AIM Away message, virus/spyware?

Krypto44 westport
edited February 2005 in Spyware & Virus Removal
This seems to be happening to a lot of people, but I clicked a friend's away message "PICS FROM THE BEACH http://www.abcbirds.org/photos.pif". Now it's on my comp. I ran Ad-Aware, AVG, and Microsoft AntiSpyware (beta), with no success.

My log file:

Logfile of HijackThis v1.99.0
Scan saved at 7:54:47 PM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\WINAMP6.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\you\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SENLNL/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R3 - Default URLSearchHook is missing
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A547670B-F7B0-4413-9479-10DFB4F5E6FB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {A88129A8-762F-4D2F-ADBB-470CB9312BFE} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {A9052A40-0BBA-4B68-8458-260287210BD2} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: (no name) - {AE2C4AA7-851A-47B8-81B3-375840777E6D} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {BBBBD901-0028-4E99-B876-6C431F5788AA} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {CFFEC057-02E1-4154-8CF6-D7F310D9DCC9} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {D0B29351-1C89-4637-AD3C-73C52DD9279B} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {EBBE2158-C8A4-4CA9-B773-007CC0A3AE0A} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {F9F89AB1-E0CB-4F79-8F4F-2F444910104B} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {FFA3089A-A5F1-415E-B5A4-64C6C1A6D9DA} - C:\Program Files\CSBB\CSBB.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NitroBOOT] C:\Program Files\NitroBOOT\NitroBOOT.exe -b
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Comments

  • Krypto44 westport
    edited February 2005
    For a while it hasn't been doing it; however, I'm still pretty concerned because I didn't do anything to try to fix it. All I did was run the hijacker thing.
  • Nosferatu Arizona
    edited February 2005
    To be safe, I'd format. Kaspersky AV detects some of the files as SDBot variants. SDBot is a pretty powerful open source IRC bot/trojan. My younger sister infected her computer a couple of days ago. I ran the same file she clicked in a controlled environment with a registry monitor running. It made so many changes to the registry I decided to be safe and format. Killing the bot isn't very hard: use a different task manager (like PrcView) and just kill the files you don't recognize. The variant that I was observing used msngmsngr32.exe, lshosts32.exe, and some random exe file names. Go into your Windows and System32 directories and sort by date. Make sure you have configured Explorer to show all files, even hidden and protected operating system files. The infected files should appear at the end of the list.
  • Krypto44 westport
    edited February 2005
    The only file that is on the day I got it is "winamp6". I tried to delete it but it won't let me, saying "Make sure the disk is not full or write-protected and that the file is not currently in use."
  • SpywareShooter 127.0.0.1
    edited February 2005
    winamp6.exe is the problem. Boot into Safe Mode (press F8 at the BIOS screen when booting) and then delete it and you should be able to.
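An added example (not from this thread or any of its posters) that applies the triage the replies above did by hand to the log's own lines: it parses the O4 autostart entries and the process list from a HijackThis log and flags an entry that is registered by bare filename, runs out of system32, and is duplicated into a RunOnce key, which is exactly the pattern winamp6.exe shows here. The flag names are the example's own; the log excerpt is copied from the post above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted above (a few of its lines, verbatim).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\WINAMP6.EXE
C:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winamp Player 6] WINAMP6.EXE
"""

# "O4 - HKLM\..\Run: [label] command"; the command may be quoted or carry arguments.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


def parse_log(text):
    """Return (running process paths, [(hive, key, exe), ...]) from a HijackThis log."""
    procs, entries = [], []
    for line in text.splitlines():
        if re.match(r"[A-Za-z]:\\", line):  # the "Running processes:" section lists bare paths
            procs.append(line.strip())
        elif (m := O4_RE.match(line)) and (e := EXE_RE.match(m.group("cmd"))):
            entries.append((m.group("hive"), m.group("key"), e.group("exe")))
    return procs, entries


def triage(text):
    """Flag autostart executables that deserve a second look, keyed by lower-cased name."""
    procs, entries = parse_log(text)
    by_exe = defaultdict(list)
    for hive, key, exe in entries:
        by_exe[exe.lower()].append((hive, key))
    findings = {}
    for exe, locs in by_exe.items():
        flags = []
        if "\\" not in exe:
            # No path: Windows resolves the name via its search order, so the process list
            # is the only evidence of which file on disk actually ran.
            flags.append("bare_name")
            if any(p.lower().endswith("\\" + exe) and "\\system32\\" in p.lower() for p in procs):
                flags.append("runs_from_system32")
        if len(locs) > 1:
            flags.append("multiple_autostarts")  # same binary in several autostart keys
        if any(key.lower() == "runonce" for _, key in locs):
            flags.append("runonce")  # a RunOnce still present after reboot is re-adding itself
        if flags:
            findings[exe] = flags
    return findings
```

Run against the full log, the same rules leave AVG, AIM, the NVIDIA helpers and the rest unflagged because each is registered once by full path.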