Fog Creek Software
Discussion Board

Possibly a virus

For the last few hours, I have seen a Visual Basic form with a plain textbox in it displaying the text "hi" pop up on my screen every few minutes. If I close it, it terminates. It also starts as soon as I restart my system. When I press Ctrl+Alt+Del, the form disappears, and the process is not displayed in either of the two tabs of the Task Manager. I checked msconfig, AutoExec.bat and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, as well as HKEY_LOCAL_MACHINE\...\RunOnce and RunOnceEx, and the entries all seem normal. Has any one of you had a similar problem? Is this some new virus? It is a virus, I am sure, but what do I do?

Sathyaish Chakravarthy
Wednesday, November 12, 2003

Is your messenger service running?

Philo
Wednesday, November 12, 2003

Probably a NET SEND message. You can send them to other people too!

Disable the messenger service to stop this. (MSN Messenger is not the same thing -- that will continue to work.)

Insert half smiley here.
Wednesday, November 12, 2003

No, MSN Messenger isn't running, and neither is the NET SEND service enabled on my system. I checked it with:

Net name

It prompted me if I wanted to start the service. I said no first. Then, for experiment's sake, I said yes, and it said "either the service is disabled or has no enabled devices associated with it."

And the form that comes up is not the NET SEND message dialog. It's a plain VB form with one text box.

Sathyaish Chakravarthy
Wednesday, November 12, 2003

Read closer: "MSN MESSENGER IS NOT THE SAME THING".

www.MarkTAW.com
Wednesday, November 12, 2003

Does this happen if you're not connected to the internet?

www.MarkTAW.com
Wednesday, November 12, 2003

> neither is the NET SEND service enabled on my system

I should follow my own advice.

www.MarkTAW.com
Wednesday, November 12, 2003

>Does this happen if you're not connected to the internet?

I am always connected to the Internet via proxy. Should I remove the proxy and plug off the Net and see?

Sathyaish Chakravarthy
Wednesday, November 12, 2003

>I should follow my own advice.

Never mind. It happens to everyone all the time. I know what NET SEND is and have also made a VB app long ago that lets you Net send formatted messages (NetSendMsgBuffer API).

Sathyaish Chakravarthy
Wednesday, November 12, 2003

Yuck! I plugged off the net and it won't budge. It won't budge once it's there anyway, no?

Sathyaish Chakravarthy
Wednesday, November 12, 2003

I also have McAfee and VSShield from Network Associates running. Yet, it does seem to me to be a new virus.

Sathyaish Chakravarthy
Wednesday, November 12, 2003

I downloaded the File Monitor (FileMon) from SysInternals site to see what this VB form (a virus in disguise) was doing. It is actually an EXE called msmdsrv.exe.1024 (and this number keeps changing) that's inside C:\Program Files\Microsoft Analysis Service (huh!)\Bin\. Here it writes to an MDB file called msmdqlog.mdb. It keeps opening and reading files and writing something after every few files to this database.

What do I do? How do I find the anti-virus for this?

Sathyaish Chakravarthy
Wednesday, November 12, 2003

Go to Control Panel > Scheduled Tasks, or open a command prompt and run the "at" command to see if this thing has scheduled itself to run.

What's in the MDB file (it's an MS Access database)?

Duncan Smart
Wednesday, November 12, 2003

http://www.google.com/search?q=msmdsrv.exe&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8

mhp
Wednesday, November 12, 2003

No, I don't have any tasks scheduled. What is convincing about it being a virus is that it does not show itself in the Task Manager, and as soon as I hit Ctrl+Alt+Del, even before I can see the Task Manager, the form disappears.

I guess I was wrong about msmdsrv.exe. That might be some genuine MSFT thing monitoring a file copy operation from my machine to another machine on the LAN. When the file copy stops, I'll run FileMon again.

Sathyaish Chakravarthy
Wednesday, November 12, 2003

Use CTRL-SHIFT+ESC to bring up Task Manager without going via the Windows Security dialog.

I'd run Process Explorer from sysinternals. And in the Options menu set the "Difference Highlight Duration" to something quite long so you can see what processes have just started/exited for longer.

Duncan Smart
Wednesday, November 12, 2003

I think I figured it out. It was one harmless quasi-screen saver. It was Project1.scr, but interestingly someone had placed it in %System%\, which is C:\Winnt\System32 on my Win2K machine. Why? I still think it was a virus and the screen saver was only delusive eye candy from the internal malicious khooker.exe that ran along with it. I believe one mean SOB planted a key logger on my system.

Sathyaish Chakravarthy
Wednesday, November 12, 2003
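The checks walked through in this thread (the Run/RunOnce/RunOnceEx keys, the Messenger service behind NET SEND, scheduled tasks, and an unexpected .scr or .exe dropped into %System%) collected into one PowerShell triage script. This is an added example, not code from the thread or any poster; it assumes PowerShell 5.1 or later and schtasks.exe, and the seven-day modification window is an arbitrary choice.

```powershell
# Added triage script (assumption: PowerShell 5.1+, schtasks.exe present).
# 1. Registry autostart locations named in the thread, for both HKLM and HKCU.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host '== Registry autostart entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
    # RunOnceEx keeps its commands in numbered subkeys rather than in values
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} (subkey)' -f $_.PSPath }
}

# 2. The Messenger service is the transport for NET SEND pop-ups.
Write-Host '== Messenger service (NET SEND transport) =='
$svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($svc) { $svc | Select-Object Name, Status, StartType }
else      { 'Messenger service is not present on this system' }

# 3. Scheduled tasks with the command each one runs (the "at" / Scheduled Tasks check).
Write-Host '== Scheduled tasks and their command lines =='
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |   # schtasks repeats its header per folder
    Select-Object TaskName, 'Task To Run', Status

# 4. Recently written .scr/.exe files in %SystemRoot%\System32, where Project1.scr was found.
Write-Host '== .scr/.exe files in System32 modified in the last 7 days =='
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.scr, *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, Length
```

Run it from an elevated prompt so the HKLM keys and System32 are fully readable; anything it lists that you did not install is a candidate for the FileMon or Process Explorer follow-up suggested in the thread.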

You can try this utility just to rule out messaging...

http://grc.com/stm/shootthemessenger.htm

Tim Lara
Wednesday, November 12, 2003

Just run a free scan using Trend Micro's web site:

http://housecall.trendmicro.com/housecall/start_corp.asp

Nothing to install, it scans using an ActiveX control.

.
Friday, November 14, 2003

I hate this one chick and I want to send her a virus... but I'm not very computer literate... Can someone contact me and help me??? Thanks. Email me back please at xoNewMa8704ox@aol.com or this sc name :)

Jane marie Doe
Thursday, April 01, 2004
