Solved

MSN Virus/Trojan

Posted on 2009-05-11
15
953 Views
Last Modified: 2013-11-22
Okay I have this nasty shit of a virus I picked up yesterday. Appears to be some sort of key logger I think, though it is impossible to find anything on it.

It creates a link to your MSN contacts similar to the following.

http ://somedomain.com/?user=yourname&image=DSC00245.JPG

somedomain is something like imageshotz.com, snapshotz.com, imagecamz.com etc etc
The username is the MSN name of the receiving person, and the image is always DSC00245.JPG

This is seriously a real pain and anyone that has solved it I would be over the moon to hear from you, hence the full 500 points for this sucker if I can get it solved.
0
Question by:mateinone
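The link pattern described in the question, turned into a detection check that an IM gateway or a log-review script could run over messages. This is an added example, not code from the original thread; the sample messages and the domain-fragment list are constructed, and the assumption that further throwaway domains recombine the same fragments (image/snap/shot/cam) is mine.

```python
"""Flag IM messages carrying the MSN bait-link pattern from the question.

Added example, not from the original thread. The sample messages and the
list of lookalike domain fragments are constructed for illustration.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse, parse_qs

# Fragments seen in the throwaway image-hosting domains the poster lists
# (imageshotz.com, snapshotz.com, imagecamz.com). Assumption: new variants
# keep recombining these fragments, so we match on fragments rather than on
# an exact domain list, which would be stale by the time it shipped.
SUSPICIOUS_FRAGMENTS = ("image", "snap", "shot", "cam", "pic", "photo")
BAIT_IMAGE = "DSC00245.JPG"   # the one constant the poster observed

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def score_url(url: str) -> List[str]:
    """Return the reasons a URL looks like the bait link (empty list = clean)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    qs = parse_qs(parsed.query)

    # The bait always names the same "photo" and passes the victim's own
    # handle in the query, so the fixed image name is the strongest signal.
    images = [v.upper() for v in qs.get("image", [])]
    if BAIT_IMAGE in images:
        reasons.append("fixed bait image name")
    if "user" in qs and "image" in qs:
        reasons.append("user+image query pair")

    # Lookalike host: two or more fragments glued together, ending in 'z'.
    label = host.split(".")[0]
    hits = [f for f in SUSPICIOUS_FRAGMENTS if f in label]
    if len(hits) >= 2 and label.endswith("z"):
        reasons.append("lookalike image-host domain (%s)" % host)
    return reasons


def flag_messages(messages: List[Tuple[str, str]]):
    """Yield (sender, url, reasons) for every URL that trips at least one check."""
    for sender, text in messages:
        for url in URL_RE.findall(text):
            reasons = score_url(url)
            if reasons:
                yield sender, url, reasons


# Constructed sample IM traffic, not real captures.
SAMPLE_MESSAGES = [
    ("sister", "hey look at this pic http://imageshotz.com/?user=mateinone&image=DSC00245.JPG"),
    ("friend1", "lol http://snapshotz.com/?user=friend1&image=dsc00245.jpg"),
    ("coworker", "agenda is at http://intranet.example/meetings?week=19"),
    ("friend2", "no link here, just saying hi"),
]

if __name__ == "__main__":
    for sender, url, reasons in flag_messages(SAMPLE_MESSAGES):
        print("%s: %s -> %s" % (sender, url, ", ".join(reasons)))
```

Each check is scored separately so that a message from a trusted contact still gets flagged on the fixed image name alone, even if the attacker rotates to a domain the fragment heuristic misses.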
15 Comments
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24359628
From what I've seen of this, it will go away on its own as long as you don't follow the link. Seems to be a phishing scheme looking for your MSN un/pw to 'log in' and view this pic someone sent ya that hit my company pretty hard for a few days then kinda died away. Usually this is from a contact's PC that compromised his/her security and mass sending to all of their contacts. Do your contacts complain about receiving anything from you? Or is this coming from only one particular contact?
0
 
LVL 1

Author Comment

by:mateinone
ID: 24359719
Nah what is amazing (and I mean truly amazing) is that I clicked the link as it was from my sister and I had just logged on, did not even think.. I mean I have known about and seen these for years, just cannot believe I was dumb enough to click on it..

So.. yeah I am infected, I am not sure how it will just "go away" that is not really handy because if there is a key logger of any sort then I am compromised. I have infected about 5 friends in the last 12 hours, despite mailing them all to let them know not to go near this.
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359730
What application are you using for Anti-Virus?
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359737
For the time being ...

Take it off the network,

Reboot in safe mode

Run a scan - include your boot sector.

0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359744
You have the name of the infection???
0
 
LVL 3

Accepted Solution

by:sherenian
sherenian earned 250 total points
ID: 24359788
Download the "MalwareBytes" program.  It is a free program which you can obtain from Download.Com.  Just a scan and then delete whatever it finds.  This should rid your PC of any malicious software infections.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
ID: 24360393
First change your MSN account login/password to rule out one of those fake MSN viruses that also send links to your contacts.
 
Then if the problem persists, run Combofix as alradu suggested. Run it in normal mode NOT safe mode unless the pc only boots in safe mode.


Here are shorter instructions if you don't want to install the recovery console.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 
LVL 1

Author Comment

by:mateinone
ID: 24360954
Okay here is the result from combofix


log.txt
0
 
LVL 1

Author Comment

by:mateinone
ID: 24361089
btw I use Norton's Anti Virus for the question where that was asked. I have run Malwarebytes; it deleted two reg entries, but they were just related to security updates.
0
 
LVL 2

Expert Comment

by:iamshaked
ID: 24361200
combofix log looks clean. hmm
0
 
LVL 2

Expert Comment

by:ccampbell15
ID: 24365161
If Mbam & combo are both clean I'm not sure you have anything to worry about. Check the following file:

C:\Windows\System32\drivers\etc\hosts


Below is the one from one of my workstations. Look to see if there are any entries below
127.0.0.1       localhost
::1             localhost

If so delete them.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
0
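The hosts-file check suggested in the comment above, written as a script rather than an eyeball comparison against a known-good copy. This is an added example, not code from the thread; the sample hosts text is constructed (the two non-localhost lines are the kind of entry malware adds, not entries seen on the poster's machine), and the function names and the loopback-only allow list are mine.

```python
"""Audit a Windows hosts file for anything beyond the stock loopback lines.

Added example, not from the original thread. SAMPLE_HOSTS is constructed:
the header comments are the stock Microsoft ones quoted in the thread, and
the last two mappings are the kind of entry malware drops in, one to block
a name, one to redirect it.
"""
import ipaddress
from typing import List, Tuple

LOOPBACKS = {"127.0.0.1", "::1"}
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) tuples, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text: str, allowed=("localhost",)):
    """Return entries that are not plain 'loopback -> localhost' mappings.

    A loopback address pointed at a real domain silently blocks it (the
    classic trick for stopping AV updates); a non-loopback address mapped to
    a well-known name sends the victim to a host the attacker controls.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        if ip in LOOPBACKS and all(n in allowed for n in names):
            continue   # the two stock lines
        if addr.is_loopback:
            findings.append((ip, names, "loopback mapping blocks these names"))
        else:
            findings.append((ip, names, "non-loopback mapping redirects these names"))
    return findings


def audit_file(path: str = WINDOWS_HOSTS):
    """Run the check against a hosts file on disk (Windows path assumed)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed sample; the last two lines are illustrative malware additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.antivirus.example       # constructed: blocks AV updates
198.51.100.7    login.live.com                  # constructed: TEST-NET address, redirects the MSN login
"""

if __name__ == "__main__":
    for ip, names, why in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-36s %s" % (ip, " ".join(names), why))
```

Run `audit_file()` on a real machine from an elevated prompt; anything it prints is either an entry you added yourself or something to remove before trusting that box's DNS again.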
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383252
How's the pc going?
Is your MSN still sending link to your contacts?

Have you also changed your MSN password?

If the problem persists, also scan the system with Kaspersky and show us the log.
http://www.kaspersky.com/virusscanner
   
0
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24386602
If you put your username/pw in then this scheme did what it was supposed to do and got your password. I'm pretty sure it does not infect your PC with anything, that's not its main purpose. They just want your credentials. Is your computer acting off or are you just receiving these IMs from your contacts with the domains you listed above?
0
 
LVL 1

Author Closing Comment

by:mateinone
ID: 31580346
Hi guys/girls
Sorry was off for a couple of days, the solutions here really helped and whilst it was a phishing scam, the computer is now far more secure thanks to the suggestions here, great work, thanks a million.
0
