
About bestfriends.scr (please, need help ASAP)

edited February 2005 in Spyware & Virus Removal
a day or two ago my friend had the AIM away message up that said OMG LOOK! w/ the link to that bestfriends.scr. i got fooled into it, and got infected. i updated and scanned both ad-aware and spybot, but neither came up with anything. so then i used AVG antivirus. still nothing. so i then used AntiVir Guard. STILL nothing. then i d/l'd HijackThis (v.1.99.0) and did what the other forum said. i scanned, saved the log file, (and my computer already had it selected so it showed all files, etc.) and then searched the log for the items that it said to search for. it found none of them. i don't know if it's a new version of this bestfriends.scr or what, but i've had no luck. please help. i even unsaved my password for AOL, and it logs on by itself even then.

Comments

  • edited January 2005
    I'm updating the guide right now. Post your log and lemme see if the new EXE is something I haven't just added a few minutes ago.
  • edited January 2005
    Read my updated guide (just added the newest variant of the EXE). I'll do an even better rewrite tomorrow once I get some sleep.

    http://www.short-media.com/forum/showthread.php?p=159805#post159805
  • edited January 2005
    Logfile of HijackThis v1.99.0
    Scan saved at 1:17:45 PM, on 1/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\SVCHOSTA.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Aim\aim.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.risetoglory.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
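    As an added illustration (not part of the original thread, and not a HijackThis feature) of why the SVCHOSTA.EXE entry stands out in the log above: the Python script below parses the O4 autostart lines from that log (embedded here as a constructed sample), and scores each entry with three heuristics of my own choosing: an executable name one edit away from a core Windows process name (svchosta vs svchost), the same command registered in more than one autostart location (here HKLM\..\Run and HKCU\..\RunOnce), and a bare filename with no path, which Windows resolves by PATH search at logon. The list of system process stems is an assumption, not an authoritative list.

    ```python
    import re
    from collections import Counter
    from dataclasses import dataclass

    # Constructed sample: the O4 autostart lines from the HijackThis log posted
    # in this thread, plus a Global Startup line that the O4 regex deliberately skips.
    SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    """

    # Assumed set of core Windows process name stems that malware likes to imitate.
    SYSTEM_STEMS = {"svchost", "lsass", "services", "winlogon", "smss", "csrss",
                    "explorer", "spoolsv", "rundll32", "wininit", "taskmgr"}

    # Matches registry-based O4 lines: "O4 - HKLM\..\Run: [DisplayName] command".
    O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): '
                       r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


    @dataclass
    class AutostartEntry:
        hive: str
        key: str
        name: str
        cmd: str


    def levenshtein(a: str, b: str) -> int:
        """Plain edit distance; used to spot names one keystroke away from a system process."""
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
            prev = cur
        return prev[-1]


    def parse_o4(log_text: str) -> list:
        """Return the registry O4 entries; Global Startup lines do not match and are skipped."""
        entries = []
        for line in log_text.splitlines():
            m = O4_RE.match(line.strip())
            if m:
                entries.append(AutostartEntry(**m.groupdict()))
        return entries


    def executable_of(cmd: str) -> str:
        """First token of the command, honouring a quoted path containing spaces."""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split(None, 1)[0] if cmd else ""


    def assess(entry: AutostartEntry, occurrences: int):
        """Score one entry; returns (reasons, score). Higher score = look at it first."""
        exe = executable_of(entry.cmd)
        has_path = "\\" in exe or ":" in exe
        basename = exe.rsplit("\\", 1)[-1].lower()
        stem = basename.rsplit(".", 1)[0]
        reasons, score = [], 0
        for sys_stem in sorted(SYSTEM_STEMS):
            if levenshtein(stem, sys_stem) == 1:   # exact matches (distance 0) are not lookalikes
                reasons.append(f"'{basename}' is one edit away from system process "
                               f"'{sys_stem}.exe' (lookalike)")
                score += 3
        if occurrences > 1:
            reasons.append("same command registered in more than one autostart location")
            score += 2
        if not has_path:
            reasons.append("bare filename: resolved by PATH search at logon; confirm which file runs")
            score += 1
        return reasons, score


    def analyze(log_text: str) -> list:
        """Parse, score and rank the O4 entries; only entries with at least one reason are returned."""
        entries = parse_o4(log_text)
        counts = Counter((e.name.lower(), e.cmd.lower()) for e in entries)
        findings = []
        for e in entries:
            reasons, score = assess(e, counts[(e.name.lower(), e.cmd.lower())])
            if reasons:
                findings.append({"location": f"{e.hive}\\..\\{e.key}", "name": e.name,
                                 "cmd": e.cmd, "score": score, "reasons": reasons})
        findings.sort(key=lambda f: f["score"], reverse=True)
        return findings


    if __name__ == "__main__":
        for f in analyze(SAMPLE_LOG):
            print(f"[{f['score']}] {f['location']}: [{f['name']}] {f['cmd']}")
            for r in f["reasons"]:
                print("      -", r)
    ```

    Run against the sample, the two "Windows Logon Procedure" entries come out on top with all three heuristics firing, while legitimate bare-name entries such as SysTray.Exe or RUNDLL32.EXE score only for the missing path. The bare-filename check is noisy on purpose: it is a prompt to confirm which file on disk actually runs, not a verdict.
    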
  • edited January 2005
    i looked at your new list of things to look for, and i don't know if it was in the old one or not, but it's SVCHOSTA.exe. last night when i booted my computer in safe mode and went into msconfig, SVCHOSTA.exe was in there as a startup item. if i disable it in safemode will it 1) disable it in regular startup and 2) fix the problems i've been having?
  • edited January 2005
    i uninstalled some stuff, etc. since that log, but i'm still affected by the virus. any chance u want me to post the new log, or should it still be the same? cuz i searched the log for the new files that you listed, and i still found nothing
  • edited January 2005
    Yes to both 1 and 2, but be sure to delete the file itself while in safemode as well.
  • edited January 2005
    well i would delete the file itself, but i can't seem to find it. i looked in the directory it said it was in, even searched my entire computer, it could not find it
  • edited January 2005
    also, i tried to disable it in msconfig, it re-enables itself
  • edited January 2005
    would uninstalling AIM and then reinstalling it work? i doubt it, otherwise there'd be no need for all those instructions, but i figured i'd ask
  • edited January 2005
    What Directory did you look for the file in? Use HJT in safemode to delete the entry.

    And no, reinstalling AIM will not work.
  • edited January 2005
    i scanned it in safemode with HJT, the new log is in place of the old one (didn't wanna make this page longer than it needed to be).
  • edited January 2005
    okay, it says i have the SVCHOSTA.EXE. i went into safemode, did the cd\, cd %systemroot%\system32, DEL SVCHOSTA.EXE. it says it couldn't find the file. what's up with that? any ideas?
  • edited January 2005
    nvm. i don't know why i didn't think of this before. i simply went into C, to windows, to system32, and deleted the file there. problems all fixed now :thumbsup:
  • edited January 2005
    hmmmmmm idk if this has anything to do w/ that whole situation, but since deleting SVCHOSTA.EXE, my computer has been fine on the internet for the first couple minutes of logon, then its UBERLAGGY. as in like, 800 to 1100 ping laggy.
  • edited January 2005
    I seriously doubt it has anything to do with it.
  • edited January 2005
    lol nvm, i simply wiped the whole computer. been meaning to do it for a long time, used this as an excuse to do so
  • edited February 2005
    I posted it in the other forum: Here's how to get rid of this thing: end the processes yahoomsg.exe or yahoomsgr.exe with taskkill. search your system or system32 folder for YahooMsg.exe or YahooMsgr.exe and delete them. Then run adaware or spybot. This thing prevents regedit from being open too long, as well as your task manager. If that doesn't work, try downloading this: AIMFix

    Remember to remove the away message from your list. Just because the virus is gone doesn't mean that it will automatically clean the away message for you.

    Or you may want to click the link first if you're not comfortable manually editing your system32 folder