View Full Version : Something is hijacking Windows Live messenger

13-01-2008, 02:53 AM
My friend is having a problem where if i sign onto his windows live messenger 8.5 it would send a weblink to every online contact .The web link directs people to a file called jpeg.exe

If I shut down Windows Live messenger the virus seems to load windows live messenger every 15 mins and I can see it from the taskbar for about 5 seconds before it disappears.

If I talk to someone the chat window would flick constantly and the only way to exit the window is to end the process

I have scanned the computer with nod32 and spybot both haven't found anything.

Does anybody have any ideas what to do?

13-01-2008, 03:18 AM
Try completely removing Windows Live Messenger, scanning your computer with NOD32, Spybot and give it a scan with CCleaner as well. Restart your computer and then install it again and see what happens.

If that fails then you'll need to run a HijackThis scan and let Speedy tell you what is the exact problem.

13-01-2008, 03:20 AM
There is also this from Sept 13, 2007:

Worm whose spread is done via instant messaging clients from Microsoft (Windows Live Messenger, MSN Messenger and Windows Messenger) to the entire list of contacts.

El idioma del mensaje enviado varía según el lenguaje establecido para el equipo, con texto del estilo de los siguientes: “oye voy a poner esa foto de nosotros en mi myspace :->” o “jaja recuerda cuando tuviste el pelo asi”. The language of the message sent varies depending on the language set for the team, with the style of the text: "I will hear from us put this picture in my myspace: ->" or "jaja remember when you had hair well."
Junto al mensaje llega un fichero de nombre ‘IMG-0012.zip’ (o similar). Along with the message arrives a file named 'IMG-0012.zip' (or similar).

Abre una puerta trasera en el sistema que permite a un atacante remoto, entre otras acciones, listar/detener procesos, robar información del sistema y descargar/ejecutar código malicioso. It opens a backdoor in the system that allows a remote attacker, among other things, lists / stop processes, steal system information and download / execute malicious code.

Solucion: Solution:

1. Si utiliza Windows Me o XP, y sabe cuándo se produjo la infección, puede usar la característica de ‘Restauración del Sistema’ para eliminar el virus volviendo a un punto de restauración anterior a la infección. 1. If you are running Windows Me or XP, and knows when the infection occurred, can use the feature 'Restoration System' to eliminate the virus back to a restore point prior to infection. (Tenga en cuenta que se desharán los cambios de configuración de Windows y se eliminarán todos los archivos ejecutables que haya creado o descargado desde la fecha del punto de restauración). (Note that desharán configuration changes in Windows and remove all executable files you created or downloaded from the date of the restore point). Ayuda para utilizar la opción de Restauración en Windows XP. Help use the Restore in Windows XP.

Si esto no es posible o no funciona es recomendable desactivar temporalmente la Restauración del Sistema antes de eliminar el virus por otros medios, ya que podría haberse creado una copia de seguridad del virus. If this is not possible or does not work you should temporarily disable the Restoration System before removing the virus by other means, since it could have created a backup of the virus. Si necesita ayuda vea desactivar restauración del sistema en Windows Me o en Windows XP. If you need help see off System Restore in Windows Me or Windows XP.

2. Con un antivirus actualizado, localice todas las copias del virus en el disco duro de su PC. 2. With an updated antivirus, locate all copies of the virus on the hard drive of your PC. Si no dispone de antivirus, visite nuestra página de Antivirus gratuitos. If you do not have antivirus visit our Antivirus free. Repare o borre el fichero infectado. Repair or delete the infected file.
Si el antivirus no puede reparar la infección o borrar los ficheros, puede ser debido a que el fichero está en uso por estar el virus en ejecución (residente en memoria). If the virus can not repair or delete infected files, it may be because the file is in use by the virus to be running (in memory).
Nota: A Menudo los antivirus informan de que ‘no puede reparar un fichero’ en el caso de gusanos o troyanos debido a que no hay nada que reparar, simplemente hay que borrar el fichero. Note: Menudo antivirus report that 'it is unable to repair a file' in the case of worms or Trojans because there's nothing to repair, simply delete the file.

3. En el caso de que no se pueda eliminar el fichero del virus, debe terminar manualmente el proceso en ejecución del virus. 3. In the case of failure to remove the file of the virus, should complete the process manually running of the virus. Abra el Administrador de tareas (presione Control+Mayúsculas+Esc). Open Task Manager (press Control-Shift-Esc). En Windows 98/Me seleccione el nombre del proceso y deténgalo. In Windows 98/Me select the name of the process and stop the server. En Windows 2000/XP, en la pestaña ‘Procesos’ haga clic derecho en el proceso y seleccione ‘Terminar Proceso’. In Windows 2000/XP, in the 'Processes' right-click on the process and select' Finish Process'. A continuación vuelva a intentar el borrado o reparación del fichero. Then try erasing or repair the file. Para más información consulte Eliminar librerías .DLL o .EXE. For more information, see Remove bookstores. DLL or. EXE.

4. A continuación hay que editar el registro para deshacer los cambios realizados por el virus. 4. Below is to edit the registry to undo the changes made by the virus. Si necesita información sobre cómo editar el registro puede ver esta guía de edición del registro o este vídeo de ayuda que ilustra el proceso. If you need information about how to edit the registry can see this guide edition of this video recording or help to illustrate the process. Sea extremadamente cuidadoso al manipular el registro. Be very careful when handling the registration. Si modifica ciertas claves de manera incorrecta puede dejar el sistema inutilizable. Changing certain keys incorrectly can make the system unusable.

Para evitar que este código malicioso sea ejecutado automáticamente cada vez que el sistema es reiniciado, elimine de la siguiente clave del registro de Windows, el valor indicado: To prevent this malicious code to be executed automatically each time the system is restarted, remove the following registry key Windows, the value indicated:
Clave: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run Key: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
Valor: “Windows Lsass Services” = “%Windir%\system\lsass.exe” Value: "Windows Lsass Services" = "% Windir% \ system \ lsass.exe"

Para elimina el gusano de la lista de aplicaciones autorizadas por el cortafuegos de Windows, elimine el valor indicado de la siguiente clave del registro de Windows: To remove the worm from the list of approved applications for the Windows firewall, remove the value of the following registry key Windows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\Parameters HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplicat ions\List \ FirewallPolicy \ StandardProfile \ AuthorizedApplications \ List
Valor: “Predeterminado” = “- valor no establecido -” Value: "Default" = "- value not established -"

Elimine el valor indicado de la siguiente clave del registro de Windows: Remove the value of the following registry key Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Shell Extensions
Valor: “MSNPRC” = “[- ruta_al_ejecutable_del_gusano -]” Value: "MSNPRC" = "[- ruta_al_ejecutable_del_gusano -]"

Reinicie su ordenador y explore todo el disco duro con un antivirus para asegurarse de la eliminación del virus. Restart your computer and browse the entire hard disk with a virus to ensure the elimination of the virus. Si desactivó la restauración del sistema, recuerde volver a activarla. If deactivated System Restore, remember to re-activate it.

Fuente: Alerta-Virus Source:-Virus Alert

13-01-2008, 03:22 AM
You could also try this, not sure how good it is cos I've never used it: fe%3Doff%26sa%3DG
MSNCleaner v1.4.8

13-01-2008, 03:39 AM

Doesnt seem to be causing any problems now which is kinda weird

13-01-2008, 05:06 AM
I just realized that my 2nd post was completely in Spanish (damn you, Google Translator!! and doing this at 4am :lol:) so here's the link to the translated page:


13-01-2008, 08:21 AM
I think the best way to do is to have a firewall and also run your anti virus after un install windows messenger.

13-01-2008, 06:31 PM
I decided to format the computer as Nod32 the latest version 3.0.0621 and counterspy,spybot still cant detect the virus
It must be a worm

Thanks for the help guys

I had been insulted a bit from using Windows live messenger because the virus was spamming the web link to all my online contacts but after explaining to them they were like um ok...

I have written down the link and it directs you to a jpeg.exe

I downloaded the file and use nod32 to scan that file but didnt detect anything

If you guys are interested to see if your antivirus are up to date and just curious if it can catch that virus you can PS me and I'll give you the link.

Speedy Gonzales
13-01-2008, 06:37 PM
I dont think people want a file from a malicious / suspicious link.

You didnt run this file again did you?

Its probably this worm (http://vil.nai.com/vil/content/v_99201.htm)

Trojan remover will probably remove it. Its in its database.

13-01-2008, 06:42 PM
Yeah I had a look at that too when i was searching thru google

Its similar and it tried to send a file called haha.exe to one of my contact


the other thing it tried to do was sending spam messages to my online contact which was http:/// ...... jpeg.exe with haha:D at the end of the link

If it was that virus you meantioned and it dates back to 2001 surely nod32 would have detected it .My friend's pc was running the latest definition updates

Speedy Gonzales
13-01-2008, 06:51 PM
That haha.exe may belong to this a trojan (http://www.symantec.com/security_response/writeup.jsp?docid=2003-060109-1827-99&tabid=1)

Or it could belong to Zotob a worm (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.A&VSect=T)

Both put haha.exe in the system directory.

I would make sure whatever this haha.exe file is on, that the system is up to date.

Since most of the variants of this worm exploit the plug and play vulnerability (http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) in Windows