AIM virus

**Angmar_nite** · May 30, 2007, 06:05 PM

My friend sent me a virus (not intentionally I think), and I accidentally clicked it. It was a .com files...

What happens is, is that periodically when I'm online, I mass send the virus. My friend used to have it and nothing he had would detect it, and AVG wont detect it on my comp either.

The only thing thats appeared is 2 trojans on auto protect. But they won't get deleted.

Some help please?

Someone even warned me!

**Elrond** · May 30, 2007, 06:09 PM

Try another anti virus software - most are good.

**~~removeduser_426582376423734~~** · May 30, 2007, 06:14 PM

What's it called?

**Angmar_nite** · May 30, 2007, 06:16 PM

Both show up as trojans. Neither can be deleted. One is bootloader.exe, which is unseeable in C:\ while the other is in C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6GMXW7A2

I can't manually delete both, but I suspect that it would be useless.

Edit: Drink?

**~~removeduser_426582376423734~~** · May 30, 2007, 06:18 PM

Try ewido antispyware.

**Angmar_nite** · May 30, 2007, 06:21 PM

Ewido ehhh. I used to use that, but heard they merged with AVG which what I use. I'll give it a shot.

**Incinerate_IV** · May 30, 2007, 09:17 PM

Delete it in safe mode, it's worth a try.

**Angmar_nite** · May 31, 2007, 05:45 AM

It will probably work, but how will I initiate autoprotect in the first place once safe mode has started?

**Legio XX** · May 31, 2007, 06:44 AM

1. Update your virus software to include the latest definition files.
2. Run a full system scan.
3. If any files are detected as infected with VBS.Waterworks.Worm, delete them.
4. Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

BootLoader C:\WINDOWS\SYSTEM\BootLoader.exe.vbs

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete the value:

Win32 Strt.EXE \Win32 Strt.exe.vbs (or %windir%\Win32 Strt.exe.vbs)

Exit the Registry Editor.

If your anti-virus software doesn't work, visit http://www.free-av.com/ and download AVIRA (free version). You can also download a software called hijackthis.exe to search your registry files. Also a program called startuplist.exe is useful when looking for malicious software... You'll find the last two programs with Google...

**Angmar_nite** · May 31, 2007, 04:21 PM

AVG free edition and AVG antispyware both won't detect anything except some adware which were quickly deleated. Nothing espicially malicious. I skipped to step 4, but there was no C:\WINDOWS\SYSTEM\BootLoader.exe.vbs

or RunServices

so im going to try avira and scan with that, then search the registry again.

Edit: That's one trojan down at 50%! It was TR/Crypt.ULPM.Gen! Let's see if there are any more.

On another note, will I mass send the virus if I make another account or use AIM 6.0 instead of 5.9?

**Legio XX** · June 01, 2007, 06:05 AM

You can also try this removal tool to see if it helps:

http://www.avira.com/en/support/anti...r_windows.html

**Angmar_nite** · June 01, 2007, 04:03 PM

I've been doing lots of stuff. In the end it was a quickscan by symantec that found it -aolspy.exe. However in the mean time, I did purge many other bad stuffs from my computer.

Thanks Legio!
Edit: I've done a few more scans for the sake of it, and often it would simply reach a file and progress no further (the time thing keeps ticking). I've waited whole nights but it seems that the scan is stuck at that point.

**Professor420** · June 02, 2007, 11:59 PM

http://icrontic.com/forum/

Ask there. You'll be all fixed up in no time.

**Legio XX** · June 04, 2007, 02:09 AM

Try this tool to remove aolspy.exe...

1. Download SDFix and save it to your Desktop.

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Please then reboot your computer in Safe Mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
5. Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
6. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Hopefully this helps...

**Angmar_nite** · June 05, 2007, 09:39 PM

The forum Prof420 recommended recommended me a aimfix.exe which seems to have worked great!

Now we are working on fixing any other possible errors.

**Legio XX** · June 08, 2007, 05:51 AM

From what I have heard aimfix.exe stops the virus from working but doesnt remove it... I might be wrong... Glad you solved your problem!

**Pnutmaster** · June 09, 2007, 10:23 AM

My sister, a product of this 'lol'/myspace generation, inadvertently downloaded the same bootloader.exe on her computer.

I was first made aware of the Trojan by a periodical AVG free Computer Scan. With the file safely secured in the AVG Virus Vault, I assumed my troubles were over. The following day a score of new Trojans were discovered in the Temporary Internet Folder.

Registry files were cleaned, SDFix and aimfix.exe were both run, yet the Trojans found a way to return every time (I now have a collection of 30 Trojans in the AVG Virus Vault, captured between yesterday and the 31st of May).

Though I had been unplugging my sister's CAD5 cable continuously between daily AVG scans and experimental internet surfs, the lovely exes found a way to travel across My Network Places and insert themselves onto my new computer. In the ultimate expression of frustration (partly towards the virus's writer, AIM, and my sister's IMing habits), I deleted the partition on the drive (to save myself the hassle of deleting viruses and sweeping registry keys only to discover more viruses).

I have yet to wipe my sister's ancient 20 gig hard drive, but in this brief interlude, I wonder, are there any other alternatives...and how the hell were these Trojans returning? Were 'normal' Windows registries corrupted, instructing the Trojans to redownload themselves every time my sister's computer was reconnected to the internet?

Bah...I'll paste this at http://icrontic.com/forum/

**Angmar_nite** · June 09, 2007, 04:32 PM

The lol/myspace generation is great!

But anyways, I highly recommend the forum prof posted. They erradicated every last trojan and none have came back yet.

If you want to see what they did with me look at the aolspy.exe and 97 viruses thread.

**Pnutmaster** · June 11, 2007, 04:47 PM

To alleviate any and all fears (

), I am pleased to say that the Icrontic Forums provided me with the resources to successfully clean my registry and hard drive of malware.

My thanks to you for the link, Prof!