can someone please help me on my hijackthis log

Unknown

Hey, I have the 'bestfriends' virus on my AIM and I cant find a way to get rid of it, can you help me???

Heres my log:

Logfile of HijackThis v1.97.7
Scan saved at 9:13:39 PM, on 9/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\XKF.EXE
C:\WINDOWS\SYSTEM\MSCRON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TS.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\MY DOCUMENTS\ERIC'S FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngi neMain
O4 - HKLM\..\Run: [Windows Services] C:\XKF.EXE
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [wkfiem] C:\WINDOWS\SYSTEM\kwkfjq.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7733.5933333333
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/...55/sdcregie.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/gam...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/gam...nts/y/pt1_x.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29c1a8f...ip/RdxIE601.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d9a51cd67008108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab

SpywareShooter

Welcome to Short Media Forums. Have you seen the [link=http://www.short-media.com/forum/showthread.php?t=16748]bestfriends.scr removal guide[/link] yet?

OSIRISskater08

yes i have tried it, and i cannot find any of the things it says to delete

OSIRISskater08

The virus I have makes my away message on AIM pop up and say the link to the 'bestfriends.scr' site where the virus is located.

OSIRISskater08

One of my friends got rid of this virus by using the JayLoden AIMFix, but when I downloaded it and try to run it nothing happens. I don't know what to do. Please help!!

primesuspect

This is the bestfriends part:

O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE

But you have a ton of other spyware.

First you need LSPFix from our security downloads page. Get that from my signature, run it, and then tell it to fix the LSPAK.DLL file. When that is done, reboot, and post a new log.

OSIRISskater08

Thanks a lot man!! Your a genius!

Heres my new log:

Logfile of HijackThis v1.97.7
Scan saved at 9:09:58 PM, on 9/8/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\XKF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSCRON.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\MY DOCUMENTS\ERIC'S FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Services] C:\XKF.EXE
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [wkfiem] C:\WINDOWS\SYSTEM\kwkfjq.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37733.5933333333
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29c1a8fc8b3d3d655103/netzip/RdxIE601.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8fdb4c19145711da9492ab0e6580b3c005a64b72a9dd4ffe503a6beb39cd4321a3ef475bcca80e50088793d40faab8a6054dab:697aaa231542f6fefd9a51cd67008108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

SpywareShooter

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [wkfiem] C:\WINDOWS\SYSTEM\kwkfjq.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d9a51cd67008108
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab


Have hijackThis fix those, then find and quarentine those files.

primesuspect

And then reboot and post a new log for us

OSIRISskater08

how do i find and quarintine these items??

OSIRISskater08

and o yeah, the 'best friends' virus came back on its own

primesuspect

Okay, next delete these items:


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Services] C:\XKF.EXE
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE

O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [wkfiem] C:\WINDOWS\SYSTEM\kwkfjq.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d9a51cd67008108

After you do all that, reboot, and then post a new log.

OSIRISskater08

ok, i delete all those things, now heres my new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:53:08 PM, on 9/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\XKF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
C:\WINDOWS\SYSTEM\MSCRON.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TS.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\ERIC'S FOLDER\HIJACKTHIS.EXE
C:\WINDOWS\WUAUCLT.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Services] C:\XKF.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [Microsoft CronD Service] MSCRON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunServices: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
O4 - HKCU\..\RunOnce: [Microsoft CronD Service] MSCRON.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37733.5933333333
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29c1a8fc8b3d3d655103/netzip/RdxIE601.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

OSIRISskater08

but can you please help me with the best friends virus??

primesuspect

Okay, look, we're trying to help you. If you want our help, just do what we ask and then when we are all done, you won't have bestfriends anymore.

Remove those entries, and reboot, and post a new log and we will go from there.

OSIRISskater08

i did, the log above what you wrote is my new one

primesuspect

Okay, now according to the Removal Guide (which you had mentioned you already followed), do this:

the removal guide that you already read wrote:

6. Now, to delete these files, one must force the computer into a state which it is unable to lock the user out of being able to remove them. To do this, you must boot Windows into “Safe Mode”.

To boot into safe mode:

* Reboot the machine while repeatedly pressing the “F8” key located on your keyboard. Stop once a menu appears.
* Use the arrow keys to select “Safe Mode” from the menu, and press Enter.

Once Windows finishes booting (it’s ok for it to look a little different compaired to booting Windows normally) you should successfully be in Safe Mode (you’ll also notice the word “Safe Mode” on all four corners of the screen).



7. Select Start, than Run (just as you have done in step 1). In the Run box, type “cmd”, than select the “Ok” button. A new, black window will open.



8. In the box, type:

1. cd\ **ENTER**
2. cd %systemroot%\system32 **ENTER**
3. DEL [the filename you found in step 5] **ENTER**

The files you need to delete are:

C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE

Then, you need to SEARCH your hard drive for MSCRON.EXE

- AS LONG AS YOU HAVE MSCRON.EXE ON YOUR SYSTEM, YOU WILL CONTINUE TO BE INFECTED BY BESTFRIENDS.

You MUST find this file and delete it, in safe mode.

Report back

OSIRISskater08

ok, i went into safe mode, went to start, then run, and typed in cmd, and an error came up saying it couldnt find it and to check to see if i spelled something wrong.

SpywareShooter

Some versions of Windows (I use ME and it cmd doesn't work with it) require you to type command in the Run box.

OSIRISskater08

i have windows ME too

SpywareShooter

Okay, then you want to type in command in the Run dialog.

OSIRISskater08

so what do i need to type in to get cmd to work??

OSIRISskater08

i typed command and nothing happened

OSIRISskater08

any suggestions?

primesuspect

type "command"

(without the quotes)

Or maybe you have an icon in your start menu that says "MS-DOS Prompt"

Push enter after typing "command"

OSIRISskater08

this is what happens, i click start, i click run, type "command" and press enter, and the box goes away for not even half a second, then the same exact box comes up again.

SpywareShooter

Try going to Start»Programs»Accessories»MS-DOS Prompt

primesuspect

okay, reboot again. But this time, when you're pressing "F8" to boot into safe mode, there should be a menu, and on that menu should be an option to boot to "command prompt".

Try that.

OSIRISskater08

ok i rebooted into safe mode, and when i clicked on MS-DOS Prompt nothing happened,
and there wasnt an option to boot into "command Prompt"

OSIRISskater08

can you think of anything else??

primesuspect

Osiris, PLEASE stop "bumping" your thread, not only is it annoying, it's useless. I'll refer you (for the second time) to the etiquette guidelines. We are all doing this on a volunteer basis. When we get to your thread, we get to it. We're busy, working adults, and this is a volunteer service that we offer. PLEASE be patient, you are MUCH more likely to get helped faster that way