Solved

MSN Virus/Trojan

Posted on 2009-05-11
Medium Priority
962 Views
Last Modified: 2013-11-22
Okay I have this nasty shit of a virus I picked up yesterday. Appears to be some sort of key logger I think, though it is impossible to find anything on it.

It creates a link to your MSN contacts similar to the following.

http ://somedomain.com/?user=yourname&image=DSC00245.JPG

somedomain is something like imageshotz.com, snapshotz.com, imagecamz.com etc etc
The username is the msn name of the receiving person, and the image is always DSC00245.JPG

This is seriously a real pain and anyone that has solved it I would be over the moon to hear from you, hence the full 500 points for this sucker if I can get it solved.
0
Question by:mateinone
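
The link pattern described in the question, turned into a detection check (an added example, not part of the original thread): because the domain rotates while the query string stays the same, the match keys on the `user` and `image=DSC00245.JPG` parameters rather than on the hostname. The sample messages are constructed, and the case-insensitive match and the tolerance for the spaced `http ://` form are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

LURE_IMAGE = "DSC00245.JPG"  # constant file name reported in the question

# Constructed sample IM messages; only the first two domains come from the thread.
SAMPLE_MESSAGES = [
    "hey is this you? http://imageshotz.com/?user=alice&image=DSC00245.JPG",
    "lol http ://snapshotz.com/?image=dsc00245.jpg&user=bob%40example.com.",
    "holiday pics: http://photos.example.org/album?user=carol&image=IMG_0001.JPG",
    "see https://example.com/?user=dave",
]

# Accept the spaced "http ://" form as well as normal URLs (assumption).
URL_RE = re.compile(r"https?\s?://\S+", re.IGNORECASE)


def find_lure_links(messages):
    """Return (message_index, hostname, targeted_user) for each link whose
    query string has a user parameter and image=DSC00245.JPG, on any domain."""
    hits = []
    for index, text in enumerate(messages):
        for match in URL_RE.finditer(text):
            # Remove the inserted space and any trailing sentence punctuation.
            url = re.sub(r"\s", "", match.group(0)).rstrip(".,)>\"'")
            parts = urlsplit(url)
            query = parse_qs(parts.query)
            images = [value.upper() for value in query.get("image", [])]
            if "user" in query and LURE_IMAGE in images:
                hits.append((index, parts.hostname, query["user"][0]))
    return hits


if __name__ == "__main__":
    for index, host, user in find_lure_links(SAMPLE_MESSAGES):
        print("message %d: lure link on %s aimed at %s" % (index, host, user))
```
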
15 Comments
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24359628
From what I've seen of this, it will go away on its own as long as you don't follow the link. Seems to be a phishing scheme looking for your MSN un/pw to 'log in' and view this pic someone sent ya that hit my company pretty hard for a few days then kinda died away. Usually this is from a contact's PC that compromised his/her security and mass sending to all of their contacts. Do your contacts complain about receiving anything from you? Or is this coming from only one particular contact?
0
 
LVL 1

Author Comment

by:mateinone
ID: 24359719
Nah what is amazing (and I mean truly amazing) is that I clicked the link as it was from my sister and I had just logged on, did not even think.. I mean I have known about and seen these for years, just cannot believe I was dumb enough to click on it..

So.. yeah I am infected, I am not sure how it will just "go away" that is not really handy because if there is a key logger of any sort then I am compromised. I have infected about 5 friends in the last 12 hours, despite mailing them all to let them know not to go near this.
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359730
What application are you using for Anti-Virus?
0

 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359737
For the time being ...

Take it off the network,

Reboot in safe mode

Run a scan - include your boot sector.

0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359744
You have the name of the infection???
0
 
LVL 3

Accepted Solution

by:
sherenian earned 1000 total points
ID: 24359788
Download the "MalwareBytes" program.  It is a free program which you can obtain from Download.Com.  Just a scan and then delete whatever it finds.  This should rid your PC of any malicious software infections.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 24360393
First change your MSN account login/password to rule out one of those fake MSN viruses that also send links to your contacts.
 
Then if the problem persists, run Combofix as alradu suggested. Run it in normal mode NOT safe mode unless the pc only boots in safe mode.


Here are shorter instructions if you don't want to install the recovery console.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 
LVL 1

Author Comment

by:mateinone
ID: 24360954
Okay here is the result from combofix


log.txt
0
 
LVL 1

Author Comment

by:mateinone
ID: 24361089
btw I use Norton's Anti Virus for the question where that was asked. I have run Malwarebytes, it deleted two reg entries, but they were just relational to security updates.
0
 
LVL 2

Expert Comment

by:iamshaked
ID: 24361200
combofix log looks clean. hmm
0
 
LVL 2

Expert Comment

by:ccampbell15
ID: 24365161
If Mbam & combo are both clean I'm not sure you have anything to worry about. Check the following file:

C:\Windows\System32\drivers\etc\hosts


Below is the one from one of my workstations. Look to see if there are any entries below
127.0.0.1       localhost
::1             localhost

If so delete them.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
0
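
The hosts-file check from the comment above, written as a script (an added example, not part of the original thread): it drops comments and reports every mapping other than a loopback address pointing at `localhost`. The sample file content, its documentation-range IP address and the extra hostnames are constructed.

```python
import ipaddress

# Constructed sample: default entries plus three lines the check should surface.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
203.0.113.7     login.example.com   # constructed entry
127.0.0.1       update.example-av.test
not-an-ip       broken.example.com
"""

EXPECTED_NAMES = {"localhost"}  # names allowed to map to loopback


def unexpected_hosts_entries(text):
    """Return (line_no, address, hostname, reason) for every mapping that is
    not a loopback address pointing at an expected name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name.lower() in EXPECTED_NAMES and ip.is_loopback:
                continue  # the default localhost mappings
            reason = ("name pointed at loopback" if ip.is_loopback
                      else "name redirected to another address")
            findings.append((line_no, address, name, reason))
    return findings


if __name__ == "__main__":
    # To check a real machine, read C:\Windows\System32\drivers\etc\hosts
    # into a string and pass it in instead of SAMPLE_HOSTS.
    for finding in unexpected_hosts_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```
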
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383252
How's the pc going?
Is your MSN still sending link to your contacts?

Have you also changed your MSN password?

If the problem persists, also scan the system with Kaspersky and show us the log.
http://www.kaspersky.com/virusscanner
   
0
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24386602
If you put your username/pw in then this scheme did what it was supposed to do and got your password. I'm pretty sure it does not infect your PC with anything, that's not its main purpose. They just want your credentials. Is your computer acting off or are you just receiving these IM's from your contacts with the domains you listed above?
0
 
LVL 1

Author Closing Comment

by:mateinone
ID: 31580346
Hi guys/girls
Sorry was off for a couple of days, the solutions here really helped and whilst it was a phishing scam, the computer is now far more secure thanks to the suggestions here, great work, thanks a million.
0

Question has a verified solution.