MSN Virus

Status
Not open for further replies.

piklemeup

I was being stupid on msn, I got a virus that said "are these your pics" then gave me a link. I opened it up and it was a virus of some kind, and it sends out links to other people. I ran all the programs that the stickied topic says, and now I'm here.
To be completely honest, I haven't finished everything yet. AVG didn't bring up any problems, and I doubt that the other ones will either, not to be pessimistic or anything.

I had to go into safe-mode to do my hijackthis scan, because it automatically closes it whenever I tried to open it.

My logs are attached. I have AVG anti-virus, so I accidentally missed the AVG antispyware step, so I don't have that log yet, but it'll come if you still need it after this.

I'll also get the panda scan up right away, after my next reboot. But for now, it's late, and I have to get some sleep.

Thanks for your help, I hope you can find the problem.
 
Hi,

I've removed your attachments as they were infected with the virus. I request that you post your logs as notepad .txt files for us to see. Also, I suspect your HijackThis.exe executable file is not renamed accordingly, which is why it does not work in normal mode. Please rename it appropriately and post a fresh scan log.

Regards,
momok
 
Sorry about that. I'm hoping this hjt log is clean.

Also, I renamed the HJT to crusty.exe, and it still shut it down. I also used an old version of hijackthis, and it still shut down that one too.
After doing all the scans, I've noticed a significant increase in speed of my computer since I got my initial virus/whatever it is.
 
I did the AVG Anti-Spyware Scan, and I tried to delete all of them, but only one (out of 114) could be removed.

The report is attached.
 
I also have this same problem. I have found that I cannot edit my registry, change start up configuration, change anything in the services option, nor start up any firewall or download any Windows update. It also blocks certain Symantec websites and the old msn pages w/ known bugs section which I can access fine on the laptop I am using now. Nor can I use anything dealing with the 'run' option in the start menu. Regedit and msconfig automatically close when I open them either directly from the system32 folder or if I used 'run'.

I was about to try a dos registry recovery tonight and tell you all how it goes, otherwise I believe this virus/worm has me beat. I've found different forums from a few years back with fixes for this, but all of those fixes no longer work since it seems this is a new strand of the myspace worm awhile back. Everything I send to my friends (.mp3's, jpg's, etc) is infected with the worm, I fixed it momentarily using spybot SD, it found a fake MSNv8 beta.exe file that it deleted, but that came right back a few minutes later when I rebooted. Safemode also seems to have no effect as whatever I shut off in safemode gets turned right back on when I start up in normal mode.

I'll post logs when I get my HD back from my brother... he took it to get it tested and may hopefully have some answers too.
 
This thread is for the use of piklemeup only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Please read This before deciding what to do.

If you decide to attempt to clean your system, please follow This exactly
 
zestro posted all the symptoms that I missed or forgot to say (it was late), but I have a couple to add. Some search terms (such as 'hijackthis') that I put into Google result in the virus closing Firefox, and if I go into any folder named 'hijackthis,' it also closes that.

I want to clean my system, because I only have school work and music on here.

I did all the steps yesterday, and repeated a couple of them today. I'm in safe mode with networking right now, and the virus isn't enabled, so I'll post some more fresh logs.

My avg antivirus scan is in the previous post, I haven't done anything since then, so I assume you can still use that, because it is still relevant.

*edit*
Panda anti-rootkit didn't find anything, I would post the results but they weren't copy paste-able.

*edit again*
Turns out that I can open up and scan with hijackthis again. I'm going to try out a few more symptoms, but I think the virus is gone. If somebody could still look over my logs and let me know if there is anything out of place, I'd really appreciate that.
 
Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

  1. Have HijackThis fix the following entries:

    F3 - REG:win.ini: load=C:\WINDOWS\Resources\Themes\qnpktby\winlogon.exe
    F3 - REG:win.ini: run=C:\WINDOWS\Resources\Themes\qnpktby\winlogon.exe
    ALL O1 entries
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - Startup: winlogon.lnk = ?

  2. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\Resources\Themes\qnpktby\winlogon.exe
    C:\WINDOWS\system32\Uharc.exe
    C:\WINDOWS\system32\reico.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
    Folder::
    C:\Documents and Settings\Adam Lay****\Application Data\gnupg
    C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    C:\WINDOWS\Resources\Themes\qnpktby
  3. Save this as CFScript on the desktop.
  4. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  5. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of piklemeup only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
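The entries in the fix list above share a few recognisable patterns: a `win.ini` load/run autostart, a file named like a core Windows process sitting outside System32, a BHO with no file behind it, and a startup shortcut whose target does not resolve. The sketch below is an added example, not part of the thread or of HijackThis or ComboFix; it flags those patterns in log lines. The function name `triage`, the list of process names, the assumption that Windows is installed in `C:\WINDOWS`, and the last two sample lines are constructed for illustration.

```python
import ntpath
import re

# Assumption: core processes that normally run from C:\WINDOWS\system32.
SYSTEM32_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                  "services.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Any drive-letter path ending in .exe (spaces in folder names allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

def triage(lines):
    """Return (line, reasons) for every log line that matches a pattern."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        # F3: program started through the legacy win.ini load=/run= values.
        if re.match(r"F3 - REG:win\.ini: (load|run)=\S", line, re.IGNORECASE):
            reasons.append("win.ini load/run autostart")
        # O2: Browser Helper Object still registered but its file is gone.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            reasons.append("BHO registered with no file")
        # O4: Startup-folder shortcut whose target could not be resolved.
        if re.match(r"O4 - (Global )?Startup: .* = \?$", line):
            reasons.append("startup shortcut with unresolved target")
        # System process name used by a file outside System32.
        for path in PATH_RE.findall(line):
            name = ntpath.basename(path).lower()
            folder = ntpath.normcase(ntpath.dirname(path))
            if name in SYSTEM32_NAMES and folder != SYSTEM32_DIR:
                reasons.append(f"{name} outside System32")
        if reasons:
            findings.append((line, reasons))
    return findings

SAMPLE_LOG = [
    # First three lines are taken from the fix list in the post above.
    r"F3 - REG:win.ini: load=C:\WINDOWS\Resources\Themes\qnpktby\winlogon.exe",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - Startup: winlogon.lnk = ?",
    # Constructed benign lines: they should not be flagged.
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", line)
```

A hit is a reason to look closer, not a verdict; the legitimate `winlogon.exe` in System32 passes while the copy under `Resources\Themes` is flagged twice.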
 
I'll do this as soon as I get home.

I have a flash drive that I plugged into my computer, and copied some files from my computer to the flash drive. If I plug this back into my computer, is there a chance that there is a virus hidden in some files on there that could bring back my virus after this is done? I know you said some text files I posted earlier had some viruses hidden in them, and I was wondering if the same thing could happen with files on a flash drive.
 
New logs posted.
Also, I have that question about my flash drive posted above, help with that would be nice too.

Thanks.
 
Hi,

It is highly possible that your flash drive was infected in the process from the moment you plugged it in the infected system. I would suggest a full scan (including the flash drive when it's plugged in) with AVG and set the default recommended actions to quarantine.

Your other logs look clean now. Post the resultant AVG log for me to take a look. Thanks.

Regards,
momok =)
 
Sorry it took so long to get back to you, I got busy with Christmas. I haven't had any problems since I finished everything, so I'm going to assume my system is more or less clean.
 