"it alright if i upload this picture of us to facebook?"

By intrigue77 ยท 4 replies
Dec 10, 2007
  1. Virus :(

    Help please. A friend from a recent trip to Southeast Asia sent me this MSN message:

    'MSN name': it alright if i upload this picture of us to facebook?
    'MSN name': album1of42 (.zip)

    Like the fool I am, I accepted it, even opened it with Winzip, and extracted it to my received files. Then, when I double-clicked the 71kb executable file, it 'disappeared' from the folder. Subsequent searches don't help me find it.

    Sounds to me like a nightmare. I haven't turned my computer off yet, but I'm nervous to do anything, as it's my office computer and so I'm asking for help>

    Worse, the same friend logged back into MSN and I got the same message with a different named zip file -- this one is "album7q93.zip"

    any help you can provide would be great.


  2. evilfantasy

    evilfantasy Banned Posts: 428

    You will need to do the steps in this post https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

    Also tell your friend they are hijacked and need to do some cleaning.

    This MSN virus is a new virus which spreads via MSN Messenger. Once a computer is infected it will send copies of itself to every online contact on the infected users contact list.

    I wouldn't think you should have to worry about rebooting the computer. The Bot can't do it's job if it is disabled.
  3. intrigue77

    intrigue77 TS Rookie Topic Starter


    Hi -- attached please find the 3 requested logs.

    After booting up, I got a message that msnmsgr.exe failed to properly load. I haven't opened it up, pending what you recommend.

    Thanks for your help in advance,


    Attached Files:

  4. evilfantasy

    evilfantasy Banned Posts: 428

    It is likely that you will have to reinstall MSN Messenger after we are done.

    Delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang


    Install ATF Cleaner by Atribune. ATF Cleaner.exe (don't use it yet)


    Enable Viewing Of Hidden System Files & Folders

    1. Right Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.


    Go to Start > Run and type in Services.msc then click OK
    Click the Extended tab.
    Scroll down until you find the service.

    Print Spooler Service (ciau0y9ebo2i)

    Click once on the service to highlight it.
    Click Stop (to the upper left)

    Right-Click on the service.
    Click on 'Properties'
    Select the 'General' tab
    Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
    From the drop-down menu, click on 'Disabled'
    Click the 'Apply' tab, then click 'OK'
    The service is now stopped and disabled.


    Press the ctrl+alt+delete keys (all at the same time) to bring up Task Manager. Click the Processes tab and find the below entry. Right Click on it and choose End Process.



    Open HijackThis and select Do a system scan only and place a check mark next to:

    O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
    O4 - HKLM\..\Run: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
    O4 - HKLM\..\RunServices: [estmmsmejuad] C:\WINDOWS\system32\estmmsmejuad.exe
    O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
    O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
    O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
    O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
    O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
    O23 - Service: Print Spooler Service (ciau0y9ebo2i) - Unknown owner - C:\WINDOWS\system32\estmmsmejuad.exe


    Double click My Computer on the desktop to locate and delete the following files/folders. (in bold)



    Run ATF Cleaner

    Make sure that all browser windows are closed.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.

    If you use Firefox browser
    * Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    * Click Opera at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.


    Please download the trial version of SpySweeper (2 week trial) You can uninstall this when we are done.

    * Run the installer. Choosing to only install SpySweeper
    * It will prompt you to update to the latest definitions, choose Yes (recommended) and click Next
    * Once the definitions are installed, click I accept the agreement and then Next
    * Choose Typical Installation then click Next
    * Enter your email address then click Next
    Important Uncheck the box Install the Webroot Ask toolbar Search Assistant, I agree to the terms above before clicking Next
    * Click Install.
    * Choose Yes, restart my computer now (recommended) then click Finish (the computer will restart)

    * Once restarted open SpySweeper.
    * Click the Options tab. (lower left)
    * Under Options > Sweep Tab > Sweep Type choose Full Sweep (Recommended)
    * Click the Always Apply tab and use the dropdown menu to select Always Quarantine
    * Click the Home tab and choose Start Full sweep

    * When it's done scanning, Make sure everything has a check next to it, then click the Quarantine Selected button.
    * It will quarantine all of the items found.
    * Click View Session Log in the upper right corner.
    * Click the Save To File button.
    * Click Desktop for the location.
    * Next to the Save as type: be sure it is set to Text Document (.txt) and then click Save
    * Attach the SpySweeper Session Log in your next reply.

    Also post a new Hijack This log.


    Next post please attach
    combofix.txt log
    SpySweeper Session Log
    New HijackThis log
  5. intrigue77

    intrigue77 TS Rookie Topic Starter

    Merry Xmas etc

    Hi. I've attached the 3 logs you've requested.

    I left the Webshots stuff intact as it's my screensaver and pics from around the world, so it'll show up in the HijackThis log.

    Let me know if I'm otherwise good -- I get the impression I'm all clean now.


Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...