new messenger virus!

Discussion in 'Windows Desktop Systems' started by Psyborg, Aug 21, 2005.

  1. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
Guys, anyone heard about this latest virus that's killing my MSN? Basically I've done all the virus scans and it's still there, I can't do Ctrl-Alt-Del, and it sends on a link to my contacts every so often, like "download the latest version of MSN" and then the link.

    do NOT click on the link!

    http://www. warezddls.com/funny-stuff/download3849.exe
     
  2. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
It would be best not to post the link to the virus, for the safety of the members and visitors. Try using trojan remover software
to remove the pest... On another note, don't ever click on a link in your messenger with the word warezddl in it. :rolleyes:




and remember...
    # Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.

    # Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it.

# Do not open any files attached to an email if the subject line is questionable or unexpected. If you really need to, always save the file to your hard drive before opening it.

# Delete chain emails and junk email. Do not forward or reply to any of them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.

    # Do not download any files from strangers.

    # Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.

# Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should at the least be the product's virus signature files. You may also need to update the product's scanning engine.

    # Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.

# When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates, including those for your operating system, web browser, and email.
     
    Last edited: Aug 22, 2005
  3. zeke_mo

zeke_mo Staff Member Political User Folding Team

    Messages:
    1,984
    Location:
    Placerville, CA
I think this was just a warning as to where the link was directing him; I don't think he had any intention of posting an illegal site.
     
  4. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN

    my bad...:eek: corrected post...
     
  5. egghead

    egghead Double O Egghead

    Messages:
    504
Thanks for the heads-up with the URL.
A friend just sent me the link on MSN and this time it was the same place but no exe in the URL.

I bet if I clicked the link it would open the Save As wizard.

Anyway,

how do we clean these?
     
  6. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    with things like NOD32, Kaspersky AV, F-Secure, etc :)
     
  7. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
No luck, tried a few malware removers and antivirus products; they seem to be just classic symptoms of other viruses, but another thing bugs me: I can't access anti-virus sites such as Symantec, Trend Micro, Grisoft, etc.

I don't want to do a re-install because then I'll never find out the cause, or the virus itself... :(

Forgot to include: copies of Task Manager and msconfig showed nothing out of the ordinary :(
     
  8. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    Xie and I investigated the virus earlier on IRC.

Symantec, Trend and Grisoft are probably not that much good in any kind of serious virus problem as they are some of the poorer scanning engines on the market.

Try NOD32 or Kaspersky AV (Xie's Kaspersky for Mac detected it correctly) or, failing that, format and reinstall.
     
  9. trukkmann

    trukkmann OSNN Addict

    Messages:
    110
Look here for a command line process killer. Kill whatever process(es) you suspect is the virus or under the control of the virus. Once killed, taskman.exe should be accessible and any virus scan should be able to remove it. Some virii require the registry to be edited to completely remove any recurrence and others can hide in the boot sector. Remember to turn off System Restore and reboot to remove any backup of a virus that might be hiding in there. This site could be helpful in your case; it sounds like you have the "W32.Aplore@mm" virus.

    PS I also heard that it could be "Explorer.exe" in msconfig startup that initiates it.
     
  10. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Word.

    W32.Aplore@mm is a mass-mailing worm that attempts to spread using email, IRC, and AOL Instant Messenger (AIM).

    MSN is not affected.

Can I get a HijackThis log?
     
  11. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
One HijackThis log:
    ==============

    Logfile of HijackThis v1.99.1
    Scan saved at 17:33:12, on 22/08/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\EzButton\CPLDBL10.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\system32\bcmwltry.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
    C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Dynu Systems\Basic\DynuBas.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Brendan\Local Settings\Temp\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [svshost] C:\WINDOWS\system32\nirndh\svshost.exe
    O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Basic Client.lnk = C:\Program Files\Dynu Systems\Basic\DynuBas.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
     
  12. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
I said I'd post the logfile separately. Now, there is a lotta junk in there, and fair credit to LordOfLA for the Kaspersky link: the TRIAL version found no less than FOURTEEN viruses! And then I ran NOD32, which came up with nothing.

Now I have back my Task Manager, regedit, msconfig etc., but some antivirus websites I still can't access, so I know there's still something there, e.g.

like when I google "symantec" I can access symantec.co.uk, but I can't access symantec.com; it just comes up "page not displayed" on the first try, and then http://www.google.ie/search?hl=en&q=symantec&meta= on the second try. It's pretty much the same with all the antivirus sites :(
     
  13. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Remove:
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    and - not sure if you need this?
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

    Otherwise most of this stuff checks out. It's a sweet trojan - that's for sure (still googling 4 ya)
     
  14. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
Run that all in Safe Mode
(tap F8 at boot, choose 'Safe Mode') and run the scans again.
While in Safe Mode delete your cache and cookies for IE or whatever your browser is at this time.

Then run CCleaner - www.ccleaner.com - in Safe Mode.

Can you give the list of the 14 Lord's recommended software found?
     
  15. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
"14 Lord's recommended software"?? :(

Well, I just did a regedit there without typing the *.exe and got a blank DOS box with regedit.com in the title bar. So I got to the proper regedit by adding the exe and searched for symantec, hoping to find some key that stopped my browser (IE6) from opening these antivirus sites, but no luck :(

I really appreciate all the help on this one; I even e-mailed the admin@"that"site.com to alert him to the fact that his site was propagating the virus, but as yet have got no reply.

I normally would have done a fresh format ages ago, but I'm really interested now in solving this one cuz, if you'll pardon the pun, it's really bugging me. I don't know what it is, or the name of it or anything :(
     
  16. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
That one. Gimme the list of the offenders. All 14 of 'em.
     
  17. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
Ah, I don't still have 'em :( I deleted 'em all from the quarantine and then I had to uninstall Norton, McAfee, AVG, and Kaspersky to install NOD32 (I ran each prog and uninstalled it before I installed the next one so there would be no conflicts) :(

I'm gonna restart now in Safe Mode and try all that stuff in your last post and then I'll be back on to update you, and thanks for this :)
     
  18. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    shizz.....

    also remove this (unless you knowingly have a proxy server)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    that's probably what's stopping you from getting to symantec.

    and don't worry, this is my favorite game (tracking and killing computer garbage) - we will figure it out.

    also - paste me your current hosts file. if you don't know how to get to it let me know.

    *********** Just read your last.... going for lunch - be back in an hour. *************
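Added example, not from the thread: a small Python triage pass over HijackThis 1.99-style log lines, written from the defender's side. It flags the R1 ProxyServer entry that points at loopback (the line Mastershakes singled out; his "unless you knowingly have a proxy server" caveat still applies), an O2 BHO with "(no file)", and O4 Run entries whose executable name is a near-miss of a core Windows process name; that last rule would catch the svshost.exe entry in the posted log, which is my own observation rather than one raised in the thread. The sample lines are constructed from the log above, and the 0.85 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt in HijackThis 1.99 line format, mirroring entries
# from the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\system32\nirndh\svshost.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# Core Windows process names that malware commonly imitates with a one-letter change.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe"}
LOOPBACK = {"127.0.0.1", "localhost"}
THRESHOLD = 0.85  # assumed similarity cut-off for a "lookalike" name

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<file>.+)$", re.I)
RUN_RE = re.compile(r'^O4 - .*Run: \[[^\]]*\]\s+"?(?P<path>[^"]+?\.exe)', re.I)

def lookalike(name):
    """Return the system process name that `name` resembles, or None if it is
    either an exact system name or not close to any of them."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    best = max(SYSTEM_NAMES, key=lambda s: SequenceMatcher(None, name, s).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= THRESHOLD else None

def triage(log_text):
    """Return [(rule, line)] for every log line that trips one of the three rules."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m and m.group("host") in LOOPBACK:   # browser proxied through localhost
            findings.append(("proxy-loopback", line))
            continue
        m = BHO_RE.match(line)
        if m and m.group("file").strip().lower() == "(no file)":  # orphaned CLSID
            findings.append(("bho-orphan", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1]
            if lookalike(exe):                   # e.g. svshost.exe ~ svchost.exe
                findings.append(("run-lookalike", line))
    return findings
```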
     
  19. Psyborg

    Psyborg google addict Political User

    Messages:
    109
    Location:
    Limerick, Ireland
Wahey, finally, in leaps and bounds. I didn't even know such a file existed, and I'd forgotten to mention that IE was redirecting me to 127.0.0.1 sometimes, and now I know why, and I know why I couldn't access the websites! Take a looksie at the hosts file: [attachment: hosts.txt]

And I learned a whole load o' stuff, and now, while I'm waiting for Mastershakes I'm gonna go ahead and mod the hosts file and see how that works for me :)


    edit: Mastershakes U BEAUTY!! lol :D

    works like a charm now :)
     
    Last edited: Aug 22, 2005
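Added example, not from the thread: a Python audit of a Windows hosts file (on XP it lives at C:\WINDOWS\system32\drivers\etc\hosts) that reports security-vendor domains redirected anywhere, flags any other non-local name pointed at loopback or 0.0.0.0, and returns a cleaned copy with the vendor redirections dropped. The hosts content is constructed, since the poster's attachment is not on this page, and the vendor domain list is an assumption drawn from the sites he could not reach.

```python
import ipaddress

# Constructed sample of a tampered hosts file in the shape this thread describes
# (AV vendor sites pointed at 127.0.0.1), plus one benign ad-blocking entry.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com symantec.com
127.0.0.1       www.trendmicro.com
127.0.0.1       www.grisoft.com
0.0.0.0         ads.example.net      # ad-blocking entry, benign
"""

# Assumed watch list: domains whose redirection defeats updates and cleanup.
VENDOR_DOMAINS = {"symantec.com", "trendmicro.com", "grisoft.com",
                  "kaspersky.com", "eset.com", "nod32.com"}
# Names that legitimately map to a local address.
ALLOWED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return [(ip, hostname)] pairs, ignoring comments, blank lines and
    expanding lines that list several names for one address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs

def is_vendor(host):
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def audit_hosts(text):
    """Classify every mapping as 'vendor-blocked', 'sinkholed', 'malformed' or 'ok'."""
    report = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report.append(("malformed", ip, host))
            continue
        if host in ALLOWED_LOCAL:
            report.append(("ok", ip, host))
        elif is_vendor(host):                      # any redirect of a vendor is bad
            report.append(("vendor-blocked", ip, host))
        elif addr.is_loopback or addr.is_unspecified:   # 127.x / 0.0.0.0 sinkhole
            report.append(("sinkholed", ip, host))
        else:
            report.append(("ok", ip, host))
    return report

def clean_hosts(text):
    """Return the hosts text with vendor redirections removed; other lines untouched."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and any(is_vendor(n.lower()) for n in fields[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept)
```

Ad-blocking hosts lists legitimately sinkhole domains, so treat 'sinkholed' as a review queue rather than a verdict.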
  20. skeven

    skeven OSNN One Post Wonder

    Messages:
    2
Well, I'm glad that worked out... too bad I was late for the party... lol =P