Gore, posted April 14, 2005:
Hi, a couple of hours ago I received an instant message from a friend saying this: "It's You! h*tp://hydr0.net/pictures.php?email=g0reobsessed*hotmail.com" (if this is made a link please DO NOT CLICK). Since it was a trusted contact I clicked on it, and a file popped up really fast... then I see all my MSN contacts popping up and being sent that same message and link with their respective email addresses and the same message... As soon as that happened I knew it was a virus and I logged out from MSN and started scanning with Norton 2005. Unfortunately Norton did not find anything, and ever since that happened I have no contacts on MSN; all of them are gone. My connection keeps dropping and my computer is slow as hell. If anyone can help before I reinstall XP please do ASAP... and for all those that see this message please be advised and DON'T CLICK ON IT. Thanks in advance.

Semantic, posted April 14, 2005:
That looks more like an exploit or keylogger/password stealer, very common in instant messengers, but b4 u do anything crazy try Spybot scans, try http://housecall.trendmicro.com/ and scan for security threats as well!

Gore, posted April 14, 2005:
Thanks, will do.

paladin, posted April 16, 2005:
Gore: That little deal that happened to you is the very reason I don't do the IM thing. Hope you get fixed up soon.

knightshade43, posted April 16, 2005:
trendmicro.com's Housecall has helped me a couple of times. I use Norton also and yup, it misses things all the time, and Trend Micro saves the day. Another good program for finding spyware and spybots is Ad-aware6 from Lavasoft, which can be found at www.lavasoft.com. Spybot also works well, but use it with care because I have seen a couple of people remove the wrong things and that can open another can of worms, but Spybot does kick ass.

knightshade43, posted April 16, 2005:
If you must use

php, posted April 16, 2005:
If you must use IM software try Trillian. I have used it for about a year now with no problems and it will log on to MSN, Yahoo, AIM, ICQ, and even IRC chat rooms. All in all it is a small, compact piece of software without the headaches. You can check it out for yourself at http://www.ceruleanstudios.com/
I also use Trillian, I have had no problems with it...

Gore, posted April 16, 2005:
Thanks guys, I tried Trillian and it's nice. I also tried all those programs and none removed anything... it's really getting me frustrated.

peepnklown, posted April 16, 2005:
Did you happen to run them in safe mode? I used to like Trillian until all the problems with file transfers and AIM.

knightshade43, posted April 16, 2005:
Another thought: you said you are using XP, do you have System Restore turned on? I have seen more than one virus hide in the System Restore, and when you reboot it just inserts itself right back again. You could turn it off; you will lose your restore points but that's better than a reload. And yup, I would also try running in safe mode like peepnklown said.

Gore, posted April 16, 2005:
I tried in safe mode also, but nothing.

knightshade43, posted April 16, 2005:
You never did say if your System Restore was on, if it is. Just a thought.

Azag, posted April 16, 2005:
1st off, if u know what the name of the file is that was downloaded to ur computer, please post any info u have. As u may not, next download a trial version of Kaspersky Anti-Virus Personal Pro from http://www.kaspersky.com or my site for free if u want; it has been multi-AV scanned and is clean, I personally guarantee it. But if u want to use a Multi-Antivirus scan for FREE online I suggest http://virusscan.jotti.org/ or http://www.virustotal.com/flash/index_en.html; both are very good but the 1st one I spoke of is more reliable. Now the down side of these sites is they only scan 1 file at a time, which u have to upload, but it's very convenient if u do know the file that was downloaded from the IM link sent to u.

As u are already infected and it is obviously not a massively destructive virus (deleting files recursively, as u wouldn't be posting any more until reformat if it were), I might then suggest that u try downloading the trojandownloader or trojan or keylogger again and watch the status bar as it downloads for the file name, but this is NOT really suggested. It will probably do nothing if the file was already installed b4, obviously due to the fact that many have a mutex check for a key word hidden within the trojan/worm; this (sounds like a worm mass mailer as u described it) checks the system to see if already infected. If a well written worm/trojan then it won't reinfect since it will check if it is already there in ur system.

Also by the way WARN ur friends ASAP that they should DELETE all attachments from u mailed to them or from other sources for a while to avoid spreading this pest to others and pissing them off thinking u did it on purpose.

You can download Kaspersky Anti-Virus Personal Pro v4.5.0.94 FULL from my site at url snipped by swimmer url snipped by swimmer. I don't suggest u use the newer version v5 as it isn't as good and some ppl have had issues and problems.

When ur ready to clean, if u know/find the virus/worm/trojan name or after u installed AV, then turn off System Restore if u have it --> reboot into safe mode (as mentioned in previous post) --> scan entire system or at the very least all WinDir (ex: C:\WINDOWS) --> fix or clean all infected files, and use quarantine if they are Windows system critical files 1st b4 fixing/disinfecting. After cleaning the system and rescanning to be sure, then reboot and rescan; then if clean and safe u may turn System Restore back on.

Free online scans and free cleaners that u can use to scan free (but probably not in safe mode?):
http://housecall.trendmicro.com/ (trendmicro av online full system scan if u want, slow but worth the time)
http://www.kaspersky.com/scanforvirus (kaspersky free online scan, 1 file at a time)
http://www.avast.com/eng/avast_cleaner.html (avast av free cleaner download)
http://vxchaos.no-ip.org/WaRez-Appz-n-Anti-Viruses/ (No direct link downloads) F-Prot Antivirus for DOS v3.16a.zip
http://skaner.mks.com.pl/ (mks_vir free online av scanner)
http://www.nod32.com/download/trial.htm (NOD32 trials, free eval downloads)
http://www.norman.com/Virus/Virus_removal_tools/en-us (Norman Anti-Virus free av tools, individual virus cleaners)

If ur knowledgeable and industrious, kill rogue or unknown fishy looking processes in Task Manager first, and u might want to use Spybot Search and Destroy and Microsoft AntiSpyware v1.0beta and maybe Ad-Aware SE and HijackThis, and post ur output from the HijackThis log to this forum or theirs 1st if u are scared to proceed or unsure of what to do etc.

Ok, hope u have success cleaning ur system without a Windows reinstall, and if u have more info or questions post back. I cleaned many unknown or new 0-day or NOSend viruses/worms/trojans from the wild and elsewhere, and am very knowledgeable at halting and cleaning them successfully as I do collect and test a lot of shady software. If u need help off forum feel free to email me too. Good luck and good hunting to you.
vxchaos-at-gmail.com (NOSPAM please)
Peace, Azag

Gore, posted April 16, 2005:
Thanks for your help, I will try all the methods mentioned... I did warn all my contacts, but fortunately it didn't mail it to anyone, it just IMed everyone that was on with the same link. Unfortunately 2 of them clicked on it since I was a trusted contact of theirs... and now they have the same problem... hopefully I can fix it and help them too. Thanks for your time and help, I will try all the methods.

billybob12345, posted April 16, 2005:
Sorry about your PC probs.

Gore, posted April 16, 2005:
Thanks, hopefully I can get rid of it. I don't want to reinstall my OS all over, too much stuff that I don't want to reinstall and delete.

Azag, posted April 21, 2005:
Ok, dunno if u ever cleaned it successfully or not, but just so u know what it is: your MSN worm was a newer nasty one and many variants are coming out of it as well. It appears to be based off an SDBot variant (W32.SpyBot.Worm - name reference see Sophos) as far as I can tell, which has been through many changes and add-ons with added exploits and spreading features for years, and has gone through many versions as well as ripped off offshoots from ppl taking the source code and altering it to suit their needs or to be lame and act like they are 1337 like they made something new LOL, some are just script kiddiots ROFLMAO.

Anyway, it should be detected by ESET NOD32 Anti-Virus as well as Trend Micro AV, Symantec Norton AV and I've heard Zone Alarm Security Suite (if u use its AV... which is generally pretty weak and not really a reliable enough Anti-Virus solution in my opinion, ergo it's crap). Most AV w/ all most current updates should take care of this, but I am posting this so everyone is aware that some newer variants will likely be missed in AV detections if they are custom encrypted or obfuscated in some variety of ways, so be on the look out, especially MSN Instant Messenger users or any IM user (probably). Here are some helpful links about it:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KELVIR.N
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKELVIR%2EN&VSect=Sn

Scroll to the middle of the forum page here, same thing happened to this guy :o and his friends:
http://www.wilderssecurity.com/showthread.php?t=75510

You all can easily check for many W32.Kelvir Worm variants with a free tool from Symantec (as much as I hate Norton, Symantec does make many useful FREEWARE removal tools provided u have any idea what ur infected with). Anyway here is the link to the W32.Kelvir Removal Tool (FREE):
http://www.sarc.com/avcenter/venc/data/w32.kelvir.removal.tool.html

Also ppl with MSN IM do this, as stated in Wilders Security Forum so eloquently by Gauthreau: "In MSN 7.0 go to Tools -> Options -> File Transfer. Check the box that says "Scan files for viruses using:" Then click the browse button. You want to go to: "C:\Program Files\ESET\nod32.exe" Conversely, if you have Nod32 installed to the same above directory, you can just copy and paste the above directory to the MSN window (quotes included) then OK your way out."

The same goes for whatever AV you may have installed in ur system: use the same steps and put the scanner executable in the text box from Tools-->Options-->Messages (TAB)-->File Transfer-->CHECK THE BOX-->Browse (for AntiVirus Scanner Module) or cut and paste it in (example for KAV v4.5.095 user: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\Avp32.exe)-->Click OK (at bottom of Options)--> YOU'RE DONE!

I hope that Gore is no longer infected and didn't have to reinstall the OS as that would suck big time. But as I said, this is more to alert ppl in general before they get caught with their pants down, so to speak, like some of the other unfortunate victims. Hope someone benefits from some info here. And happy speed testing all. L8rz
Peace, Azag
Don't forget to check out url snipped by swimmer. My site has Free Anti-Viruses, Anti-Spyware and other tools, currently serving 5185 files and all for free!

Gore, posted April 21, 2005:
Thanks for taking your time to reply and try to help me with my problem. I tried the Symantec tool and it does find it, unfortunately... the damn worm keeps on being present after I have scanned and successfully deleted it. All my contacts are still gone on MSN, and my computer is still slow, and finally it really takes a while to connect to all my IMs... I don't think it's my internet as I have a decent connection:

:::.. Download Stats ..:::
Connection is:: 6697 Kbps about 6.7 Mbps (tested with 12160 kB)
Download Speed is:: 817 kB/s
Tested From:: https://testmy.net/ (main)
Test Time:: Thu Apr 21 12:47:02 PDT 2005
Bottom Line:: 120X faster than 56K, 1MB download in 1.25 sec
Diagnosis: Awesome! 20% + : 98.84 % faster than the average for host (Comcast.net)
Validation Link:: https://testmy.net/stats/id-LCEXWNP7B

Again, thanks to you all for taking the time and replying to my thread... I will keep on trying all the methods you have given me... I really don't want to reinstall my OS.

cak46, posted April 21, 2005:
If you want, download and run HijackThis, then copy and paste the results in a post. This program shows what programs start and run when you boot up and when Internet Explorer starts.

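An added example, not part of the original thread or any poster's code: a HijackThis log of the kind requested above lists autostart entries as "O4" lines, and this Python sketch extracts them and marks the ones worth a closer look when a worm keeps coming back after removal. The sample log, its file names and the review heuristics are constructed assumptions for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis log layout; every entry and file name is made up.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [example_updater] C:\WINDOWS\example_dropper.exe
O4 - HKCU\..\RunOnce: [tmpjob] "C:\DOCUME~1\user\LOCALS~1\Temp\example123.exe" -s
O4 - Startup: Example Tool.lnk = C:\Program Files\Example\tool.exe
"""

# source: registry key as printed in the log, or "Startup"; path: executable without arguments
Autorun = namedtuple("Autorun", "source name path")

REG_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.+)$")

def exe_path(command):
    """Return the executable part of a command line, quoted or unquoted."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))\b", command, re.I)
    return m.group(1) if m else command

def parse_autoruns(log):
    """Collect every O4 (autostart) entry; other log sections are ignored."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        if (m := REG_RE.match(line)):
            entries.append(Autorun(m[1], m[2], exe_path(m[3])))
        elif (m := STARTUP_RE.match(line)):
            entries.append(Autorun("Startup", m[1], exe_path(m[2])))
    return entries

def review_reason(entry):
    # Heuristics are assumptions of this example; None means "not flagged", not "clean".
    p = entry.path.lower()
    if "\\temp\\" in p:
        return "runs from a Temp directory"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        return "sits directly in the Windows directory"
    return None

def flagged(log):
    return [(e.name, r) for e in parse_autoruns(log) if (r := review_reason(e))]

if __name__ == "__main__":
    print(flagged(SAMPLE_LOG))
```

A flagged entry is only a candidate for review: look up the file name and scan the file before removing anything.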