Thread: Mitglieder.BO virus and compromised computer?

  1. #1
    dnl Guest

    Mitglieder.BO virus and compromised computer?

    My Kerio firewall just caught a new version of msmsgs.exe trying to access
    the internet when I haven't updated it and now it appears that I have a
    virus. I'm trying to figure out what else besides the virus may be on my
    computer now.

    I have MSN Messenger installed but Messenger was disabled in services. I've
    tried ending the msmsgs process in the task manager but it keeps returning.
    I just noticed that WinPatrol has not been running either so I'm wondering
    if that was disabled by whatever activity is going on.

    Norton doesn't report any viruses but Panda Online reports that I have
    Mitglieder.BO. Spybot and Adaware aren't detecting anything. Spywareguard
    is also running. Any suggestions for the best way to clean this computer
    and get rid of whatever is going on?

    Thanks.



  2. #2
    Adam Piggott Guest

    Re: Mitglieder.BO virus and compromised computer?

    [Follow-up to alt.comp.anti-virus]

    dnl wrote:
    > My Kerio firewall just caught a new version of msmsgs.exe trying to access
    > the internet when I haven't updated it and now it appears that I have a
    > virus. I'm trying to figure out what else besides the virus may be on my
    > computer now.
    >
    > I have MSN Messenger installed but Messenger was disabled in services. I've
    > tried ending the msmsgs process in the task manager but it keeps returning.
    > I just noticed that WinPatrol has not been running either so I'm wondering
    > if that was disabled by whatever activity is going on.
    >
    > Norton doesn't report any viruses but Panda Online reports that I have
    > Mitglieder.BO. Spybot and Adaware aren't detecting anything. Spywareguard
    > is also running. Any suggestions for the best way to clean this computer
    > and get rid of whatever is going on?


    First of all you should know that MSN Messenger and the Messenger service
    are two completely separate and independent programs.

    That being said, MSN Messenger still loads on Windows XP after you tell it
    not to. If you would like I can email you a batch file that will prevent
    MSN Messenger from loading. (And one that will restore it in case you
    decide you want to use it!)

    It is expected behaviour for one to kill msmsgs.exe and reboot only to find
    it running again.

    On the Mitglieder.BO front, note that it is described by Panda as causing
    anti-virus software to malfunction. I quote David H. Lipman's immutable
    instructions on this matter:

    1) Download the following three items...

    McAfee Stinger
    http://vil.nai.com/vil/stinger/

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Trend Sysclean Method 1
    --------------------------------
    Create a directory.
    On drive "C:\"
    (e.g., "c:\sysclean")

    Download SYSCLEAN.COM and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt524.zip

    Extract the contents of the ZIP file and place the contents in the same
    directory as SYSCLEAN.COM.

    Trend Sysclean Method 2
    ---------------------------------
    The utility SYSCLEAN_FE in "Procedure F" at the following URL
    http://www.ik-cs.com/got-a-virus.htm automates the download and execution
    process of the Trend Sysclean Package.



    2) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
    3) Reboot your PC into Safe Mode and shutdown as many applications as possible
    4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan
    of your platform and clean/delete any infectors found
    5) Restart your PC and perform a "final" Full Scan of your platform using both.
    6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    7) Reboot your PC.
    8) If you are using WinME or WinXP, create a new Restore point

    * * Please report back your results * *

    Regards,


    Adam Piggott,
    Proprietor,
    Proactive Services (Computing).

    --
    Please replace dot invalid with dot uk to email me.
    Apply personally for PGP public key.

  3. #3
    Mich Guest

    Re: Mitglieder.BO virus and compromised computer?


    "dnl" <dnl@dnl.123.dnl.org> wrote in message
    news:Xns962994939C5dnldnl123dnlorg@216.196.97.131. ..
    > My Kerio firewall just caught a new version of msmsgs.exe trying to access
    > the internet when I haven't updated it and now it appears that I have a
    > virus. I'm trying to figure out what else besides the virus may be on my
    > computer now.
    >
    > I have MSN Messenger installed but Messenger was disabled in services. I've
    > tried ending the msmsgs process in the task manager but it keeps returning.
    > I just noticed that WinPatrol has not been running either so I'm wondering
    > if that was disabled by whatever activity is going on.
    >
    > Norton doesn't report any viruses but Panda Online reports that I have
    > Mitglieder.BO. Spybot and Adaware aren't detecting anything. Spywareguard
    > is also running. Any suggestions for the best way to clean this computer
    > and get rid of whatever is going on?
    >
    > Thanks.
    >
    >


    Messenger service and MS Messenger are not the same; go into your Admin
    tools and look...

    MSN Messenger is a pain in the butt

    To stop messenger from loading when visiting sites such as hotmail delete
    the following key. But remember to backup your registry before doing
    anything to it. This works in Windows 2000 also.

    1. Start > run > type regedit

    2. Navigate to the following key
    [HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
    @="\"C:\\Program Files\\Messenger\\msmsgs.exe\""

    3. This can be done easily by searching for F3A614DC in the registry and it
    will automatically take you there.

    4. Delete this key and you will see that messenger does not load anymore
    when visiting hotmail. Happy tweaking.
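
The post above names a registry launch point for msmsgs.exe and advises a backup before deleting it. As an added example that is not part of the original post, this read-only PowerShell sketch exports that key, reads the command it holds, and compares it and any running msmsgs process against the path quoted in the post, with signature status and hash for each; the backup file location and the function names are assumptions.

```powershell
# Added example: read-only triage of the msmsgs.exe COM launch point.
$Clsid    = '{F3A614DC-ABE0-11d2-A441-00C04F795683}'   # CLSID quoted in the post
$Expected = 'C:\Program Files\Messenger\msmsgs.exe'    # path quoted in the post
$KeyPath  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\LocalServer32"
$Backup   = Join-Path $env:TEMP 'msmsgs-LocalServer32.reg'  # assumed backup location

function Get-ExePathFromCommand {
    param([string]$Command)
    # LocalServer32 holds a command line; the executable is usually quoted.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return $Command.Trim()
}

function Get-BinaryReport {
    param([string]$Source, [string]$Path)
    $exists = [bool]$Path -and (Test-Path -LiteralPath $Path -PathType Leaf)
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $Path }
    [pscustomobject]@{
        Source         = $Source
        Path           = $Path
        Exists         = $exists
        AtExpectedPath = ($Path -ieq $Expected)
        Signature      = if ($sig) { $sig.Status } else { 'n/a' }
        Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256         = if ($exists) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { '' }
    }
}

$report = @()
if (Test-Path -LiteralPath $KeyPath) {
    # Back the key up before any deletion, as the post advises.
    & reg.exe export "HKCR\CLSID\$Clsid\LocalServer32" $Backup /y | Out-Null
    $cmd = (Get-Item -LiteralPath $KeyPath).GetValue('')   # default (@) value
    $report += Get-BinaryReport 'LocalServer32' (Get-ExePathFromCommand $cmd)
} else {
    Write-Host "LocalServer32 key for $Clsid is not present."
}

# Every running msmsgs process; Path can be empty without admin rights.
Get-Process -Name msmsgs -ErrorAction SilentlyContinue | ForEach-Object {
    $report += Get-BinaryReport "PID $($_.Id)" $_.Path
}

$report | Format-List
```

An entry whose path differs from the expected one, or whose signature status is not `Valid`, is the file to hand to the scanners discussed in this thread.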



  4. #4
    dnl Guest

    Re: Mitglieder.BO virus and compromised computer?

    "Mich" <Mich8hb@netscape.net> wrote in
    news:d3x2e.32589$qN3.31860@trndny01:

    >
    > "dnl" <dnl@dnl.123.dnl.org> wrote in message
    > news:Xns962994939C5dnldnl123dnlorg@216.196.97.131. ..
    >> My Kerio firewall just caught a new version of msmsgs.exe trying to
    >> access the internet when I haven't updated it and now it appears that
    >> I have a virus. I'm trying to figure out what else besides the virus
    >> may be on my computer now.
    >>
    >> I have MSN Messenger installed but Messenger was disabled in
    >> services. I've tried ending the msmsgs process in the task manager
    >> but it keeps returning.
    >> I just noticed that WinPatrol has not been running either so I'm
    >> wondering if that was disabled by whatever activity is going on.
    >>
    >> Norton doesn't report any viruses but Panda Online reports that I
    >> have Mitglieder.BO. Spybot and Adaware aren't detecting anything.
    >> Spywareguard is also running. Any suggestions for the best way to
    >> clean this computer and get rid of whatever is going on?
    >>
    >> Thanks.
    >>
    >>

    >
    > Messenger service and MS Messenger are not the same; go into your
    > Admin tools and look...
    >
    > MSN Messenger is a pain in the butt
    >
    > To stop messenger from loading when visiting sites such as hotmail
    > delete the following key. But remember to backup your registry before
    > doing anything to it. This works in Windows 2000 also.
    >
    > 1. Start > run > type regedit
    >
    > 2. Navigate to the following key
    > [HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
    > @="\"C:\\Program Files\\Messenger\\msmsgs.exe\""
    >
    > 3. This can be done easily by searching for F3A614DC in the registry
    > and it will automatically take you there.
    >
    > 4. Delete this key and you will see that messenger does not load
    > anymore when visiting hotmail. Happy tweaking.
    >


    I know that MSN Messenger and Messenger are different. That's why I
    mentioned that I had one disabled in services. Despite that, it keeps
    launching on its own.


  5. #5
    David H. Lipman Guest

    Re: Mitglieder.BO virus and compromised computer?

    From: "dnl" <dnl@dnl.123.dnl.org>

    | I know that MSN Messenger and Messenger are different. That's why I
    | mentioned that I had one disabled in services. Despite that, it keeps
    | launching on its own.

    It could also be the following worm...

    W32/Funner.worm -- http://vil.nai.com/vil/content/v_128750.htm

    "...It then attempts to invoke MSN Messanger (msmsgs.exe) and creates the following registry
    key..."

    Dump the contents of the IE Temporary Internet Folder cache (TIF)

    start --> settings --> control panel --> internet options --> delete files

    1) Download the Sysclean Front End utility ( SYSCLEAN_FE ) in "Procedure 1"
    at the following URL, SYSCLEAN_FE automates the download and
    execution process of the Trend Sysclean Package.
    http://www.ik-cs.com/got-a-virus.htm

    Direct URL:
    http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

    Execute; SYSCLEAN_FE.EXE
    Choose; Unzip
    Choose; Close

    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }

    2) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
    3) Reboot your PC into Safe Mode and shutdown as many applications as possible
    4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
    clean/delete any infectors found
    5) Restart your PC and perform a "final" Full Scan of your platform
    6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    7) Reboot your PC.
    8) If you are using WinME or WinXP, create a new Restore point

    * * Please report back your results * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  6. #6
    Doc Guest

    Re: Mitglieder.BO virus and compromised computer?

    "Mich" <Mich8hb@netscape.net> wrote in
    news:d3x2e.32589$qN3.31860@trndny01:

    >
    > Messenger service and MS Messenger are not the same
    >


    No **** Sherlock.
    The OP said already knew that ....

    >I have MSN Messenger installed but Messenger was disabled in services.


    so I guess your advice is up to your usual standard.

    --
    Life should NOT be a journey to the grave with the intention of arriving
    safely in a pretty and well preserved body, but rather to skid in
    broadside, thoroughly used up, totally worn out and loudly proclaiming
    "WOW, WHAT A RIDE"

  7. #7
    Mich Guest

    Re: Mitglieder.BO virus and compromised computer?


    "dnl" <dnl@dnl.123.dnl.org> wrote in message
    news:Xns9629EA5DB2D7Ednldnl123dnlorg@216.196.97.13 1...
    > "Mich" <Mich8hb@netscape.net> wrote in
    > news:d3x2e.32589$qN3.31860@trndny01:
    >
    > >
    > > "dnl" <dnl@dnl.123.dnl.org> wrote in message
    > > news:Xns962994939C5dnldnl123dnlorg@216.196.97.131. ..
    > >> My Kerio firewall just caught a new version of msmsgs.exe trying to
    > >> access the internet when I haven't updated it and now it appears that
    > >> I have a virus. I'm trying to figure out what else besides the virus
    > >> may be on my computer now.
    > >>
    > >> I have MSN Messenger installed but Messenger was disabled in
    > >> services. I've tried ending the msmsgs process in the task manager
    > >> but it keeps returning.
    > >> I just noticed that WinPatrol has not been running either so I'm
    > >> wondering if that was disabled by whatever activity is going on.
    > >>
    > >> Norton doesn't report any viruses but Panda Online reports that I
    > >> have Mitglieder.BO. Spybot and Adaware aren't detecting anything.
    > >> Spywareguard is also running. Any suggestions for the best way to
    > >> clean this computer and get rid of whatever is going on?
    > >>
    > >> Thanks.
    > >>
    > >>

    > >
    > > Messenger service and MS Messenger are not the same; go into your
    > > Admin tools and look...
    > >
    > > MSN Messenger is a pain in the butt
    > >
    > > To stop messenger from loading when visiting sites such as hotmail
    > > delete the following key. But remember to backup your registry before
    > > doing anything to it. This works in Windows 2000 also.
    > >
    > > 1. Start > run > type regedit
    > >
    > > 2. Navigate to the following key
    > > [HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}\LocalServer32]
    > > @="\"C:\\Program Files\\Messenger\\msmsgs.exe\""
    > >
    > > 3. This can be done easily by searching for F3A614DC in the registry
    > > and it will automatically take you there.
    > >
    > > 4. Delete this key and you will see that messenger does not load
    > > anymore when visiting hotmail. Happy tweaking.
    > >

    >
    > I know that MSN Messenger and Messenger are different. That's why I
    > mentioned that I had one disabled in services. Despite that, it keeps
    > launching on its own.



    Sorry I did not catch that... I have a terrible cold and I'm a little slow
    lately.
    Did you try the reg hack yet ?

    Mich...




