Computer Security & Viruses/I have a virus/worm from msn messenger that isn't going away

Question
Ok, I'm running Windows XP home edition with service pack 2. I have Spybot with the latest update downloaded, and I have AVG with the latest update also.

If I open up MSN Messenger I automatically send messages to my friends list that say: "Is this you in this picture?" followed by a link to a website. I think it's countryhomepets.com, I'm not sure. That's how I got it also. A download window popped up and I mindlessly clicked to save it. It was a screen saver file. I have run both of those programs and nothing comes up.

I've found the files running that aren't supposed to be there. One is called Nites.exe and the other is Mesn.exe. There is also a batch file called a.bat that appears in the root of my directory as well. Every time I delete them they come back, and if I let them run, AVG and Spybot don't detect them. I ran another program (a trial copy) that found 22 malware on my computer, several of them relating to something called New.net. It wouldn't remove them unless I purchased the full edition though.

Do you have any idea what this thing is and if there's already a solution out for it? I've been googling for anything that can help, and it's not helping. Thanks.

Answer
Hi C.D.,

Go to: http://sarc.com/ Scroll down and click on "Free Online Virus and Security Check". Write down exactly anything it finds, then return to: http://sarc.com/ and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually.

Download Ad-Aware® SE Personal Edition, a free program that you can download at:

http://www.lavasoftusa.com/support/download/

Check for updates before running program. Then follow the directions here to do a full scan:

1. In the 'General' window make sure the following are selected with a checkmark and are green:

· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the 'Scanning' button on the left and select:

· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL's
· Scan my Hosts file
· Under 'Click here to select drives + folders', choose: All of your hard drives.

3. Click on the 'Advanced' button on the left and select:

· Include additional file information
· Include additional object details
· Include environment information

4. Click the 'Tweak' button and select:

Under the 'Scanning Engine' be sure a checkmark is beside:

· Unload recognized processes & modules during scanning
· Scan registry for all users instead of current user only
· Obtain command line of scanned processes

Under the 'Cleaning Engine' be sure a checkmark is beside:

· Automatically try to unregister objects prior to deletion
· Let Windows remove files in use at next reboot
· Always try to unload modules before deletion
· During removal, unload explorer and IE if necessary
· Delete quarantined objects after restoring

5. Click on 'Safety Settings' and select "Write-protect system files after repair (Hosts file, etc)"

6. Click on 'Proceed' to save the settings.

7. Click 'Start' and on the next screen choose 'Activate in-depth Scan' at the bottom of the page and then choose:

· Perform full system scan

8. Close all programs except Ad-Aware.

Click on "Next" in the bottom right corner to start the scan.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted.

After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

When you first open Ad-Aware, click "Check for updates now", then click Connect. If there are any updates available, get them. When done, click Next or Finish.

Now click Start, Next and let it run.

When it is done scanning, you will see the Scanning results window, check all of the boxes, then click Next.

The next window will say "X" number of objects will be removed - click OK.

Anything that is removed is quarantined, making the computer safe.

Hope this helps!
Lorry


Lorry

Expertise

I can answer most questions regarding viruses/Trojans and help to remove them.

Experience

This happens to be of interest to me as it boggles my mind that people have nothing better to do than to write a virus. Wish these people, the ones who write viruses, would put the knowledge to good use instead. My job as a local tech involves removing viruses and/or spyware.

©2012 About.com, a part of The New York Times Company. All rights reserved.