Archive for March, 2008

MSN worm "myphoto*.zip" msmpserv.exe removal

Posted by admin on March 31, 2008
Worm / No Comments


The registry autorun entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

 <Microsoft Services><msmpserv.exe>

The running process:

C:\WINDOWS\system32\msmpserv.exe

HijackThis log:

O4 - HKLM\..\Run: [Microsoft Services] msmpserv.exe

======================================================

Removal case:

Every time you reboot, the worm regenerates, because it sits in your autorun entry, just like "MsnMsgr.Exe": when Windows starts up, MSN starts running. The key process "msmpserv.exe" is the boss of this MSN worm; if you don't delete it, it will regenerate the other files.
The case link: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html

Removal Instructions:
1. Delete the malware files
The following files are malware files; you can use "Unlocker" or "KillBox" to delete them.

c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
c:\windows\system32\ssqqjkcv.dll
C:\WINDOWS\system32\msmpserv.exe
c:\windows\system32\tuvwqqqn.dll

2. Delete the autorun entries in the registry; you can use "msconfig".
How to do it: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html
Or use SREng, the same tool you used to produce the SREng log.
How to do it: open SREng, go to Boot Items, then Registry, and find these entries.

[WinlogonNotify: tphotkey]    <tphklock.dll>
[WinlogonNotify: tpfnf2]    <notifyf2.dll>
[WinlogonNotify: ssqQjKCv]    <ssqQjKCv.dll>
[Microsoft Services]    <msmpserv.exe>

Or you can download the fix .reg file.

The name "Microsoft Services" is chosen to fool people into thinking it is a normal Windows entry; the author of this MSN worm is crafty.


mrofinu1188.exe mrofinu1000106.exe Removal Instructions

Posted by admin on March 29, 2008
Trojan / No Comments

Usually there will be something similar in a ComboFix log or HijackThis log, like this:

C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe

This malware most likely downloads many other adwares and spywares to the user's PC without their knowledge.

The running process:

C:\WINDOWS\mrofinu1188.exe

The startup item:

HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

Some links about removing mrofinu1188.exe:

http://forums.techguy.org/malware-removal-hijackthis-logs/652411-solved-winable-popups-limewire-gone.html
http://www.castlecops.com/t206741-malware_and_spyware_Dont_know_how_to_remove_Help.html

If you cannot get rid of it by yourself, you can try going to:

http://www.geekstogo.com/forum/Malware-Removal-HijackThis-Logs-Go-Here-f37.html

It is difficult to remove mrofinu1188.exe because it has downloaded lots of other harmful malware.

How to remove?

download SREng:
http://www.kztechs.com/sreng/sreng2.zip
Extract it to the Desktop
Double click SREng.exe to run it
Select:
Smart Scan
Then, click the [Scan] button
When finished, click on the [Save Reports] button
Save the log to the Desktop, and send me an email with the log as an attachment.
mailto:egomoo#gmail.com

I would be glad to help you remove this Trojan.


W32/Dumaru.Z@mm myphoto.zip Removal

Posted by admin on March 13, 2008
Worm / No Comments

The MSN worm variant still keeps updating; this one follows "imageXX.zip".

It may also be called Win32.IRCBot.gen.

The worm automatically sends a message to your contacts with the attachment "myphoto.zip"; the message will be one of these:

checkout my newest pic before I upload!!
hey over there… check out my new photo!
when youre around accept.. its my new default pic.
u seen this crazy shit?
holy shit this new pic is hot as fuck!
I just made this design for a friend. U like it?
I think I had sex with them :X What should i do?
You don’t think I had sex with them… rite?
Is it horrible if I only remember the sex?
Is this really a pic of you?
Would you have had a threesome with them?
Wow! I can’t believe I had a threesome with them!
You see these crazy people? Almost havin sex on the dance floor!
u want to see something really funny? Take a look!
I cant stop laughing!

Creation of these files:
%Startup Folder%\dllxw.exe
%Windows%\rundllx.sys
%Windows%\winload.log
%System%\l32x.exe
%System%\vxd32v.exe
%Temp%\zip.tmp
%System%\msthost.exe
%System%\rdshost.dll

The virus may also steal password information for e-gold and other data, then send this information to the hard-coded email address 'anyname2@btw.egold-hosting.com'.

The virus will run automatically at Windows startup after modifying the registry, as in this example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
load32 = C:\WINNT\System32\l32x.exe

The virus will load a second time, riding along with the Windows shell, as in this example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
“Shell” = explorer.exe C:\WINNT\System32\vxd32v.exe
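As an added example (not code from the original posts), here is a read-only PowerShell audit covering the persistence locations all three posts describe: the HKLM Run entries (Microsoft Services, runner1, load32), the WinlogonNotify DLL entries from the first post, and the Winlogon Shell value above. The helper function name and the exact-match check against "explorer.exe" are my assumptions; the indicator names are taken from the posts.

```powershell
# Added audit script, not from the original posts: reads the three persistence
# locations the posts describe (HKLM Run, Winlogon\Notify, Winlogon Shell) and
# reports entries matching the names the posts list. Read-only; run elevated.
# Indicator names copied from the posts above.
$SuspectRunNames = @('Microsoft Services', 'runner1', 'load32')
$SuspectFiles    = @('msmpserv.exe', 'mrofinu1188.exe', 'mrofinu1000106.exe',
                     'l32x.exe', 'vxd32v.exe', 'tphklock.dll', 'notifyf2.dll',
                     'ssqqjkcv.dll', 'tuvwqqqn.dll')
$findings = @()

# Helper (my naming): first .exe/.dll file name in a registry value, ignoring
# quotes, folders and trailing arguments (the runner1 value carries a hex blob).
function Get-FileNameFromValue([string]$Value) {
    if ($Value -match '(?i)([^\\/" ]+\.(exe|dll))') { return $Matches[1] }
    return ''
}

# 1. HKLM Run: where "Microsoft Services", runner1 and load32 were registered.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Skip the provider metadata members Get-ItemProperty adds.
        if ($p.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
        $file = Get-FileNameFromValue $p.Value
        if (($SuspectRunNames -contains $p.Name) -or ($SuspectFiles -contains $file)) {
            $findings += "Run [$($p.Name)] = $($p.Value)"
        }
    }
}

# 2. Winlogon\Notify subkeys (XP era): each names a DLL loaded at logon.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($sub in (Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue)) {
    $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DLLName
    if ($dll -and ($SuspectFiles -contains (Get-FileNameFromValue $dll))) {
        $findings += "WinlogonNotify [$($sub.PSChildName)] = $dll"
    }
}

# 3. Winlogon Shell: anything besides the bare "explorer.exe" is a second loader.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
    $findings += "Winlogon Shell = $shell (expected exactly explorer.exe)"
}

if ($findings.Count -eq 0) { 'No entries matching the listed indicators.' }
else { $findings | ForEach-Object { "SUSPECT: $_" } }
```

The script only reports; compare any hit against the SREng or HijackThis log before deleting the entry and its file.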

How to remove?

download SREng:
http://www.kztechs.com/sreng/sreng2.zip
Extract it to the Desktop
Double click SREng.exe to run it
Select:
Smart Scan
Then, click the [Scan] button
When finished, click on the [Save Reports] button
Save the log to the Desktop, and send me an email with the log as an attachment.
mailto:egomoo#gmail.com

I would be glad to help you remove this worm.
