I just got this message on msn:

quote:

---

{contact} says:
     http://{domain}/member.php?msn={email} those ur pics?

---

This type of thing has been around for a long time. Always clarify with your contacts what exactly they're linking you to (or what file they're sending you) if there was no preceding conversation, but anything with your email in it is usually bad, especially when a contact claims them to be "pics of you".

EDIT: Just noticed I didn't really provide a conclusion.
Those type of things are usually malicious in one way or another and in this scenario I would really advise against visiting the site.

I'm well aware of that, and I have helped other people out with this problem before. I was just wondering if anyone has found a cure. I am sending the file into Norton, McAffe and avast! tonight to see their diagnosis on the situation.

Edit: When I was downloading the file, avast! had allready had the file in it's definition files

code:

---

File name:      http://{domain}/member.php?msn={email}\[PECompact]
Malware name:   Win32:VB-KP [Trj]
Malware type:   Trojan Horse
VPS Version:    000747-0, 04/06/2007

---

I just got it today>_< though it was from www2.imsector.com/m.php?m= (e-mail)

did you say you know how to get rid of it?

quote:

---

Originally posted by sir_deadlock
did you say you know how to get rid of it?

---

quote:

---

Originally posted by sir_deadlock
Edit: There is a guide to remove the virus here: http://www.spywaredb.com/remove-backdoor-vb-kp/

---

well, after nearly 2 hours, the program has scanned my computer and found the virus in entirety ^_^

now how about you tell me a way to get rid of these things that won't cost me $40?

I'm not exactly up for paying money to get rid of something that was forced upon me, I call that robbery.

The link which has been quotes no less than twice in this thread (http://www.spywaredb.com/remove-backdoor-vb-kp/) seems to have a tool available for download for removing it as well as providing instructions for manual removal.

all I saw were a couple names, and a dowloadable  program. I downloaded the program, scanned my computer with it, and it requires a $40 subscription to use.

can you copy and paste these instructions that I'm having trouble finding?

and if it's:
"Backdoor.VB.kp Removal Instructions

Kill the following processes
bpcpost.exe, x2a.exe

Remove the following files
bpcpost.exe, x2a.exe. "
it won't work for me, because those processes aren't running in my task manager.

the scanner tool it offers showed me I've got:
"W32/Chode-Gen
trojan-backdoor-nochod
Troj/Dloadr-AYQ
Troj/Femad-B
Troj/ByteV-Fam
Exp/Animee-A
trojan-downloader-waverevenue"

I only know one way to get rid of these without subscribing to the tool, and that's wiping my hard drive clean
re-formating kinda sucks.

-bangs head on keyboard-  I just got it.....I'm scanning for it now,  oh crud................

ouch
was it a "those ur pics" thing?

I was really stupid to accept it. I got the warning thing that says "run/abort" and I even saw that it was an MS-dos file, yet I still accepted.... why did I want to see myself so badly? I guess I was hoping that this person actually wanted to talk to me. a cruel trick

I felt the exact same way.......I rlly hope the scan finds it,  or else I'm dead,

did you download spy sweeper? you realise that costs $40 to use. it does the scan for free, but actually fixing problems is something they'll charge you for.

I have trend micro pc cillin,  and I'm doin a spyware scan,  so hopefully it will find it.

I have spybot, it finds the stuff, and "fixes" it, but after I restart, it just comes back.

I think i got it.......I'll shut down and hopefully in the morning it will be gone.

I think it's finally gone,  I was terrified that it would srew up our computer.....(my parents would kill me lol)  but I'll go for the real test tonite when I talk to all my friends.

well, if you used a virus remover/registry cleaner, you probably got rid of it. I'm stuck with reformatting.

my brother suggested moving all the stuff I want to keep onto my secondary hard drive... that's pretty much all of my iTunes folder, and a couple save files from games. 34 minutes left on that transfer^_^'

I don't really understand the purpose of this virus, it seems like all it does is spread itself via MSN.

ya that's what I thought about it too,

  but apparently part of it is still on my computer,  and it won't let me delete it,  how can I do this?

Good news!!!!

I got the website banned

I looked up the website (whois) and sent an e-mail to the company who registered the domain (NameCheap.com), explaining what the website was being used for (also linked them to the mess.be news post) and they disabled imsector.com. It appears the imtract.com has also been disabled, which I wasn't aware of until reading this thread.

quote:

---

Hello Chris,

Thank you for advising us,
the domain has been disabled.

Regards,
Michael K.

---

so, does that mean the virus can't hurt anymore?  and THANK YOU THANK YOU THANK YOU

Great work Chris, you would of saved a lot of people unnecessary stress .

Thanks Chris4, nice thinking .

I'm not sure if this will help or not, but I have been following this virus for the past 24 hours, my log is as follows:

******** says:
http:// www6. imsector .com/ m.php?m= (email) those ur pics?

^This message appeared around 4:00 PM and 4:30 PM June 8th EST.
After which my computer hasn't been able too run 'Registry Mechanic'.
or certain Internet Exploer web pages (such as norton/windows/microsoft).
It was sent via over MSN Messenger.
wowexec.exe is a possible corrupted file.
retadpu32.exe is a possible corrupted file.

Update: June 8th; 8:50 PM EST

I've deleted ' wowexec.exe' and it keeps "regenerating" its self.
I have ridden 'retapu32.exe' from my task manager, and it seemed to
only allow me to accept the web pages, but my 'Registry Mechanic' still
has no responce when I try too open it; that or it opens and closes
its self without notice.

Update: June 8th; 9:00 PM EST

I am now unable too use the 'Search' function on my computer.
' wowexec.exe' has appeared in my task manager after I had 'deleted' it.


Update: June 8th 9:47 PM EST

cidaemon.exe is a possible corrupt file.
services.exe is a possible corrput file.
crss.exe is a possible corrput file.

Update: June 8th; 10:55 PM EST

'Search' Function comes back online after reboot, everything esle
still applies.

Okay, I had this program but I forget what it's called but my dad never answers the phone. But you can go into safemode and click on start / run / and put in regedit and look for the registry's and delete it and it'll be gone.

I can't even find it in the registry

I reformatted my c drive. it seems that if you hsve two hard drives, it only affects the one it is saved to (the one with the OS?). so upon my brother's advice, I moved my important stuff to the 2nd hard drive, and formatted the c drive, then reinstalled the OS.

strange how I forgot to save my favorites gonna have to find'em all over again

ugh this virus is still bugging me,  if i click a link for the first time,  it will take me to ebay.............................................it's really annoying.........where is it located in the registry?

This lil program works wonders:

Download and restart in safe mode -

http://downloads.malwareremoval.com/MsnVirRem.exe

DL and click the Search and Destroy button.  If you are infected, it will tell you to reboot.

While in Safe Mode Search the registry AND local drive for these files:

retadpu32.exe
netstat.com
taskkill.com
core.cache.dsk
inetget2
ws.exe
ws-1.exe
wr-1.exe
csrss.lnk

Once registry is clean then you need to change your home page back

It took me 2-3 times of cleaning registry and rebooting in safemode to get rid of this one..

i did that,  but i still get the pop up saying there is spyware on my pc plus my homepage is an google advertisement for mozilla firefox.............

oh nvm i'm not done lol

.....I think it's gone,  but I still have a problem where if i click a link,  it will take me to some random site like ebay, or find stuff.com.................how do i fix that?

they've jumped over to IMward.com now it would seem

um.....okay