UGLY MSN messenger virus, need info on removing

Archman

Senior member
Apr 25, 2002
Hi there,

I did something stupid, I turned off my AV program, and got an MSN Messenger window pop up from someone on my contact list stating:

"Wow, is this you? .......@(your hotmail address).com"... I clicked it, and downloaded... damn *.exe file screwed up my computer... it blocked webpages to all the major AV webpages, but I got to use my AV program in Safe Mode, and deleted a file.

Once I could get back into Windows normally, I still could not access the major AV company websites, so I did some snooping on forums... found a file in:

C\windows\system32\directory\etc\host and deleted it, then I could access the major AV webpages.

Now I ran Panda Software's ActiveScan, but it won't remove a hacking tool, and Trend Micro caught 2 worms that it deleted.

Now, I still have the nasty virus file on my computer, and want to send this file into one of the AV companies to see if it is a new variant or something older.

I ran Spybot S&D and it removed a few things, Ad-Aware got nothing, CWShredder got an old trojan, and I got HijackThis to make a log.... still paranoid something is in there... any ideas on where I can post a log and get some feedback?

thanks

Archman

Senior member
Apr 25, 2002
sorry, I made a mistake the path to the file is:

C:\windows\system32\drivers\etc\hosts <---- hosts is the file I deleted to be able to access the AV webpages
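The hosts-file trick described in the post above (the worm mapping antivirus vendor sites so the browser can no longer reach them) is easy to check for before deleting anything. The following is an added example, not code from the original thread or from any of the tools mentioned in it: a small checker that parses a hosts file and flags entries that redirect security-vendor domains or sinkhole names to a loopback/unspecified address. The vendor watch-list and the sample hosts content are constructed for illustration.

```python
"""Check a Windows hosts file for entries that hijack security-vendor domains.

Added example; not part of the forum thread. The vendor list and the sample
hosts content below are constructed for illustration.
"""
import ipaddress

# Constructed watch-list: domains a malware author commonly points at loopback
# or a bogus address so the victim cannot reach updates or online scanners.
# Illustrative only; extend it for your own environment.
WATCH_DOMAINS = (
    "symantec.com", "mcafee.com", "trendmicro.com", "pandasoftware.com",
    "kaspersky.com", "sophos.com", "f-secure.com", "avp.com",
    "windowsupdate.com", "microsoft.com",
)

# The only mappings a stock Windows hosts file is expected to contain.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each mapping, skipping comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:  # one IP may be followed by several names
            yield lineno, ip, host.lower()


def find_hijacks(text):
    """Return a list of (lineno, ip, host, reason) for suspicious entries.

    An entry is flagged when the hostname is a watched vendor domain (or a
    subdomain of one), wherever it points, or when any non-benign name is
    mapped to a loopback or unspecified address (the classic sinkhole).
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if (ip, host) in BENIGN:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, host, "unparseable address"))
            continue
        watched = any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)
        sinkholed = addr.is_loopback or addr.is_unspecified
        if watched:
            findings.append((lineno, ip, host, "security-vendor domain redirected"))
        elif sinkholed:
            findings.append((lineno, ip, host, "non-localhost name sinkholed"))
    return findings


# Constructed sample resembling what this kind of worm writes into
# C:\windows\system32\drivers\etc\hosts. Not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
127.0.0.1 www.trendmicro.com
0.0.0.0 liveupdate.symantecliveupdate.com
127.0.0.1 www.pandasoftware.com
192.168.1.10 fileserver.example  # legitimate LAN entry, should not be flagged
"""

if __name__ == "__main__":
    for lineno, ip, host, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {host}: {reason}")
```

The legitimate LAN mapping at the bottom of the sample passes untouched, so the check is usable on a machine that has a few real custom entries. Rather than deleting the whole file, the safer cleanup is to remove only the flagged lines and leave the `127.0.0.1 localhost` entry in place; the file is plain text and can be edited from Safe Mode just as the scan was run.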

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Archman, try this:

1) follow the instructions in this text file (right-click the link and save the text file). Make sure you do the scan in Safe Mode with System Restore turned off.

2) if your virus file was detected and deleted, that means it's already "on the radar." It might find more than you think, btw ;) If your virus file wasn't detected, then go ahead and submit it (post if you need help w/ how to submit it).


If you run your IM program under Limited-class credentials, that would've helped here. The worm used your account's powers to do what it did. Admin-class account = unlimited power for the worm. Limited-class account = bad news for this kind of worm.

Archman

Senior member
Apr 25, 2002
mechBgon, the virus is gone, but what remains when I do an online scan at Pandasoftware.com/activescan shows a Hacking Tool, and it is called 'EvID'... btw, the link to the text file is not complete. Please post it again, and thank you :D

Archman

Senior member
Apr 25, 2002
tuteja 1986, so far I have been having great results with Ad-Aware, Spybot S&D, MS AntiSpyware beta, CrapCleaner, SpywareBlaster, HijackThis, and CWShredder.... :eek: is it me, or does it seem like using the net on a PC is becoming too much of a hassle now?.... I think we're all frustrated with the amount of garbage floating around nowadays.

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: Archman
mechBgon, the virus is gone, but what remains when I do an online scan at Pandasoftware.com/activescan shows a Hacking Tool, and it is called 'EvID'... btw, the link to the text file is not complete. Please post it again, and thank you :D
Oops, I messed up my link :confused: http://www.omnicast.net/~tmcfadden/scan.txt Try that :)

is it me, or does it seem like using the net on a PC is becoming too much of a hassle now?
Use a Limited account (and make the other users of the computer use one too) and you can pretty much wave 'bye to that junk getting in via your web browsers. If you let it in the door by installing shady stuff, then there's nothing to stop it, of course.