My friend got the bestfriends.scr virus
Hello to all!
After a lengthy discussion with my friend, we figured out he got the virus from my computer. However, I am now virus free thanks to you fine people. I was hoping with my new knowledge and your expertise, we could get it off of his computer as well.
I would assume the process is the same. For both him and me, I believe the virus files were the WINMX.EXE ones, so... (for his computer this afternoon) we located the WINMX.EXE file, booted into safe mode and deleted it, rebooted, and then it popped up again in the HJT log... did we do something wrong? Are there two of them?
Note: He does not run a program called WinMX. We did find the randomly generated file though.
Thank you Everyone!
Here is the HJT Log
Logfile of HijackThis v1.98.2
Scan saved at 5:27:17 PM, on 11/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tp4mon.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Tauber.DAVIDRULES\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazers.com/
O2 - BHO: (no name) - {69AF1501-EC16-1EFA-D503-665508857D4F} - C:\WINDOWS\System32\jaxw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [WinMX Music App] WINMX.EXE
O4 - HKCU\..\Run: [Tess] C:\Documents and Settings\David Tauber.DAVIDRULES\Application Data\taat.exe
O4 - HKCU\..\Run: [Vjypljfr] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
Comments
O2 - BHO: (no name) - {69AF1501-EC16-1EFA-D503-665508857D4F} - C:\WINDOWS\System32\jaxw.dll
O4 - HKLM\..\Run: [WinMX Music App] WINMX.EXE
O4 - HKCU\..\Run: [Tess] C:\Documents and Settings\David Tauber.DAVIDRULES\Application Data\taat.exe
O4 - HKCU\..\Run: [Vjypljfr] C:\WINDOWS\System32\?hkntfs.exe
Fix those entries, then find and delete the files listed above, boot back into normal mode and post a new log.
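An added example, not part of this thread and not HijackThis code: a small parser that reads the O2/O4 lines above and lists, for each autorun, which registry Run key it comes from and which review heuristics fire. The point it illustrates is the reply's order of operations: an O4 line is a value read from the Run key, so deleting the file alone leaves the line in the next log, which is why the entry must be "fixed" (the value removed) as well. The heuristics (bare filename, a character HijackThis shows as `?`, an executable under the user profile, a vowel-poor name, a BHO with no display name) are my own assumptions for triage, not signatures; the legitimate tp4mon.exe is flagged too, which shows they produce review candidates, not verdicts. The sample log is constructed from the lines quoted in the reply.

```python
import re

# Constructed sample input: the O2/O3/O4 lines from the thread, re-joined
# where the forum wrapped them. Not the output of a scan I ran.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {69AF1501-EC16-1EFA-D503-665508857D4F} - C:\WINDOWS\System32\jaxw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [WinMX Music App] WINMX.EXE
O4 - HKCU\..\Run: [Tess] C:\Documents and Settings\David Tauber.DAVIDRULES\Application Data\taat.exe
O4 - HKCU\..\Run: [Vjypljfr] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""

# HijackThis abbreviates the Run key; these are the full registry paths.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First token of a Run value: a quoted path, or an unquoted path that may
# contain spaces and ends in an executable extension; the rest is arguments.
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+(?:\s+\S+)*?\.(?:exe|com|scr|pif|bat|cmd|dll)))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
VOWELS = set("aeiou")


def looks_random(word):
    """Heuristic (assumption): 6+ letters, nothing else, and under 20% vowels."""
    letters = [c for c in word.lower() if c.isalpha()]
    if len(letters) < 6 or len(letters) != len(word):
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def split_command(cmd):
    """Split a Run value into (executable path, argument string)."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("u")), (m.group("args") or "")


def assess_path(name, exe):
    """Return the list of review heuristics that fire for one executable."""
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename: resolved via the search path, so the file may not be where you looked")
    if "?" in exe:
        reasons.append("path contains a character HijackThis could not display (shown as ?)")
    low = exe.lower()
    if "\\application data\\" in low or "\\documents and settings\\" in low:
        reasons.append("executable runs from a user profile directory, not Program Files or System32")
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lstrip("?")
    if looks_random(name) or looks_random(stem):
        reasons.append("vowel-poor, random-looking name")
    return reasons


def audit_hjt_log(text):
    """Parse O2/O4 lines and return one finding per entry with at least one heuristic hit."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a display name")
            reasons += assess_path("", m.group("path"))
            if reasons:
                findings.append({"kind": "O2", "name": m.group("name"), "path": m.group("path"), "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            reasons = assess_path(m.group("name"), exe)
            if reasons:
                findings.append({"kind": "O4", "key": RUN_KEYS[m.group("hive")], "name": m.group("name"),
                                 "path": exe, "args": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f["kind"], f["name"], "->", f["path"])
        if f["kind"] == "O4":
            print("   value lives in:", f["key"])
        for r in f["reasons"]:
            print("   -", r)
```

Reading the output against the thread: the WINMX.EXE value has no directory, so the file that actually starts may not be the one that was deleted; and even when the file is gone, the value under the Run key still produces the O4 line until it is removed, which is the "fix those entries" step in the reply.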