links4all.biz/MSN virus

Hi and welcome back to Majorgeeks!

If your running Windows Messenger 4.6, I would suggest you disable/remove it using this Disable/Remove Windows Messenger then download the latest version HERE or Live Messenger 8.1b once the PC is given a malware free all clear, BUT do not install Messenger Plus! if it is on the PC use Add/Remove to uninstall it.




Then please follow our standard cleaning procedures which are necessary for us to provide you support, these will help start the clean up process for any malware that will/could be on the PC, Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

You have to follow the directions on the download pages for both GetRunKey and ShowNew exactly. You are running the .bat files from inside the ZIP file which will not work. You MUST EXTRACT all the files from the ZIP file and then you must open a Windows Explorer session (right click Start and select Explore) and navigate to the folder where you extracted the files to. And then you must double click on the GetRunKey.bat file and then the ShowNew.bat file to run them and get a proper log. After doing this, attach new logs from both of them.

You should uninstall Messenger Plus! which is the cause for tens of thousands of PCs being infected! We even stated this should be uninstalled in step 0 of the READ & RUN ME. CounterSpy warned you too!!

You also need to go back and run CounterSpy again and allow it to fix the problems it finds. You told it to ignore everything. There is no sense in scanning unless you fix the problems. Attach a new log from it after doing this.

 

By the way, you also need to run the below procedure and attach the requested log:

WareOut Removal

 

Your CounterSpy log had showed it and you had ignored it. That was the reason for my comment. As to whether it is uninstall or not, I cannot tell until I get the proper logs from ShowNew and GetRunKey.

 

Start by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] newdll2.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1995D4B0-D220-4175-8057-66CF935FCFA1}: NameServer = 85.255.113.133,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\..\{1995D4B0-D220-4175-8057-66CF935FCFA1}: NameServer = 85.255.113.133,85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\..\{1995D4B0-D220-4175-8057-66CF935FCFA1}: NameServer = 85.255.113.133,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.133 85.255.112.143
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\adiras.exe
C:\WINDOWS\SYSTEM32\KDYTO.EXE
C:\WINDOWS\SYSTEM32\newdll2.exe
C:\WINDOWS\SYSTEM32\poker3.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.
After reboot locate the below folder and delete if found:
C:\Program Files\Common Files\{30D52D63-0BB0-1033-0919-03082203002c}
C:\Program Files\Common Files\{70D52D63-0BB0-1033-0919-03082203002c}

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

You must not block registry access when this fix is being run. So make sure that you allow the change if CounterSpy pops up! Download the fixme.reg patch again. I made a change to it. The try it one more time. If it still does not work, just continue on with all the other steps.

 

Apparently the registry patch worked anyway!

You should not uninstall CounterSpy since it is only a trial version and this should help speed up your startup a little too.

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome.

Yes it is gone.

See step 9 of the How to protect thread.

 

Good but actually the other steps should really be run first. You don't really want to start on the How to without having cleaned up all the remnants, or more importantly, before doing the toggle of System Restore.

 

Even better!

 

If it was already disabled then you need to Enable it (that means uncheck it). Then if you recheck it after a reboot it should still be unchecked. If this does not happen, something may have broken the System Restore service and it may need to be fixed.

 

Be careful how you word things! I assume what you mean is that the check box to Turn off System Restore on all drives is unchecked which is good.

• Download but don't install the current version of Antivir here: AntiVir Personal Edition 7 ( I want to make sure you have the current version )
• Disconnect your PC from the internet by unplugging the cable.
• Uninstall AntiVir!
• Reboot and the delete the folder for it in C:\Program Files
• Reconnect your cable to the internet and immediately install AntiVir from the file just downloaded.
• See if it can get the updates!

Let me know what happens.

They may not be inserting the Google Toolbar/Desktop by default anymore. (Note: We now have Sun Java at MGs too. It is in the file folder named Browsers on the main page.) Does the new version appear in Add/Remove programs? Did you uninstall all old versions?

Possibly due to the settings change. You could test that theory by making a temp change back to higher account privies and then change it back just to see what happens.

 

Yes the not should have been now.

Yes you should delete the MessengerPlus!3 folder.

So is everything okay now?

 

You're welcome. Surf safely and enjoy your Christmas and New Year malware free!