Stupid stupid AIM virus!

**ezdesigns** · September 5th, 2006, 04:02 AM

Get this,

I've been a long time user of Aol Istant messaging. Ive been so aware of virus's and what links I click. Yet they finally got me, and its bad, really really bad.

So I get one of them fake IM's from a good friend, saying " Yo! remember this pic from the beach? <Link here> .... Now this link was an exact replica of an image shack url. I looked over it twice, and agreed it was ok.

ps... i went to the beach last month with this friend.

Bad idea... It said something along the lines of.... install psd file. (psd, being photoshop) so again i agreed...

a /cmd prompt window pops up does all these wierd things, enxt thing i know im swimming in 37 pop-ups...

I didnt fret, nor worry.

I ran ad-aware, Spy-bot search and destroy, and a nortons system scan. All these checks found millions of errors and I was told they were fixed... This was not the case... I still get 100's of pop-ups... what is going on???

What do i gotta do???

EDIT****

I found some wierd processes with wierd numeric names that i disabled using WinPatrol.

Can anyone help me out???

Im stressing big time.

**nihil** · September 5th, 2006, 05:31 AM

First move:

Update all your scanning software, reboot, and run them in safe mode you will have a much better chance of killing them that way

Then get:

1. Ewido
2. A-squared
3. Spybot search & Destroy
4. AdAware SE

And do the same.

Then run PC-Cillin's "Housecall" online scanner.

Be sure to set SpyBot to run in "advanced" mode..........use the "immunisation" feature, and use the "tools" to look at BHOs and the like.

Please let us know how you get on as the next step is to use Hijack This! to find out what you have left

Then we have to get you some software that interactively protects IM/P2P. It is by no means foolproof but it does catch the obvious

**ezdesigns** · September 5th, 2006, 05:44 AM

right on it, ty for teh quick responce, ill let you know..

**nihil** · September 5th, 2006, 08:07 AM

Sorry, I forgot to mention.

If you still have the file then go here and submit it.

http://www.virustotal.com/en/indexf.html

That might tell us what it is so we can find out how it works and how to kill it?

At the very top you use "browse" to find the file and "send" to submit it. You might find yourself in a queue, so just minimise the window and check it now and again.

You might also try this:

http://www.softpedia.com/get/Antivirus/AIM-Fix.shtml

***r3b00+*** · September 5th, 2006, 04:55 PM

If you have a spare (test) comp the best way to remove unwanted sh*t from the hdd is to attach it to the second box then run your scans on it. And remember, if all else fails just backup/format/reinstall...its alot less painful.

**ezdesigns** · September 6th, 2006, 07:03 PM

alright... everything failed... I installed all the software recomended, i ran them all within safe mode, I ran the online scan... and it "said" viruses were found a taken care of, But thats not the case, im still heavy with pop ups.

one more bit of info....

When this all started happening I get this message when I restart.

_An Execption has occurred while trying to run ""C;\WINDOWS\system32\wmbcheck.dll",DLLGetVersion"

**ezdesigns** · September 6th, 2006, 07:11 PM

Originally posted here by r3b00+
If you have a spare (test) comp the best way to remove unwanted sh*t from the hdd is to attach it to the second box then run your scans on it. And remember, if all else fails just backup/format/reinstall...its alot less painful.

Take the HDD out of the none working pc and put it in as a secondary HDD with another one?
...

as for reformat, I would... but Im afraid i might have tossed the cd key from XP...

UNtill i find it, i guess i cant reformat

**ezdesigns** · September 6th, 2006, 08:37 PM

here i am on the infected computer...

now with the Hijack log file...

Logfile of HijackThis v1.99.1
Scan saved at 3:36:15 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\OpenManage\OMCC\iws\bin\win32\omaws32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Dell\OpenManage\OMCC\oma\bin\omsad32.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Erik M Zettersten\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {81025641-DE98-4F76-902A-44F48B3510BE} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\r2r60c9sef.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Client Connector Administrator (ccadmin) - Unknown owner - C:\Program Files\Dell\OpenManage\OMCC\iws\bin\win32\omaws32.exe" "OMACS_KEY_OMA=SOFTWARE\Dell Computer Corporation\Dell OpenManage OMCC\Dell OMA (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OMCC OM Common Services (omccomsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMCC\oma\bin\omsad32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

**nihil** · September 6th, 2006, 09:51 PM

Hmmm,

Boot into safe mode and run HiJackThis!..................

Get rid of:

O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145116971\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptem...login-devel.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\r2r60c9sef.dll

You might want to seek other opinions

**er0k** · September 6th, 2006, 11:48 PM

there is/was an entire forum dedicated to reviewing hijackthis logs at www.security-forums.com if you don't find the help you need here.

Thread: Stupid stupid AIM virus!

Thread Tools

Display

Stupid stupid virus!

Posting Permissions