Stupid stupid AIM virus!


  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    42

    Stupid stupid virus!

    Get this,

    I've been a long-time user of AOL Instant Messenger. I've been so aware of viruses and what links I click. Yet they finally got me, and it's bad, really, really bad.

    So I get one of those fake IMs from a good friend, saying "Yo! Remember this pic from the beach? <Link here>" .... Now this link was an exact replica of an ImageShack URL. I looked over it twice, and agreed it was OK.

    PS... I went to the beach last month with this friend.


    Bad idea... It said something along the lines of... install PSD file (PSD being Photoshop), so again I agreed...

    A cmd prompt window pops up and does all these weird things; next thing I know I'm swimming in 37 pop-ups...

    I didn't fret, nor worry.

    I ran Ad-Aware, Spybot Search & Destroy, and a Norton system scan. All these checks found millions of errors and I was told they were fixed... This was not the case... I still get 100s of pop-ups... What is going on???

    What do I gotta do???


    EDIT:

    I found some weird processes with weird numeric names that I disabled using WinPatrol.


    Can anyone help me out???

    I'm stressing big time.

  2. #2
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    First move:

    Update all your scanning software, reboot, and run them in safe mode; you will have a much better chance of killing them that way.

    Then get:

    1. Ewido
    2. A-squared
    3. Spybot search & Destroy
    4. AdAware SE

    And do the same.

    Then run PC-Cillin's "Housecall" online scanner.

    Be sure to set Spybot to run in "advanced" mode. Use the "immunisation" feature, and use the "tools" to look at BHOs and the like.

    Please let us know how you get on, as the next step is to use HijackThis to find out what you have left.

    Then we have to get you some software that interactively protects IM/P2P. It is by no means foolproof, but it does catch the obvious.

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    42
    Right on it, ty for the quick response, I'll let you know..

  4. #4
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Sorry, I forgot to mention.

    If you still have the file then go here and submit it.

    http://www.virustotal.com/en/indexf.html

    That might tell us what it is, so we can find out how it works and how to kill it.

    At the very top you use "browse" to find the file and "send" to submit it. You might find yourself in a queue, so just minimise the window and check it now and again.

    You might also try this:

    http://www.softpedia.com/get/Antivirus/AIM-Fix.shtml



  5. #5
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    If you have a spare (test) comp, the best way to remove unwanted sh*t from the HDD is to attach it to the second box, then run your scans on it. And remember, if all else fails just backup/format/reinstall... it's a lot less painful.

  6. #6
    Member
    Join Date
    Apr 2006
    Posts
    42
    Alright... everything failed... I installed all the software recommended, I ran them all within safe mode, I ran the online scan... and it "said" viruses were found and taken care of, but that's not the case, I'm still heavy with pop-ups.

    One more bit of info....

    Since this all started happening, I get this message when I restart:

    An Exception has occurred while trying to run "C:\WINDOWS\system32\wmbcheck.dll",DLLGetVersion

  7. #7
    Member
    Join Date
    Apr 2006
    Posts
    42
    Originally posted here by r3b00+
    If you have a spare (test) comp, the best way to remove unwanted sh*t from the HDD is to attach it to the second box, then run your scans on it. And remember, if all else fails just backup/format/reinstall... it's a lot less painful.
    Take the HDD out of the non-working PC and put it in as a secondary HDD with another one?
    ...

    As for reformat, I would... but I'm afraid I might have tossed the CD key from XP...

    Until I find it, I guess I can't reformat.

  8. #8
    Member
    Join Date
    Apr 2006
    Posts
    42
    Here I am on the infected computer...

    Now with the HijackThis log file...

    Logfile of HijackThis v1.99.1
    Scan saved at 3:36:15 PM, on 9/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Dell\OpenManage\OMCC\iws\bin\win32\omaws32.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Dell\OpenManage\OMCC\oma\bin\omsad32.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\a-squared Anti-Malware\a2guard.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Documents and Settings\Erik M Zettersten\Desktop\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\r2r60c9sef.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Client Connector Administrator (ccadmin) - Unknown owner - C:\Program Files\Dell\OpenManage\OMCC\iws\bin\win32\omaws32.exe" "OMACS_KEY_OMA=SOFTWARE\Dell Computer Corporation\Dell OpenManage OMCC\Dell OMA (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: OMCC OM Common Services (omccomsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMCC\oma\bin\omsad32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  9. #9
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmm,

    Boot into safe mode and run HijackThis.

    Get rid of:

    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptem...login-devel.cab
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\r2r60c9sef.dll

    You might want to seek other opinions.
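The log in post #8 and the triage in post #9 show the manual version of HijackThis review: read every autostart entry and pick out the ones that do not belong. The Python below is an added example, not code from this thread or from HijackThis, that automates the two cues the reviewer used: an O4 Run value with no command at all (ShowLOMControl) and an O20 Winlogon Notify DLL with a machine-generated-looking name (r2r60c9sef.dll). The log excerpt is constructed from the lines posted above; the "alternating letters and digits" heuristic and its threshold are my assumption, chosen so that legitimate names on the same log (igfxpers, a2guard, omaws32, WPDShServiceObj) pass.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O4" or "O20"
    name: str     # Run value name, Notify key name, SSODL name or service name
    path: str     # executable or DLL the entry points at ("" if none)
    reason: str


# Constructed excerpt of a HijackThis 1.99.1 log, copied from the lines
# posted in this thread. Sections other than O4/O20/O21/O23 are ignored.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [ShowLOMControl] ",
    r"O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe",
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r'O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"',
    r"O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\r2r60c9sef.dll",
    r"O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll",
    r"O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe",
])

# "O4 - <body>": section tag, then the entry itself.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# O4 bracketed form: "HKLM\..\Run: [ValueName] command line" (Global Startup
# entries use a different "name.lnk = path" shape and are skipped here).
O4_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def first_executable(cmd: str) -> str:
    """Return the program a Run command line starts, honouring a quoted path."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def module_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\r2r60c9sef.dll' -> 'r2r60c9sef'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def looks_random(stem: str) -> bool:
    # Count letter/digit run alternations. Real module names carry at most a
    # version or architecture suffix (a2guard, omaws32: <= 2 alternations);
    # generated names like r2r60c9sef alternate many times. Assumed threshold.
    runs = re.findall(r"[A-Za-z]+|\d+", stem)
    return len(stem) >= 8 and len(runs) - 1 >= 3


def review(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            name = o4.group("name")
            path = first_executable(o4.group("cmd"))
            if not path:
                findings.append(Finding(sec, name, "",
                                        "Run value has no command; a stale or "
                                        "deliberately blanked entry, remove it"))
                continue
        elif sec in ("O20", "O21", "O23"):
            # "<Type>: <name> - [owner/CLSID -] <path>": last field is the path.
            parts = body.split(" - ")
            if len(parts) < 2:
                continue
            name = parts[0].split(": ", 1)[-1]
            path = parts[-1]
        else:
            continue
        if looks_random(module_stem(path)):
            findings.append(Finding(sec, name, path,
                                    "module name looks machine-generated "
                                    "(alternating letters and digits)"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<30} {f.path or '(no target)'}\n     {f.reason}")
```

Running it against the excerpt reports exactly the two entries the reviewer in post #9 told the poster to remove and stays quiet on the Symantec, Dell, Intel and a-squared entries. A name heuristic is only a first pass: it would not catch a dropper that picks a plausible name, so an O20 Winlogon Notify DLL that no installed product accounts for still deserves a look even when its name reads normally.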

  10. #10
    Senior Member
    Join Date
    May 2006
    Posts
    132
    There is/was an entire forum dedicated to reviewing HijackThis logs at www.security-forums.com if you don't find the help you need here.
