Options

AIM Virus

Unknown
edited February 2005 in Spyware & Virus Removal
Unfortunately, i let my g/f get ahold of my comp and she managed to get a virus off of someone off of AIM. the symptoms are the same as other AIM viruses that have been posted on here, but all of the files that old threads tell me to delete can't be found on my cop. so now i must plead to u great ladies and gentlemen to help me out. I GOTTA GWET RID OF THIS THING!! thanks a lot all :D:);):D below is my log file, thanx

Logfile of HijackThis v1.99.0
Scan saved at 10:44:17 PM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\System32\inetsrv\inetinfo.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\wanmpsvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
F:\Program Files\WinPortrait\wpctrl.exe
F:\PROGRA~1\iTunes\iTunesHelper.exe
F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\WinPortrait\floater.exe
F:\WINDOWS\system32\devldr32.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\iTunes\iTunes.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\SYSTEM32\AOLClient.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\hijackthis2\HijackThis.exe
F:\Program Files\AIM95\aim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PivotSoftware] "F:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] F:\PROGRA~1\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80529C5E-848E-4C71-8F73-0A72FF1D5525}: NameServer = 167.206.112.3,167.206.112.4
O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - F:\WINDOWS\wanmpsvc.exe

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Download and run this tool.
    http://www.jayloden.com/AIMFix.exe



    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that can not be removed by the scans please include that information in your next post.



    Reboot and post a new hijackthis log.
  • D Piddy
    edited February 2005
    ran the AIM fix, did the first scan, the second scan didn't work for some reason. here's my most recent Hijack this log

    Logfile of HijackThis v1.99.0
    Scan saved at 11:41:18 PM, on 2/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\WINDOWS\System32\inetsrv\inetinfo.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\WINDOWS\System32\nvsvc32.exe
    F:\Program Files\Norton AntiVirus\SAVScan.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    F:\Program Files\WinPortrait\wpctrl.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\PROGRA~1\iTunes\iTunesHelper.exe
    F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    F:\Program Files\AIM\aim.exe
    F:\Program Files\WinPortrait\floater.exe
    F:\WINDOWS\system32\devldr32.exe
    F:\Program Files\iPod\bin\iPodService.exe
    F:\Program Files\iTunes\iTunes.exe
    F:\WINDOWS\system32\wscntfy.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    F:\hijackthis2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PivotSoftware] "F:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] F:\PROGRA~1\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\inetrepl.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{80529C5E-848E-4C71-8F73-0A72FF1D5525}: NameServer = 167.206.112.3,167.206.112.4
    O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - F:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    You didn't mention if any of the scans found anything, but your log looks clean to me. Are you having any problems?
  • D Piddy
    edited February 2005
    the first scan found one file, not associated with the AIM thing, deleted it. as i said earlier, the second scan didn't work for osme reason. but i'm still having that active-x security problem. my security settings won't go back to normal. whenerv i reset them to low, they go back to medium. i', using firefox, so it's nto a huge deal, but i still wanna get rid of this thign completely
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    my security settings won't go back to normal. whenerv i reset them to low, they go back to medium.
    That's not really something that a virus or spyware would do. They'd try to change it the other way. Take a look at Norton. There's probably a setting in there somewhere.
  • D Piddy
    edited February 2005
    no, yu're wrong, i nthe already published fix for this in the virus section of the forum, it said the virus raises yur settings so it's impossible to d/l some stuff or see active-x stuff, lemme try and find the link
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Maybe so, but the setting of medium would not prevent you from downloading files or prevent your active-x controls from working.

    Aimfix was updated today. You might try downloading the latest version and running it in Safe Mode.

    http://www.jayloden.com/AIMFix.exe
  • D Piddy
    edited February 2005
    nm, i must have imagined it, oh well, it seems to be completely gone, should i still search for all the files listed in this section ? it would be a pain and it would save me quite some time to not have to do this
  • D Piddy
    edited February 2005
    should i run the new AIMFix whether or not i still have any symptoms? it appears to be gone but it can't hurt, right?
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    The filenames change so frequently...I wouldn't bother, especially since you are no longer having problems.


    But yes, I would run Aimfix again, just to be sure.
Sign In or Register to comment.