WARNING: Trojan being sent through MSN Messenger
If one of your contacts pops up in MSN Messenger with the message:
<friend> says: Hey, isn’t this YOU?? :S http://mainmsn.com/images/viewimage.php?=your@email.com
Don't click it!!
It's a trojan. You'll think you're downloading a picture, but if you try to view it, it will unpack its payload.
If I'm too late, here's how I got rid of it:
In Task Manager:
Stop the process wkssvc.exe (google for this, don't just take my word for it)
Disable the startup entry for it in msconfig (Start -> Run -> type 'msconfig' without quotes and press Enter)
Delete the file %SystemRoot%/System32/wkssvc.dll (You may need to reboot first, or use something like procexplorer to kill any handles to it, as the file will probably be in use, preventing you from deleting it initially)
Your AV should pick this up if it's up to date; some people have reported their AV stopping this trojan. Mine didn't!!! Bah! Luckily I smelt a rat straight away.
I just thought I would add that personally I would NOT remove the system32/wkssvc.dll as this is a legitimate library used for the workstation service!
I followed this help and realised that the machine was unable to log on to a domain.
More info here: (I did borrow from this page - thanks for getting me started Holly and the guys at Sophos helped with the rest)
http://www.escapestudios.com/forum/showthread.php?t=873
Cheers
Ben
Corbezier,
Thanks for the clarification and link.
Yes, wkssvc.dll is important; it runs inside one of the svchost processes. It's the wkssvc.EXE that's the culprit.
Anyone who does delete wkssvc.dll can restore it from the recycle bin. But Windows 2000 and XP have the ICS service that monitors changes/deletions of key system files and should resurrect wkssvc.dll for you; it certainly did in my case.
Last edited by hollystyles; Jan 25th, 2008 at 3:56 am.
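A read-only check for the distinction drawn in this thread (a process named wkssvc.exe versus the legitimate wkssvc.dll library), as an added example that is not part of any post above. It assumes PowerShell 3.0 or later; the Run-key paths and the LanmanWorkstation service name are standard Windows values that the thread itself does not mention.

```powershell
# Added example: read-only triage, nothing is stopped or deleted.
$exeName = 'wkssvc.exe'   # process name reported in the thread
$dllPath = Join-Path $env:SystemRoot 'System32\wkssvc.dll'   # legitimate library

# 1. Any process actually named wkssvc.exe. The Workstation service itself
#    is hosted inside svchost.exe, so it never appears under this name.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$exeName'")
foreach ($p in $procs) {
    [pscustomobject]@{ Check = 'Process'; Detail = "PID $($p.ProcessId): $($p.ExecutablePath)" }
}
if ($procs.Count -eq 0) {
    [pscustomobject]@{ Check = 'Process'; Detail = "no $exeName running" }
}

# 2. Run-key startup entries (the ones msconfig lists) that launch wkssvc.exe.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ("$($prop.Value)" -match [regex]::Escape($exeName)) {
            [pscustomobject]@{ Check = 'Startup'; Detail = "$key\$($prop.Name) = $($prop.Value)" }
        }
    }
}

# 3. The library must still be present, and the Workstation service running.
if (Test-Path -LiteralPath $dllPath) {
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    [pscustomobject]@{ Check = 'Library'; Detail = "$dllPath present, signature status: $($sig.Status)" }
} else {
    [pscustomobject]@{ Check = 'Library'; Detail = "$dllPath MISSING, restore it rather than leaving it deleted" }
}
$svc = Get-Service -Name LanmanWorkstation -ErrorAction SilentlyContinue
[pscustomobject]@{ Check = 'Service'; Detail = "LanmanWorkstation: $(if ($svc) { $svc.Status } else { 'not found' })" }
```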
What version of MSN do you have?
Live 8?