Is this a virus? Possibly related to msninst.exe virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SilverCapo, Dec 8, 2006.

  1. SilverCapo

    SilverCapo Private E-2

    A very strange thing happened recently and it's bugging me no end...

    Firstly, this icon named just "MSN" appears on my Start Menu - icon picture looks legit (though of course not exactly hard to fake...). My Start Menu is so big that I'm not sure if it has been there for a long time, or really did just appear from somewhere.

    I clicked it accidentally when I meant to view its properties - and then I saw a file copying window open, after which the MSN icon disappeared from the Start Menu, and reappeared as a shortcut on the desktop. A wizard opened looking very genuinely like the Windows MSN thing - asking me to enter the country or region. The only weird thing was that the countries list seemed shorter than the windows standard list (although still possibly legit).

    Being suspicious, I closed it, and to my surprise it did close - so I decided to open it again (via the desktop shortcut) and enter a country. After clicking next, it copied more files, and went to the next page to ask me to either sign in using my MSN account, or register for a new one - again looking very genuine.

    At this point, I became too suspicious (of the very unelegant copying and the country list), so again I closed it.

    I checked the desktop shortcut, and it's installed at c:\program files\msn\msninst.exe. However, there were other DLLs and files there, and the file size seemed bigger than what I'd read about the msninst.exe virus.

    So I went to Add/Remove Programs, and saw an MSN item there, and just uninstalled it. The desktop icon was removed, a load of files were removed from c:\program files\msn (although some remain like the folders MSNCoreFiles and MSNIA)

    So the question now is - was it a virus?? I'm very careful about opening any exe's, I have a physical and a software firewall, and monitor my processes regularly, plus have run a number of scanners (since the uninstall) and nothing shows up.

    It seems like either a very elaborate scam where someone put a lot of effort in pretending to be windows MSN, or else somehow it's a very old but genuine microsoft installer that I just somehow activated....?
     
    SilverCapo, Dec 8, 2006
    #1
  2. SilverCapo

    SilverCapo Private E-2

    Oh and also just noticed... in my Network Connections, found a new item under Connection Manager called "MSN"! Definitely not seen this one before
     
    SilverCapo, Dec 8, 2006
    #2
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    From your description of the symptoms, it sounds like it may well have been a virus or as you suggested a fake scam to gain email addresses or personal data from you, either way you did the right thing is uninstalling the application,

    Or it could have well been the original MSN Explorer setup installer from XP, which was added like a few other ISP options to XP by default, MSN Explorer is a grapically heavy version of IE.

    But to make very sure you have no malware on your PC, if you want too, ten follwo the below and attach the requested logs and one of our malware gurus will tell you if you have any malware on your PC, if you do they will post some further manual removal instructions.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
    DavidGP, Dec 9, 2006
    #3

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds