WLM sends out messages and files as soon as I sign on by deffman on 02-23-2008 at 12:43 AM

As soon as I sign into WLM, people on my contact list are getting a message saying something like "hey check out this picture" followed by a request to download a file.  I'm not sending these messages or files.  I have run numerous spyware programs, malware programs and virus checks and found nothing.  I have emailed MSN more times than I can count and everything they have suggested hasn't solved anything.  One of the emails suggested running the OneCare scanner, which I did, and it came up with one problem under protection labeled:  backdoor:win32/oderoor.gen!B  followed by: C:windows\system32\ehknfpsgqz.exe.  No idea what the ehknfpsgqz.exe file is.  I put a check by the items to be cleaned and OneCare said unable to clean.  I clicked on the more information button and it took me to an MSN page that explained what it was, and under recovery it basically said manual deletion wasn't advised and to run a virus scan, and gave the link to the OneCare scanner.  So basically I get the run around.  I'm not sure if this is what is causing the messages and file sends in WLM.  I am running Windows XP Pro and using WLM 8.1.  I have also changed my password and security question numerous times.  Any help would be much appreciated.

RE: WLM sends out messages and files as soon as I sign on by Sunshine on 02-23-2008 at 01:08 AM

1. Make sure your antivirus definitions are up to date (update first).
2. Disable system recovery.
3. Do an antivirus scan in safe mode (continuously hit F8 on startup/restart).

RE: WLM sends out messages and files as soon as I sign on by deffman on 02-23-2008 at 01:10 AM

I have already run several virus scans, including in safe mode, and nothing was found except for the problem I noted that the OneCare scanner found.  Also, all my definitions are up to date.

RE: WLM sends out messages and files as soon as I sign on by CookieRevised on 02-23-2008 at 08:24 AM

Remember that a virus scanner is not the holy grail. It can only scan and maybe remove the stuff it knows about.

What you're experiencing is a _very_ typical Messenger "virus" (note the quotes, since it isn't a real virus).

Every so-called script kiddie can program such a malicious program, and because there are so many of them and all done slightly differently, there is no real way to detect them all. Not to mention that each probably needs to be cleaned/removed in a slightly different way (also the reason why you should first try to remove programs and other stuff by the proper official uninstallation instructions before attempting the use of a generic removal program, as that last one will rarely do the proper things).

So it is not surprising that your virus scanner will not pick it up or cannot remove it.

Anyways, yes, the messages and stuff you send via Messenger are caused by it. And that is also how this malicious program spreads: by tricking your Messenger contacts into thinking you've sent them something. They click on the link to see "your photo", but they actually download the malicious program.


To remove it you need to find out what _exact_ files and programs are run when you run Messenger.

C:windows\system32\ehknfpsgqz.exe is a start, but it would not be surprising at all if there are more files (like copies of that file, a setup, etc.) lying around on your hard disk in some other places.

So, before running Messenger, go to your Task Manager (CTRL-ALT-DEL) and list _all_ the processes (Processes tab) which are running under your Windows account login name (see the 'User Name' column. Tip: you can sort the list by clicking on the column headers).

Then do the same thing while you're running Messenger. Run Messenger and go again to your Task Manager to check the processes. List any process which wasn't running before.

Post both lists here so we can take a quick look***.

*** A very very very good tool to do all this and which will give us all the information we need is Process Explorer:
- Download the above zipfile
- Open the zipfile (in Windows XP you can simply double click on it; or choose 'open' when you downloaded it)
- Double click on procexp.exe to start the program (no need for installing anything)

In Process Explorer
-1-  Go to the menu:   View > Select Column
-2-  Make sure at least the next columns are enabled: Process Name, Description, Company Name, Command Line (<= most important one!)
-3-  Click OK
-4-  Now that you've selected the columns, go to the menu:   File > Save As
       And save the process list to somewhere.
-5-  Start up Messenger (you don't need to close Process Explorer) and store the process list again, under a new name. Thus again:   File > Save As

Now zip those two files together (or add the second list to the first list so you end up with only 1 file) and attach it in a new post in this thread.

Essentially, what you need to do next is boot up in Safe Mode, search your hard disk for the malicious files and remove them manually.
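The before/after comparison described above can be done by a script rather than by eye. The following Python example is added here and is not from the post or from Sysinternals: it reads two lists saved with Process Explorer's File > Save As (tab-separated columns Process, PID, CPU, Description, Company Name, Command Line, with leading spaces showing the process tree), reports every process that only appears in the second list, and marks rows that lack a vendor string. The two embedded lists are constructed for the demo; the PID 3801 and the ehknfpsgqz.exe row are invented so the diff has something to flag, and the reading of saved files as UTF-16 or ANSI is an assumption about what Process Explorer writes.

```python
import sys

# Two constructed process lists in the tab-separated layout Process Explorer writes with
# File > Save As. Rows are modelled on the thread but trimmed; PID 3801 and the
# ehknfpsgqz.exe row are invented for the demo.
HEADER = "Process\tPID\tCPU\tDescription\tCompany Name\tCommand Line"
BEFORE_LIST = "\n".join([
    HEADER,
    "System\t4\t\t\t\t",
    "  smss.exe\t804\t\tWindows NT Session Manager\tMicrosoft Corporation\t\\SystemRoot\\System32\\smss.exe",
    "explorer.exe\t268\t\tWindows Explorer\tMicrosoft Corporation\tC:\\WINDOWS\\Explorer.EXE",
    "procexp.exe\t2276\t\tSysinternals Process Explorer\tSysinternals\t\"C:\\Program Files\\ProcessExplorer\\procexp.exe\"",
])
AFTER_LIST = "\n".join([
    HEADER,
    "System\t4\t\t\t\t",
    "  smss.exe\t804\t\tWindows NT Session Manager\tMicrosoft Corporation\t\\SystemRoot\\System32\\smss.exe",
    "explorer.exe\t268\t\tWindows Explorer\tMicrosoft Corporation\tC:\\WINDOWS\\Explorer.EXE",
    "procexp.exe\t2276\t0.77\tSysinternals Process Explorer\tSysinternals\t\"C:\\Program Files\\ProcessExplorer\\procexp.exe\"",
    "msnmsgr.exe\t3724\t\tWindows Live Messenger\tMicrosoft Corporation\t\"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe\"",
    "ehknfpsgqz.exe\t3801\t\t\t\tC:\\WINDOWS\\system32\\ehknfpsgqz.exe",
])


def parse_procexp(text):
    """Turn a saved Process Explorer list into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].split("\t")
    if columns[:2] != ["Process", "PID"]:
        raise ValueError("not a Process Explorer list (no Process/PID header)")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(columns) - len(fields))  # pad rows whose trailing columns are empty
        rows.append(dict(zip(columns, (f.strip() for f in fields))))
    return rows


def new_processes(before, after):
    """Rows of `after` whose (name, PID) pair was not present in `before`."""
    seen = {(r["Process"].lower(), r["PID"]) for r in before}
    return [r for r in after if (r["Process"].lower(), r["PID"]) not in seen]


def review_notes(row):
    """Cheap red flags for one row; an empty list means nothing stood out."""
    notes = []
    if not row["Company Name"]:
        notes.append("no Company Name")
    if not row["Description"]:
        notes.append("no Description")
    if "\\system32\\" in row["Command Line"].lower() and not row["Company Name"]:
        notes.append("runs from system32 without a vendor string")
    return notes


def diff_report(before_text, after_text):
    """One printable line per process that exists only in the second list."""
    started = new_processes(parse_procexp(before_text), parse_procexp(after_text))
    report = []
    for row in started:
        flags = review_notes(row)
        tag = "  <-- " + "; ".join(flags) if flags else ""
        report.append("%s (PID %s) %s%s" % (row["Process"], row["PID"], row["Command Line"], tag))
    return report


def read_list(path):
    """Read a saved list; assumed UTF-16 when it starts with a BOM, otherwise ANSI."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


if __name__ == "__main__":
    # Usage: python procdiff.py before.txt after.txt   (the two files saved from Process Explorer)
    if len(sys.argv) == 3:
        before_text, after_text = read_list(sys.argv[1]), read_list(sys.argv[2])
    else:
        before_text, after_text = BEFORE_LIST, AFTER_LIST
    for line in diff_report(before_text, after_text):
        print(line)
```

Run it with the two saved files as arguments; without arguments it diffs the embedded sample lists. A process is considered new only when both its name and PID are absent from the first list, so a program that was merely restarted also shows up, which is what you want when hunting for something Messenger launches.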

RE: WLM sends out messages and files as soon as I sign on by deffman on 02-23-2008 at 08:44 AM

I'm not too sure of the proper way to post the 2 files I saved from Process Explorer.

RE: WLM sends out messages and files as soon as I sign on by deffman on 02-23-2008 at 08:47 AM

Here is the list with Messenger shut down:
Process    PID    CPU    Description    Company Name    Command Line
System Idle Process    0    96.15           
Interrupts    n/a        Hardware Interrupts       
DPCs    n/a        Deferred Procedure Calls       
System    4               
  smss.exe    804        Windows NT Session Manager    Microsoft Corporation    \SystemRoot\System32\smss.exe
   csrss.exe    864        Client Server Runtime Process    Microsoft Corporation    C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
   winlogon.exe    888        Windows NT Logon Application    Microsoft Corporation    winlogon.exe
    services.exe    932    0.77    Services and Controller app    Microsoft Corporation    C:\WINDOWS\system32\services.exe
     svchost.exe    1096        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost -k DcomLaunch
      WLLoginProxy.exe    3952        WLLoginProxy.exe    Microsoft Corporation    "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe" -Embedding
     svchost.exe    1152        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost -k rpcss
     svchost.exe    1192        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe    1232        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     svchost.exe    1292        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k NetworkService
     svchost.exe    1488        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k LocalService
     spoolsv.exe    1796        Spooler SubSystem App    Microsoft Corporation    C:\WINDOWS\system32\spoolsv.exe
     guard.exe    1916        AVG Anti-Spyware guard    GRISOFT s.r.o.    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe"
     DefWatch.exe    1932        Virus Definition Daemon    Symantec Corporation    "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
     NBService.exe    408        Nero BackItUp    Nero AG    "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe"
     Rtvscan.exe    440        Symantec AntiVirus    Symantec Corporation    "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"
     nvsvc32.exe    464        NVIDIA Driver Helper Service, Version 84.21    NVIDIA Corporation    C:\WINDOWS\system32\nvsvc32.exe
     RichVideo.exe    492        RichVideo Module        "C:\Program Files\CyberLink\Shared files\RichVideo.exe"
     svchost.exe    536    0.77    Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k imgsvc
     alg.exe    2348        Application Layer Gateway Service    Microsoft Corporation    C:\WINDOWS\System32\alg.exe
     svchost.exe    4056        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     usnsvc.exe    2248        Messenger Sharing USN Journal Reader Service    Microsoft Corporation    "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
    lsass.exe    944        LSA Shell (Export Version)    Microsoft Corporation    C:\WINDOWS\system32\lsass.exe
explorer.exe    268        Windows Explorer    Microsoft Corporation    C:\WINDOWS\Explorer.EXE
smax4pnp.exe    1220        SMax4PNP    Analog Devices, Inc.    "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
SMax4.exe    1364        Audio Control Panel    Analog Devices, Inc.    "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
rundll32.exe    1416        Run a DLL as an App    Microsoft Corporation    "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
realsched.exe    1420        RealNetworks Scheduler    RealNetworks, Inc.    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
jusched.exe    1472        Java(TM) Platform SE binary    Sun Microsystems, Inc.    "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
E_S4I2K1.EXE    1276        EPSON Status Monitor 3    SEIKO EPSON CORPORATION    "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
itype.exe    1524        IType.exe    Microsoft Corporation    "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
ipoint.exe    1568        IPoint.exe    Microsoft Corporation    "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
GrooveMonitor.exe    1708        GrooveMonitor Utility    Microsoft Corporation    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
VPTray.exe    1712        Symantec AntiVirus    Symantec Corporation    "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
PDVDServ.exe    1504        PowerDVD RC Service    Cyberlink Corp.    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SearchProtection.exe    988        Yahoo! Application    Yahoo! Inc.    "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
E_S4I2K1.EXE    1824        EPSON Status Monitor 3    SEIKO EPSON CORPORATION    "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P44 "Auto EPSON Stylus Photo RX500 on PAULMARYANN" /O21 "\\PAULMARYANN\Printer" /M "Stylus Photo RX500"
avgas.exe    2328    0.77    AVG Anti-Spyware    GRISOFT s.r.o.    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
ctfmon.exe    2384        CTF Loader    Microsoft Corporation    "C:\WINDOWS\system32\ctfmon.exe"
msmsgs.exe    2524        Windows Messenger    Microsoft Corporation    "C:\Program Files\Messenger\msmsgs.exe" /background
mirc32.exe    300        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
mirc32.exe    1076        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
mirc32.exe    1440        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
IEXPLORE.EXE    2864        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2104        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2948        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2180        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
procexp.exe    2276        Sysinternals Process Explorer    Sysinternals    "C:\Program Files\ProcessExplorer\procexp.exe"
javaw.exe    2228    1.54    Java(TM) Platform SE binary    Sun Microsystems, Inc.    "C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe" -Xmx512m -ms4m -Xminf0.10 -Xmaxf0.25 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog -Djava.library.path=.\lib -jar lib\MP3Rocket.jar

Here is the list from the 2nd file, after Messenger was logged into:

Process    PID    CPU    Description    Company Name    Command Line
System Idle Process    0    93.85           
Interrupts    n/a        Hardware Interrupts       
DPCs    n/a    0.77    Deferred Procedure Calls       
System    4               
  smss.exe    804        Windows NT Session Manager    Microsoft Corporation    \SystemRoot\System32\smss.exe
   csrss.exe    864        Client Server Runtime Process    Microsoft Corporation    C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
   winlogon.exe    888        Windows NT Logon Application    Microsoft Corporation    winlogon.exe
    services.exe    932    0.77    Services and Controller app    Microsoft Corporation    C:\WINDOWS\system32\services.exe
     svchost.exe    1096        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost -k DcomLaunch
      WLLoginProxy.exe    3952        WLLoginProxy.exe    Microsoft Corporation    "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe" -Embedding
     svchost.exe    1152        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost -k rpcss
     svchost.exe    1192        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe    1232        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     svchost.exe    1292        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k NetworkService
     svchost.exe    1488        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k LocalService
     spoolsv.exe    1796        Spooler SubSystem App    Microsoft Corporation    C:\WINDOWS\system32\spoolsv.exe
     guard.exe    1916        AVG Anti-Spyware guard    GRISOFT s.r.o.    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe"
     DefWatch.exe    1932        Virus Definition Daemon    Symantec Corporation    "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
     NBService.exe    408        Nero BackItUp    Nero AG    "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe"
     Rtvscan.exe    440        Symantec AntiVirus    Symantec Corporation    "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"
     nvsvc32.exe    464        NVIDIA Driver Helper Service, Version 84.21    NVIDIA Corporation    C:\WINDOWS\system32\nvsvc32.exe
     RichVideo.exe    492        RichVideo Module        "C:\Program Files\CyberLink\Shared files\RichVideo.exe"
     svchost.exe    536    0.77    Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\system32\svchost.exe -k imgsvc
     alg.exe    2348        Application Layer Gateway Service    Microsoft Corporation    C:\WINDOWS\System32\alg.exe
     svchost.exe    4056        Generic Host Process for Win32 Services    Microsoft Corporation    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     usnsvc.exe    2248        Messenger Sharing USN Journal Reader Service    Microsoft Corporation    "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
    lsass.exe    944        LSA Shell (Export Version)    Microsoft Corporation    C:\WINDOWS\system32\lsass.exe
explorer.exe    268        Windows Explorer    Microsoft Corporation    C:\WINDOWS\Explorer.EXE
smax4pnp.exe    1220        SMax4PNP    Analog Devices, Inc.    "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
SMax4.exe    1364        Audio Control Panel    Analog Devices, Inc.    "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
rundll32.exe    1416        Run a DLL as an App    Microsoft Corporation    "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
realsched.exe    1420        RealNetworks Scheduler    RealNetworks, Inc.    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
jusched.exe    1472        Java(TM) Platform SE binary    Sun Microsystems, Inc.    "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
E_S4I2K1.EXE    1276        EPSON Status Monitor 3    SEIKO EPSON CORPORATION    "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
itype.exe    1524        IType.exe    Microsoft Corporation    "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
ipoint.exe    1568        IPoint.exe    Microsoft Corporation    "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
GrooveMonitor.exe    1708        GrooveMonitor Utility    Microsoft Corporation    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
VPTray.exe    1712        Symantec AntiVirus    Symantec Corporation    "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"
PDVDServ.exe    1504        PowerDVD RC Service    Cyberlink Corp.    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SearchProtection.exe    988        Yahoo! Application    Yahoo! Inc.    "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
E_S4I2K1.EXE    1824        EPSON Status Monitor 3    SEIKO EPSON CORPORATION    "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" /P44 "Auto EPSON Stylus Photo RX500 on ADMIN" /O21 "\\PAULMARYANN\Printer" /M "Stylus Photo RX500"
avgas.exe    2328    0.77    AVG Anti-Spyware    GRISOFT s.r.o.    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
ctfmon.exe    2384        CTF Loader    Microsoft Corporation    "C:\WINDOWS\system32\ctfmon.exe"
msmsgs.exe    2524        Windows Messenger    Microsoft Corporation    "C:\Program Files\Messenger\msmsgs.exe" /background
mirc32.exe    300        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
mirc32.exe    1076        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
mirc32.exe    1440        mIRC    mIRC Co. Ltd.    "C:\Program Files\mIRC\mirc32.exe"
IEXPLORE.EXE    2864        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2104        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2948        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
IEXPLORE.EXE    2180        Internet Explorer    Microsoft Corporation    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
procexp.exe    2276    0.77    Sysinternals Process Explorer    Sysinternals    "C:\Program Files\ProcessExplorer\procexp.exe"
msnmsgr.exe    3724        Windows Live Messenger    Microsoft Corporation   
javaw.exe    2228    2.31    Java(TM) Platform SE binary    Sun Microsystems, Inc.    "C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe" -Xmx512m -ms4m -Xminf0.10 -Xmaxf0.25 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog -Djava.library.path=.\lib -jar lib\MP3Rocket.jar

RE: WLM sends out messages and files as soon as I sign on by ahmetgns on 02-26-2008 at 10:05 PM

Can you try this? I just wonder if that program really helps, because when my friend had a similar problem once, we scanned his computer with that program and it found and deleted something suspicious. But I didn't get any further information about the problem from my friend. Therefore I wonder about that...

RE: WLM sends out messages and files as soon as I sign on by CookieRevised on 02-27-2008 at 01:32 AM

deffman: What I forgot to say: make those lists with as few programs running as possible.

Anyways, looking at those lists I don't see anything out of the ordinary (other than that you have a lot of stuff running in the background which you actually don't need).

What you can do next is manually searching your entire hard drive for the filename: "ehknfpsgqz". Remove any files you'll find, if possible.

Next, open up your registry editor (Start > Run > Regedit) and again search for any occurrences of "ehknfpsgqz" and remove those entries.

Do all the above with System Restore turned off.

PS: Also note that you are always running the old Windows Messenger (C:\Program Files\Messenger\msmsgs.exe)! I strongly suspect you do not want that. So turn it off: see here for a detailed explanation.
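The two manual searches in the post above (the hard drive for the file name, the registry for any entry mentioning it) as an added Python example that is not from the post: the disk search walks a directory tree and lists every file whose name contains the string, and the registry search does not touch the live registry but scans a .reg file exported from regedit (File > Export, which writes the "Version 5.00" text format as UTF-16), so both results can be reviewed before anything is removed. The script deletes nothing. The directory tree is built in a temporary folder for the demo, the .reg text is constructed, and the value name svchelper and the HKEY_LOCAL_MACHINE\SOFTWARE\ehknfpsgqz key are invented.

```python
import os
import shutil
import tempfile

# Constructed regedit export. The Run key is a common autostart location; the "svchelper"
# value and the HKLM key are invented for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchelper"="C:\\WINDOWS\\system32\\ehknfpsgqz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ehknfpsgqz]
"installed"=dword:00000001
"""


def find_files(root, needle):
    """Every path under root whose file name contains needle (case-insensitive).
    Unreadable directories are skipped instead of aborting the walk."""
    needle = needle.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            if needle in name.lower():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def load_reg_export(path):
    """Read a .reg file: regedit writes UTF-16 with a BOM; older exports may be ANSI."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def search_reg_export(reg_text, needle):
    """(key, line) pairs where a key name or one of its value lines mentions needle.
    A hit on the key name itself is reported with line=None."""
    needle = needle.lower()
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if needle in current_key.lower():
                hits.append((current_key, None))
        elif current_key is not None and needle in line.lower():
            hits.append((current_key, line))
    return hits


def demo(needle="ehknfpsgqz"):
    """Build a throwaway tree (constructed, not the poster's disk), run both searches,
    clean up, and return (matching file names, registry hits)."""
    root = tempfile.mkdtemp(prefix="wlm-search-")
    try:
        for rel in ("WINDOWS/system32/ehknfpsgqz.exe",
                    "WINDOWS/system32/ctfmon.exe",
                    "WINDOWS/Ehknfpsgqz.dll",
                    "Program Files/Messenger/msmsgs.exe"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        files = sorted(os.path.basename(p).lower() for p in find_files(root, needle))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return files, search_reg_export(SAMPLE_REG, needle)


if __name__ == "__main__":
    files, reg_hits = demo()
    print("files:", files)
    for key, line in reg_hits:
        print("registry:", key if line is None else "%s -> %s" % (key, line))
```

On the real machine you would call find_files("C:\\", "ehknfpsgqz") and search_reg_export(load_reg_export("export.reg"), "ehknfpsgqz"). Searching the value data, not just value names, is the point of the registry part: an autostart entry can carry an innocent-looking name while its data points at the file.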