
User #184322   1203 posts
Whirlpool Enthusiast

hey all, i've been using live messenger recently when my friend sends me some weird file. i open it and now my account starts spamming all of my contacts. is there some way i can remove this damn thing? it's causing me a lot of trouble at the moment. thanks in advance.

posted 2007-Oct-29, 7pm AEST
User #31115   1962 posts
Whirlpool Enthusiast

Try housecall.trendmicro.com, its a free online virus scanner, usually picks up stuff pretty well.

You might also want to download a permanent Anti Virus program such as NOD32 (www.eset.com) or Avast! Failing that, check out www.download.com, they have free software you can use (whether it freeware or a trial basis). Good luck.

posted 2007-Oct-29, 7pm AEST
edited 2007-Oct-29, 7pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

scanned with AVG free ad-aware and spybot:search and destroy bout 3 times each but no dice

posted 2007-Oct-29, 7pm AEST
User #97340   1142 posts
Whirlpool Enthusiast

why did u download it in the first place?? and i would suggest maybe ad-aware 2007 or spybot search and destroy..

posted 2007-Oct-29, 8pm AEST
User #97067   8623 posts
Whirlpool Forums Addict

If a friend sends you a file, ask them what it is. If it's malicious, they won't even be aware they've sent it.

Usually such a file will be followed by comments like 'hey check this out! A friend sent me this, it's awesome!' or some other such rubbish.

But ask them about it.

And even more importantly, scan EVERYTHING you download before you open it - even if your friend is sending a legitimate file, you don't know that it isn't infected.

posted 2007-Oct-29, 8pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

which program would be better 2 use then for scanning?

posted 2007-Oct-29, 8pm AEST
User #97067   8623 posts
Whirlpool Forums Addict

You need an antivirus program - those two programs are only antispyware.

Try Avast!

posted 2007-Oct-29, 9pm AEST
User #70613   1520 posts
Whirlpool Enthusiast

check your task manager and if its a program called v.exe that looks like it's been compiled in Visual Basic, it shows up in the process list using a seemingly random number each time it starts, i've seen 4, 16, 42 and others, it just monitors your msn till you open a convo and eventually spams everyone in your contact list, i removed it by removing unknown listings and suspicious startup programs in the msconfig list, use your common sense, i then also scanned with NOD32 v3 ESS.

posted 2007-Oct-29, 9pm AEST
User #141578   1580 posts
Whirlpool Enthusiast

Run these free online scans and see if they come up with anything:

a-squared Web Malware Scanner
malwarescan.emsisoft.com

ESET Online Scanner (uses the same signatures as ESET NOD32 Antivirus)
www.eset.com/onlinescan/index.php

Do any malware removal in safe mode and disable System Restore during the cleaning process. Re-enable System Restore once the system has been cleaned.

posted 2007-Oct-29, 10pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

Problematic© writes...

check your task manager and if its a program called v.exe that looks like it's been compiled in Visual Basic, it shows up in the process list using a seemingly random number each time it starts, i've seen 4, 16, 42 and others, it just monitors your msn till you open a convo and eventually spams everyone in your contact list

you think you could guide me through this in a more simpler way?

posted 2007-Oct-29, 11pm AEST
User #47400   3700 posts
Whirlpool Forums Addict

haha funny i came across this thread, one of my contacts obviously has a virus. his account keeps trying to send me image22.zip through messenger.

posted 2007-Oct-30, 12am AEST
User #112110   273 posts
Forum Regular

same thing happened to me today.. luckily for me just as the file was sending i had DC :D

posted 2007-Oct-30, 1am AEST
User #110660   441 posts
Forum Regular

if it's a new exploit i doubt any av will detect it.

posted 2007-Oct-30, 1am AEST
User #168814   1105 posts
Whirlpool Enthusiast

Karmacode writes...

haha funny i came across this thread, one of my contacts obviously has a virus. his account keeps trying to send me image22.zip through messenger.

A friend of mine had that last night... I did a quick google and then replied to his send file request with this link.

www.cisrt.org/enblog/read.php?170

He managed to remove it and I haven't got anything bad from him since.
Winnah.

posted 2007-Oct-30, 5am AEST
User #115085   2065 posts
Whirlpool Forums Addict

Karmacode writes...

haha funny i came across this thread, one of my contacts obviously has a virus. his account keeps trying to send me image22.zip through messenger.

Yeah i was getting it last night at home when i was on my ibook, its nice to be immune to something which is pretty much a .exe file..

posted 2007-Oct-30, 10am AEST
User #149679   706 posts
Whirlpool Enthusiast

There are two Variants of MSN Worm

First variant

File name: imageXX.zip (imageXX.JPG-www.photobucket.com)
Size: 10,752 bytes
MD5: 8fdb1cc56c2d9a801c843946e0840482
Detection: Backdoor.Win32.IRCBot.ane (Kaspersky)

Details:

(1) Drops the following files.
%system%\nvbsvc.exe
%temp%\imageXX.zip (XX is random digits, e.g. "image14.zip")

(2) Adds the following registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Volume Shadow Organizer" = "nvbsvc.exe"

How to remove?

STEP 1
Delete registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Volume Shadow Organizer" = "nvbsvc.exe"

STEP 2
Restart WINDOWS

STEP 3
Delete virus files:
%system%\nvbsvc.exe
%temp%\imageXX.zip (XX is random digits, e.g. "image14.zip")

Second variant

File name: imageXX.zip (imageXX.JPG-www.photobucket.com)
Size: 10,752 bytes
MD5: fc086c2123ce97006ddf8513ecb171d4
Detection: N/A

Details:

(1) Drops the following files.
%system%\abgsvc.exe
%temp%\imageXX.zip (XX is random digits, e.g. "image22.zip")

(2) Adds the following registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Application Layer Browser"="abgsvc.exe"

How to remove?

STEP 1
Delete registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Application Layer Browser"="abgsvc.exe"

STEP 2
Restart WINDOWS

STEP 3
Delete virus files:
%system%\abgsvc.exe
%temp%\imageXX.zip (XX is random digits, e.g. "image22.zip")

The above information was gathered from the Chinese Internet Security Response Team web site.
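A defender-side check for the two variants listed above, written as an added example (it is not from the CISRT post or from any poster in this thread). It assumes a modern PowerShell (Get-FileHash needs PowerShell 4 or later) run from an elevated prompt, and it only reports what it finds; the removal steps stay the manual ones given above.

```powershell
# Added example: look for the artifacts of the two imageXX.zip MSN worm variants
# described in the post above. Reports only; deletes nothing.

# Indicators copied from the post: Run-key value name, dropped exe, MD5 of the zip.
$variants = @(
    @{ Name = 'Volume Shadow Organizer';  File = 'nvbsvc.exe'; Md5 = '8FDB1CC56C2D9A801C843946E0840482' },
    @{ Name = 'Application Layer Browser'; File = 'abgsvc.exe'; Md5 = 'FC086C2123CE97006DDF8513ECB171D4' }
)
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVals = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$system  = [Environment]::GetFolderPath('System')   # what the post calls %system%
$temp    = [IO.Path]::GetTempPath()                  # what the post calls %temp%
$findings = @()

foreach ($v in $variants) {
    # (2) the persistence entry: a Run value with the name the post lists
    $prop = if ($runVals) { $runVals.PSObject.Properties[$v.Name] }
    if ($prop) {
        $findings += "Run key value '$($v.Name)' = '$($prop.Value)'"
    }
    # (1) the dropped executable in the system directory
    $exe = Join-Path $system $v.File
    if (Test-Path -LiteralPath $exe) {
        $findings += "Dropped file present: $exe"
    }
}

# The zip name is imageXX.zip with random digits, so match the pattern rather
# than one fixed name, then compare each hit's MD5 against the post's hashes.
$zips = Get-ChildItem -Path $temp -Filter 'image*.zip' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^image\d+\.zip$' }
foreach ($zip in $zips) {
    $hash  = (Get-FileHash -LiteralPath $zip.FullName -Algorithm MD5).Hash
    $known = $variants | Where-Object { $_.Md5 -eq $hash }
    $label = if ($known) { "known variant ($($known.File))" } else { 'hash not in the list above' }
    $findings += "Dropper zip $($zip.FullName) MD5=$hash : $label"
}

if ($findings.Count -eq 0) {
    'No indicators of either variant found.'
} else {
    'Indicators found; remove in the order given above (registry entry, reboot, files):'
    $findings | ForEach-Object { " - $_" }
}
```

A zip whose hash does not match is still worth treating as suspicious, since the post itself notes the second variant had no AV detection at the time.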

posted 2007-Oct-30, 12pm AEST
User #103079   2502 posts
Whirlpool Forums Addict

Just got a message from a mate that said.
"hey man accept my pics. :( i just edited it to look maad funny.."

The file name was.
"image22.zip"

So straight away i canceled it.
A few of my other contacts have this virus sending out crap, I have just blocked them.
BTW I use Pidgin IM not that Windows Live junk.

posted 2007-Oct-30, 3pm AEST
edited 2007-Oct-30, 3pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

where do you find those files Thunder Bird? i also downloaded avast last night and ran a scan but i don't think anything came up, even though there must be a virus somewhere on my computer

posted 2007-Oct-30, 4pm AEST
edited 2007-Oct-30, 4pm AEST
User #109339   1241 posts
Whirlpool Enthusiast

no offense but who ever downloads + runs it is a noob. lulz

check out the top msn worm *wink wink*

The worm, W32/Impard-A, is a highly sophisticated program with multi-lingual support that can effectively spread itself, delete and send other, rival malware present on the computer back to its creator, and utilise BitTorrent in achieving its goal.

Like most such malware, W32/Impard-A is controlled over IRC. Richard Cohen, a security expert with Sophos, said:

It’s controlled by a remote user over IRC, and is capable of sending itself via AIM and MSN, storing itself as a file called IMG009.jpg-www.imagehosting.com inside a zip file called C:RECYCLERmyphoto.zip, and then sending this zip with a message that promises pictures, written in the same language as the infected computer. This sort of social engineering tries to maximize the chance that recipients will believe it to be legitimate and open the attachment, though this is shot in the foot somewhat by the fact that many of the phrases have been cut off abruptly.

I have personally seen the messages generated by this worm, when a Yahoo! Messenger-using friend of mine asked me to visit some obscure URL to look at her photos. She uploads all her photographs to Facebook, so I became suspicious right away. It turns out, this worm is so versatile, it can hijack just about every popular IM client and use the signed in account to spread to its contacts. What’s very interesting, though, is how the worm utilises BitTorrent.

Once running on the host computer, the worm searches for the BitTorrent mainline client executable (bittorrent.exe). If it finds the file, it opens up a torrent and, after downloading a copy of itself to a specific location on your hard disk, starts seeding it.

This is the first reported instance of malware making use of BitTorrent to achieve its creators’ ends. If you think about it, it makes perfect sense. Why should the malware author waste bandwidth downloading his worm to thousands of Windows computers around the globe, when he can make his army of zombified ones redistribute it for him, free of cost?

posted 2007-Oct-30, 5pm AEST
edited 2007-Oct-30, 5pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

so anyone got ideas to combat this damn thing?

looked on www.cisrt.org/enblog/read.php?178

but don't get the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe". how do i get to this?

posted 2007-Oct-30, 5pm AEST
edited 2007-Oct-30, 5pm AEST
User #149679   706 posts
Whirlpool Enthusiast

www.microsoft.com/protec.../viruses/im.mspx

posted 2007-Oct-30, 5pm AEST
User #109339   1241 posts
Whirlpool Enthusiast

flaggen writes...

so anyone got ideas to combat this damn thing?

looked on www.cisrt.org/enblog/read.php?178

but don't get the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe". how do i get to this?

its not rocket science...

go to start > run > msconfig > startup

look for unknown exe's and disable them from startup then reboot find location and delete.

posted 2007-Oct-30, 5pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

lulz writes...

look for unknown exe's and disable them

what kind of exes should i be looking for?

posted 2007-Oct-30, 6pm AEST
edited 2007-Oct-30, 6pm AEST
User #127221   660 posts
Whirlpool Enthusiast

flaggen writes...

but don't get the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe". how do i get to this?

start>run>regedit

posted 2007-Oct-30, 6pm AEST
User #109339   1241 posts
Whirlpool Enthusiast

flaggen writes...

unknown exes? how do you know which ones?

i guess the ones that don't look familiar to you or the filename of the virus eg: the filename you posted with the registry key location.

posted 2007-Oct-30, 6pm AEST
User #149679   706 posts
Whirlpool Enthusiast

Here are some to start looking for

abgsvc.exe

mdn.exe

nvbsvc.exe

rpmsvc.exe

posted 2007-Oct-30, 6pm AEST
User #184322   1203 posts
Whirlpool Enthusiast

ok got something called "snpstd" is this something?

posted 2007-Oct-30, 8pm AEST
edited 2007-Oct-30, 8pm AEST
User #256370   9 posts
I'm new here, please be nice

have you tried – http://virusscan.jotti.org/
also a small program called autoruns
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Otherwise its fry and reload.

posted 2008-Nov-10, 11am AEST
User #196421   135 posts
Forum Regular

Thunder Bird writes...

abgsvc.exe

mdn.exe

nvbsvc.exe

rpmsvc.exe

so these are the ones that should be blocked?

what about "NVCpl"?

posted 2008-Nov-10, 3pm AEST
edited 2008-Nov-10, 3pm AEST
User #260517   2 posts
I'm new here, please be nice

I received a virus via msn messenger 2 weeks ago and I was unable to send emails for days because I was being spam blocked. The virus seemed to come from my niece asking me to look at some photos. I know...stupid me just wasn't thinking at the time and opened it. The grief it caused from then on was immeasurable and extremely costly.

I tried two days doing every scan known to man. I have CA Security Suite which I have now removed because obviously it's hopeless. The computer then went to an IT company, and still the virus was not removed (even though they told me it was).

Anyway, to make a long story longer, I eventually rang CA and they told me to go to my Windows/System32 File and look for a file called "doomi.exe"; cut and paste it into a folder on my desktop called "virus", then zip it and email it to them. However, I was not then able to delete the "virus" folder from my desktop or move it to the recycle bin. So, I restarted my computer and then was able to move the folder into the recycle bin and delete it. However, doomi.exe reinstalled itself into the System32 folder. Arrgghh!

So...to make a long story even longer...I installed Hijack This and ran a scan, and deleted it from there. However, I had to do this about 3 times! It seems to have worked as I am no longer having my emails spammed.

I'm just curious why there aren't more solutions to this problem on the web.

I'd welcome your replies to this post.

Cheers
Caroline

posted 2008-Dec-7, 8am AEST
User #54337   1988 posts
Section Moderator

Have a look at this site http://www.msnvirusremoval.com/ and see if it helps you.

Cheers :)

posted 2008-Dec-7, 9am AEST
User #260517   2 posts
I'm new here, please be nice

Yes...tried that, but it didn't work. But thank you. The only thing that worked was removing the doomi.exe

Honestly...it was a nightmare!

Caroline

posted 2008-Dec-8, 7am AEST