How to Remove the Common Windows Live MSN Messenger Message Spread and Image Viruses

  • Log out of Windows Live MSN Messenger.
  • Click "Start", select "Run", and type "msconfig" to bring up the System Configuration window.
  • Click on the "Startup" tab. Look for the file "xxxsvc.exe", which is the MSN photo virus, or "hotkeysvc.exe" and "MsgSpread", which are also common MSN viruses. Uncheck their boxes to disable them.
  • Select "OK" to accept the changes.
  • Restart your computer to apply the new configuration; MSN Messenger should now be clean.


To remove the PIC1234 MSN virus:


  • Close Windows Live MSN Messenger.
  • Go to "Start > Run" and type "msconfig".
  • Click the "Startup" tab at the top right-hand corner of the window that pops up.
  • Uncheck the box next to "MSN Messenger".
  • Hit OK. When it asks if you want to restart your computer, say "No".
  • Press Ctrl+Alt+Del, find "MsgSpread" and click End Task (if the file is there).
  • Open My Documents.
  • Double-click "Messenger Service Received Files". If you don't see a folder with that name, go to My Computer > C > Program Files > Messenger Service Received Files.
  • Delete the file called PIC1234(1)(1)(1)(1)(1)(1)(1)(1).exe: right-click it ONCE and select Delete.
  • On the desktop, right-click the "Recycle Bin" and click Empty.

Trojan Removal - Trojan.PWS.Onlinegames.KDCI

Trojan Behavior


  • Creates a hidden autorun.inf file in the root of your system drive (usually C:\autorun.inf).
  • Creates a hidden executable file in the same folder as the autorun.inf; the autorun.inf points to it with an open statement.
  • Creates a hidden link library (DLL) file and a hidden executable file in your temporary folder (located in your [LocalSettingsFolder], for example C:\Documents and Settings\username\Local Settings\Temp).

Trojan Technical Description


It is one of the most widespread online-games password-stealer malware "families" out there.

Upon execution, it creates autorun.inf files pointing to copies of itself, making sure it can survive a system restart. These files are located in the root of the local drives of an affected system.

It creates another copy of itself in the temporary folder of the current user, where it also drops a new DLL file that implements all the functionality required for stealing passwords related to MapleStory, The Lord Of The Rings Online, Knight Online, Dekaron or other games. The newly created copy is registered to run at system start-up by a new entry created under HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run (named cdoosoft, having the path of the file as its value). At this point, the original infected file deletes itself from the disk, removing its traces.

The .dll file from the temp folder is then written into the memory space of the explorer.exe process and executed. The malicious code injected into explorer.exe is responsible for setting the hooks needed for stealing passwords and also for further propagation through the periodic (twice a minute) creation of autorun.inf files (and of the associated executable files) in the root folder of the local partitions.
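To check a drive for the autorun.inf behavior described above, the following added example (not part of the original post) parses the text of an autorun.inf and flags launch entries that point at an executable sitting in the drive root. The function names, the extension list and the sample file with its placeholder name "example.exe" are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# [autorun] keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}

# Constructed sample; "example.exe" is a placeholder, not a name from the page.
SAMPLE = r"""; constructed autorun.inf
[AutoRun]
open=example.exe
shell\open\Command=example.exe
icon=example.ico
"""

def launch_targets(autorun_text):
    """Return (key, program) for every launch entry in the [autorun] section."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            # The value is a command line: keep the program, drop arguments.
            program = value.split('"')[1] if value.startswith('"') else value.split()[0]
            targets.append((key.lower(), program))
    return targets

def suspicious_entries(autorun_text, drive_root="C:\\"):
    """Flag launch entries that resolve to an executable in the drive root."""
    root = PureWindowsPath(drive_root)
    hits = []
    for key, program in launch_targets(autorun_text):
        path = PureWindowsPath(program)
        full = path if path.is_absolute() else root / path
        if full.suffix.lower() in EXECUTABLE_EXT and full.parent == root:
            hits.append((key, str(full)))
    return hits

if __name__ == "__main__":
    for key, path in suspicious_entries(SAMPLE):
        print(f"{key} -> {path}")
```

Because the malicious code in explorer.exe recreates these files twice a minute, a hit that reappears after deletion indicates the injected code is still running.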