zephyr_hex (Megan) asked:
MSN Attack - URGENT

infection occurs through MSN messenger.  user receives a message from a friend in their list.  the message has a link.  partial url is http://www.imfriendz.net (not the complete url).  user clicks on it and it downloads a file that causes the infection.  it spreads itself through MSN

link to saved hijackthis log
http://www.hijackthis.de/logfiles/90feb393f2d29872b64f87f86290caa0.html

items listed as "potentially nasty" are not nasty.  it is our domain.

spybot partially detects it, and calls it FakeMSN8Beta, but is unable to completely remove it.  spybot does fix the hosts file, which the infection fills with various security websites and points them all to 127.0.0.1.  infection also disables ability to view hidden files.

ewido finds nothing.

ran scan with Symantec Corporate AV 10.0 with updated definition.  it detected nothing.  called Symantec and they have not heard of it.  sent them data and info for them to research

spybot IDs the following
system32\netstat
system32\taskkill
and a registry entry in local_machine\software\microsoft\windows\currentversion\run\csrss

i have checked a non-infected computer and system32\csrss is a valid file, as are netstat and taskkill.  the registry entry is not valid.

ideas?
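The question notes that the infection rewrites the hosts file so that security vendors' sites resolve to 127.0.0.1, and that Spybot only sometimes manages to repair it. The following is an added example, not code from the thread or from any of the tools mentioned: it parses hosts-file text, flags hostnames mapped to the loopback or unspecified address (other than the names a clean file legitimately maps there), and produces a cleaned copy. The sample file contents are constructed for the example; the domains used are simply the ones named in this thread. On a Windows machine the file itself is `%SystemRoot%\system32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample hosts file, not taken from the thread: the comment and
# localhost lines are what a clean Windows hosts file contains, the remaining
# lines imitate the security-site redirections the question describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.ewido.net
0.0.0.0         www.sysinternals.com
127.0.0.1       www.hijackthis.de   # appended by the infection
"""

# Names a clean hosts file legitimately maps to the loopback address.
LEGITIMATE_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_line(raw):
    """Return a list of (ip, hostname) pairs from one hosts-file line.

    Comments (everything after '#') are ignored, as are blank lines and lines
    whose first field is not a valid IP address.
    """
    line = raw.split("#", 1)[0].strip()
    if not line:
        return []
    addr, *names = line.split()
    if not names:
        return []
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return []
    return [(ip, name.lower()) for name in names]


def is_blackholed(ip, name):
    """True when a hostname that should resolve normally points nowhere."""
    return (ip.is_loopback or ip.is_unspecified) and name not in LEGITIMATE_LOOPBACK


def find_blackholed_hosts(text):
    """Return [(hostname, address)] for every suspicious mapping in the file."""
    hits = []
    for raw in text.splitlines():
        for ip, name in parse_hosts_line(raw):
            if is_blackholed(ip, name):
                hits.append((name, str(ip)))
    return hits


def remove_blackholed_entries(text):
    """Return the hosts text with the suspicious lines dropped.

    Comments and legitimate mappings are kept verbatim, so the result can be
    written back over %SystemRoot%\\system32\\drivers\\etc\\hosts.
    """
    kept = []
    for raw in text.splitlines():
        entries = parse_hosts_line(raw)
        if any(is_blackholed(ip, name) for ip, name in entries):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, addr in find_blackholed_hosts(SAMPLE_HOSTS):
        print(f"{name} -> {addr}")
    print(remove_blackholed_entries(SAMPLE_HOSTS))
```

Because the check keys on the address rather than on a list of vendor names, it also catches redirections of sites the malware author added that nobody thought to put on a watch list; the trade-off is that any deliberate local blackholing (ad-blocking hosts files, for instance) shows up too and has to be whitelisted in LEGITIMATE_LOOPBACK.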
Irwin Santos

run MY recipe:
--------------------
Download and install this
http://www.majorgeeks.com/HijackThis_d3155.html

Then copy the log and paste it in the analyzer
http://www.hijackthis.de/

Analyze the file and POST THE LINK here so that we can take a look at it..

In the mean time, there are several things to apply:

Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine
---------------
Download Ewido, http://www.ewido.net/en/download/, install, open program, check for updates, restart computer, press F8 before windows logo appears, select safe mode, open Ewido, run full system scan. let Ewido delete all it finds, if anything is called serious by Ewido, disable Norton's Goback, and run Ewido again.
---------------
chkdsk /r
--------------
Windowsupdate everything except .NET items
zephyr_hex (Megan) (ASKER)

i have run hijackthis.  i have posted a link to the analyzed log.  i have run ewido.  see my original post above for all that info.  there is nothing in startup that is bad.

i am not connecting these computers to the internet to do windows updates, but they should be up to date because i have auto-updates enabled.
fyi
i have removed the registry entry that spybot identifies.  spybot is still partially detecting an infection.  it now just lists:
system32\netstat.com
system32\killtask.com

there must be some part of the infection left.

also, one of my users states that spybot is not even fixing his hosts file.

i would hate to put one of these computers on msn to test and see if it's fixed...  is there some other way?
"see my original post above for all that info."
Ha!  I just saw the title and Copied and Pasted my solution.

:-)

OK..

Did you uninstall MSN messenger?
Also, check this if NOTdone already
"Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine"
the attack is not limited to the MSN Messenger program.  one of the infected computers runs Trillian, which has the ability to chat with MSN friends.  uninstalling MSN Messenger will not remove the infection.  it's just the method the infection spreads through, i believe.

i have checked msconfig startup items.  all entries are valid.

i think the infection is partially cleaned.  i just don't know if it's fully clean because spybot is still complaining.

when the infection first hit, i had everyone log out of msn messenger.  the infected computers acted normal, other than a browser hijack.  but there were more subtle issues with the infected computers, too.  for one, you could not view hidden files in the folder options.  i would select it, hit accept and ok, and then go back into the folder view options and the setting was back to "do not show" hidden files and folders.  i also suspect this infection disabled system restore because the 2 computers i checked have it disabled.
r-k

"system32\netstat.com
system32\killtask.com"

Can you confirm that Spybot really says ".com" ?

If so, see if you can locate these two files in the system32 folder.

If you can't see the files with Windows Explorer (even with hidden files option enabled), then  suspect a rootkit.
In that case get and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

If RKR reports anything interesting be sure to save the log to a text file first, you will need it later, and let us know a summary.
Ok, zeph...

take the drive out and put it into another computer as a slave (make sure the system is CLEAN & updated with latest virus & malware definitions).
Scan that drive...
what happens?
ASKER CERTIFIED SOLUTION
rpggamergirl

It sounds very much like an Alcan worm, though they normally show up in the HJT log but yours didn't.

If none of the above works then this has to be an alcan worm: (based on the "system32\netstat.com, and system32\killtask.com")

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. then, Download Alcra PLUS Remover.
http://metallica.geekstogo.com/alcanshorty.bfu 
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

3 . Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.
irwinpks - yes, spybot said .com on those files, and i looked for them in system32 and did not find them.  i also searched windows folder and did not find those files with a .com ending.

i will try the other suggestions as soon as i can.  all infected computers have been removed from the network/internet, so at least this thing is contained.

earlier this evening, i finally got spybot to show clean results (by removing the registry entry i mentioned above while in safe mode, then reboot and rerun spybot in regular mode).

but... i am not convinced spybot removed the infection completely.  so i will try the suggestions above.  hopefully those suggestions will give some kind of feedback/results which confirm the infection has been completely removed.

thanks for the input.
the msnvirrem.exe took care of the stuff spybot was missing.
infected files:
c:\windows\system32\byyopef\csrss.exe
c:\windows\system32\byyopef\smss.exe
c:\windows\system32\byyopef\csrss.ini
c:\documents and settings\username\start menu\programs\startup\csrss

the files in system32 were not visible, even with setting folder options to allow viewing of hidden files.  i was able to copy the files to a usb from the command line.  will be submitting them to symantec.

thanks.  i am more confident that the baddie is gone.  i was pretty sure that spybot wasn't getting it all, and this seems to be true.
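The indicators in the post above (csrss.exe and smss.exe in a subfolder of system32, a Run value and a Startup-folder entry both named csrss) follow one pattern: borrow the name of a core Windows process so that a glance at Task Manager or a startup list raises no alarm, while placing the file somewhere the genuine copy never lives. The following is an added example, not the thread's own scan output or any tool's code: it takes an inventory of file paths and a snapshot of Run-key values and flags the look-alikes by location. The file list and Run values are constructed for the example; the set of core process names and the expected directory (system32 on an assumed C: system drive) are assumptions for a default Windows XP-era install.

```python
import ntpath

# Core Windows process names that malware borrows so a glance at Task Manager
# or a startup list raises no alarm (assumed list for the example).
CORE_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}
# Where the genuine copies live on a default Windows XP installation
# (assumed system drive C:).
EXPECTED_DIR = r"c:\windows\system32"

# Constructed sample inventory, not the thread's own scan output: the genuine
# binaries plus look-alikes at the kinds of locations the thread reports.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system32\byyopef\csrss.exe",
    r"C:\WINDOWS\system32\byyopef\smss.exe",
    r"C:\Documents and Settings\username\Start Menu\Programs\Startup\csrss",
]

# Constructed sample of HKLM\...\CurrentVersion\Run values: value name -> command.
SAMPLE_RUN_VALUES = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    "csrss": r"C:\WINDOWS\system32\byyopef\csrss.exe",
}


def looks_like_core_process(name):
    """True if a file or value name matches a core process, with or without .exe."""
    n = name.lower()
    return n in CORE_PROCESS_NAMES or n + ".exe" in CORE_PROCESS_NAMES


def find_masquerading_files(paths):
    """Return paths that carry a core process name but sit outside system32."""
    hits = []
    for path in paths:
        directory, filename = ntpath.split(path)
        if not looks_like_core_process(filename):
            continue
        # Case-insensitive compare: NTFS paths are case-insensitive and the
        # Start Menu entry above has no extension at all.
        if ntpath.normpath(directory).lower() != EXPECTED_DIR:
            hits.append(path)
    return hits


def find_suspicious_run_values(run_values):
    """Return Run-key value names that are named after, or launch, a core-process look-alike."""
    hits = []
    for value_name, command in run_values.items():
        target = command.strip().strip('"')
        if looks_like_core_process(value_name) or find_masquerading_files([target]):
            hits.append(value_name)
    return hits


if __name__ == "__main__":
    for path in find_masquerading_files(SAMPLE_FILES):
        print("look-alike file:", path)
    for value_name in find_suspicious_run_values(SAMPLE_RUN_VALUES):
        print("suspicious Run value:", value_name)
```

To feed it real data, walk %SystemRoot% and the per-user Startup folders from a command prompt (the post notes the files were invisible in Explorer but could be copied from the command line) and export the Run key with `reg export`; the point of the location check is that a file named csrss.exe is only suspicious because of where it sits, so the expected-directory comparison, not the name match, is what produces the finding.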
So it was a W32.Chod.D worm!
This is the second time that that worm was able to hide from hijackthis scan, I thought it might have been the Alcan worm.

Virus/worm writers are really getting very clever and now ahead of Hijackthis.exe!