new messenger virus!

Psyborg

google addict
Political Access
Joined
18 Apr 2005
Messages
109
guys anyone heard bout this latest virus thats killin me msn, basically i've done all the virus scans and its still there, i cant do ctrl-alt-del, it sends on a link to my contacts evry so often like download the latest version of msn and then the link

do NOT click on the link!

http://www. warezddls.com/funny-stuff/download3849.exe
 
It would be best not to post the link of the virus. for the safety of the members and vistors. try using a trojan remover software
to remove the pest... on another note, dont ever click on a link in your messanger with the word warezddl..:rolleyes:


trojan remover software


and remember...............
# Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.

# Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it.

# Do not open any files attached to an email if the subject line is questionable or unexpected. If the need to do so is there always save the file to your hard drive before doing so.

# Delete chain emails and junk email. Do not forward or reply to any to them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.

# Do not download any files from strangers.

# Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.

# Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should be at the least the products virus signature files. You may also need to update the product's scanning engine as well.

# Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.

# When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates which include those for your operating system web browser, and email
 
Last edited:
I think this was just a warning to were the link was directing him, I dont think he had an intention to post an illegal site
 
zeke_mo said:
I think this was just a warning to were the link was directing him, I dont think he had an intention to post an illegal site


my bad...:eek: corrected post...
 
thanks for the headsup with the url
i friend just sent me the link on msn and this time it was the same place but no exe in the url

i bet if i clicked the link it would open the sava as wizard

anyway

how do we clean these?
 
no luck, tried a few malware removers and antivirus products, they seem to be just classic symptoms of other viruses, but another thing bugs me, i cant access anti-virus sites such as symantec, trend micro, grisoft, etc.

i dont want to do a re-install because then i'll never find out the cause, or the virus itself... :(

forgot to include, copies of task manager and msconfig showed nothing out of the ordinary :(
 
Xie and I investigated the virus earlier on IRC.

Symantec, trend and grisoft are probably not that much good in any kind of serious virus problem as they are some of the poorer scanning engine son the market.

TRy Nod32 or Kaspersky AV (Xies kaspersky for mac detected it correctly) or failing that - format and reinstall.
 
Look here for a command line process killer. Kill whatever process(es) you suspect is the virus or under the control of the virus. Once killed, taskman.exe should be accessible and any virus scan should be able to remove it. Some virii require the registry to be edited to completely remove any recurrance and others can hide in the boot sector. Remember to turn off System Restore and reboot to remove any backup of a virus that might be hiding in there. This site could be helpful in your case, it sounds like you have the "W32.Aplore@mm" virus.

PS I also heard that it could be "Explorer.exe" in msconfig startup that initiates it.
 
Word.

W32.Aplore@mm is a mass-mailing worm that attempts to spread using email, IRC, and AOL Instant Messenger (AIM).

MSN is not affected.

Can I get a Hijack This log?
 
one hijack this log
==============

Logfile of HijackThis v1.99.1
Scan saved at 17:33:12, on 22/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dynu Systems\Basic\basicsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dynu Systems\Basic\DynuBas.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Brendan\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svshost] C:\WINDOWS\system32\nirndh\svshost.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Basic Client.lnk = C:\Program Files\Dynu Systems\Basic\DynuBas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
 
i sed i'd post the logfile separately, now there is a lotta junk in there and fair credit to LordOfLA for the kaspersky link, the TRIAL version, found no less than FOURTEEN viruses! and then i ran the NOD32 which caame up with nothing.

Now i have back my task manager, regedit, msconfig etc, but some antivirus websites i still cant access, so i know theres stil something there, e.g-

like when i google "symantec" i can access symantec.co.uk, but i cant access symantec.com, it just comes up "page not displayed" on the first try, and then http://www.google.ie/search?hl=en&q=symantec&meta= on the second try. its pretty much the same with all the antivirus sites :(
 
Remove:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

and - not sure if you need this?
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

Otherwise most of this stuff checks out. It's a sweet trojan - that's for sure (still googling 4 ya)
 
Run that all in safe mode
(tap F8 at boot) choose 'Safe Mode' and run the scans again.
While in safe mode delete your cache and cookies for IE or whatever your browser is at this time.

Then run CCleaner - www.ccleaner.com - in safe mode.

can you give the list of the 14 Lord's recommended software found?
 
"14 Lord's recommended software"?? :(

wel i jst dun a regedit there without typin the *.exe and got a blank DOS box with regedit.com in the titlebar. so i got to the proper regedit by addin the exe and searched for symantec hopin to find some key that stopped my browser (IE6) from opening these antivirus sites, but no luck :(

i really appreciate all the help on this one, i even e-mailed the admin@"that"site.com to alert him to the fact that his site was propagating the virus but as yet have got no reply.

I normally would have done a fresh format ages ago, but i'm really interested now in solving this one cuz, if you'll ppardon the pun- its really buggin me. I dont kno wat it is, or the name of it or anythin :(
 
Psyborg said:
and fair credit to LordOfLA for the kaspersky link, the TRIAL version, found no less than FOURTEEN viruses!

That one. Gimme list of the offenders. All 14 of em.
 
ah i dont stil have em :( i deleted em all from the quarantine and then i had to uninstall norton, mcafee, avg, and kaspersky, to install nod32 ( i ran each prog and uninstalled before i installed the next one so there would be no conflicts ) :(

im gonna restart now in safe mode and try all that stuff in ur last post and then i'll be back on to update you, and thanks for this :)
 
shizz.....

also remove this (unless you knowingly have a proxy server)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
that's probably what's stopping you from getting to symantec.

and don't worry, this is my favorite game (tracking and killing computer garbage) - we will figure it out.

also - paste me your current hosts file. if you don't know how to get to it let me know.

*********** Just read your last.... going for lunch - be back in an hour. *************
 
wahey, finally in leaps and bounds, i didnt even know such a file existed, and i'd forgotten to mention that IE was redirecting me to 127.0.0.1 sumtimes, and now i know why, and i know why i couldnt access the websites! take a looksie at the hosts file: View attachment hosts.txt

and i learned a whole load o stuff, and now, while im waitin for Mastershakes im gonna go ahead n mod the hosts file andd see how that works for me :)


edit: Mastershakes U BEAUTY!! lol :D

works like a charm now :)
 
Last edited:
Well im glad that worked out... too bad I was late for the party... lol =P
 

Members online

No members online now.

Latest profile posts

Also Hi EP and people. I found this place again while looking through a oooollllllldddd backup. I have filled over 10TB and was looking at my collection of antiques. Any bids on the 500Mhz Win 95 fix?
Any of the SP crew still out there?
Xie wrote on Electronic Punk's profile.
Impressed you have kept this alive this long EP! So many sites have come and gone. :(

Just did some crude math and I apparently joined almost 18yrs ago, how is that possible???
hello peeps... is been some time since i last came here.
Electronic Punk wrote on Sazar's profile.
Rest in peace my friend, been trying to find you and finally did in the worst way imaginable.

Forum statistics

Threads
62,015
Messages
673,494
Members
5,621
Latest member
naeemsafi
Back