Getting MSN virus messages from a known sender
Comments
-
This has just happened to me also. Got a message from a friend saying to have a look at their pic so I clicked on it. Tried to open it and it didn't work. I then received another two of them and clicked on them again!!
Signed out of MSN and then logged back in and another friend messaged me to tell me that they could not open the file I sent them. I didn't send anything, so now it looks like I am sending this on.
I am currently running a virus scan but so far nothing has come up. What's next? Does doing what DK says get rid of this thing?
No, I don't know how to get rid of it but Alfonso is giving me instructions. Unfortunately I've been slow to reply however I've scanned like he said and hopefully he'll understand what to do...just waiting.
I've heard that it's hard to get rid of and very common. I hope the clever ****** that created it is pleased with himself!
D0 -
This has just happened to me also. Got a message from a friend saying to have a look at their pic so I clicked on it. Tried to open it and it didn't work. I then received another two of them and clicked on them again!!
Signed out of MSN and then logged back in and another friend messaged me to tell me that they could not open the file I sent them. I didn't send anything, so now it looks like I am sending this on.
I am currently running a virus scan but so far nothing has come up. What's next? Does doing what DK says get rid of this thing?
I am no expert but this is the advice I would give and have used with success for friends and family with the same problem.
1. Don't sign back into MSN at all until the problems have been sorted.
2. Download both Spybot Search and Destroy and also Ad-Aware. These can both be found on download.com; also, they are both free.
3. Turn off your Windows automatic updates for the period of time it takes to sort the problem, as some of the spyware you may have attaches itself to Windows updates; thus every time you reboot thinking you have cured the problem by running the above programs, it reinstalls the ones attached to the update program. (If I'm wrong here in my tech description then please, if anyone has more knowledge, I'm happy for you to point out any errors. As I said, I'm a novice but I know this worked for me.)
4. On reboot, start in safe mode by tapping F8 until the screen comes up giving you the choice to start in safe mode. Choose this option and run both Spybot Search and Destroy and also Ad-Aware full scans. It wouldn't do any harm to run any antivirus programs you have too, if you have the patience/time to wait. Remove any spyware/virus found by the above programs.
5. Reboot your PC as normal and hey presto (fingers crossed) your problems should be solved.
6. Switch back on your Windows updates.
7. Sign back into MSN, warn all your contacts of the ordeal you have just been through, and remember before accepting any file transfers just simply ask your contact "Did you just send me that file to open?" If the answer is no then they will have no idea what you are talking about, as they won't be able to see the file that you thought they had sent in the first place.
I hope this is of some use to you.
Like I said, if anyone wants to correct me on the terminology used or anything else I have advised, please feel free to do so, but remember I was only trying to help a fellow MSE in trouble!
0 -
DK,
There's nothing unusual in your log you'll be glad to know.
It may just be that one of your contacts has been infected and has yet to realise/remove the worm. You'll continue to get those messages until they've cleaned their own act up.
There's a tool you can run which should give you a little more peace of mind. The developer keeps it updated on a weekly basis with all new known variants seen in the anti-spyware forums.
Download, run and post the log file.
Download MsnCleaner_eng.zip and unzip it to your desktop.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
(Copy/Paste the URL into the address bar or use "Save Target As")
- Now reboot into Safe Mode
- Double-click MsnCleaner_eng.exe to run it.
- Click the Analyze button.
- A report will be created once the scan has finished.
- If it finds an infection, click the Deleted button.
- Now, please reboot back to normal mode.
- Please post the contents of C:\MsnCleaner.txt in your next reply.
0 -
Images are normally sent in .jpg .gif etc but not .zip
.zip files can be dangerous, don't accept them unless you are expecting it.
0 -
Alfonso, this is my log, can you check it for me please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:33 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\bt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [bt] C:\WINDOWS\system32\bt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O23 - Service: Print Spooler Service (b2zi5oyk49iamp) - Unknown owner - C:\WINDOWS\system32\u.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6093 bytes
Just started comping again, wish me luck!!!
:T :j :T :j :T0 -
My OH has been getting likewise from one of her friends on MSE. She isn't foolish enough to click the link sent, but it's worrying that our son could so easily click on it.
:A:dance:1+1+1=1:dance::A
"Marleyboy you are a legend!"
MarleyBoy "You are the Greatest"
Marleyboy You Are A Legend!
Marleyboy speaks sense
marleyboy (total legend)
Marleyboy - You are, indeed, a legend.0 -
I only have one contact who is on holiday and was sending pictures....it was hardly being "foolish" to click on the attachment.
My OH has been getting likewise from one of her friends on MSE. She isn't foolish enough to click the link sent, but it's worrying that our son could so easily click on it.
0 -
Alfonso_Skinarelli wrote: »
DK,
There's nothing unusual in your log you'll be glad to know.
It may just be that one of your contacts has been infected and has yet to realise/remove the worm. You'll continue to get those messages until they've cleaned their own act up.
There's a tool you can run which should give you a little more peace of mind. The developer keeps it updated on a weekly basis with all new known variants seen in the anti-spyware forums.
Download, run and post the log file.
Download MsnCleaner_eng.zip and unzip it to your desktop.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
(Copy/Paste the URL into the address bar or use "Save Target As")
- Now reboot into Safe Mode
- Double-click MsnCleaner_eng.exe to run it.
- Click the Analyze button.
- A report will be created once the scan has finished.
- If it finds an infection, click the Deleted button.
- Now, please reboot back to normal mode.
- Please post the contents of C:\MsnCleaner.txt in your next reply.
That is a relief. The sender has been watching this and run some anti-virus programmes and tells me that she has found a number of trojans (it's not her own computer and she is going to use another in the future).
This is the report;
- Logfile MSNCleaner 1.5.5 by https://www.forospyware.com
- Created Logfile: 26/01/2008 on 11:50:46
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________
Detected files: 1
Deleted file: 1
Undeleted Files: 0
C:\WINDOWS\nsreg.dat <--- Deleted
Host file Restored
I take it everything is OK.
Many thanks for your kind help.
D.0 -
I would say so DK. Keep an eye on it for a few days with regular scans and get back to me if you run into any difficulties.
shazamaca
You've been nobbled. Please repost the log in your own thread and I'll assist later this evening when I get home.0 -
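The reply above does not say which log entries prompted it. As an added example (not part of the thread and not HijackThis's own logic), the Python sketch below applies three common triage heuristics to HijackThis-format lines: services reported with "Unknown owner", browser add-ons with "(no file)", and autostart entries that launch an executable from system32 that is not in an analyst-supplied baseline. The `triage` function, its `baseline` parameter and the sample lines are assumptions made for illustration; hits are candidates for manual review, not verdicts.

```python
import re

# Entry shape: "<code> - <details>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
# An executable sitting directly in the system32 directory.
SYS32_EXE = re.compile(r'(?i)\\system32\\(?P<name>[^\\\s"]+\.exe)')

def triage(log_text, baseline=frozenset()):
    """Return [(code, reason, line)] for entries worth a manual look.

    baseline: lower-case system32 file names the analyst already trusts
    (an assumption of this example, not a HijackThis feature).
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        code, body = m.group("code"), m.group("body")
        if code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no readable vendor name", line))
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code, "add-on registered but file missing", line))
        if code in ("O4", "O23"):
            exe = SYS32_EXE.search(body)
            if exe and exe.group("name").lower() not in baseline:
                findings.append((code, "autostart from system32, not in baseline", line))
    return findings

# Constructed sample in HijackThis format (not taken from a real machine).
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [example] C:\WINDOWS\system32\example1.exe
O23 - Service: Example Service (examplesvc) - Unknown owner - C:\WINDOWS\system32\example2.exe
O23 - Service: Vendor Service (vendorsvc) - Example Vendor, Inc. - C:\Program Files\Vendor\svc.exe
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE, baseline={"ctfmon.exe"}):
        print(f"[{code}] {reason}\n    {line}")
```
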
Many thanks again Alfonso and good luck shazamaca!!
D.0
This discussion has been closed.