Another AIM virus

Discussion in 'malware problems & news' started by max42, Sep 8, 2003.

Thread Status:
Not open for further replies.
  1. max42

    max42 Guest

    I have an AIM related virus where my IM sends the message: "Yo!! New Camera piC". Clicking on the piC link downloads the virus. It doesn't really seem to do anything else, but it's annoying to be sending these messages to my friends.

    My HijackThis log is as follows:

    Logfile of HijackThis v1.96.4
    Scan saved at 9:34:40 PM, on 9/8/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\winupdat.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Warcraft III\war3.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\rbraun\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.princeton.edu/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.princeton.edu/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23e3c24e7dea827efb00/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37763.4696759259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princeton.edu
    O17 - HKLM\Software\..\Telephony: DomainName = princeton.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princeton.edu

    any help would be great. cheers.
    Max
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi max42,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23e3c24e7dea827efb00/netzip/RdxIE601.cab

    Reboot after doing so, preferably into safe mode
    and rename the following files from .exe to .bak:
    C:\WINDOWS\winupdat.exe <= definitely not what it pretends to be. Please mail that file to the addy in my profile
    C:\WINDOWS\System32\wltrysvc.exe <= Can't find anything about this one, check it's properties before renaming it

    Regards,

    Pieter
     
  3. max42

    max42 Guest

    Thanks so much, that seems to have cleared things up.

    cheers
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi max42,

    Glad we were able to help. :)
    If you sent me winupdat.exe it got lost somewhere. I really would appreciate it, so it can be spread among developers.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.