How to clear possible infection via MSN Messenger?

Status
Not open for further replies.

Brettt

IS-IT--Management
Jan 31, 2005
10
AU
I clicked on a link from what I believed to be a safe source on MSN Messenger. See below:

[13:10] XXXXXXXXXXXXXXX: look at my profile
[13:10] *** Auto-response sent to XXXXXXXXXXXX: I am currently idle.
[13:10] (XXXXXXXXXXXXX): (Link:
(The email is an old address that I don't have any more, so I haven't received any mail)

The link did nothing but now when I boot my PC it tries to execute some files that it cannot find and gives me the message:
"Could not load "xxxx" specified. Check the registry to make sure the file exists on your computer or remove the reference in the registry"
The two files it lists in the "xxxx" place are
C:\Program
Files\help\zeh.exe

Also, following start-up my Zone Alarm firewall prompts me with a request for internet access from msnmsg.exe. I have been denying this as it seems to be a new addition. MSN Messenger is working as normal, without asking anything from Zone Alarm when it executes.

A Norton scan of my computer does not find any viruses.

I am not sure how to maintain the registry safely, but looking in the start-up tab of msconfig shows four files I am suspicious of.
They are listed below with the entries that appear in the
Start-up item | Command | Location columns

msnmsg
msnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ctfmon
C:\ProgramFiles\System32\ctfmon.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsg
msnmsg.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is this a virus or program that people are aware of?
How can I remove the problem and make the computer safe?
Should I uninstall and reinstall MS Messenger?

Thanks, apologies for the long post
 
Go to these entries on your registry by Start->Run->registry ,

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and list here the [NAME] value and the [DATA] value, so we can see what's going on.

and also go to Start->Programs->Startup and list any name that is in that menu.

And don't touch the ctfmon.exe
And don't delete or uncheck anything yet


``The wise man doesn't give the right answers,
he poses the right questions.''
TIMTOWTDI
 
Thanks for the reply, Here are the answers to your questions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(Default) (value not set)
BigPond Toolbar "C:\Program Files\Telstra\Toolbar\bpnumTray.exe"
BigPondCable "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HP Software Update "C:\My XP Program Files\HP\HP Software Update\HPWuSchd.exe"
IMJPMIG8.1 C\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
iTunesHelper H:\My XP Program Files\iTunes\ITunesHelper.exe
Msn Messenger Service msnmsg.exe
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
PHIME2002Async C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
vptray C:\MYXPR~1\SYMANT~1\vptray.exe
Zone Labs Client "H:\My XP Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(Default) (value not set)
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Msn Messenger Service msnmsg.exe

The entries in the Start -> Programs -> Startup are

Billminder
Hotsync Manager
HP Digital Imaging Monitor
Microsoft Office
Quicken Startup

Thanks
 
Msn Messenger Service msnmsg.exe

That entry in both sections should be removed.
That is not the real Messenger, as the real messenger is msmsgs.exe

Computer/Network Technician
CCNA
 
LloydSev

Thanks for the info about the msnmsg.exe entries, removing them has stopped me being prompted for this program to access the internet.

I still have the messages about the files that cannot be found during start-up. There are two pairs one for
C:\Program and one for Files\help\zeh.exe

The messages I get are
Dialog Box -> C:\Program
Windows cannot find "C:\Program". Make sure you typed the name correctly and then try again. To search for a file click the start button and then click Search.

Dialog Box -> Desktop
Could not load or run 'C:\Program' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

The same two messages repeat for Files\help\zeh.exe before the icons in taskbar are loaded

I am not sure which registry entries refer to these files.
There is a zeh.exe file on my computer. It is in C:\Program Files\help\zeh.exe. It is not a file I recognise and it has a modified date of 18 April and a created date of 19 April. The help directory has only two files in it, zeh.exe and help32.exe.

It may be that a line has not been constructed correctly for "C:\Program Files\help\zeh.exe" and it is being broken into two separate items, "C:\Program" and Files\help\zeh.exe.

Any suggestions on what zeh.exe is or where it is being requested from?
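A defender-side check for the two things this thread turns on, a look-alike executable name with no path (msnmsg.exe next to the real msmsgs.exe) and an unquoted path with spaces that surfaces as "C:\Program" at boot. This is an added example, not code from the thread or any poster; the table of legitimate names and directories, and the "help" entry standing in for wherever zeh.exe was referenced, are assumptions.

```python
# Assumption for this example: legitimate XP-era names from the thread and their usual directories.
EXPECTED_DIR = {"msmsgs.exe": r"c:\program files\messenger", "ctfmon.exe": r"c:\windows\system32"}

def program_token(data):
    """Program part of a Run command: the quoted string, else text up to the first space
    (which is how 'C:\\Program Files\\help\\zeh.exe' can surface as 'C:\\Program')."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0]

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike executable names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_run_entry(data):
    """Findings (strings) for the Data value of one Run-key entry."""
    findings, program = [], program_token(data)
    folder, _, base = program.lower().rpartition("\\")
    if "\\" not in program:
        findings.append("bare filename, found by PATH search rather than a fixed path")
    elif not data.strip().startswith('"') and not base.endswith((".exe", ".com", ".bat")):
        findings.append(f"unquoted path with spaces; loader sees '{program}'")
    if base in EXPECTED_DIR:
        if folder != EXPECTED_DIR[base]:
            findings.append(f"{base} outside its expected directory")
    else:
        findings += [f"{base} looks like legitimate {legit}"
                     for legit in EXPECTED_DIR if edit_distance(base, legit) <= 2]
    return findings

# Constructed sample in the Name / Data form pasted in the thread; the "help" entry is
# hypothetical, standing in for wherever zeh.exe was actually referenced.
SAMPLE_RUN_KEY = [
    ("MSMSGS", r'"C:\Program Files\Messenger\msmsgs.exe" /background'),
    ("CTFMON.EXE", r"C:\WINDOWS\System32\ctfmon.exe"),
    ("Msn Messenger Service", "msnmsg.exe"),
    ("help", r"C:\Program Files\help\zeh.exe"),
]

def suspicious_entries(entries=SAMPLE_RUN_KEY):
    """Entry name -> findings, for entries that have any."""
    return {name: f for name, data in entries if (f := check_run_entry(data))}
```

Running `suspicious_entries()` flags only the two entries the thread ends up removing or hunting for; the genuine msmsgs.exe and ctfmon.exe lines pass clean.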
 
This application may exhibit the features of adware, spyware, or both.
I don't know what applications you really installed on your system, so I want you to tell me if you know what these programs are, without trying to run them if you don't.

At the registry:
BigPond Toolbar
BigPondCable
IMJPMIG8.1
iTunesHelper
PHIME2002A
PHIME2002Async


At the StartUp folder:
Quicken Startup

Also go Start->Run->sysedit
A window will open with smaller windows inside. They are your system files (Autoexec.bat, Config.sys, Win.ini, System.ini)
Check each one to see if the path to this file zeh.exe is in any of them, and if yes then delete it.

Also go Start->Run->services.msc
A window will open with your services which are running in the background. Check their names (many of them will sound familiar).
Then sort them by Startup Type and check those that are set to Automatic; by double clicking on them you can see which *.exe they use.
If you see zeh.exe anywhere, then change 'Startup Type' to 'Disable'.

If you don't find it, then also try the ones that have Manual as a Startup Type.

Tell me what happens.


``The wise man doesn't give the right answers,
he poses the right questions.''
TIMTOWTDI
 
The programs that I DO NOT know about are

IMJPMIG8.1 C\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
PHIME2002Async C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

There are no references to zeh.exe in the following files: config.sys (empty), autoexec.bat (empty), win.ini, system.ini.

None of the services referred to in services.msc have an exe of zeh.

Is there a way I can see the commands being executed as Windows goes through the startup process?
I tried safe mode but it stops before it gets to this point.
I think it is calling something to be done but is not being successful in doing it, hence the errors when I start.

Thanks
 
I have since discovered this was an infection of the W32.Kelvir.AC virus. I am not sure why it was not detected by Norton Antivirus. It may not have been posted when I did my first virus Live Update.

I have successfully cleaned it using the security response on the Symantec website.

 