Removal guide for "bestfriends.scr" AIM adware/virus.
PLEASE SEE THE UPDATED REMOVAL GUIDE FOR THE MOST CURRENT INFORMATION.
Click here for the updated guide.
My sis managed to get one of the family comps infected with what would appear to be a new variant to the "bestfriends.scr" AIM adware/virus.
She clicked a link in somebody's away message with a link labeled "LOOK HERE". Clicking the link would launch the default web browser and ask you to download the file bestfriends.scr.
Upon executing the downloaded file, two popups would appear which both contain banners hosted on an Angelfire site, along with setting the same AIM away message as mentioned before. Also, if one were to attempt to open either task manager or regedit on the infected machine, the windows would stay open for a mere second, and instantly close.
The installed executable could be named one of two things: either YAHOOMSG.exe or NETSTATT.EXE, both saved in your %winroot%\system32 folder. To find out which variant you have, I'd recommend closing everything related to AIM and Yahoo Messenger, running HijackThis, and removing EVERYTHING labeled [Yahoo Messenger] in HJT.
After you check the files and remove them, wait 10 seconds and have it scan again. Any file(s) which reappear on your list labeled as [Yahoo Messenger] are your culprit file (I have seen it labeled either "YAHOOMSG.EXE" or "NETSTATT.EXE", but your results may vary).
To remove this file for good, boot Windows into safe mode, select Start/Run and type "cmd" (without quotes) into the new dialog box and hit "Ok". A DOS-like console box will open. In the box, type:
cd\ **ENTER**
cd %systemroot%\system32 **ENTER**
DEL *the filename found* **ENTER**
Note - **ENTER** = press the Enter key on your keyboard.
Once you have done this, reboot the machine back into normal mode. Run HJT again, and check and remove the infected file from the list (if the file starts reappearing in the HJT log, go back into safe mode and repeat the steps above, being sure you haven't received any errors) AND the "AIM Button".
Assuming you have followed these steps correctly, you should now be rid of the problem. If not (or you cannot find the files causing it) please post your HJT log.
Edit: Other files found which may be the cause of the problem (as taken from a HJT log):
[AOL Messenger] HQSNPFLH.EXE
[Microsoft Gina V Encryption] MSGINAV.EXE
IF YOU HAVE OTHER SPYWARE IN YOUR HJT LOG YOU MUST MAKE A NEW POST TO GET HELP WITH REMOVING IT. THIS THREAD IS FOR BESTFRIENDS.SCR ONLY!
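As an added detection aid (not part of the original post or of HijackThis itself), here is a small Python parser for the O4 autostart lines of a HJT log. It flags entries using only the indicators this thread gives: the labels and file names listed above, and the same label registered under both Run and RunOnce, the pattern visible in the logs posted in the comments. The sample log lines are constructed, modelled on those logs.

```python
import re

# Constructed sample O4 lines in HijackThis format (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Messenger] HQSNPFLH.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [AOL Messenger] HQSNPFLH.EXE
O4 - HKLM\..\Run: [Yahoo Messenger] NETSTATT.EXE
"""

# Labels and file names this thread reports for the adware.
KNOWN_LABELS = {"yahoo messenger", "aol messenger", "microsoft gina v encryption"}
KNOWN_FILES = {"yahoomsg.exe", "netstatt.exe", "hqsnpflh.exe", "msginav.exe", "aolmsngr.exe"}

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices): \[(.*?)\] (.*)$')

def parse_o4(log_text):
    """Return one dict per O4 autostart entry: hive, key, label, command."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, label, command = m.groups()
            entries.append({"hive": hive, "key": key, "label": label, "command": command})
    return entries

def image_name(command):
    """Strip quotes and arguments; return the bare executable name, lowercase."""
    cmd = command.strip()
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_entries(log_text):
    """Flag entries with a known label, a known file, or the same label under
    both Run and RunOnce. Bare file names resolve via system32, as in the thread."""
    entries = parse_o4(log_text)
    labels_by_key = {}
    for e in entries:
        labels_by_key.setdefault(e["label"].lower(), set()).add(e["key"])
    flagged = []
    for e in entries:
        reasons = []
        if e["label"].lower() in KNOWN_LABELS: reasons.append("known label")
        if image_name(e["command"]) in KNOWN_FILES: reasons.append("known file")
        if {"Run", "RunOnce"} <= labels_by_key[e["label"].lower()]: reasons.append("Run+RunOnce pair")
        if reasons:
            flagged.append((e["hive"], e["key"], e["label"], image_name(e["command"]), reasons))
    return flagged
```

Paste a real HJT log into `SAMPLE_LOG` (or read it from a file) and print `suspicious_entries(...)`; unflagged bare names such as SOUNDMAN.EXE are left alone, so this narrows the list rather than replacing a manual review.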
Comments
Logfile of HijackThis v1.97.7
Scan saved at 7:49:24 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\HQSNPFLH.EXE
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Lemon Software\AOL Hider\AOLHider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jordan\My Documents\HijackThis.exe
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [AOL Messenger] HQSNPFLH.EXE
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [AOL Messenger] HQSNPFLH.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38144.056724537
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{659CE590-2FD2-40CE-BAA0-9F26700759CD}: Domain = idenupdate.motorola.com
O4 - HKCU\..\RunOnce: [AOL Messenger] HQSNPFLH.EXE
Check to see if that file is in system32. If so, go into safemode and delete it like I outlined in my first post.
Logfile of HijackThis v1.97.7
Scan saved at 10:43:00 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\aolmsngr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Dominic Gagliardo\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redi...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Messenger] AOLMSNGR.EXE
O4 - HKCU\..\RunOnce: [AOL Messenger] AOLMSNGR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/013efeb...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8013.8954513889
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...5/Installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binari...tpe32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4451E1-126A-4B1B-96B9-250881F520FE}: NameServer = 205.152.37.23 205.152.144.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B4451E1-126A-4B1B-96B9-250881F520FE}: NameServer = 205.152.37.23 205.152.144.23
Any help would be appreciated. Thank you.
It also appears that you have quite a few other spyware related entries as well. Be sure to post your HJT log in another thread to get help with this.
I also cannot run 'msconfig' to start my computer in safe mode. It is acting just like the Task Manager, as it pops up for a second but then goes away. Any suggestions?
You need to also manually delete that file from your system32 folder.
Dexter...