Stupid Aim Beach Pix Virus

There was a link in my friend's profile that said "Check out my new beach pix" followed by a link. Stupid me clicked the link!! When I press Ctrl+Alt+Del the thingie pops up for a minute and then closes, and I've tried Spybot; that didn't help. Every 5 minutes an away message would pop up on my AIM and it would have that link in it, so I signed off AIM, but now every 5 minutes it just signs right back onto AIM. PLEASE HELP, I HAVE NO IDEA WHAT TO DO!! I asked my friend about it; she said it was a virus, and I really don't know what to do about it. Please help! Thanks

HERE'S MY HIJACKTHIS LOGFILE THINGIE:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:40 PM, on 10/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\popcorn72.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\AOL\1128286338\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128286338\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1128286338\ee\AOLServiceHost.exe
C:\WINDOWS\SYSTEM32\csrcs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\AntiVirus\hIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\AntiVirus\SpybotSnD\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [Windows Custom Services] CSRCS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\AntiVirus\SpybotSnD\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Windows Custom Services] CSRCS.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

Comments

  • lemonlimelemonlime Canada Member
    edited October 2005
    Hi LiLbLoNdHoTTi158,

    Take a look at TheSMJ's removal guide available at the following link:
    http://www.short-media.com/forum/showthread.php?t=16748

    If you have any difficulties, let us know and we can further assist.

    <<EDIT>>

    It does appear that you have the TrojanDownloader:Win32/Small.MA virus.

    You should remove this line from HijackThis immediately:
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile

    Also, try to 'End Task' the popcorn72.exe application from the task manager (CTRL+ALT+DEL, Task Manager, Processes, select popcorn72.exe and click End Process).

    I'd also recommend a full system scan using an anti-virus application. If you do not have one, you can use some on-line tools, such as Trend Micro's. Please post the results in this thread.
  • edited October 2005
    NEW LOGFILE:


    Logfile of HijackThis v1.99.1
    Scan saved at 6:27:36 PM, on 10/3/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\popcorn72.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Common Files\AOL\1128286338\ee\AOLHostManager.exe
    C:\Program Files\Common Files\AOL\1128286338\ee\AOLServiceHost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\SYSTEM32\csrcs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\AOL\1128286338\ee\AOLServiceHost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\AntiVirus\hIJACK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
    O4 - HKLM\..\Run: [Windows Custom Services] CSRCS.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\AntiVirus\SpybotSnD\TeaTimer.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunOnce: [Windows Custom Services] CSRCS.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  • lemonlimelemonlime Canada Member
    edited October 2005
    Sorry, I overlooked this initially, but it appears that you have the TrojanDownloader:Win32/Small.MA virus.

    You should remove this line from HijackThis immediately:
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile

    Also, try to 'End Task' the popcorn72.exe application from the task manager (CTRL+ALT+DEL, Task Manager, Processes, select popcorn72.exe and click End Process).

    I'd then recommend a full system scan using an anti-virus application to pick up the rest of the virus. If you do not have one, you can use some on-line tools, such as Trend Micro's Housecall. Please post the results in this thread.
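
Checking a follow-up HijackThis log against the earlier one shows whether a flagged autorun entry was really removed and whether its process is still running. This is an added example, not part of the original thread; the function names are hypothetical and the sample log is constructed by trimming lines from the logs posted above.

```python
import re

# Constructed sample: lines trimmed from the first log in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\popcorn72.exe
C:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
# Constructed second log: as in the thread, AdaptecDirectCD is gone, ControlPanel is not.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "AdaptecDirectCD" not in l)

# O4 registry autoruns look like: O4 - <hive\..\key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def autoruns(log):
    """Map (location, value name) -> command for every O4 registry autorun line."""
    out = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out[(m["loc"], m["name"])] = m["cmd"].strip()
    return out

def running(log):
    """Lower-cased image paths listed under 'Running processes:'."""
    _, found, body = log.partition("Running processes:")
    block = re.split(r"\n\s*\n", body.strip("\n"), maxsplit=1)[0] if found else ""
    return {p.strip().lower() for p in block.splitlines() if p.strip()}

def check_removed(before, after, image):
    """Report whether `image` lost its autorun entries and stopped running."""
    image = image.lower()
    a_before, a_after = autoruns(before), autoruns(after)
    return {
        "removed_entries": sorted(set(a_before) - set(a_after)),
        "leftover_autoruns": sorted(k for k, c in a_after.items() if image in c.lower()),
        "still_running": any(p.endswith("\\" + image) for p in running(after)),
    }

if __name__ == "__main__":
    print(check_removed(LOG_BEFORE, LOG_AFTER, "popcorn72.exe"))
```

A non-empty `leftover_autoruns` or a true `still_running` means the entry has to be fixed again and the process ended before rescanning.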