MSN Messenger Virus, Please Read

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BuBisBack, Mar 20, 2008.

  1. BuBisBack

    BuBisBack Private E-2

    I have recently contracted an annoying, yet seemingly harmless virus via MSN Messenger. It would appear to be self-replicating. While the startup program msn.com is running in my task manager, and MSN Messenger is opened, this virus hijacks my control of MSN Messenger, sending a link to the same virus to every member of my contact list. I have discovered that using Windows Task Manager to end the process msn.com temporarily solves the problem. Now I would like to completely remove this virus from my system, as well as any other viruses that you here at MajorGeeks may detect on my startup programs log.

    First off, I have run CCleaner, Wise Registry Cleaner, Spybot - Search & Destroy, SUPERAntiSpyware Free Edition, ATF-Cleaner.exe, cf.exe, and IObit SmartDefrag as recommended in the tutorial. They were all very helpful. My system appears to have hastened since running these programs as directed.

    Now, I have also run HijackThis after renaming it to analys.exe. I have a log file for y'all to read. As you read, please keep in mind what I said about the msn.com startup program.

    Thank you for the wonderfully helpful website! I hope you are able to let me know what to do! I would like only the bare minimum startup programs activated.

    PS - I also have a program on my Add/Remove List called "Weather Services". I have read here that it may be connected to a virus. I am unable to uninstall it. I click to remove, and nothing occurs. Any help with this issue would be appreciated!

  2. Lev

    Lev MajorGeek

    You will need to work through this link step-by-step exactly as the instructions tell you and then post up the requested logs as indicated. Then an Authorized Malware Fighter will be able to assist you.



    Read & RUN ME FIRST Before Asking for Support
     
  3. BuBisBack

    BuBisBack Private E-2

    Ok, sorry about posting the wrong log! I think these are the correct ones. :D

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see step 1 of the READ ME and put your system into Normal Startup mode with MSconfig and remain in normal startup mode. You have malware trapped in there and we cannot properly clean your PC. Please make sure you follow all instructions from now on. MSconfig must not be used to control startups like you are doing. See the links in the READ ME.


    Uninstall the below as requested in step 1 of the READ ME:
    Viewpoint Media Player

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: (no name) - {66793ED2-8668-A7C7-1F47-DC2FF3E7AC96} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\DOBE~1\smss.exe" -vt ndrv
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. BuBisBack

    BuBisBack Private E-2

    I really appreciate the patience and assistance you have offered. Here are the two log files requested.

    MSN Messenger appears to be in good shape now. It hasn't spammed anyone that virus link! The program msn.com is also now gone from the Windows Task Manager process list. Everything seems to be working great!

    I have one other thing to ask you if that is all right. You may not be the correct person to ask, but I am not sure. I have two programs on my add/remove program list that I cannot remove. One is called Weather Services, which I noticed is on the list for removal at this website. I click to remove it, but nothing happens at all; the computer just sits there. When I try to remove the other, which is called Heroes of Might and Magic III, it says: Unable to locate the installation log file 'C:\Program Files\3DO\Heroes3\Uninst.isu'. Uninstallation will not continue.

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using this: Your Uninstaller! 2008

    Answer a question: Do you use MusicMatch Jukebox? It is not malware, I'm just wondering and it is a waste of resources to have it always loading at startup.

    Your logs still show some of the items we were trying to fix. This may be due to the fact I mentioned in my last instructions about MSconfig being used, but also sometimes your protection software (like Symantec) can get in the way of removal of malware. Uninstall SUPERAntispyware now and then shutdown as much of Symantec as you can and then do the below.

    Does this file exist? C:\WINDOWS\system32\XDva042.sys



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Windows live Messenger] msn.com
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Jgzmofun] C:\WINDOWS\system32\w?nspool.exe

    After clicking Fix, exit HJT.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:

    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:


    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
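    A small triage script, added here as an example and not code from the thread or from MajorGeeks, that applies the checks chaslang is making by eye in posts 4 and 6 to the HijackThis lines quoted there: BHOs with no backing file, emptied IE start/local pages, Run entries that are a bare name, contain an odd character, or launch a system-named binary from outside System32, and a Winlogon Notify entry pointing at a directory. The sample lines are copied from the posts above; the list of System32-only binaries is an assumption of the example.

```python
import re
# Sample input: HijackThis lines copied from posts 4 and 6 of this thread.
HJT_LINES = [
    'R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =',
    'O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)',
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"',
    'O4 - HKCU\\..\\Run: [Sen] "C:\\PROGRA~1\\COMMON~1\\DOBE~1\\smss.exe" -vt ndrv',
    'O4 - HKLM\\..\\Run: [Windows live Messenger] msn.com',
    'O4 - HKCU\\..\\Run: [Jgzmofun] C:\\WINDOWS\\system32\\w?nspool.exe',
    'O20 - Winlogon Notify: st3 - C:\\WINDOWS\\',
]

# Assumption of this example: names of core Windows binaries that belong only in
# System32, so a copy started from anywhere else is worth a second look.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def run_target(cmd):
    """Executable path from an O4 command line: the quoted path, else the first token."""
    m = re.match(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]

def flags_for(line):
    """Reasons this HJT line deserves review; an empty list means nothing was noticed."""
    reasons = []
    if line.startswith("O2 ") and line.endswith("(no file)"):
        reasons.append("BHO registered with no backing file")
    if line.startswith("R0 ") and line.rstrip().endswith("="):
        reasons.append("emptied IE start/local page (hijack residue)")
    m = RUN_RE.match(line)
    if m:
        target = run_target(m.group("cmd"))
        exe = target.rsplit("\\", 1)[-1].lower()
        if "\\" not in target:
            reasons.append("Run entry is a bare name with no path: " + target)
        if "?" in target:
            reasons.append("'?' in Run target (HJT prints it for unusual characters): " + target)
        if exe in SYSTEM_ONLY and "\\system32\\" not in target.lower():
            reasons.append(exe + " launched from outside System32")
    if line.startswith("O20 ") and line.rstrip().endswith("\\"):
        reasons.append("Winlogon Notify points at a directory, not a DLL")
    return reasons

def triage(lines):  # map each flagged line to its reasons
    return {l: flags_for(l) for l in lines if flags_for(l)}

if __name__ == "__main__":
    for hjt_line, reasons in triage(HJT_LINES).items():
        print(hjt_line, "->", "; ".join(reasons))
```

The fully pathed jusched.exe entry raises no flag: chaslang removes it as an unneeded startup, not as malware, which is exactly the kind of judgement a script cannot make.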
  7. BuBisBack

    BuBisBack Private E-2

    Your Uninstaller! 2008 succeeded in removing both programs from my computer. Thanks again!

    To answer your question, I do not use MusicMatch Jukebox. Should I use msconfig to disable it at startup, or is there another way to do that?

    I did not locate that file. C:\WINDOWS\system32\XDva042.sys

    I uninstalled SUPERAntispyware. I also disabled both Norton Internet Security and Norton AntiVirus Auto-Protect before running the programs you asked of me.

    I have attached the two log files requested. :)

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean now! How are things working?

    Always see if there is an entry in Add/Remove programs to uninstall first. I see it there, so uninstall Musicmatch® Jukebox.