Solved

MSN Virus/Trojan

Posted on 2009-05-11
912 Views
Last Modified: 2013-11-22
Okay, I have this nasty shit of a virus I picked up yesterday. Appears to be some sort of key logger I think, though it is impossible to find anything on it.

It creates a link to your MSN contacts similar to the following.

http://somedomain.com/?user=yourname&image=DSC00245.JPG

somedomain is something like imageshotz.com, snapshotz.com, imagecamz.com etc etc
The username is the MSN name of the receiving person, and the image is always DSC00245.JPG

This is seriously a real pain and anyone that has solved it I would be over the moon to hear from you, hence the full 500 points for this sucker if I can get it solved.
0
Question by:mateinone
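As an added example (not part of the question or of any answer on this page), the following Python script flags instant-message log lines that carry the link pattern described in the question: a URL whose query string has a `user=` parameter and `image=DSC00245.JPG`, or whose host is one of the three domains named above. The log format and the sample lines are constructed; the domain list is only what the question mentions.

```python
"""Flag IM log lines carrying the phishing-link pattern from the question:
http://<domain>/?user=<recipient>&image=DSC00245.JPG

Added example. The log format and SAMPLE_LOG are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# Domains named in the question (the real campaign rotated through many more).
KNOWN_DOMAINS = {"imageshotz.com", "snapshotz.com", "imagecamz.com"}
MARKER_IMAGE = "DSC00245.JPG"

# Crude URL extractor: anything from http(s):// up to whitespace or a quote.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def classify_url(url):
    """Return a reason string if the URL matches the campaign pattern, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    qs = parse_qs(parsed.query)
    image = qs.get("image", [""])[0]
    if host in KNOWN_DOMAINS:
        return "known-domain"
    # Generalisation: the same user/image query shape on any other host.
    if "user" in qs and image.upper() == MARKER_IMAGE:
        return "user+image pattern"
    return None


def scan_log(lines):
    """Return (line_no, url, reason) for every suspicious URL in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reason = classify_url(url)
            if reason:
                hits.append((n, url, reason))
    return hits


# Constructed sample chat log; names and hosts are placeholders.
SAMPLE_LOG = [
    "[10:02] sis: hey check this out http://imageshotz.com/?user=mateinone&image=DSC00245.JPG",
    "[10:03] mateinone: what is it?",
    "[10:05] bob: lol http://pics-of-you.example/?user=bob&image=dsc00245.jpg",
    "[10:06] alice: meeting notes http://intranet.example/notes?id=42",
]

if __name__ == "__main__":
    for n, url, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {url}")
```

The second rule deliberately ignores the host name, since the domains in this campaign changed constantly while the query shape stayed the same; that is the part worth alerting on in a chat gateway or proxy log.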
15 Comments
 
LVL 7

Expert Comment

by:Christopher Martinez
From what I've seen of this, it will go away on its own as long as you don't follow the link. Seems to be a phishing scheme looking for your MSN un/pw to 'log in' and view this pic someone sent ya that hit my company pretty hard for a few days then kinda died away. Usually this is from a contact's PC that compromised his/her security and is mass sending to all of their contacts. Do your contacts complain about receiving anything from you? Or is this coming from only one particular contact?
0
 
LVL 1

Author Comment

by:mateinone
Nah what is amazing (and I mean truly amazing) is that I clicked the link as it was from my sister and I had just logged on, did not even think.. I mean I have known about and seen these for years, just cannot believe I was dumb enough to click on it..

So.. yeah I am infected, I am not sure how it will just "go away" that is not really handy because if there is a key logger of any sort then I am compromised. I have infected about 5 friends in the last 12 hours, despite mailing them all to let them know not to go near this.
0
 
LVL 4

Expert Comment

by:TG_Tech
What application are you using for Anti-Virus?
0
 
LVL 4

Expert Comment

by:TG_Tech
For the time being ...

Take it off the network,

Reboot in safe mode

Run a scan - include your boot sector.

0
 
LVL 4

Expert Comment

by:TG_Tech
You have the name of the infection???
0
 
LVL 3

Accepted Solution

by:sherenian
sherenian earned 250 total points
Download the "MalwareBytes" program.  It is a free program which you can obtain from Download.Com.  Just a scan and then delete whatever it finds.  This should rid your PC of any malicious software infections.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
First change your MSN account login/password to rule out one of those fake MSN viruses that also send links to your contacts.
 
Then if the problem persists, run Combofix as alradu suggested. Run it in normal mode NOT safe mode unless the pc only boots in safe mode.


Here are shorter instructions if you don't want to install the recovery console.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 
LVL 1

Author Comment

by:mateinone
Okay here is the result from combofix


log.txt
0
 
LVL 1

Author Comment

by:mateinone
btw I use Norton's Anti Virus, for the question where that was asked. I have run Malwarebytes, it deleted two reg entries, but they were just related to security updates.
0
 
LVL 2

Expert Comment

by:iamshaked
combofix log looks clean. hmm
0
 
LVL 2

Expert Comment

by:ccampbell15
If Mbam & combo are both clean I'm not sure you have anything to worry about. Check the following file:

C:\Windows\System32\drivers\etc\hosts


Below is the one from one of my workstations. Look to see if there are any entries below
127.0.0.1       localhost
::1             localhost

If so delete them.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
0
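The hosts-file check described in the comment above, as an added Python example (not code from the page or from any of its participants): it parses the file, skips comments and the two stock localhost lines quoted above, and reports every other mapping, which is where malware typically sinks security-vendor or update hostnames to 127.0.0.1 or 0.0.0.0. The sample contents are constructed and the hijacked hostnames are placeholders; `DEFAULT_HOSTS_PATH` is the path given in the comment.

```python
"""Audit a Windows hosts file for mappings beyond the default localhost lines.

Added example. SAMPLE_HOSTS is constructed; the hijacked names are placeholders."""
import ipaddress

# The only two active lines in a stock Windows hosts file (as quoted above).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in hosts text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, not a mapping
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:  # one IP may map several names on a line
            entries.append((ip, name.lower(), n))
    return entries


def suspicious_entries(text):
    """Every mapping that is not one of the stock localhost entries."""
    return [(ip, name, n) for ip, name, n in parse_hosts(text)
            if (ip, name) not in DEFAULT_ENTRIES]


def audit_file(path=DEFAULT_HOSTS_PATH):
    """Read the live hosts file and return its non-default mappings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed sample: the stock header plus two placeholder hijack lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # constructed hijack line
0.0.0.0         www.av-vendor.example
"""

if __name__ == "__main__":
    for ip, name, n in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
```

Run `audit_file()` on the real machine to check the live file; anything it returns that you did not add yourself is worth removing, exactly as the comment suggests.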
 
LVL 47

Expert Comment

by:rpggamergirl
How's the pc going?
Is your MSN still sending links to your contacts?

Have you also changed your MSN password?

If the problem persists, also scan the system with Kaspersky and show us the log.
http://www.kaspersky.com/virusscanner
   
0
 
LVL 7

Expert Comment

by:Christopher Martinez
If you put your username/pw in then this scheme did what it was supposed to do and got your password. I'm pretty sure it does not infect your PC with anything, that's not its main purpose. They just want your credentials. Is your computer acting off or are you just receiving these IMs from your contacts with the domains you listed above?
0
 
LVL 1

Author Closing Comment

by:mateinone
Hi guys/girls
Sorry was off for a couple of days, the solutions here really helped and whilst it was a phishing scam, the computer is now far more secure thanks to the suggestions here, great work, thanks a million.
0
