Trojan implanted on MSN Messenger. Cant get rid of it.

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Anti spyware does not remove this stupid program off my messenger whatssover.
Ok so this is what appears in my messenger talk window from time to time it
appears on many computers. It infects every other system from computer to
computer. This is a terrible bug http://www.haibatrung.info/play.exe

Problem is when u press this link on messenger it automatically opens it up
on your system and it infects your system with no chance of protecting
yourself. It opens up a program automatically and unloads the virus into your
system. Very bad cause its annoying.
 
Hi Again

Sorry for the delay It took me awhile to test then I fell asleep as it was
late here UK :) I can see why you are having problems with this, It drops two
files on the system which are exact copies of the original file, Its hard to
describe this as It behaves like a worm by sending itself to everyone in the
infected pc's address book via MSN but the main file does keep contacting out
so It could have some Backdoor features.

The File gets copied as spoolsv.exe into the windows folder but it will not
be visible unless you enable operating system files and hidden files and
folders, you cannot delete it as Its the same name as the genuine Microsoft
spoolsv.exe file even using the same name in properties "Spooler SubSystem
App", I tried to delete it with a batch script and set attributes to remove
hidden, read and system status but still got access denied messages when I
run the script, Then it drops another file into the system32 folder called
resys.exe which again is a exact copy of the infecting file and has hidden
and read only status. It then enters itself as SVCHOST=
C:\Windows\spoolsv.exe into the Run area of the registry and also hooks into
explorer.exe to make sure it starts with windows, This makes the Worm/Trojan
even run in safe mode and finally you cannot use Task Manager when its on the
system, You can open task manager but cannot end the Worm process, If you
left click the end process windows doesnt show up , If you right click on a
entry and choose end process it will end the process of items below it but
the Worm keeps running.

You picked a great infection there :o)

I've made a simple batch script and included taskkill in the folder so that
I can stop the worm version of Spoolsv.exe, Then the batch with remove
hidden, read only and system status on both files and remove them, It then
removes the Run Key and restores explorer.exe back to the way it should be
then deletes all temp files,

One important part to this is the fix needs to be run in safe mode, The Worm
will be running in safe mode but not the genuine file so taskkill will only
stop the Worm and when you reboot the genuine file starts up as normal, My
email is on the fixtool so if you have any problems just let me know, The
alternative would of been using Hijack This as the Antivirus scanners may not
of restored the explorer.exe entry but that could lead to mistakes or the
genuine file being removed because the Worm is very difficult to find with it
being hidden as a operating system file.

Its a good idea to change passwords on programs you use including MSN and
remeber this worm will send itself to everyone on the infected pc's MSN list
so you may get this again if your contacts are infected :)

Download the Remover Here :

http://andymanchesta.com/DL/Remover.zip

Save to desktop and extract the file, Please Then reboot into safe mode !!
(Reboot and keep tapping F8 and choose safe mode from the list)

Once your in safe mode go into the remover folder and double click
Remover.bat and follow the on screen prompts , Its very small and will only
take 10 seconds to run and then the Worm will be removed,

Let us know if you need more help with this

Regards

Andy
 
I know Microsoft software Engineers should figure this one out really they
should find out where this person is and arrest him for corruption. They are
using an address link so shouldnt that lead us to their servers somewhere in
the world.
I cant believe this is spreading like wildfire and Microsoft has done
nothing yet..

I ran TrendMicro detailed a virus called WORMBAITAP.A now here this non
cleanable.......Microsoft Engineers please do something.....oh brother!
I also ran I ran panda software- it said it found 4 viruses and twelve
spyware that Microsoft's AntiSpyware missed. Ok so it said it removed 4
viruses but like u said if it selfreplicates in the computer over and over
again then its stuck in my system

I will try your remedy but what a bitch of a virus / trojan to rid of ....i
will give u more updates today as i attempt to fix it.... All my friends
systems are infected with this damn trojan and i dont have the heart to tell
what it is. I used my MSN messenger for an hour and the damn thing didnt
show up. Could that be good news? I will tell u if it shows up again from
my computer.

If it self replicates we have a timebomb around the world on everyones
computers especially if it resembles and looks like the Windows operating
system program.
 
Hi Again

The remover I post will kill it and can even be run in normal mode without
any problems I just think safe mode would be an easier option to stop it
trying to contact out but its not essential as the genuine spoolsv will be
restarted at the end of the script. When the Worm runs it opens a site
silently called WhatIsMyIP.com this then displays the IP address of the
infected pc and sends it back to the attacker.

Microsoft Antispy probably wouldnt include this with it being a Worm/Virus

If you have other spyware issues then download Ewido Security Suite (It says
its a 14 day trial but it works fine after that expires)

download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes close Ewido

Run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'
When ewido finds something, it will pop up a notification. Select "clean"
and check the boxes "Perform action with all infections" and "Create
encrypted backup" then click on ok.When the scan finishes, click on "Save
Report" and save it to your desktop or c:/drive incase you need it again.


Like you say its very easy to trace the person behind this, I already have 2
email addresses for him and full contact details, The site name is the same
as the link you post but he also uses the name futureofscience.com , His
Hosting provider is based in the US and he is in France so Im sure they will
suspend his account when they are made aware he is infecting people.

This isnt the right place to post his full details but If you want to make a
complaint then contact his hosting provider here

DreamHost Abuse Team

+1-323-583-7991

(e-mail address removed)

And give them full details and the link to the infected file

Let us know if you have any problems

Andy
 
Just wanted to repost about the abuse address, Ive run the worm again and
the site the worm is hosted on isnt the one I post details about last time, I
was getting that info from reading packet sniffing logs as those sites open
once the worm is run on the system but its possible the attacker is just
using that site to distract users so the user isnt aware they just got
infected,

There's 3 sites involved, two being hosted by the company I gave abuse
details for.
The third site has a email contact of *Modified*[email protected], Given
that the name 'cracker' is a term used for someone who breaks security on a
system if you was going to make a complaint Id do it at this hosting company
and provide them with the link :

Schlund + Partner AG (e-mail address removed)

Just to finish this topic here's the results using the Microsoft Antispy
Advanced File Analyzer :)

Genuine spoolsv.exe

Detailed File Analysis
Display name: Microsoft Spooler SubSystem App
Name: spoolsv.exe
Description: Spooler SubSystem App
Publisher: Microsoft Corporation
Path: C:\WINDOWS\system32\spoolsv.exe
Version: 5.1.2600.0
Size: 51200 bytes
Copyright: © Microsoft Corporation. All rights reserved.

MD5: 9b4155ba58192d4073082b8fc5d42612
This file is currently running

worm spoolsv.exe and copies

Detailed File Analysis
Display name: Microsoft Spooler SubSystem App
Name: resys.exe
Description: Spooler SubSystem App
Original file name: play.exe
Publisher: Microsoft Corporation
Path: C:\WINDOWS\system32\resys.exe
Version: 2.4.0.34
Size: 114688 bytes
Copyright: © Microsoft Corporation. All rights reserved.

MD5: 71058a03e4136655482e8255acd10754
This file is currently running

Detailed File Analysis
Display name: Microsoft Spooler SubSystem App
Name: SPOOLSV.EXE
Description: Spooler SubSystem App
Original file name: play.exe
Publisher: Microsoft Corporation
Path: C:\WINDOWS\SPOOLSV.EXE
Version: 2.4.0.34
Size: 114688 bytes
Copyright: © Microsoft Corporation. All rights reserved.

MD5: 71058a03e4136655482e8255acd10754
This file is currently running

Detailed File Analysis
Display name: Microsoft Spooler SubSystem App
Name: play.exe
Description: Spooler SubSystem App
Publisher: Microsoft Corporation
Path: C:\Documents and Settings\Andy Manchesta\Desktop\play.exe
Version: 2.4.0.34
Size: 114688 bytes
Copyright: © Microsoft Corporation. All rights reserved.
Create date: Wednesday October 12, 2005
Access date: Wednesday October 12, 2005
Modified date: Wednesday October 12, 2005

MD5: 71058a03e4136655482e8255acd10754
This file is currently running

All The best

Andy
 
Andy thanks again for your help

Your post of the first three sites i downloaded the fix there and lost guess
what in normal mode my spooler completely

Looking to reinstall the damn spooler again. Anyway trying too but i forgot
how to do it again. When i start my computer this is the message that comes
out in a box. It says it cannot find C:/Windows/Spoolsv.exe which means it
took both spollers out. That was from the third site u mentioned. It worked
it just took both out.

Oh well the computer is working fine but the Spooler is missing completely.

A fast remedy for this Andy i appreciate getting that TROJAN out

Hey take a look at this site for some answers of how bad this TROJAN really
was or still is.....IT IS A KILLER OF A TROJAN.....still noticing my computer
goes off and then blinks gets stuck on a page and locks up completely. It has
never done that before. It happens from time to time since now.....just
locks up

Cureable i think so but damn this thing really is still bothering me. I dont
see that www.haibatrung thing anymore on Messenger but then again i wonder if
my system is clean since i cant find any Spooler.

Check this site out found it today
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ciadoor.b.html

tell me what u think i should do next to make sure this stupid thing isnt
still in the computer

Thanks Andy
 
D: I have the same problem and I've downloaded the "Remover", but I can't open it... can someone please send the actual file(s) to me please? Thanks!
 
I don't understand anything you people just said.

I must have this spoolsv.exe virus because my Windows Task Manager says it is running. It's laggin my pc to death. I don't even own a printer. I have no idea what you all just said. You are making no sense to me. I'm not a computer genius.

What about one of this instant fix programs I'm seeing online? Like this one: http://www.instant-registry-fixes.org/how-to-fix-spoolsvexe-application-error/? Would that do it? I can't do all that complicated computer stuff you guys were talking about. Is there a program I can download to fix this?

What would happen if I just shut it off in the task manager?

I have a free Norton Antivirus acct. I run full scans regularly. Will that help? Or do I have to buy Norton for them to help me with this?
 
Back
Top