Electronic Greeting Card - msdataaccess.exe
Removal Instructions and Help

Are Electronic Greeting Cards Dangerous?

Lately, every time I open my email there is an electronic greeting card message waiting for me. It used to be fun to open one of these and find a funny greeting from a friend or relative; now, however, most of these e-cards carry a payload of viruses, spyware and other malware, a sort of electronic cocktail of programs designed to do your computer harm. Don't get me wrong, you may still receive legitimate e-cards from time to time, but the mass-mailed greetings of the last couple of months are something you don't want to open.

The latest cards want you to click on a link and download a free copy of "Microsoft Data Access" so you can read the card. The popup that accompanies the download even says the file is from Microsoft Corporation. Don't believe this for a second: anyone can type "Microsoft Corporation" into a file's version information, and a genuine Microsoft component carries a valid digital signature that you can check on the file's Properties dialog, Digital Signatures tab. The file msdataaccess.exe is malware; please do not run it.

However, I was bored the other day, so I took a freshly formatted Windows XP laptop and ran this file. (Do not try this yourself except on an isolated test machine that you can wipe afterwards.) I didn't get to view the greeting card; instead my computer became a spam-sending drone connected to a network of evil.

What do these e-cards look like?

A sample of a recently received electronic greeting card is shown below.
---------------------------------------------------------------------------------------
FROM: email@someaddress.com 
DATE: Thu, 16 Aug 2007 00:35:36 -0400 
TO: <pchell@gmail.com>  
SUBJECT:    Love ecard 
 
Good day.
Your Sister has sent you Love ecard from marlo.com.
Click on your card's direct www address below:
http://71.88.198.238/
Copyright (c) 1991-2007 marlo.com All Rights Reserved
---------------------------------------------

Some of the subject lines used by these cards are:

Animated card
Love postcard
Thank you postcard
Birthday e-card
Animated e-card
Funny card
Holiday ecard
Musical e-card


After clicking on the URL in the body of the message, a page appears asking you to download "Microsoft Data Access" to view the card.

Screenshot: body of the electronic greeting card page, with the download prompt.

You'll notice the popup asking you to install the program even claims it is from "Microsoft Corporation".
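The three things that give the sample message away (a subject line from the campaign's list, a link to a bare IP address rather than a hostname, and a claimed sending domain, marlo.com, that does not match where the link actually goes) can be turned into a mail-filter rule. The Python below is an added example and is not part of the original article: the first sample message is the one reproduced above, the second is a constructed benign control, and the "from <domain>" phrase match and the two-tell threshold are my own assumptions about this campaign.

```python
import re
from email import message_from_string

# Subject lines used by the campaign (the list above plus the sample's own subject).
ECARD_SUBJECTS = {
    "animated card", "love postcard", "thank you postcard", "birthday e-card",
    "animated e-card", "funny card", "holiday ecard", "musical e-card", "love ecard",
}

URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# "... has sent you X from marlo.com": the domain the mail claims to come from.
# Matching the phrase "from <domain>" is an assumption about this campaign's wording.
CLAIMED_DOMAIN_RE = re.compile(r"\bfrom\s+([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)

# The message reproduced in the article above, as a raw RFC 822 string.
SAMPLE_ECARD = """\
From: email@someaddress.com
Date: Thu, 16 Aug 2007 00:35:36 -0400
To: <pchell@gmail.com>
Subject: Love ecard

Good day.
Your Sister has sent you Love ecard from marlo.com.
Click on your card's direct www address below:
http://71.88.198.238/
Copyright (c) 1991-2007 marlo.com All Rights Reserved
"""

# Constructed benign control: a card whose link really goes to the domain it names.
SAMPLE_BENIGN = """\
From: cards@example.com
To: <pchell@gmail.com>
Subject: Your card from example.com

A friend sent you a card. View it here:
https://www.example.com/cards/view?id=123
"""


def _body_text(msg) -> str:
    """Return the first text/plain part of a message as text."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_ecard(raw: str, threshold: int = 2) -> dict:
    """Apply the three tells to one raw message; 'suspicious' when >= threshold of them fire."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    body = _body_text(msg)
    reasons = []

    if subject in ECARD_SUBJECTS:
        reasons.append(f"subject {subject!r} is on the e-card campaign list")

    hosts = [h.lower() for h in URL_RE.findall(body)]
    for host in hosts:
        if BARE_IP_RE.match(host):
            reasons.append(f"link host {host} is a bare IP address, not a hostname")

    claimed = CLAIMED_DOMAIN_RE.search(subject + "\n" + body)
    if claimed and hosts:
        domain = claimed.group(1).lower()
        if not any(h == domain or h.endswith("." + domain) for h in hosts):
            reasons.append(f"mail claims to be from {domain} but links to {hosts[0]}")

    return {"score": len(reasons), "suspicious": len(reasons) >= threshold, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("sample e-card", SAMPLE_ECARD), ("benign control", SAMPLE_BENIGN)):
        verdict = score_ecard(raw)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Run against the sample above all three tells fire; the control trips none. The bare-IP check is the one that carries over to later campaigns: a legitimate card site has a hostname, and a link that is only an address is almost always a compromised home machine.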



Once run, msdataaccess.exe sets off a chain reaction: it disables security programs such as antivirus and firewall software, joins a peer-to-peer botnet from which it receives commands and further malware from a wide range of IP addresses, modifies the network driver TCPIP.SYS, and changes the DNS settings of your local area network or dial-up connection. Once your computer is infected, it is difficult to clean.

Scanning MSDATAACCESS.EXE with a Virus Scanner

Before I installed this dangerous file, I used Jotti's Malware Scanner to check it. Jotti's scan runs the file through a variety of scanning engines to see if it is dangerous; often one scanner won't report a problem while another will. Here are the results after scanning msdataaccess.exe. Fourteen of the twenty engines flagged it, under several family names (Zhelatin, Nuwar, Tibs, Dorf), which is normal: the names differ by vendor but all refer to the same malware. Six engines reported nothing, so a single clean scan is never proof that a file is safe:

Jotti Scan Results
Scan taken on 16 Aug 2007 17:54:11 (GMT) 

A-Squared Found nothing
AntiVir Found WORM/Zhelatin.Gen
ArcaVir Found Trojan.W32.Lager.Dr42
Avast Found Win32:Tibs-BEC
AVG Antivirus Found Downloader.Tibs.7.D
BitDefender Found DeepScan:Generic.Malware.FMPH@mmign.B1DE8244
ClamAV Found Trojan.Small-3376
CPsecure Found Troj.Downloader.W32.Tibs.mv
Dr.Web Found Trojan.Packed.142
F-Prot Antivirus Found Possibly a new variant of W32/Fathom.1-based!Maximus
F-Secure Anti-Virus Found Email-Worm.Win32.Zhelatin.gq
Fortinet Found nothing
Kaspersky Anti-Virus Found Email-Worm.Win32.Zhelatin.gq
NOD32 Found Win32/Nuwar.Gen
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Dorf-D
VirusBuster Found Trojan.Tibs.Gen!Pac.132
VBA32 Found nothing

After installing the file, my computer immediately started opening connections and sending spam to a variety of addresses. I used a program called TCPView to watch this flood of outbound mail connections.


After seeing my computer spewing spam in all directions, I immediately disconnected from my network and began the cleanup of this lovely greeting card. I rebooted the computer once before beginning the removal and was presented with a Windows Blue Screen when shutting down too.
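TCPView shows the same information that the built-in netstat -ano command prints, and the pattern to look for is one process talking to many different remote hosts on TCP port 25: a workstation normally talks to a single mail server, while a spam bot tries dozens of MX hosts at once, most of them still in SYN_SENT. The Python below is an added example, not something from the original article or from the TCPView author. The netstat lines are constructed to mimic what the infected machine did and are not a real capture, and the assumptions are that the bot delivers directly to port 25 and that five distinct SMTP peers is a reasonable alarm threshold.

```python
from collections import defaultdict

# Constructed `netstat -ano` output standing in for the TCPView screenshot; it is not a real
# capture from the test machine. PID 1204 is a browser, PID 1588 is the spam-sending process.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1045      64.233.167.99:80       ESTABLISHED     1204
  TCP    192.168.1.10:1061      64.12.138.161:25       SYN_SENT        1588
  TCP    192.168.1.10:1062      65.54.245.8:25         SYN_SENT        1588
  TCP    192.168.1.10:1063      66.94.237.77:25        ESTABLISHED     1588
  TCP    192.168.1.10:1064      209.85.133.27:25       SYN_SENT        1588
  TCP    192.168.1.10:1065      216.239.57.25:25       SYN_SENT        1588
  TCP    192.168.1.10:1066      205.188.159.57:25      ESTABLISHED     1588
  TCP    192.168.1.10:1067      64.233.167.99:443      ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

SMTP_PORT = 25  # assumption: the bot delivers straight to port 25, as spam bots do


def parse_netstat(text: str):
    """Yield (proto, remote_ip, remote_port, state, pid) for each connection line of
    `netstat -ano` output. Header and blank lines are skipped; '*:*' gives a port of None."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, foreign = fields[0], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:                       # UDP lines have no state column
            state, pid = "", int(fields[3])
        rip, _, rport = foreign.rpartition(":")
        yield proto, rip, (int(rport) if rport.isdigit() else None), state, pid


def smtp_fanout(text: str, threshold: int = 5) -> dict:
    """Return {pid: number of distinct SMTP peers} for every process at or above threshold.

    Distinct peers, not connection count, is the signal: one mail client retrying its own
    server many times is normal, one process reaching six different hosts on port 25 is not.
    """
    peers = defaultdict(set)
    for proto, rip, rport, _state, pid in parse_netstat(text):
        if proto == "TCP" and rport == SMTP_PORT:
            peers[pid].add(rip)
    return {pid: len(ips) for pid, ips in peers.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for pid, count in smtp_fanout(SAMPLE_NETSTAT).items():
        print(f"PID {pid} has {count} distinct SMTP peers: likely spam bot")
```

The same signal is visible at the network edge: a workstation that should never deliver mail directly suddenly opening port-25 connections to many hosts. Blocking outbound port 25 from workstations at the firewall stops the spam from leaving even before the machine is cleaned.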

What's the Best Way to Remove these NuWar-type infections from My Computer?

Since the infection adds nothing to the usual startup locations and installs no Browser Helper Object (BHO), tools like HijackThis that look in those places simply don't find it. This particular attack using msdataaccess.exe installs the following files:

  • spooldr.exe is installed in the Windows directory
  • spooldr.sys is installed in the Windows\System32 directory on Windows XP
  • tcpip.sys in the Windows\System32\Drivers directory is infected
  • tmcomm.sys is installed in the Windows\System32\Drivers directory (not normally a Windows file)

The computer then changes your DNS settings and starts sending email. It also hides the files it installed from the running copy of Windows (rootkit behaviour), so you will not see them in Explorer or at a command prompt while Windows is running; that is why the removal below is done from the Recovery Console, where the rootkit driver is not running.
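Because the dropped files are hidden from the running Windows system, the honest place to look for them is from outside it: boot another operating system, or pull the disk and mount it on a clean machine, then examine the Windows directory directly. The Python below is an added example, not the article's own procedure. It looks for the three dropped files listed above (case-insensitively, since a mounted NTFS volume is case-sensitive and the dropper's case may differ) and compares tcpip.sys with a known-good copy expanded from the installation CD. It assumes the Windows directory of the offline disk is passed in as a path and that the reference tcpip.sys comes from the same service pack level; the demo builds a placeholder disk layout with dummy contents rather than using real driver files.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the article lists as dropped by this infection, relative to the Windows directory.
STORM_FILES = (
    "spooldr.exe",
    "system32/spooldr.sys",
    "system32/drivers/tmcomm.sys",
)
TCPIP_SYS = "system32/drivers/tcpip.sys"


def _find_ci(directory: Path, relative: str):
    """Resolve `relative` under `directory` ignoring case. Returns a Path, or None if absent."""
    current = directory
    for component in relative.split("/"):
        if not current.is_dir():
            return None
        current = next((p for p in current.iterdir() if p.name.lower() == component.lower()), None)
        if current is None:
            return None
    return current


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_storm_iocs(windows_dir, reference_tcpip=None) -> dict:
    """Report which dropped files exist and whether tcpip.sys differs from a known-good copy.

    windows_dir: the Windows directory of the OFFLINE disk (mount point or boot-media view).
    reference_tcpip: tcpip.sys expanded from the install CD of the same service pack; when
    omitted the hash comparison is skipped and tcpip_modified is None.
    """
    windows_dir = Path(windows_dir)
    present = [name for name in STORM_FILES if _find_ci(windows_dir, name) is not None]
    tcpip = _find_ci(windows_dir, TCPIP_SYS)
    modified = None
    if tcpip is not None and reference_tcpip is not None:
        modified = _sha256(tcpip) != _sha256(Path(reference_tcpip))
    return {
        "present": present,
        "tcpip_sys": str(tcpip) if tcpip else None,
        "tcpip_modified": modified,
        "infected": bool(present) or modified is True,
    }


def demo() -> dict:
    """Build a placeholder offline disk (constructed dummy files, not real drivers) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        (win / "system32" / "drivers").mkdir(parents=True)
        (win / "SPOOLDR.EXE").write_bytes(b"placeholder dropper")
        (win / "system32" / "drivers" / "tcpip.sys").write_bytes(b"placeholder patched driver")
        reference = Path(tmp) / "tcpip.sys.from_cd"
        reference.write_bytes(b"placeholder clean driver")
        return check_storm_iocs(win, reference)


if __name__ == "__main__":
    print(demo())
```

Run the same check again after the cleanup below, with the reference copy you expanded from the CD, to confirm that none of the files have come back and that tcpip.sys now matches the clean copy. A hash mismatch on its own is only meaningful when the reference is from the same service pack; different service packs ship different tcpip.sys versions.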

Tools you may want to download before attempting this removal procedure.
  • CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems

Removal Procedure for Nuwar/Zhelatin/Tibs Greeting Card Infection

Download CCleaner to your desktop and install it so you can use it later. Then unplug your computer from your internet connection before continuing. If you are uncomfortable with any of the procedures shown below, please do not continue with this removal; take your computer to a repair facility or have a trusted friend follow these procedures instead. In all cases, be careful when deleting Windows files, since deleting the wrong one could leave your computer inoperable.

Booting into the Recovery Console

You'll need to use the Windows XP Recovery Console to help with this removal procedure. This will require you either to boot from a Windows XP installation CD or to boot directly to the Recovery Console if it is installed. Follow these steps to boot into the Recovery Console from a Windows XP installation CD.

1) Place your Windows XP CD in the CD-ROM drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following prompt, press the space bar.

"press any key to boot from cd..."

4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a multi-boot system)
6) Type the administrator password and press Enter
7) You should now be at the C:\Windows> prompt

Deleting the Infected Files

From the C:\Windows> prompt type the following and press Enter after each line. The last del may report that tmcomm.sys was not found; that is fine, it is not present in every case.

del c:\windows\spooldr.exe
del c:\windows\system32\spooldr.sys
del c:\windows\system32\drivers\tcpip.sys
del c:\windows\system32\drivers\tmcomm.sys

Deleting tcpip.sys removes the TCP/IP driver, so Windows will have no networking until a clean copy is put back in the next section. The Recovery Console supports the expand command, so if your XP CD is still in the drive you can restore the driver right now, before leaving the console, using the same EXPAND command shown in the next section. Then type exit and press Enter to reboot into Windows.

Installing a new copy of TCPIP.SYS

When Windows restarts, follow these steps to expand a new copy of tcpip.sys to your hard drive.

  1. Click on Start, Run
  2. Type CMD and Press Enter
  3. Make sure your Windows XP CD-ROM is in the drive and type the following to extract a new copy of TCPIP.SYS to the hard drive. Substitute the appropriate drive letter for your CD-ROM drive, in this case drive D.

    EXPAND D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS

  4. Type Exit to close the command prompt

The copy on the CD must match the service pack level of your installation: a tcpip.sys from a pre-SP2 CD on an SP2 machine is the wrong version. If you installed a later service pack than the one on your CD, copy tcpip.sys from C:\WINDOWS\ServicePackFiles\i386 (where the service pack keeps uncompressed copies of the files it updated, if that folder exists) instead of expanding it from the CD.

Turn off System Restore to Remove Saved Copies of Virus

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click Apply at the bottom of the screen.
8. Now uncheck "Turn off System Restore" or "Turn off System Restore on all drives" to re-enable it; the copies of the virus that System Restore had backed up are gone with the old restore points.
9. Click Apply, and then click OK.
10. Double-click on CCleaner on your desktop and remove any temporary files and registry problems it finds.
11. Restart your computer.
12. Re-enable your network connection.

Scan Your Computer For Viruses

You may use any of the following online virus scanners to be sure your computer is now clean. After cleaning my test machine, I ran Trend Micro Housecall, Kaspersky Virusscanner and Ewido (now AVG) Online Scan, and my system was clean. I infected the machine using three different emails, and the above procedure worked in my case each time. Bear in mind that a scanner running inside the same Windows installation only sees what Windows shows it; if anything still looks wrong after cleanup (further Blue Screens, DNS settings that change back, unexplained outbound connections), reinstalling Windows from scratch is the safe option.

Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Jotti's Online Malware Scan
Kaspersky Online Scanner - appears to only scan for but not remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test particular files for threats

Congratulations! Your computer should now be free of the msdataaccess.exe greeting card infection. Although not all email greeting cards are bad, if one looks suspicious it probably is. Please be careful whenever an e-card asks you to download a viewer or install a program you are not sure of.



Written by Mark Hasting
