AOL Instant Messenger Virus

Name: CDCoolguy
Date: September 15, 2003 at 18:55:52 Pacific
OS: Windows XP
CPU/Ram: Pentium 4, 2.4 GHz, 512 M
Comment:

I inadvertently clicked on a link that someone sent me that said "Yo! Check out this camera I'm gonna get! Click Here", and by clicking on that I was infected with what my Symantec Anti-Virus says is the W32.Spybot.Worm Virus. The virus occasionally deletes messages that I send out to other people and replaces them with the "Yo! Check out..." message that attempts to get others to get the virus.

I tried following Symantec's removal instructions from their website and I have done multiple scans with no results. When I originally clicked on the link, I was given notification that the link contained a virus and that the W32.Spybot.Worm virus had been placed in quarantine. Regardless, despite my attempts to delete the file in question with Symantec, I still have the virus. Please help me if you can.




Response Number 1
Name: www
Date: September 15, 2003 at 22:49:39 Pacific
Reply:

Try the thirty-day free trial of Trojan Remover. After downloading and installing, click on update to get the latest definitions; W32.Spybot is listed in its removal database.


0

Response Number 2
Name: CDCoolguy
Date: September 16, 2003 at 11:28:19 Pacific
Reply:

I installed the remover and unfortunately it did not detect anything...


0

Response Number 3
Name: Imp
Date: September 17, 2003 at 00:22:51 Pacific
Reply:

Only one last solution: erase AIM (AOL Instant Message) and reinstall it later...


0

Response Number 4
Name: theSpartan
Date: September 17, 2003 at 11:46:09 Pacific
Reply:

Uninstall and reinstall won't help. Maybe if you uninstall then delete the remaining AIM95 folder, but I think I tried that and it didn't work. I ran the latest Nortons in safe mode and that cleaned off the spybot virus, but I'm afraid this has to be a separate virus. What do you have under Run in your registry?


0

Response Number 5
Name: CDCoolguy
Date: September 17, 2003 at 13:10:32 Pacific
Reply:

I've surfed the web and read a lot of the stuff about things to look for in the registry. Unfortunately, nothing has matched up. I've tried the uninstall and reinstall and that definitely does not work. Is there anything in the registry in particular I should look for?


0



Response Number 6
Name: theSpartan
Date: September 17, 2003 at 13:18:13 Pacific
Reply:

Just look for the stuff in the Run sections. List them and we can compare what is in each other's. I suspect if we delete the right entry we should be fine, but sometimes it's hard to tell what is supposed to be in there and what is not. Could you post the message you send and the URL the link points to? I want to submit them to Trend Micro but I won't have access to my friend's PC, who actually has the virus, for a day or two.


0

Response Number 7
Name: CDCoolguy
Date: September 17, 2003 at 16:12:33 Pacific
Reply:

Here are the values in my registry:
AltnetPointsManager
AtiModeChange
ATIPTA
AutoBar
CARPService
Cpqset
Display Settings
hpsysdrv
PreloadApp
QT4HPOT
QuickTime Task
srmclean
SynTPEnh
SynTPLpr
vptray
winupdat

And the link that loads the virus on to your machine (DON'T CLICK THIS LINK...OBVIOUSLY!)


http://172.16.38.252:3338/JVCGRDV800USMiniDVDigital.pif


0

Response Number 8
Name: theSpartan
Date: September 18, 2003 at 05:49:54 Pacific
Reply:

The only one I have the same is winupdat, but I was suspicious of this one because I have auto updates on my W2K machine and there is no entry for it in my Run. Another friend of mine with XP says they have auto update configured too but they have no entry in their Run either.

Try deleting that value and rebooting; it wouldn't hurt to run a scan after the reboot either. Let me know if it works. And don't worry, you can always reconfigure auto update if in fact it was a legit value.


0

Response Number 9
Name: BARapa
Date: September 21, 2003 at 15:23:11 Pacific
Reply:

I have the exact same problem. It is actually impossible to get rid of this thing. It says it's not there, but it is still sending itself to people. If you figure it out, please tell me what to do.


0

Response Number 10
Name: theSpartan
Date: September 22, 2003 at 05:20:49 Pacific
Reply:

Deleting the winupdat value from HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and then running an anti-virus scan in safe mode seems to work.


0

Response Number 11
Name: theSpartan
Date: September 24, 2003 at 07:48:47 Pacific
Reply:

Here is a more complete fix.

http://www.skywolf.net/fixes/aim.html


0

Response Number 12
Name: JonathanKane
Date: October 10, 2003 at 08:00:50 Pacific
Reply:

CDCoolGuy,

I work for a TV news company that is doing a news story about what you've just gone through. We'd like to interview you about your experience as our personal (we need to put a human face on the issues to show people "it can happen to you.") If you're willing to be interviewed (and you live in the USA - we can't shoot outside the US), please e-mail me as soon as possible so we can set something up. Your help will be greatly appreciated. Please get back to me as soon as possible.


0

Response Number 13
Name: mscho74
Date: October 11, 2003 at 20:47:01 Pacific
Reply:

This thing is driving me crazy as well!

Norton Antivirus keeps warning me about this virus but states that it could not repair it. I checked the log files and it states:

Date: 10/11/2003, Time: 18:46:32, Guest on INSPIRONLAPTOP
The file
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\OPEN_ME.exe
is infected with the W32.Spybot.Worm virus.
Access to the file was denied.

The problem is, the "Documents" folder does not exist! At least, I cannot find it using Windows.

I went to Symantec's page, and they advise a manual fix (Windows in Safe Mode, Run Scan, Check/Delete using RegEdit).

I followed all of their steps, and still no luck. The "virused" file cannot be found in the Run and RunOnce RegKeys.

Can anyone help? Is this thing capturing my passwords and sending them out? I'm completely paranoid at this point.

Thanks!


0

Response Number 14
Name: JonathanKane
Date: October 13, 2003 at 08:23:08 Pacific
Reply:

Hi,

I'm still looking for somebody to interview about IM viruses, especially the one we're talking about now (see my earlier post). If anybody can help me out with this, not only will you be helping me out, but you'll also help warn lots of people about this problem and make sure nobody else gets this virus.


0

Response Number 15
Name: Merry6319
Date: October 19, 2003 at 17:34:48 Pacific
Reply:

Try this: Open Task Manager, click Processes tab. In the list of running programs, locate the malware process: WUAUMQR.exe. Select and either End Task or End Process. To see if it's been terminated, close Task Mgr., open it again.

To remove Auto Start entries from Registry:

1. Click Start>Run, type Regedit, then press Enter.
2. In left panel, dbl click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>current version>Run
3. In the right panel, locate & delete: WINSOCK2 driver=WUAUMQR.exe
4. In the left panel, dbl click the following: HKEY_current_user_>software>microsoft>windows>current version>Run Once
5. In the right panel, locate and delete entry: winsock driver=WUAUMQR.exe

I hope this works for you as I am having trouble getting Task Manager to stay open. Any advice?


0
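Several replies above come down to reading the Run and RunOnce keys by hand and guessing which value does not belong. The following PowerShell sketch is an added example, not code from any poster in this thread: it lists every value in those four keys, resolves the program each one starts, and reports whether the file exists and carries a valid Authenticode signature. The helper name `Get-CommandTarget` is hypothetical, and PowerShell itself is an assumption (it was not part of Windows XP as shipped).

```powershell
# Added example (not from the thread): audit the Run/RunOnce autostart keys.
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Hypothetical helper: pull the program path out of an autostart command line.
function Get-CommandTarget {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }            # "C:\dir\app.exe" -arg
    if ($c -match '^(.+?\.(exe|com|bat|cmd|pif|scr))(\s|$)') {    # C:\Program Files\app.exe -arg
        return $Matches[1]
    }
    return ($c -split '\s+')[0]                                   # bare name without extension
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-CommandTarget $command
        $file    = $null
        if ($target) {
            if (Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue) {
                $file = (Resolve-Path -LiteralPath $target).Path
            } else {
                # Bare file names: fall back to a PATH lookup
                $app = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($app) { $file = $app.Path }
            }
        }
        $status = if ($file) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'FileNotFound' }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $command; File = $file; Signature = $status
        }
    }
}

# Entries whose target is unsigned, tampered with or missing sort first for manual review
$report | Sort-Object { $_.Signature -eq 'Valid' }, Key, Name |
    Format-List Key, Name, Command, File, Signature
```

A `NotSigned` or `FileNotFound` result is a reason to look closer, not a verdict, since plenty of legitimate startup programs are unsigned. Reading the HKLM keys works from a normal account; removing a value from them needs an elevated session.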

Response Number 16
Name: cleatondumas
Date: October 23, 2003 at 17:16:46 Pacific
Reply:

Sometimes if you disable backup and delete all shares, you get rid of hidden viruses.

Also, you can get HijackThis, do a scan and post it on here and other forums for tech support, and some can help you.

I just got a free antivirus that got rid of 8 viruses that AVG and Panda online scan did not. I believe it scans for trojans too. It is called AVAST 4.0 home edition. Very good, much better than AVG for me.

This got rid of spybot worm and many others from my machine.


0
