Solved

MSN Messenger Virus Party_jpg.zip removal

Posted on 2007-11-28
16
2,316 Views
Last Modified: 2016-08-29
I have a user who opened a file in windows live messenger, the file is called party_jpg.zip. Our anti virus software eTrust did not identify it as a virus. When the user clicked on it it launched itself and sent it to others that were logged on in their contact list. I have found the file, removed it, ran a scan with our anti virus software and a scan with spybot. I have fixed the issues spybot found. When i logon in safe mode and run spybot it does not find anything. After rebooting, and searching on the party_jpg file it is back in the C:\Windows folder. I am lost here, what should i do next, remove live messenger?
0
Comment
Question by:Beaver_Trucks
  • 6
  • 5
  • 5
16 Comments
 

Author Comment

by:Beaver_Trucks
Comment Utility
Update,
I have removed Live Messenger and rebooted, the file came back and is in the C:\Windows folder again.
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
Have you tried MSN Cleaner?

http://www.forospyware.com/Msncleaner/MsnCleaner.zip

Unzip it
Boot to Safe Mode
Double-click MsnCleaner.exe to run it.
Click the Analyze button.
A report will be created once after you finish scan.
If it finds an infection, click the Deleted button.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
Comment Utility
If problem persists;

Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.

You can upload the log to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

You can also paste to logfile to this site: --> http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:


OR, scan your system with Combofix.
Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
0
 

Author Comment

by:Beaver_Trucks
Comment Utility
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
I would recommend you go ahead with rpg's suggestion to run combofix and upload that file.
0
 

Author Comment

by:Beaver_Trucks
Comment Utility
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
New feature of combofix is to disconnect from the internet while running, so no new malware can come in. This does leave the potential if something doesn't go right during the scan for this to happen. Fortunately it's easy to fix. To restore you can either just reboot or ...
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu

I'll take a look through the combo log and see if there is anything that needs attention.
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 300 total points
Comment Utility
1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\d8e9w3l6u1g1.exe
C:\1z48.exe
C:\WINDOWS\party_jpg.zip
C:\WINDOWS\mrofinu1148.exe
C:\WINDOWS\msimn.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\tftp.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msimn.exe"=-

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

Question, are you using Remote Administrator Service on this PC?
Also, I am very suspect of what is in the following folder if anything:
C:\Program Files\Common Files\Carlson

It was created right at the same time all of this went down....may want to take a look in there and report back on what's found.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Beaver_Trucks
Comment Utility
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
Hmm??? Looks like the CFScript ran OK, but the files either were not deleted and/or came back. Honestly not sure why. I'll review the script again. Hopefully rpg will look in on this later also to see if I'm missing anything. Usually combofix will get whatever you tell it too without issues.

What is the name of that file in the Carlson folder?

The other suggestion I have is to run SDFix to see if we have any bots hiding here. Then go with CF again using the script I gave. I'll check in later.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Beaver_trucks,
Can you tell us what suspicious file you did remove and keeps returning?
SDFix should removed any leftover nasties(if any) and can give us more info on things.


InDiGenus,
You included in the CFScript for Combofix to delete legit system files (below)
any reason?

C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\tftp.exe
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Combofix does disconnect the internet connection, but the connection supposed to be restored once CF gets to the Find3M stage.

Connection can also be restored by just rebooting the pc.
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
rpg:
>""You included in the CFScript for Combofix to delete legit system files (below)
any reason?""<

That is my bad. I had originally thought they were part of the infection here but had realized they were not but forgot to remove from my CFScript text. Looks like Windows protected them. I am still suspect of why they appear here though.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Recently, legit system files have been showing in the CF logs...
I had a CF log recently that listed numerous files from the DLLCache folder, the user most probably replaced or reinstalled the whole folder.


On this case here, maybe they had reinstalled Microsoft FTP Utility or replaced the tftp and ftp.exe that's why combofix picked them up. I don't know.
0
 

Author Comment

by:Beaver_Trucks
Comment Utility
I found the culprit, it was the C:\WINDOWS\msimn.exe file, when you look it up on google it suggests that it is a outlook express file, we are not using outlook express so that make me wonder what it was doing, when i looked at the properties of the file, there was no version information etc, so i removed it, another file called 17PHomes1148.exe that kept reappearing and went into the registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and removed the value to start the msimn.exe file. Tested it on the system by doing several restarts and having the user bring up the applications they normally use, looked for the file again and it was gone.
Deployed it to the other two infected systems and was golden.
Thanks for your help

0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
C:\WINDOWS\msimn.exe <-- is a variant of SDBot, SDFix would have removed it. But Combofix was supposed to remove it when the CFScript was run...

Anyway, glad you've resolved it, good job.

Thanks!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
PREFACE The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technol…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now