Solved

MSN Virus/Trojan

Posted on 2009-05-11
15
920 Views
Last Modified: 2013-11-22
Okay, I have this nasty shit of a virus that I picked up yesterday. It appears to be some sort of key logger, I think, though it is impossible to find anything on it.

It sends your MSN contacts a link similar to the following.

http ://somedomain.com/?user=yourname&image=DSC00245.JPG

somedomain is something like imageshotz.com, snapshotz.com, imagecamz.com, etc.
The username is the MSN name of the receiving person, and the image is always DSC00245.JPG.

This is seriously a real pain, and if anyone has solved it I would be over the moon to hear from you, hence the full 500 points for this sucker if I can get it solved.
Question by:mateinone
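The link shape described in the question (a bare domain, a `user=` parameter carrying the recipient's own MSN name, and a camera-default file name like DSC00245.JPG in `image=`) is regular enough to detect before anyone clicks. The following is an added example, not something posted in this thread: it scores each URL found in IM text against those indicators and generalises slightly beyond the question (other camera-default prefixes such as IMG_ and P are accepted, and the domain list is only a starting point). The sample messages and the domain photozcam.example are constructed for the example; the three lure domains on the list are the ones the question names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Lure domains the question names. Constructed starting list for this example; extend from your own IM logs.
KNOWN_LURE_DOMAINS = {"imageshotz.com", "snapshotz.com", "imagecamz.com"}

# Camera-default file names (DSC00245.JPG in the question, plus the IMG_/P prefixes other cameras use)
# that make the link look like a real photo. Generalised beyond the single name in the question.
CAMERA_NAME = re.compile(r"^(?:DSC|IMG_?|P)\d{4,5}\.JPE?G$", re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def lure_reasons(url, recipient=None):
    """Return the list of lure indicators found in one URL (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_LURE_DOMAINS:
        reasons.append("known lure domain")
    image = qs.get("image", [""])[0]
    if CAMERA_NAME.match(image):
        reasons.append("camera-default image name passed as a query parameter")
    user = qs.get("user", [""])[0]
    if user:
        if recipient and user.lower() == recipient.lower():
            reasons.append("query 'user' is the recipient's own MSN name")
        else:
            reasons.append("query carries a 'user' name")
    return reasons


def is_lure(url, recipient=None):
    """A known lure domain is enough on its own; otherwise require two independent indicators,
    so an ordinary link that merely carries ?user= is not flagged."""
    reasons = lure_reasons(url, recipient)
    return "known lure domain" in reasons or len(reasons) >= 2


def scan_messages(messages, recipient=None):
    """messages: iterable of (sender, text). Returns [(sender, url, reasons)] for each suspect URL."""
    hits = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            if is_lure(url, recipient):
                hits.append((sender, url, lure_reasons(url, recipient)))
    return hits


# Constructed sample IM log for this example (the first line mirrors the link shape in the question;
# photozcam.example is a made-up domain standing in for a lure host not yet on the list).
SAMPLE_MESSAGES = [
    ("sister",  "lol look at this http://imageshotz.com/?user=mateinone&image=DSC00245.JPG"),
    ("friend2", "is this you? http://photozcam.example/?user=mateinone&image=DSC00245.JPG"),
    ("friend3", "notes are at http://intranet.example.com/wiki/page?user=mateinone"),
    ("friend4", "http://www.flickr.com/photos/friend4/DSC00245.JPG"),
]

if __name__ == "__main__":
    for sender, url, reasons in scan_messages(SAMPLE_MESSAGES, recipient="mateinone"):
        print(f"{sender}: {url}\n    " + "; ".join(reasons))
```

The second sample message is the point of the two-indicator rule: a lure that has moved to a fresh domain is still caught by the shape of its query string, while the intranet link that happens to carry `?user=` is left alone.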
15 Comments
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24359628
From what I've seen of this, it will go away on its own as long as you don't follow the link. It seems to be a phishing scheme looking for your MSN username/password to 'log in' and view this pic someone sent you; it hit my company pretty hard for a few days, then kinda died away. Usually this comes from a contact's PC whose security was compromised and is mass-sending to all of their contacts. Do your contacts complain about receiving anything from you? Or is this coming from only one particular contact?
0
 
LVL 1

Author Comment

by:mateinone
ID: 24359719
Nah, what is amazing (and I mean truly amazing) is that I clicked the link, as it was from my sister and I had just logged on; I did not even think... I mean, I have known about and seen these for years; I just cannot believe I was dumb enough to click on it...

So... yeah, I am infected. I am not sure how it will just "go away"; that is not really handy, because if there is a key logger of any sort then I am compromised. I have infected about 5 friends in the last 12 hours, despite mailing them all to let them know not to go near this.
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359730
What application are you using for anti-virus?
0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359737
For the time being ...

Take it off the network,

Reboot in safe mode

Run a scan - include your boot sector.

0
 
LVL 4

Expert Comment

by:TG_Tech
ID: 24359744
Do you have the name of the infection?
0
 
LVL 3

Accepted Solution

by:
sherenian earned 250 total points
ID: 24359788
Download the "MalwareBytes" program. It is a free program which you can obtain from Download.com. Just run a scan and then delete whatever it finds. This should rid your PC of any malicious software infections.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
ID: 24360393
First change your MSN account login/password to rule out one of those fake MSN viruses that also send links to your contacts.
 
Then, if the problem persists, run ComboFix as alradu suggested. Run it in normal mode, NOT safe mode, unless the PC only boots in safe mode.


Here are shorter instructions if you don't want to install the Recovery Console.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

(If it doesn't run re-download but rename before saving to your desktop)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 
LVL 1

Author Comment

by:mateinone
ID: 24360954
Okay here is the result from combofix


log.txt
0
 
LVL 1

Author Comment

by:mateinone
ID: 24361089
BTW, I use Norton AntiVirus, for the question where that was asked. I have run Malwarebytes; it deleted two reg entries, but they were just related to security updates.
0
 
LVL 2

Expert Comment

by:iamshaked
ID: 24361200
ComboFix log looks clean. Hmm.
0
 
LVL 2

Expert Comment

by:ccampbell15
ID: 24365161
If MBAM & ComboFix are both clean, I'm not sure you have anything to worry about. Check the following file:

C:\Windows\System32\drivers\etc\hosts


Below is the one from one of my workstations. Look to see if there are any entries other than
127.0.0.1       localhost
::1             localhost

If so, delete them.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
0
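Eyeballing the hosts file for anything beyond the two localhost lines works, but the entries that matter most are the ones that blackhole the AV/update vendors (so Norton or Malwarebytes can no longer update) or redirect the MSN/Live sign-in somewhere else, and those are easy to miss among comment lines. The following is an added example, not code from this thread: it parses hosts-file text, skips the two default mappings shown above, and grades every other entry. The watched-domain list and the sample file (the stock header plus planted lines) are constructed for the example; the default path is the one named in the comment above.

```python
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# The only two mappings a stock Windows hosts file carries (matching the file posted above).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains that malware typically blackholes (AV/update vendors) or redirects (the MSN/Live login).
# Assumed starting list for this example; extend with the vendors you actually use.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "live.com", "msn.com", "hotmail.com",
    "symantec.com", "norton.com", "malwarebytes.org", "kaspersky.com", "bleepingcomputer.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; '#' comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:            # one IP may be followed by several host names
            yield fields[0], name.lower(), line_no


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return findings as (severity, line_no, ip, hostname, why), skipping the two default lines."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("warn", line_no, ip, name, "first field is not an IP address"))
            continue
        if is_watched(name) and addr.is_loopback:
            findings.append(("high", line_no, ip, name, "security/update/login domain blackholed to loopback"))
        elif is_watched(name):
            findings.append(("high", line_no, ip, name, f"security/update/login domain redirected to {ip}"))
        elif addr.is_loopback:
            findings.append(("info", line_no, ip, name, "extra loopback mapping (ad blocking or blackhole)"))
        else:
            findings.append(("warn", line_no, ip, name, f"host pinned to {ip}, bypassing DNS"))
    return findings


def audit_hosts_file(path=HOSTS_PATH):
    """Audit the real file; Windows writes hosts as ANSI, so undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: the posted stock header plus three planted lines and one legitimate admin entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com         # planted: Norton cannot reach its update servers
127.0.0.1       liveupdate.symantec.com  # planted
192.0.2.10      login.live.com           # planted: MSN sign-in sent to an attacker's host
10.0.0.5        intranet.corp.local      # admin-added, still listed so it gets reviewed
"""

if __name__ == "__main__":
    for severity, line_no, ip, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity}] line {line_no}: {ip} {name}  - {why}")
```

Run it against the live file with `audit_hosts_file()` from an elevated prompt; an empty list means the file carries only the two default lines. Anything rated high is worth removing before re-running the scanners, since a blackholed vendor domain is exactly why "clean" results from an AV that cannot update are not reassuring.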
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24383252
How's the PC going?
Is your MSN still sending links to your contacts?

Have you also changed your MSN password?

If the problem persists, also scan the system with Kaspersky and show us the log.
http://www.kaspersky.com/virusscanner
   
0
 
LVL 7

Expert Comment

by:Christopher Martinez
ID: 24386602
If you put your username/password in, then this scheme did what it was supposed to do and got your password. I'm pretty sure it does not infect your PC with anything; that's not its main purpose. They just want your credentials. Is your computer acting off, or are you just receiving these IMs from your contacts with the domains you listed above?
0
 
LVL 1

Author Closing Comment

by:mateinone
ID: 31580346
Hi guys/girls,
Sorry, I was off for a couple of days. The solutions here really helped, and whilst it was a phishing scam, the computer is now far more secure thanks to the suggestions here. Great work, thanks a million.
0
