThis log

Items listed as "potentially nasty" are not nasty. It is our domain.

Spybot partially detects it, and calls it FakeMSN8Beta, but is unable to completely remove it. Spybot does fix the hosts file, which the infection fills with various security websites and points them all to  The infection also disables the ability to view hidden files.

Ewido finds nothing.

Ran a scan with Symantec Corporate AV 10.0 with updated definitions. It detected nothing. Called Symantec and they have not heard of it. Sent them data and info for them to research.

Spybot IDs the following
and a registry entry in local_machine\software\microsoft\windows\currentversion\run\csrss

I have checked a non-infected computer and system32\csrss is a valid file, as are netstat and taskkill. The registry entry is not valid.

Question by:zephyr_hex
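The symptoms above (security-vendor sites rewritten in the hosts file, a bogus "csrss" value under the Run key, and system-process names masquerading with a .com extension) can be checked from an offline copy of the hosts file and an exported Run key without running any vendor tool. The following triage script is an added example, not something posted in the thread; the hosts content, the 203.0.113.5 address, the vendor watch-list and the system-process name set are constructed assumptions.

```python
import ipaddress
import ntpath
# Constructed sample hosts file in the shape the thread describes: security sites
# all pointed at one address (203.0.113.5 is a placeholder, not the incident's).
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       intranet.example.local   # legitimate local entry
203.0.113.5     www.symantec.com
203.0.113.5     securityresponse.symantec.com
203.0.113.5     www.spybot.info
"""
# Assumption: a short watch-list of vendor domains; extend it for your estate.
SECURITY_DOMAINS = ("symantec.com", "spybot.info", "ewido.net")
# Core Windows processes are started by the system and never belong in a Run key.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "lsass", "winlogon", "services"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, n.lower()) for n in names)
    return entries

def suspicious_hosts_entries(text):
    """Flag watch-listed domains: loopback blocks the site, anything else redirects it."""
    flagged = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
            try:
                reason = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
            except ValueError:
                reason = "unparseable address"
            flagged.append((name, ip, reason))
    return flagged

def _exe_name(cmd):
    # Executable file name from a Run-key command line, quoted or bare path.
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return ntpath.basename(path).lower()
def suspicious_run_entries(run_values):
    """Flag Run values named after a system process, or launching <sysname>.com."""
    flagged = []
    for name, cmd in run_values.items():
        base, _, ext = _exe_name(cmd).partition(".")
        if name.lower().partition(".")[0] in SYSTEM_PROCESS_NAMES or (base in SYSTEM_PROCESS_NAMES and ext == "com"):
            flagged.append((name, cmd))
    return flagged
```

Feed `suspicious_run_entries` a dict built from `reg export` output of the Run key; a legitimate startup item such as ctfmon.exe passes while a "csrss" value or any `lsass.com`-style target is reported.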
    LVL 30

    Expert Comment

    run MY recipe:
    Download and install this

    Then copy the log and paste it in the analyzer

    Analyze the file and POST THE LINK here so that we can take a look at it..

    In the meantime, there are several things to apply:

    Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine
    Download Ewido, install, open program, check for updates, restart computer, press F8 before windows logo appears, select safe mode, open Ewido, run full system scan. Let Ewido delete all it finds; if anything is called serious by Ewido, disable Norton's GoBack, and run Ewido again.
    chkdsk /r
    Windowsupdate everything except .NET items
    LVL 42

    Author Comment

    I have run HijackThis. I have posted a link to the analyzed log. I have run Ewido. See my original post above for all that info. There is nothing in startup that is bad.

    I am not connecting these computers to the internet to do Windows updates, but they should be up to date because I have auto-updates enabled.
    LVL 42

    Author Comment

    I have removed the registry entry that Spybot identifies. Spybot is still partially detecting an infection. It now just lists:

    There must be some part of the infection left.

    Also, one of my users states that Spybot is not even fixing his hosts file.

    I would hate to put one of these computers on MSN to test and see if it's fixed... Is there some other way?
    LVL 30

    Expert Comment

    "see my original post above for all that info."
    Ha!  I just saw the title and copied and pasted my solution.

    Did you uninstall MSN Messenger?
    Also, check this if NOT done already:
    "Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine"
    LVL 42

    Author Comment

    The attack is not limited to the MSN Messenger program. One of the infected computers runs Trillian, which has the ability to chat with MSN friends. Uninstalling MSN Messenger will not remove the infection. It's just the method the infection spreads through, I believe.

    I have checked msconfig startup items. All entries are valid.

    I think the infection is partially cleaned. I just don't know if it's fully clean because Spybot is still complaining.

    When the infection first hit, I had everyone log out of MSN Messenger. The infected computers acted normal, other than a browser hijack. But there were more subtle issues with the infected computers, too. For one, you could not view hidden files in the folder options. I would select it, hit Apply and OK, and then go back into the folder view options and the setting was back to "do not show" hidden files and folders. I also suspect this infection disabled System Restore because the 2 computers I checked have it disabled.
    LVL 32

    Expert Comment


    Can you confirm that Spybot really says ".com" ?

    If so, see if you can locate these two files in the system32 folder.

    If you can't see the files with Windows Explorer (even with the hidden files option enabled), then suspect a rootkit.
    In that case get and run RootkitRevealer from:

    If RKR reports anything interesting be sure to save the log to a text file first, you will need it later, and let us know a summary.
    LVL 30

    Expert Comment


    Take the drive out and put it into another computer as a slave (make sure the system is CLEAN & updated with the latest virus & malware definitions).
    Scan that drive...
    what happens?
    LVL 47

    Accepted Solution


    Try these: (If neither helps, there's another one I can think of)

    1. Please download MsnVirRem.exe to your desktop from one of the following mirrors:

    * First close any other programs you have running as this will require a reboot
    * Double click MsnVirRem.exe to run it
    * Once open, click the button labelled "Search and Destroy"
          <<Your computer will now be scanned for Infected Files>>
    * When scanning is finished you will be prompted to reboot only if infected, Click OK
    * Now click the "REBOOT" Button.
    * After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
    * A Message should popup from MsnVirRem if not, double click the program again and it will finish

    LVL 47

    Expert Comment

    It sounds very much like an Alcan worm, though they normally show up in the HJT log but yours didn't.

    If none of the above works then this has to be an Alcan worm (based on the "system32\, and system32\"):

    1. Please download Brute Force Uninstaller to your desktop.
    Right click the BFU folder on your desktop, and choose Extract All
    Click "Next"
    In the box to choose where to extract the files to,
    Click "Browse"
    Click on the + sign next to "My Computer"
    Click on "Local Disk (C:)" or whatever your primary drive is
    Click "Make New Folder"
    Type in BFU
    Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

    2. Then, download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    Start the Brute Force Uninstaller by double-clicking BFU.exe
    Behind the "scriptline to execute" field click the "folder icon" and select alcanshorty.bfu
    Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.
    Reboot into normal Windows.
    LVL 42

    Author Comment

    irwinpks - yes, Spybot said .com on those files, and I looked for them in system32 and did not find them. I also searched the Windows folder and did not find those files with a .com ending.

    I will try the other suggestions as soon as I can. All infected computers have been removed from the network/internet, so at least this thing is contained.

    Earlier this evening, I finally got Spybot to show clean results (by removing the registry entry I mentioned above while in safe mode, then rebooting and rerunning Spybot in regular mode).

    But... I am not convinced Spybot removed the infection completely. So I will try the suggestions above. Hopefully those suggestions will give some kind of feedback/results which confirm the infection has been completely removed.

    Thanks for the input.
    LVL 42

    Author Comment

    The MsnVirRem.exe took care of the stuff Spybot was missing.
    Infected files:
    c:\documents and settings\username\start menu\programs\startup\csrss

    The files in system32 were not visible, even with setting folder options to allow viewing of hidden files. I was able to copy the files to a USB from the command line. Will be submitting them to Symantec.

    Thanks. I am more confident that the baddie is gone. I was pretty sure that Spybot wasn't getting it all, and this seems to be true.
    LVL 47

    Expert Comment

    So it was a W32.Chod.D worm!
    This is the second time that worm was able to hide from a HijackThis scan; I thought it might have been the Alcan worm.

    Virus/worm writers are really getting very clever and now ahead of Hijackthis.exe!
