IM AN IDIOT!
Someone sent me the MSN malware as a practical joke, it keeps sending itself to other people.
how do i remove it???
I dont have an AV at the min as i have just recieved my PC back from Dell reinstalled, I have KASPERSKY AV 08 (V.7) but i cant install it to remove malware because it has removed acsess to CD drive.

You can find a copy of the hijackthis log at http://seywar.110mb.com/hijackthis.log

KASPERSKY VIRUS DATABASE:

Backdoor.IRCBot.AIU



Backdoor.IRCBot.AIU spreads via MSN Instant Messenger Application.
Date Discovered
10/2/2007 6:00:00 PM

Added DAT Info 7.10.114
Threat assesment Low
Virus Type Backdoor
Affected OS Windows XP
Windows 2003 Server
Windows 2000
Windows ME
Windows 98

Length 76288 bytes
Aliases W32.Scrimge.O (Symantec)


On execution, the backdoor performs the following operations :


Sends one of the following messages to all the MSN Instant Messenger contacts on the infected machine:
?cette vieille image que j'ai trouv : |
?este retrato realmente de voc?? verificao louca do retrato ele para fora
ay no ese pelo fue lo mas chistoso...q estabas pensando
Caricher?questa foto al mio myspace adesso Qui sono il fotos di ci
Check out my nice photo album.
daut de la reproduction sonore ! regard
ehi aggiunger?quest'immagine di noi al mio weblog
ehi metter?quest'immagine di noi sul mio myspace :>
esa foto de tu y yo la voy a poner en myspace
Est aqui meus retratos confidenciais para somente n Eu estou indo p
Estas s as fotos que eu quis o mostrar
este retrato de n sobre meu Web site
Eu amo este retrato de nossos amigos
Eu cant acredito que este retrato ?voc? |
h?je vais mettre cette image de nous sur mon myspace :>
h?veux tu voir mes image de vacance??
Haha sollten Sie dieses Ihre Rkstellung auf myspace oder etwas pic bilden
haha vous devriez rendre ceci votre daut pic sur le myspace ou quelque chose
haha you moet die je standaard foto maken op hyves of myspace
he heb je ooit deze foto laten zien ?
he ich zeige Ihnen diese Abbildung von mir erhaupt?
he werde ich diese Abbildung von uns auf mein myspace setzen
he werde ich diese Abbildung von uns meinem weblog hinzufen
Here are my private pictures for you
hey eu fiz exame deste retrato fresco de mim em fias
Hey i zet deze foto van ons even op mijn myspace
hey ik voeg deze foto van ons ff toe op mijn weblog lol
hola esas son las fotos
I found these old school pictures... LOL
ik kan me nog herrinneren toen je haar zoals dit had
IS THIS REALLY YOU ??? i cant remember who sent it to me...
j'ai fais pour toi ce photo album tu dois le voire
jaja debes poner esa foto como foto principal en tu myspace o algo
jaja lei dovrebbe fare quest'il suo pic predefinito sul myspace o qualcosa
jaja recuerda cuando tuviste el pelo asi
jaja ricordo quando lei aveva i suoi capelli come questo
jajaja yo me recuerdo cuando tuvistes el pelo asi
JIESHOU WO DE ZHAO PIAN :> !!.
kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :<.
KAN WO DE ZHAOPIAN .
le lol se rappellent quand vous aviez l'habitude d'avoir vos cheveux comme ceci
lol erinnern sich, an als Sie pflegten, Ihr Haar so zu haben
mes photos chaudes
metta questi fotos in suo pagina myspace
mhten den pics von meinen Ferien sehen?
My friend took nice photos of me.you Should see em loL!
NI HE WO !!! .... QING KAN .
OMG YOU HAVE TO SEE THIS PICTURE!!!!
oye ponga esa foto en tu myspace como la foto principal voy a poner esa foto de nosotros en mi blog ya
oye voy a agregar esa foto a mi blog ya
oye voy a poner esa foto de nosotros en mi myspace :->
Per favore nessuno lasciare vede le nostre foto Io ricordo quando abbiamo portato questa fotoQueira ver esta foto que eu fiz exame de voc?o outro dia?
VOC?TEM QUE VER ESTE RETRATO DE MIM
Voc?viu este? o presidente est?inoperante...........
wanna see the pics from my vacation? :>
wil je fotos zien van mijn vakantie wow! moet je eens kijken welke foto ik nu gevondenhebWimmern! Blick auf diese alte Abbildung, die ich: fand
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :S !!.
ZHE SHI WO DE LUOZHAO :O QING BU YAO FA GEI BIEREN !!.

The file picts-[4 Random Digits].zip will be sent as an attachment along with the above message to all the contacts.
This .zip contains the file img0794-www.photoshare.com, which is a copy of the backdoor.
Copies itself as jucheck.exe in the %System%\dllcache folder.
Copies itself as picts-[4 Random Digits].zip in the Windows folder.
Adds the value
"jucheck" = "%System%\dllcache\jucheck.exe"

under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run

in the Windows registry to hook system startup.

Modifies the value
"%System%\dllcache\jucheck.exe" = "%System%\dllcache\jucheck.exe:*:Enabled:Windo ws Sharing"

under the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\Authoriz edApplications\List

in the Windows registry to lower security settings.

May connect to a specific IRC channel on a certain IRC server to await remote commands.

**bump**

Please post your hijackthis log into this post.



Download MSNFix.zip (by !aur3n7) on your desktop :
http://sosvirus.changelog.fr/MSNFix.zip

Unzip it (right click >> Extract here) and double click the file MSNFix.bat.
-Choose your language by pressing the letter corresponding to your language (E for english).
-Execute the option R.
--If an infection is detected, a message will indicate it and it will be enough to press any key to launch the cleaning.

Note :
If a delete error is detected a message will appear asking to reboot the computer to finish operations. In this case you just need to reboot in normal mode.

-The log will be saved in the same folder as MSNFix in date_hour form.

Post that log and a new hijackthis log please, into this thread.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:32, on 07/12/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Seymour\AppData\Local\Temp\Temp1_picts-9815.zip\img0794-www.photoshare.com
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 3474 bytes

What is going on now?

Did msnfix find anything?

Still problems?

sorted!

still was having problems but kespersky have setup a removal tool that fixed it :-)