

"it alright if i upload this picture of us to facebook?"

  #1  
Old 12-10-2007
Newcomer, in training
 
Member since: Dec 2007, 3 posts

Virus

Help please. A friend from a recent trip to Southeast Asia sent me this MSN message:

'MSN name': it alright if i upload this picture of us to facebook?
'MSN name': album1of42 (.zip)

Like the fool I am, I accepted it, even opened it with Winzip, and extracted it to my received files. Then, when I double-clicked the 71kb executable file, it 'disappeared' from the folder. Subsequent searches don't help me find it.

Sounds to me like a nightmare. I haven't turned my computer off yet, but I'm nervous to do anything, as it's my office computer, and so I'm asking for help.

Worse, the same friend logged back into MSN and I got the same message with a different named zip file -- this one is "album7q93.zip"

Any help you can provide would be great.

Thanks,


J
  #2  
Old 12-10-2007
evilfantasy's Avatar
Banned
 
Location: Tulsa, OK
Member since: Sep 2007, 428 posts
You will need to do the steps in this post [url]http://www.techspot.com/vb/topic58138.html[/url]

Also tell your friend they are hijacked and need to do some cleaning.

This MSN virus is a new virus which spreads via MSN Messenger. Once a computer is infected, it will send copies of itself to every online contact on the infected user's contact list.

I wouldn't think you should have to worry about rebooting the computer. The bot can't do its job if it is disabled.
  #3  
Old 12-11-2007
Newcomer, in training
 
Member since: Dec 2007, 3 posts
logs

Hi -- attached please find the 3 requested logs.

After booting up, I got a message that msnmsgr.exe failed to properly load. I haven't opened it up, pending what you recommend.

Thanks for your help in advance,

J
Attached Files
File Type: txt Report-Scan-20071211-113006.txt (506 Bytes, 5 views)
File Type: log hijackthis.log (8.6 KB, 6 views)
File Type: txt ComboFix.txt (9.0 KB, 7 views)
  #4  
Old 12-11-2007
evilfantasy's Avatar
Banned
 
Location: Tulsa, OK
Member since: Sep 2007, 428 posts
It is likely that you will have to reinstall MSN Messenger after we are done.

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Quote:
File::
C:\WINDOWS\system32\fukvdoxrwgwl.exe
C:\WINDOWS\system32\estmmsmejuad.exe

Folder::
C:\VundoFix Backups
* Save this as [b]CFScript[/b] on the desktop.
* Then drag the [b]CFScript[/b] (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. [b]Important:[/b] Perform this instruction carefully!

* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: [color=red][b]Do not mouseclick combofix's window while it is running. That may cause your system to hang[/b][/color]

----------

Install ATF Cleaner by Atribune. [url=http://www.atribune.org/ccount/click.php?id=1] [b]ATF Cleaner.exe[/b][/url] (don't use it yet)

----------

[b]Enable Viewing Of Hidden System Files & Folders[/b]

1. Right Click [b]Start.[/b]
2. Select [b]Control Panel.[/b]
3. Select the [b]Tools[/b] menu and click [b]Folder Options.[/b]
4. Select the [b]View Tab.[/b]
5. Under the Hidden files and folders heading select [b]Show hidden files and folders.[/b]
6. [b]Uncheck[/b] the Hide extensions for known file types option.
7. [b]Uncheck[/b] the Hide protected operating system files (recommended) option.
8. Click [b]Apply.[/b]
9. Click [b]OK.[/b]

----------

Go to [B]Start > Run[/B] and type in [B]Services.msc[/B] then click [B]OK[/B]
Click the [B]Extended[/B] tab.
Scroll down until you find the service.

[b][color=blue]Print Spooler Service (ciau0y9ebo2i)[/color][/b]

Click once on the service to highlight it.
Click [B]Stop[/B] (to the upper left)

Right-Click on the service.
Click on[B] 'Properties'[/B]
Select the [B]'General'[/B] tab
Click the Arrow-down tab on the right-hand side on the [B]'Start-up Type'[/B] box
From the drop-down menu, click on [B]'Disabled'[/B]
Click the [B]'Apply'[/B] tab, then click [B]'OK'[/B]
The service is now stopped and disabled.

----------

Press the [b]ctrl+alt+delete[/b] keys (all at the same time) to bring up Task Manager. Click the Processes tab and find the below entry. Right Click on it and choose End Process.

[b]estmmsmejuad.exe[/b]

----------

Open HijackThis and select [b]Do a system scan only[/b] and place a check mark next to:

[b]O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O4 - HKLM\..\RunServices: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O23 - Service: Print Spooler Service (ciau0y9ebo2i) - Unknown owner - C:\WINDOWS\system32\estmmsmejuad.exe[/b]

----------

Double click My Computer on the desktop to locate and delete the following files/folders. (in bold)

C:\WINDOWS\system32\[b]estmmsmejuad.exe[/b]

----------

Run ATF Cleaner

Make sure that [color=maroon][b]all[/b][/color] browser windows are closed.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: [b]Select All[/b] and [b][color=maroon]UNCHECK[/color][/b] Cookies.
* Click the [b]Empty Selected[/b] button.

[u]If you use [b]Firefox[/b] browser[/u]
* Click Firefox at the top and choose: [b]Select All[/b] and [b][color=maroon]UNCHECK[/color][/b] Cookies.
* Click the [b]Empty[/b] Selected button.
[b]NOTE:[/b] If you would like to keep your saved passwords, please click [b]No[/b] at the prompt.

[u]If you use [b]Opera[/b] browser[/u]
* Click [b]Opera[/b] at the top and choose: [b]Select All[/b] and [b][color=maroon]UNCHECK[/color][/b] Cookies.
* Click the [b]Empty Selected[/b] button.
[b]NOTE:[/b] If you would like to keep your saved passwords, please click [b]No[/b] at the prompt.

Click [b]Exit[/b] on the Main ATF Cleaner menu to close the program.

----------


Please download the trial version of [url=http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg] [b] SpySweeper[/b][/url] (2 week trial) You can uninstall this when we are done.

* Run the installer, choosing to only install SpySweeper.
* It will prompt you to update to the latest definitions, choose [b]Yes (recommended)[/b] and click [b]Next[/b]
* Once the definitions are installed, click [b]I accept the agreement[/b] and then [b]Next[/b]
* Choose [b]Typical Installation[/b] then click [b]Next[/b]
* Enter your email address then click [b]Next[/b]
[color=red][b]Important[/b][/color] [color=navy][b]Uncheck[/b][/color] the box [b]Install the Webroot Ask toolbar Search Assistant, I agree to the terms above[/b] before clicking [b]Next[/b]
* Click [b]Install[/b].
* Choose [b]Yes, restart my computer now (recommended)[/b] then click [b]Finish[/b] (the computer will restart)

* Once restarted open SpySweeper.
* Click the [b]Options[/b] tab. (lower left)
* Under [b]Options[/b] > [b]Sweep Tab[/b] > [b]Sweep Type[/b] choose [b]Full Sweep (Recommended)[/b]
* Click the [b]Always Apply[/b] tab and use the dropdown menu to select [b]Always Quarantine[/b]
* Click the [b]Home[/b] tab and choose [b]Start Full sweep[/b]

* When it's done scanning, make sure [i]everything[/i] has a check next to it, then click the [b]Quarantine Selected[/b] button.
* It will quarantine all of the items found.
* Click [b]View Session Log[/b] in the upper right corner.
* Click the [b]Save To File[/b] button.
* Click [b]Desktop[/b] for the location.
* Next to the [b]Save as type:[/b] be sure it is set to [b]Text Document (.txt)[/b] and then click [b]Save[/b]
* [b]Attach[/b] the SpySweeper Session Log in your next reply.

Also post a new Hijack This log.

----------

[b]Next post please attach[/b]
[b][COLOR="Indigo"]combofix.txt log
SpySweeper Session Log
New HijackThis log[/COLOR][/b]
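The two signals the helper is acting on in the HijackThis entries above are a service whose display name borrows a legitimate Windows name ("Print Spooler Service") while its image is an unrelated executable, and one binary registered under several autostart points at once (Run, RunServices and a service). The following added example, which is not part of the thread or of HijackThis, parses the O4/O23 lines quoted in the post and applies those two checks; the genuine spooler line is a constructed control, and the KNOWN_SERVICES map covers only the one service this thread involves.

```python
import re
from collections import defaultdict

# Constructed sample: the O4/O8/O23 lines quoted in the post above, plus one
# benign O23 line for the real spooler service, added here as a control.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [estmmsmejuad] C:\\WINDOWS\\system32\\estmmsmejuad.exe
O4 - HKLM\\..\\RunServices: [estmmsmejuad] C:\\WINDOWS\\system32\\estmmsmejuad.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\\Program Files\\Webshots\\WSToolbar4IE.dll/MENUSEARCH.HTM
O23 - Service: Print Spooler Service (ciau0y9ebo2i) - Unknown owner - C:\\WINDOWS\\system32\\estmmsmejuad.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\\WINDOWS\\system32\\spoolsv.exe
"""

# Display-name fragment -> binary the genuine Windows service runs from.
# Only the service relevant to this thread is listed; extend as needed.
KNOWN_SERVICES = {"print spooler": "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")


def basename(path):
    """Lower-cased file name of an image path, quotes and slashes normalised."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log):
    """Return human-readable findings for the two checks described above."""
    findings = []
    by_binary = defaultdict(set)          # image name -> autostart locations
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            by_binary[basename(m["path"])].add(f'{m["hive"]}\\..\\{m["key"]}')
            continue
        m = O23_RE.match(line)
        if not m:
            continue                      # O8/O9 etc. are not autostart points here
        image = basename(m["path"])
        by_binary[image].add(f'Service {m["short"]}')
        # Check 1: display name borrows a known service name but runs another binary.
        for fragment, genuine in KNOWN_SERVICES.items():
            if fragment in m["display"].lower() and image != genuine:
                findings.append(f'service "{m["display"]}" ({m["short"]}) claims to be '
                                f'{fragment} but runs {image}, expected {genuine}')
    # Check 2: one binary registered under more than one autostart location.
    for image, places in by_binary.items():
        if len(places) > 1:
            findings.append(f'{image} is registered in {len(places)} autostart locations: '
                            + ", ".join(sorted(places)))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the impersonating service and the three-way registration of estmmsmejuad.exe, and says nothing about spoolsv.exe.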
  #5  
Old 12-26-2007
Newcomer, in training
 
Member since: Dec 2007, 3 posts
Merry Xmas etc

Hi. I've attached the 3 logs you've requested.

I left the Webshots stuff intact as it's my screensaver and pics from around the world, so it'll show up in the HijackThis log.

Let me know if I'm otherwise good -- I get the impression I'm all clean now.

Thanks.


J
Attached Files
File Type: txt CombofixDec27.txt (8.2 KB, 0 views)
File Type: txt Spy Sweeper Session Log.txt (7.5 KB, 0 views)
File Type: txt hijackthisdec26.txt (10.0 KB, 1 views)