Windows Live/MSN Virus lurking around - image**.zip
Update: For those not aware, I released a new website earlier this year to remove MSN Viruses. This software is completely free, and will remove over 6,000 MSN viruses! For more info, visit www.msnvirusremoval.com
Windows Live Messenger, formerly known as MSN Messenger, is a popular messaging service for both the young and the old. However, it seems that more and more viruses are surfacing that exploit the system.
A new virus, dubbed the “image**.zip” virus, has become popular, attaching itself to your contacts and passing the virus on to them. The virus begins by infecting one machine, however that came about. It then goes through your contacts, sending them a copy of a file, usually called “image24.zip”, “image25.zip”, “image35.zip” or something similar. It’s usually accompanied by a message such as “wow! look at this old picture i found….” or “Hey just finished my new myspace album! theres a few kinky ones in there!”. If the contact accepts it, then the virus infects that machine and the loop continues, infecting more and more machines as it goes along.
The problem with this type of virus is that people think that a file they’re being sent is completely safe, it’s from their contacts after all isn’t it? But no, it isn’t.
Now, I’m attempting to create some type of program to remove this virus from people’s machines, or at least to the best of my abilities. So, here are my instructions so far (not yet tested but will hopefully work, please let me know if it does or doesn’t).
Prevention is the best cure
Don’t get yourself in this trouble, follow this guide:
- Don’t accept files unless you know exactly what they are, even if they are from your friends
- If you get a message such as the above mentioned, ask the user back what the file is. Usually if it’s a robot it won’t respond.
- Be safe and install anti-virus applications. There are even good free ones such as AVG Antivirus (http://free.grisoft.com)
Remove the virus
So it’s too late, ok well now it’s time to try my removal tool. If I know it works for a large number of people I’ll create a better application that’ll make it much easier to fix the bug.
- Download http://www.miccas.net/files/remove24.reg
- Open the file, and click Yes when prompted. Then click Ok once it’s completed
- Reboot/Restart your computer
- Delete the following files (%windir% is usually c:\windows\)
  %windir%\system\ehSched.exe
  %windir%\system\IMG024.JPG.zip
- Hopefully that’ll be it! Let me know if this works.
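
A read-only check for the files named in the removal steps above, also covering the Temp folder where several commenters below report finding the archives. This is an added example, not part of the original post or of remove24.reg; the file-name patterns, the folder choice and the function names `scan`, `classify` and `default_roots` are assumptions built from the names on this page.

```python
import os
import re
from pathlib import Path

# Names come from the post and its comments: imageNN.zip lures,
# IMG024.JPG.zip and ehSched.exe. Anything else is out of scope here.
LURE_ARCHIVE = re.compile(r"^(image\d+\.zip|img\d+\.jpg\.zip)$", re.IGNORECASE)
DROPPED_EXE = "ehsched.exe"


def default_roots(env=os.environ):
    """Folders named on the page: %windir%\\system and the user's Temp folder."""
    roots = []
    if env.get("WINDIR"):
        roots.append(Path(env["WINDIR"]) / "system")
    for var in ("TEMP", "TMP"):
        if env.get(var):
            roots.append(Path(env[var]))
            break
    return roots


def classify(path):
    """Return a reason string when the file name matches, else None."""
    name = path.name.lower()
    if LURE_ARCHIVE.match(name):
        return "lure archive"
    # Flag ehSched.exe only in a folder called "system", the location the
    # post gives; Windows Media Center ships a file of that name in \ehome.
    if name == DROPPED_EXE and path.parent.name.lower() == "system":
        return "dropped executable"
    return None


def scan(roots):
    """List (path, reason, size) for every match under roots; deletes nothing."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = Path(dirpath) / fname
                reason = classify(path)
                if reason is None:
                    continue
                try:
                    size = path.stat().st_size
                except OSError:
                    size = -1  # locked or unreadable file
                hits.append((str(path), reason, size))
    return sorted(hits)


if __name__ == "__main__":
    for path, reason, size in scan(default_roots()):
        print(f"{reason:<20}{size:>10}  {path}")
```

`os.walk` returns hidden and system files as well, so the result does not depend on Explorer's "show hidden files" setting.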




October 4th, 2007 at 4:45 am
I try the remove virus instruction…..but i can’t find the two files to remove.
I try to show all hidden and system files but in c:\windows\system there isn’t any of these two files.
October 5th, 2007 at 1:45 am
image21.zip was located in my C/DocumentsandSettings/User/local settings/temp folder, still searching for ehSched.exe
October 6th, 2007 at 3:44 am
I don’t find those files (%windir%\system\ehSched.exe and the second one)… But I need to solve this problem! Help me please!
October 6th, 2007 at 9:42 am
So did you find ehSched.exe yet Nig?
October 6th, 2007 at 10:35 am
Have a go at running this guys: http://www.forospyware.com/Msncleaner/MsnCleaner.zip
October 11th, 2007 at 5:45 am
hmm I dont have that files too, I will try if I can figure out how that program works
by: The Flying Dutchman!
October 12th, 2007 at 1:39 am
…..i cant find the two files too….pls help…tks
October 16th, 2007 at 1:51 am
I can’t find the file ehSched.exe…where it is??? i cant find it….
October 18th, 2007 at 6:59 pm
help me i cant get rid of virus
October 23rd, 2007 at 6:36 pm
har har all you people are noobs shame on you for accepting the virus mauahahahahahahahahahaha
October 24th, 2007 at 6:12 pm
hey miCCAS, my comp and 2 other mates got it, i cant get rid of it, i can find the files there on the c-drive, but once ive uninstalled them with advanced uninstaller pro they come back, have u got any certainty, your application works, cos i dont want anything else to happen,
really stressed atm, please help
October 28th, 2007 at 8:31 pm
how do i know if its gone????
October 29th, 2007 at 11:10 pm
May i know what has been changed in the registry, because i suspect after running the remove24, some of my programs cant run anymore help
October 30th, 2007 at 7:17 pm
hi i also got this virus too and i tried following the above method but the virus come back after a while.
any way to solve it???
October 31st, 2007 at 12:07 am
hey guys, get the file MiCCAS provided the link for, it worked perfectly. i had the virus for abt 5 mins before i hit on this site, got it cleared already, thx alot !!
October 31st, 2007 at 12:16 am
i cant find the ehSched.exe…got the other one tho
October 31st, 2007 at 12:35 am
oh hold on, i just realised, the file that miCCAS provided only cleared up the image 24, theres still the thing thats sending it. so now my contacts just got the message and not the file
October 31st, 2007 at 10:27 am
hey miccas,
i am still lost. i ran that program torospyware and it found the image file and another one and deleted them both, but i can’t find anything in the registry - cripes this thing is freaking me out
any help appreciated
October 31st, 2007 at 11:08 am
Its known as W32.Scrimge!gen
http://www.symantec.com/security_response/writeup.jsp?docid=2007-081716-1758-99
This is what i do.
Uninstall the whole msn messenger
Do a full scan using antivirus program
If virus still cannot be detected
Reboot, and do a full scan using anti virus program
It should detect and clean it off by then
Cheers
October 31st, 2007 at 11:58 am
Hi Guys,
I’m still working on a proper resolution. Unfortunately I cannot test any patches as I don’t have the virus myself. However, I may need someone to send me the virus (yes, I’m serious) so I can take a further look at it.
Please contact me if you have the virus and I will get you to add me and send me the virus. Thanks.
October 31st, 2007 at 12:07 pm
i have it!
October 31st, 2007 at 2:37 pm
MiCCAS ,help me pls…
last nite i hv recieved a zip file from my friend…
n this morning when i sign in my MSN,have fews friend ask me that “wat did i send to them?”
Then i say,i din send anything ,then they say my MSN got VIRUS d..
so hw?
October 31st, 2007 at 7:23 pm
AH!!!! A stupid small virus thingy could make everyone headache…zzzzz then if there is big virus then how???….
Even norton anti-virus cannot block it… lols
October 31st, 2007 at 9:55 pm
http://www.trendsecure.com/portal/en-US/tools/security_tools/housecall#
free download but it takes ages – mine took over an hour to complete. Found 11 viruses - all the image.zip files and backdoor trojans
November 1st, 2007 at 9:19 pm
ye i found an image23 and image 24 in the C:\Documents and Settings\user\Local Settings\Temp folder and i have deleted and used the registry thing already not sure if i got rid of it ill repost when if it comes back
November 3rd, 2007 at 4:01 pm
LOL i just prevented a friend of mine to open that file on the school network. If he opened it who knows what it can do to the other 300 computers and the Admin computer. Yes, I have the virus in my own computer as well and I’m trying Angeline’s way. I also found image.24.zip in my ipod for some reason and I deleted it cuz I know wat it can do. btw how come all these viruses (me) are related to http://www.photobucket.com? do u guys think it’s them who started it/members?
November 3rd, 2007 at 6:45 pm
almost forgot, everyone try checking this directory: C:\Documents and Settings\user\Local Settings\Temp. Becuz I found Image27.zip in there and deleted it manually. You can find yours by checking ur msn’s chat history becuz ur computer records everything u do on msn plus sending and receiving. If that doesn’t work then we have to wait for MiCCas…
November 4th, 2007 at 7:32 pm
hey MiCCAS, im trying to find a solution for my friend.
hopefully you have found a solution
if u have, please e-mail me. i’ve typed in my email
November 5th, 2007 at 7:26 pm
Hey guys.
I have this stupid virus for Image 25 thats keeps on Image 24 and so on. I scanned my pc and I have no virus, I deleted the file and scanned it again and again but I keep on sendin my contacts this stupid thing!!
I tried your way but still … Nothin!!
Any other ideas??
Tnx for answerin me asap!!!
November 6th, 2007 at 12:08 am
Problem solved in 2 minutes…Search “System Restore” in search and go back a few days! Easy as
November 6th, 2007 at 12:36 am
thanks miccas!
i used d http://www.forospyware.com/Msncleaner/MsnCleaner.zip
i found all 6files!!
Thanks!!
November 6th, 2007 at 11:10 am
pls solve the problem for me
November 6th, 2007 at 3:40 pm
hi, i tried micca’s way, but got nada. i think i managed to kill the persistent bugger thou. Trend didnt manage to kill or quarantine it, neither did the advice from symantec online help much. instead i turned off system restore (in ‘my computer’, right click properties>system restore), rebooted and then my trend was finally able to quarantine it. worked with some other creepy stuff i found lurking around. ugh.
November 7th, 2007 at 8:20 am
I had a friend send me this, I scanned the .zip file with AVG before I extracted it and there was no virus detected. I extracted it and scanned the .exe file but again no virus detected. Of course I didn’t run the .exe, but my question is does the virus attack when you receive the .zip or when you’re actually stupid enough to run the application?
November 7th, 2007 at 3:25 pm
i tried using both ways >
November 7th, 2007 at 3:28 pm
the remove virus instruction and the link that miccas provided..
but it still can’t get rid of the virus..
anyone know what else i can do??
November 8th, 2007 at 5:39 am
The solution is XoftSpySE. It’s really the best antispyware. I got the file “image.jpg” from an msn contact and I downloaded and saved it, but before I clicked on it, XoftSpy detected it and autodeleted it. I think my pc didn’t get ill.
November 8th, 2007 at 6:37 pm
tried everything i had read here, and it still comes back (just when you think you have fixed it) is there no quick fix?
plus does anyone else know what (if any) damage this virus is doing to your machine? or is it just making using MSN impossible to use?
November 9th, 2007 at 10:25 am
Hi Guys, I just wondered. this has been happening to my friends. May i ask how it is used and what it is tht makes it behave the way it does?
November 10th, 2007 at 4:25 am
Yay, new virus, fun!
Anyway, what does the virus do exactly?
November 10th, 2007 at 9:22 am
right best thing to do is just run a virus scan i did and it worked i used mcafee 2007 but that cost me £50 , theres also a cheaper option completely free by using avg or avast which is the better one ive told 7 ppl to use avast and it got rid of their virus and hell of a lot of trojan horses that their old anti virus didnt discover!!
if u need any help just say
November 11th, 2007 at 8:58 pm
Hey
i think i have a slight variation on this virus. rather than image24.zip or whatever i have myspaceimage.zip or kodak.zip
should the same process in theory work for me?
thanks for any help
November 12th, 2007 at 8:26 pm
hey,
I seem to have the same/similar problems as everyone else, I have done the following:
Norton Anti-Virus Quick and Full Computer Scans,
Attempted Several System Restores, to various dates, Action cannot be performed at any date,
Ran the remove24.reg, followed all steps, was unable to find the files
Downloaded and ran the MSNCleaner program, comes up with absolutely nothing.
Removed MSN, deleted files remaining in Program files, completed a Full Virus Scan
Re-installed MSN, warned all my contacts, and it is still there,
I’m really stressed for ideas now, and am thinking about re-formatting…
This is really not the time I wanted to be dealing with this stuff, when I have exams coming up.
If anyone has any more ideas, and/or solutions, please post them on here.
Thanks
November 13th, 2007 at 4:18 am
i can’t
find the two files
u say
i 8ink that i will
have to do format
:S
November 14th, 2007 at 10:32 am
I had this sent to me, but luckily i was running linux. what does it actually do to your system?
November 14th, 2007 at 3:30 pm
Hey guys
Yeah, none of this shat worked for me. WTF!!1
November 15th, 2007 at 3:53 am
I have the same problem. I performed your steps as posted but like Zack, I am unable to locate the files to delete. I’ve tried everything and to be honest fed up. I’m losing contacts because people are so pissed off at me.
If anyone reads this post and wants to help please leave me an email at whosyourdaty@hotmail.com
Thanks for your help
November 15th, 2007 at 1:58 pm
I have deleted it using the msn cleanup but it seems to re appear?!?
I can’t find the other 2 files you mentioned?
Hope someone can help?
Thanks guys
November 17th, 2007 at 12:31 am
Only thing working for me so far is to do system restore in SAFE MODE.
November 17th, 2007 at 4:41 am
hi, can some one find a solution for it? my pc got crazy of it !!
MiCCAs , any new solution of it?plz ! my email is provided , any one can help me ? i need my msn soo badly!
November 19th, 2007 at 7:32 pm
I fell for this one in about late September, and since then have been trying to get rid of it.
I’ve tried just about everything:
- miCCAS’ file
- MSNcleaner
- Uninstalling and reinstalling MSN
- Full scans using a few different programs (Avast! and Spybot)
Everything I’ve tried does what I’m told it will, except for one SMALL detail. I can’t find the files ANYWHERE. Nothing can locate them, I don’t appear to have them at all. For about two weeks I thought the virus had gone, but today it came back and I had no idea what was going on.
I know everyone’s asking for the same thing, but if ANYONE thinks of another way I can try (I can’t purchase antivirus programs off the net due to lack of credit card and paypal), please tell me. This has caused me no end of stress, and now it’s so far back in history that I can’t do a system restore. So yeah, thanks for all the work people are putting in to find this annoying thing, but some more help would be much appreciated.
November 19th, 2007 at 7:37 pm
Had the same problem, ClamWin didn’t see this virus.
I did several online scans which only detected the imageXX.zip files but not the source of this virus.
My solution was:
I uninstalled ClamWin and installed the latest Kaspersky trial, it detected the source files and cleaned my system.
http://www.kaspersky.com/virusscanner
Good luck!
November 19th, 2007 at 9:53 pm
Actually, as a follow up of that…
I went and did a search on my computer for ‘.zip’
There were 7 files that were zip folders to do with ‘msnimage’ or something of the sort, so I deleted them. Perhaps that could do something useful?
November 19th, 2007 at 10:19 pm
hey, i tried usin msn cleaner but when i detected image 21 after tht i deleted it , the next day i go on msn and it came up again. so i scanned again and i found image 35 and i deleted and it seems to be recurring
November 20th, 2007 at 4:03 pm
Dan Says:
November 11th, 2007 at 8:58 pm
Hey
i think i have a slight variation on this virus. rather than image24.zip or whatever i have myspaceimage.zip or kodak.zip
should the same process in theory work for me?
thanks for any hel
hey man, Umm if u have tried it.. just tell us, Friend has the same an really trying to help her with it.. but so far no idea if this stuff will work or not with myspaceimage.zip.. someone tell us..thanks
November 24th, 2007 at 11:51 am
A word of warning, this is a rootkit virus.
This virus is encrypted in form, therefore, you can’t reverse engineer it.
It modifies your system dlls. It is a backdoor trojan that uses MSN to access the internet and download more payloads.
Formatting is the only foolproof option.
That is all I know about it. It is very dangerous.
I want to know how to see if it is still running on my PC or not. Is there any way to detect it?
December 7th, 2007 at 8:05 am
iv tried ur method but cant find any of the files to delete please help
December 7th, 2007 at 8:59 am
Try running my tool, and the other tools in SAFE MODE. Basically, keep pressing F8 when you start your computer until the black window with the appropriate options shows up.
December 10th, 2007 at 1:33 pm
OH EM GEE, thx MiCCAS, srsly, i ran it without safe mode and it worked. dude u rock. lol. if ppl cant find the msg MiCCAS left with the site then here it is
http://www.forospyware.com/Msncleaner/MsnCleaner.zip
December 21st, 2007 at 1:46 pm
I have downloaded the zip file from http://www.forospyware.com/Msncleaner/MsnCleaner.zip, but nothing can be found. Pls Help
December 22nd, 2007 at 2:21 am
ok everyone who has this virus listen up : there are various steps you can take to removing this annoying virus. 1st go to your C:\Documents and Settings\Administrator\Local Settings\Temp folder and search in there only for the image**.zip (note check for the image that you were sent not the 1 micca is using bcos of course not all of you will have the same named file) if you discover the image**.zip delete it , (now this is the bit most ppl havent tried) if its gettin its source from the internet(as in charles post) then take its source away (unplug the internet cable or turn off the internet) then search for the file %windir%\system\ehSched.exe (if >) (in start menu click run type in regedit) (if the file is on your computer you will find it here) , then download xoftspy SE (please try and get the latest version) download it here if you have trouble finding it http://www.paretologic.com/xoftspy/se/newlp/xray/?uid=x928s , after you have ran this program DO NOT turn the internet back on RESTART your computer and do another virus scan using xoftspy after scannin switch internet back on (note norton/kaspersky/other will not detect this virus bcos there are so many names for it) if this works please let me know , thank you
December 22nd, 2007 at 11:06 am
I got the image_****.zip virus from a friend and out of curiosity’s sake i downloaded and opened it. I’ve tested many different supposed methods of removal (except antivirus and spyware, simply because i have never needed them and in my opinion they add clutter more than they actually help) but none of them have accomplished anything. The only way i have found to eradicate it, short of reformatting, is to set the system back, and all I can say is it isn’t as y2k, end of the world as people seem to think. at most it is an annoyance
December 28th, 2007 at 6:29 pm
I seriously reckon that ppl who have the virus should get a decent AV and do a virus scan. I downloaded 1 and it picked up the virus in a few minutes. O and DO NOT GET NORTON! it’s terrible. get AVG or something.
January 8th, 2008 at 7:07 am
Hey,
I have this problem too, i accepted it out of curiosity as well. I tried running several scans using Mcafee, it detected the trojans and quarantined them but this annoying virus kept sending itself to my contacts :S
I then realized that each time i located and deleted the imageXX.zip files, it kept coming back but with a different number. It also created more and more files, i decided to run my computer on safe mode. I checked the registry and searched for “image059.zip” (this was the name of my file, write in the one that you have) and it picked it up and i deleted it. I also searched for “ehSched.exe” and to my surprise it actually showed up!
I deleted it and i think it may have fixed my msn
Try it and see if it works
January 11th, 2008 at 7:32 pm
If you’re still having problems, try http://www.msnvirusremover.tk that should fix it.
January 18th, 2008 at 9:38 pm
Hey guys,
News will be posted very soon about a final resolution to this problem. Keep your eyes peeled for January 25th!
February 5th, 2008 at 2:34 pm
please help
February 5th, 2008 at 2:35 pm
help
May 8th, 2008 at 11:07 pm
support@mattspchelp.co.uk
hey guys need a hand email me on the above and ill try and help , have removed this several times from clients PC’s , i can do remote desktop if youd like me to fix
Thanks Matt