New MSN Messenger Virus/Trojan – March 2009

March 18th, 2009 at 03:51am philipz

For the last couple of days a friend has been bringing their laptop over to my place for me to try and clean this darn MSN virus/trojan, which seems to be one tough SOB because everything I have tried hasn't worked. The laptop (Windows XP SP3) has Avira AntiVir for antivirus, and I have installed and scanned the PC with every anti-spyware/anti-malware tool out there, including Ad-Aware, Spyware Terminator, Super Antispyware, Malwarebytes’ Anti-Malware, Rootkit Revealer, and Spybot – Search & Destroy, which I chose from Download.com’s top 20 list and from FileHippo’s Anti-Spyware category. Unfortunately none of these removal tools was able to find or remove it.

Well, this new MSN virus/trojan posts messages to your contacts like the ones below.

YOU ARE ON THE FRONTPAGE OF THIS WEBSITE!! http://www.gallery-pictures.com
NO FUCKING WAY!! LOL WHAT HAVE YOU BEEN UP TO?! http://solox99.photodropperz.com
how is this possible?! i just found u through my profile (?!?!?) http://sarfar.gallery-pix.com/

What the virus/trojan does is send links to what looks like an MSN login page asking for your email and password, for the purpose of “spread the word about this new 100% real and upcoming Messenger Community Site”, as stated in the terms of use at the bottom of the page. The links sometimes have the infected user’s MSN username in the subdomain (e.g. http://username.gallery-pix.com) and the page always looks the same, with the heading “PICS FOR MSN FRIENDS v2.0c” or “Pics & Photos 4Frenz v.2.5”.

Alternatively, the messages link to a sex dating signup page titled “Meet Real Sex Partners TONIGHT – JOIN FOR FREE! — Swingers, Free Adult Chat & Adult Personals Site”, found at http://www.fastxxxnow.com/new4/ and http://www.fastxxxnow.com/new5/.

Google Help
Some checking on Google turned up some of the posted messages on what seems to be a group board at this Chinese website: http://www.365groups.com/

After doing some more digging on Google I found a discussion about it on a dog bulletin board.
http://www.labradorforums.co.uk/ftopic-57428-days0-orderasc-0.html
The infected person stated that they formatted the PC and it still didn't solve the problem, as the virus/spyware seems to have attached itself to MSN.

Removal Attempts
So after all the scanning with anti-virus/spyware/malware tools, I decided to remove MSN Messenger and all its dependencies and install them again. Didn't help. I also tried the various MSN removal tools suggested on the dog bulletin board, like MSN Virus Removal, MSN Virus Cleaner, and IMP Fix, with no luck.

Infected Domains
Below is a list of domains which have the same MSN login page.

Infection Behaviour
My friend told me that while she was infected, MSN Messenger would continuously disconnect and reconnect, and it seems that in the time it was disconnecting and reconnecting the virus/trojan would send these messages to her contacts. That is what she told me, but I have no way to verify it. One thing to keep in mind is whether the virus/trojan is sending the messages to your contacts when you are online or not; you can tell this from the date and time stamp MSN Messenger attaches to each chat post.
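One way to triage a saved conversation log for the two signals described on this page (a link whose subdomain is the sender's own login name, and links posted while the real user was signed out), as an added example that is not part of the original post. The log lines, the sign-in windows and the timestamps are constructed samples built from the message styles quoted above; the domains are the ones named on this page.

```python
"""Added example (not from the original post): flag Messenger chat-log entries
that match the credential-phishing spam described above.

Two signals from the post and its comments:
  1. the link's host starts with the sender's own login name as a subdomain
     (e.g. fredo@hotmail.com -> http://fredo.super-galleri.com), and
  2. the message was "sent" at a time the real user was not signed in,
     which is visible from the timestamp Messenger attaches to each post.
All log lines and sign-in windows below are constructed samples.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

FMT = "%Y-%m-%d %H:%M:%S"
URL_RE = re.compile(r"https?://\S+")

# Constructed sample log: (timestamp, sender, text) as a saved conversation holds them.
SAMPLE_LOG = [
    ("2009-03-16 14:02:00", "fredo@hotmail.com", "hey, lunch tomorrow?"),
    ("2009-03-16 23:41:00", "fredo@hotmail.com",
     "how is this possible?! i just found u through my profile http://fredo.super-galleri.com/"),
    ("2009-03-17 03:15:00", "fredo@hotmail.com",
     "YOU ARE ON THE FRONTPAGE OF THIS WEBSITE!! http://www.gallery-pictures.com"),
    ("2009-03-17 10:30:00", "fredo@hotmail.com", "see you at 1"),
]

# Constructed sample: periods when the real user was actually signed in (inclusive).
ONLINE_WINDOWS = [
    ("2009-03-16 13:00:00", "2009-03-16 18:00:00"),
    ("2009-03-17 09:00:00", "2009-03-17 17:00:00"),
]


def _parse(ts):
    return datetime.strptime(ts, FMT)


def was_online(ts, windows=ONLINE_WINDOWS):
    """True if the timestamp falls inside one of the user's sign-in windows."""
    t = _parse(ts)
    return any(_parse(start) <= t <= _parse(end) for start, end in windows)


def username_in_host(sender, url):
    """True if the URL's first host label equals the sender's login name."""
    local_part = sender.split("@", 1)[0].lower()
    host = (urlparse(url).hostname or "").lower()
    return host.split(".")[0] == local_part


def classify(log=SAMPLE_LOG, windows=ONLINE_WINDOWS):
    """Return, per message, (timestamp, list of suspicious signals it triggers)."""
    findings = []
    for ts, sender, text in log:
        signals = []
        urls = URL_RE.findall(text)
        if urls and not was_online(ts, windows):
            signals.append("link sent while user offline")
        if any(username_in_host(sender, u) for u in urls):
            signals.append("own login name used as subdomain")
        findings.append((ts, signals))
    return findings


if __name__ == "__main__":
    for ts, signals in classify():
        print(ts, signals or "ok")
```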

Update – Finally Removed
Well, what I noticed when I signed into my own MSN Messenger (Windows Live Messenger) account from my friend’s infected PC was that it wasn't sending out the same type of messages to my contacts, which led me to believe that the account itself is infected and not the PC. So I did some more digging around and was finally able to remove the darn thing by doing the following (not sure which part of this did the trick though). I ran Rootkit Revealer and noticed it brought up MSN Messenger results in the

C:\Documents and Settings\user account\Local Settings\Application Data\Microsoft\Messenger\email@host.com folder

(of course “user account” and “email@host.com” will differ on your PC), which you won't be able to reach in Windows Explorer unless you have hidden files and folders showing [instructions how to do this]. So in that folder I simply deleted all the files and folders. Then I noticed that MSN Virus Removal suggested changing my password, so I did that. It must be one of these two that did it; I believe changing the password would have been enough, but I won't know for certain unless she gets infected again. :) Hope this helps someone out there, and if so, drop me a comment below.

2nd Update
I would like to thank everyone who commented, and I was happy to hear from all those who were helped by this post, as I never dreamt it would be so popular. Most people said that changing the password worked, so do try that first before removing the files from the computer. I came across a good blog post on how to remove some other Windows Live Messenger viruses, so in case you weren't able to find a solution with what I have given here, do check out this post:

http://www.mydigitallife.info/2009/06/10/clean-and-remove-windows-live-msn-messenger-virus-removal-tools-or-msn-fix/.

  • soufa
    hi, how's it going
  • tom
    did format...installed original system from original cd....it didn't help a bit!! changed password...changed name...no chance!!
  • allan
    Hi mate,

    I think you will find it's not the machine that is infected. What has probably happened is that when the user put their username and password into one of these fake sites, they got stored on the server, and the software sending these messages is on a server somewhere.

    I have seen these things before. It can often be sorted by going to your Live account and simply changing your password. That way the trojan server no longer has your password and so can't log in as you.

    Hope that helps.

    Cheers
    A
  • natasha
    if someone is sending me the link with my email address in it does it mean they're trying to send me a virus or that i have the virus on my computer????
  • Dan
    Hello, I got the same message a few days ago. I did not enter my email address or anything. Is it still dangerous?
  • Steve
    Thanks,

    You can add super-galleri.com to the list. Same login page, same behaviour. The link starts with the contact's Messenger login name, e.g. fredo@hotmail.com would get a link to http://fredo.super-galleri.com
  • Tori
    Hi Ibrahimo,

    you have no idea the relief I have felt while reading this page. I am going to try what you suggest now. I will let you know how I go.

    This kind of resource that you have put so much effort into is invaluable to someone like me who really would not know where to start with this kind of thing.

    Bye for now,

    Tori
  • Lynn Leslie
    Had the same problem with this virus, tried the password change and so far seems to have worked thanks a lot for all the info
  • Niceeee
    I hope this works. Half the people on my list seem to be infected with this thing. I just started blocking people, maybe now I can help them out.
  • Floris
    LOL, well if your friend supplied his email and password, a script anywhere in the world can access the MSN account and send random messages to anybody in the list. Of course when you try to sign in, the signed-in script account is automatically logged off, then it logs on again, which leads to a Messenger logoff on your computer.
    Just change the msn password and the other script cannot logon anymore. These phishing websites have been around for a long time, but some people still give their email password without any hesitation to a website asking for it. It might be a good idea to think twice before entering your password on any website, especially if recommended by friends! :>
  • marin bradley
    I have tried what you suggested but I am unable to remove the contacts log as it says it is being used by another person or program. Even after shutting down all programs it will still not let me delete it. Any answers?
  • Sarah
    Hiya,
    I was receiving these trojan messages from friends of mine but never opened any of them... I know none of them are into an Acai Berry weight loss diet. Yet I now have a Windows Live Messenger trojan that is sending out messages to my friends while I am "appearing offline". My computer runs on Vista but I eventually found that AppData folder and deleted most of the contents of that... all but the ObjectStore folder as that appears to be all the backgrounds etc for Messenger. I have changed my password and am just about to run the MSN virus remover as well... just in case. Do you think I should uninstall and reinstall Messenger again? Is there any way of knowing for sure that I have removed this damn thing?
    Thanks
    Sarah
  • Sarah
    Having followed your advice, I have also run a full virus scan. It picked up lots and lots of tracking cookies such as:

    C:\Users\Sarah\AppData\Roaming\Microsoft\Windows\Cookies\sarah@atdmt[2].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt

    Could this be the problem?
    Thanks
    Sarah
  • sr
    thanks - this was really useful information. I've had the same problem and was stuck for a solution. This has saved me a lot of time.
  • Rico
    Thank you for your explanation on this matter. It has been bugging me for ages. I've never clicked it, always suspecting a virus of sorts.
    Thank you again
  • Jack kesselman
    Thanks for this.

    I wonder if it was the changing of your password that resolved the problem.

    I have done both things you've suggested and I'll let you know if the problem is still happening on my system.
  • Rui Rodrigues
    Hi there. Great post.

    I have a client with the exact same problem. I'll try to identify which of those steps will solve the problem and post them back here.

    Best regards
  • MoreFunThanMary
    I hate this virus! I ran all the usual software with no results and a lot of abuse from my online friends.
    This was the only reference I could find to the photodropperz trojan online.
    I didn't have the folder referred to, so I changed my password and that seems to have done the trick. I no longer get the message 'you have signed in to messenger on another computer' which I used to get. And no complaints from friends for a while.
    Thanks for the suggestion!
  • whoevauwant
    I now know of two people who have this infection/virus. I have been abusing them about sending me links that go nowhere. I now know what is going on thanks to your blog. So your friend's virus was real and, like I have to do to my friends, you will have to apologise.
  • Daevid Hughes
    I now know of two people who have this infection/virus. I have been abusing them about sending me links that go nowhere. I now know what is going on thanks to your blog. So your friend's virus was real and, like I have to do to my friends, you will have to apologise. I have now been researching the virus for a friend. I have spent an hour or two reading about various viruses and your site is the only one so far that talks about the virus my friends have. I don't know how to explain it to my friend and will research more and get back to you, even though my last comment is still awaiting moderation (whatever that means) after 2 days.
  • Cat
    Apparently my account has been sending out the same weird message too, and I had no idea! I'm not actually using MSN. I'm using Digsby... Herm. I'll try this!
  • Cat
    Hum.. i'm looking for it, but I'm on Vista. Rawr!
  • Victor
    My roommate also has an MSN virus similar to the one you described and it would only send a weblink while he was offline (usually to a porn site). Like you I've used every scanner and found little to no results. He is using the Windows Vista program and we suspect that one of the processes was causing a problem. Its name was xp update; whether turning that process off fixed the problem is the answer I'm going to find out in the next day or so. Thank you for writing the article, it was helpful; if we haven't fixed the problem at least I have a few more things to try (before I shoot his computer) (especially because I love working with Vista). Once again thank you very much.
  • KRP
    Thanks for this post. Cannot find anything about this on the internet. I have same problem. Couldn't find hosts file but did change MSN password.
  • wolfe
    well i am changing my password and will see if that helps, everyone is mad at me on my msn, i sure hope it fixes it, if not i will delete the sharing folder, i think that's what i need to do, not sure what else to do
  • Dupain
    ehm..i don't have that virus but i believe my cousin got it. pretty similar symptoms on his vista machine. he sends me random messages at log outs and log ins. i'm not sure how he got infected but i'll try this blog and see if it helps. thanks!
  • hey man
    thanks
    my friends got this too
    and yeah i will tell them the solution for the removal of the virus
  • Victor
    It's been a couple of days now and I believe that changing the password on your MSN account has fixed this particular problem. I haven't received any links from my roommate's MSN.
  • Kragom
    :D

    Too bad I did not see this earlier. I could have told you guys straight away that all you need to do is change the password. These scams are relatively common, fooling people into logging on to a website with their msn/hotmail details, which are then used by the individual/company to spam friends.

    Sometimes they even say in their terms of business that they will do it!
  • jasmine
    This is very helpful - somebody in my contact list was spamming me with these same adverts.
    Thanks very much!!
  • nora
    Thanks so much for ur info!!! Great job seriously, you have really good solid info!
    I was one of the naive idiots that opened such file and got the bug. Thanks to my mates who told me something is wrong because they knew I was at work and couldn't possibly send them anything, I could deal with it asap.
    EVERYONE! TELL UR FRIENDS IF YOU ARE RECEIVING SILLY LINKS FROM THEM, FEEDBACK IS ESSENTIAL!
    I did the same as you ran so many programs through my laptop over two days it's not funny. I wrote to messenger support which was helpful but they only advised on more of the antivirus etc programs to scan my laptop with, and of course nothing was found. I deleted everyone on my contact list, and blocked the person it started from, told my friends to block me till I find a solution. I changed my password on my account and like ur friend's it stopped, but I did open another account just to be extra safe. Till they solve this whole issue I am not getting messenger, i'll go back to the old fashioned way of keeping in touch, by using my phone!
  • Kaz
    Thank you for that, my son appears to have this virus, I have passed on the info to him so that he can get rid of it.
    Kaz
  • Alex
    I read your post above with your solution and just to let you know, changing your password would not have helped whatsoever.

    These viruses overwrite your local files for msn and try running some sort of script which sends out these mails. By deleting the local copy of these files the virus was deleted and the original files were downloaded upon logging in.

    There is one specific file in there that they overwrite; don't ask which one because I can't remember, but if you google around you may be able to find out what file it is and delete that one.
  • blake allum
    hi im blake im pretty troubled i have got the worm on my computer on msn messenger i don't know how to get rid of the damn thing, i have not got file options so i do not know what to do please message me back on how to get rid of it plz i need help
  • sherry
    thanks 4 posting... i changed my password and it seems to have gone thanks
  • kyle
    hello thanks for the page, the bloody thing is on my MAC laptop, i will change my password cos that's the only thing i can think it is? any other ideas how i can get rid of it on my mac?
  • Sue500100
    My friend had this virus and tried the file deletion but this didn't help however when he changed his password then the infection seems to have cleared. Not sure if changing the password on its own would have worked, but deleting the files on their own definitely doesn't work on its own.

    I hope this helps someone
  • philipz
    Hi Alex,

    If what you are saying is true, then after you delete the local copy of these files, change your password and that should fix it, because the virus wouldn't be able to jump back on your PC once you have changed the password.
  • JC
    Business contact, has the infection, uses multiple computers, as soon as they sign in, it sends:

    http://ImageCamz.com/?user=USERNAMEHERE&ima... ?!?

    ... HAHAHA!!

    I suggested to remove messenger, delete files if available in:

    C:\Documents and Settings\user account\Local Settings\Application Data\Microsoft\Messenger\email@host.com folder

    &

    to reset all settings to default (Security/PrivacY), clear history, temporary internet files, cache, cookies, reset ssl certificates.

    This may vary depending on your operating system, she uses Vista and XP, I won't use Vista :)

    *Additional comments: as a trusted contact I did click the link and enter my details. However I didn't change my password for about two days and did not get infected myself.

    Why? Possibly because I am using what was a beta build of Windows Live Messenger / Version 2009 / Build 14.0.8064.206.

    ***AND I used an application on it called Apatch, this disables all the web based ads in it and much more, it has 85 features, you can visit the author's site here: http://apatch.org/features.php

    Hope this info helps, everyone else's helped me too :)
  • Kelly O'Driscoll
    HELP PLEASE
    lol i don't know what to do, it keeps on sending everyone dirty messages, need to get rid of this virus........
    thanks kelly
  • FragTamer
    I've not had complaints from others about my account spamming them. Apparently it never has. Over time, I have seen numerous FAKE MSN emails that want you to verify your account details and send them. I don't fall for them, even the ones that try to look genuine. I do receive spam from others though that have never revealed their account details or passwords, so I guess the virus/trojan was distributed to their PC from infected others and logged their passwords without them filling in any FAKE new MSN community box as described. I don't know why it is, if others treat their MSN accounts with integrity, that they are troubled and I'm not when they too wouldn't fill out a fake box. It's concerning that accounts are being accessed and there are millions of dollars worth of personal details to be found linking to sensitive information in emails stored on those accounts that are being exploited. I'm amazed MSN has let this go for so long. Their servers are definitely unsecure. Use POP email or other if you're concerned.
  • kikino
    I'm using slacky with pidgin and changing the password seems to have resolved the issue.

    kikino
  • lily
    Hi,

    I have a similar problem.
    The 'show hidden files and folders' instructions don't work for me because I can't find Folder Options under Tools in Windows Explorer.
    The msn virus has been sending me the same message about berry pills to a few of my friends (not all) and myself (I added myself on msn). I've realized they all originate from the same date and time: May 16, 5:59pm.
    I've also tried changing my password for my account twice, but the messages continue to send.

    What should I do? :(

    -Lily
  • philipz
    Hi Lily,

    It is likely you're in an account which has limited access, so you need to log into an account that has administrator access.

    http://www.microsoft.com/windowsxp/using/setup/...
  • Gail
    God this is the most annoying thing on msn i have come across, it is extremely annoying receiving websites 2 porn sites, but on xbox it's even worse, i have 2 mates who have this virus. i hadn't told them anything until 1 of them told me "i have a virus can u help me", and thanx to this site i can. i have looked on google, yahoo....u name it but haven't come across anything like what is going on, Thanx mate, u really do rock \../, if u need any help spreadin the answer im here

    x-x GZMN262 X-X
  • Cmar
    Just wanted to say that you rock, buddy! i was trying everything on my friend's comp to get rid of this virus. it's almost annoying thinking all i had to do was get him to change his password...lol


    cheers!
    -cmar
  • Jacquie
    I foolishly clicked on a link sent to me through Messenger telling me that my friend could now be reached through "This" site..DUMB! right afterwards another friend informed me that my Messenger was sending her repeated messages and that it was obvious I had a virus. Arrrgh! I tried many virus scanners to no avail. I came upon this site and followed the above steps to a "T".. Happy to announce that the pesky virus is no longer sending my friends dumb messages in my absence. It worked! Thank you for sharing!
  • Just
    This is a new virus... Didn't have luck removing it... Tried everything and nothing helps...
    Symptoms are: it sends a link in the middle of the conversation and sometimes spams my Mozilla Firefox tabs when i check mail in any kind of webmail server (opens 10-20 tabs with blank pages)... Links are similar to imageshack and rapidshare... That's why everyone is clicking... Pls help!
  • scorpio_2097
    thanks for all your help i got this virus and ur advice was invaluable