Member Avatar for hollystyles

If one of your contacts pops up in MSN Messenger with the message:

<friend> says: Hey, isn’t this YOU?? :S http://mainmsn.com/images/viewimage.php?=your@email.com

Don't click it !!

It's a trojan, you'll think your downloading a picture, but if you try to view it, it will unpack it's payload.

If I'm too late here's how I got rid of it:

In Task Manager:

Stop the process wkssvc.exe (google for this don't just take my word for it)

Disable the startup entry for it in msconfig (Start -> Run -> type 'msconfig' without quotes and press enter)

Delete the file %SystemRoot%/System32/wkssvc.dll (You may need to reboot first, or use something like procexplorer to kill any handles too it as the file will probably be in use preventing you deleting it initially)

Your AV should pick this up if it's up to date, some people have reported their AV stopping this trojan. Mine didn't !!! Bah! Luckily I smelt a Rat straight away.

  • 4 Contributors
  • 5 Replies
  • 191 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by hollystyles

Recommended Answers

All 5 Replies

Member Avatar for corbezier

I just thought I would add that personally I would NOT remove the system32/wkssvc.dll as this is a legitimate library used for the workstation service!

I followed this help and realised that the machine was unable to log on to a domain.

More info here: (I did borrow from this page - thanks for getting me started Holly and the guys at Sophos helped with the rest)

http://www.escapestudios.com/forum/showthread.php?t=873

Cheers

Ben

commented: Oops indeed. Thanks. +6
Member Avatar for hollystyles

Corbezier,

Thanks for the clarification and link.

Yes wkssvc.dll is important that runs inside one of the svchost processes. Its the wkssvc.EXE that's the culprit.

Anyone who does delete wkssvc.dll can restore it from the recycle bin. But Windows 2000 and XP have the ICS service that monitors changes/deletions of key system files and should resurrect wkssvc.dll for you, it certainly did in my case.

Member Avatar for The Dude

I think they took care of this,i get a 404 error when i goto the link..... (Good to see it dealt with so quickly)

Member Avatar for jbennet

what version of msn do you have?

live 8?

Member Avatar for hollystyles

I have Windows Live Messenger Version 8.1

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.