AIM problem after HSA infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Rex Chien, Dec 11, 2004.

  1. Rex Chien

    Rex Chien Private E-2

    I was recently attacked by the HSA spyware that has been going around, but managed to remove it (I think) after following the instructions on the README FIRST (http://forums.majorgeeks.com/printthread.php?t=35407). Running AdAwareSE and SpyBotSD found no more traces of it after the reboot. I wanted to try using about:Buster also, but I got a "Runtime Error 5".

    Now, although my IE works fine, my AIM has a problem. Whenever I try to open an IM window, the program crashes. The details on the error :

    AppName: aim.exe AppVer: 5.9.3690.0 ModName: kernel32.dll
    ModVer: 5.1.2600.153 Offset: 0005d4fb

    The AIM website says this is caused by HSA, but I thought I got rid of that. I have tried uninstalling and reinstalling the program, but the problem continues. Please help me get AIM up and running; I have HijackThis ready to go if needed. I am running Windows XP. Thanks in advance!

    -Rex

    P.S. My problem is similar to another post I found in the forums- (http://forums.majorgeeks.com/showth...hlight=aim+home)
    The Internet Explorer '#' problem also applies to me, so perhaps there is a connection? Thanks again.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HSA infections have been known to cause numerous problems. Please run this first: AIM Fix
    Then if still having a problem and you are sure ALL steps of the READ ME were completed, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.

    What was the complete message that About:Buster gave you.
     
  3. Rex Chien

    Rex Chien Private E-2

    I ran the AIM Fix, but it didn't find any viruses or problems. Also, the exact error I get with About:Buster is "Run Time Error '5': Invalid procedure call or argument". I have looked at the About:Buster help board for possible solutions, but to no avail. I have attached my HijackThis log.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are seriously out of date. You really should get your system updated. See the following link for help on doing that and also getting yourself protected in the long run:
    How to Protect yourself from malware!

    You have a trojan!

    Process File: conime or conime.exe
    Process Name: BFGhost 1.0

    Description:
    conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial - which it looks like you never ran).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\conime.exe
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\conime.exe

    Now let's reset your web settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Are the below addresses for your ISP?
    216.126.136.250 = [ ns2.starnetusa.net ] & 216.126.128.40 = [ ns0.starnetusa.net ]
    OrgName: Starnet Inc.
    OrgID: STNI
    Address: 579 First Bank Drive
    Address: Suite 100
    City: Palatine
    StateProv: IL
    PostalCode: 60067
    Country: US
    NetRange: 216.126.128.0 - 216.126.191.255
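
    A small triage script for the kind of HJT log chaslang asks for here, added as an example; it is not part of the thread and not HijackThis' own code. It splits a 1.98-style log into the "Running processes" list and the R/F/N/O entries, flags processes whose file name is on a suspect list, and collects the entries that point at nothing (the three R3/O9 lines above). The sample log is constructed: only the R3/O9 lines, the conime.exe path and the HJT version come from the posts, the rest is filler for contrast. The suspect list is an assumption holding the one name the thread gives.

```python
"""Triage a HijackThis (HJT) 1.98-style log: list running processes whose
file name is on a suspect list and entries that point at nothing (orphaned
COM entries, a missing URLSearchHook). Added example, not from the thread."""
import os
import re
from dataclasses import dataclass

# Constructed sample log. Only the R3/O9 lines, the conime.exe path and the
# HJT version come from the thread; the other lines are filler for contrast.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\System32\\conime.exe
C:\\Program Files\\AIM\\aim.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

# Assumed suspect list: the thread names only conime.exe (as BFGhost 1.0).
SUSPECT_NAMES = {"conime.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str   # 'suspect-process', 'orphaned-entry' or 'missing-hook'
    line: str   # the line exactly as HJT printed it, so it can be pasted back


# HJT entry lines look like "O9 - Extra button: ..." or "R3 - Default ...".
_ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def split_log(text):
    """Return (process paths, [(section, body, raw line)]) from an HJT log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = _ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text, suspect_names=SUSPECT_NAMES):
    """Flag suspect processes and entries that reference nothing on disk."""
    procs, entries = split_log(text)
    suspects = {n.lower() for n in suspect_names}
    findings = []
    for path in procs:
        # Compare the file name only; the path prefix is the attacker's choice.
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name in suspects:
            findings.append(Finding("suspect-process", path))
    for section, body, line in entries:
        if section == "R3" and "is missing" in body:
            findings.append(Finding("missing-hook", line))
        elif body.endswith("(no file)"):
            findings.append(Finding("orphaned-entry", line))
    return findings


def hjt_lines_to_fix(findings):
    """Lines to tick in HJT; processes are ended and deleted, not 'fixed'."""
    return [f.line for f in findings if f.kind != "suspect-process"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.line}")
```

    The process check matches on file name alone, which is only a hint: confirm the file's location, size and hash against a known-good copy before deleting it, since malware routinely borrows the names of legitimate system binaries, and run the script on the log after the fix to see that the flagged lines are gone.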
     
  5. Rex Chien

    Rex Chien Private E-2

    Wow, your tips seem to have done the trick. I will get my system updated immediately, and AIM and IE seem to be working fine for now. Here's a new HijackThis log. I don't recognize that ISP, but when I ran HijackThis when not dialed up, it did not show up. It could be another name for my ISP, Express56. Thanks for all your help, let me know if something iffy shows up on the log or any other steps to take.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. Dunnel

    Dunnel Private E-2

    mind helping me with the same problem?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. KidPunkStar101

    KidPunkStar101 Private E-2

    I get the same error with aim

    AppName: aim.exe AppVer: 5.9.3702.0 ModName: kernel32.dll
    ModVer: 5.1.2600.153 Offset: 0005d4fb

    can anyone help me with this ?? I've tried the hotfix, and nothing, is there anything else i can do to fix this problem ??

    THNX

    - Kidd -
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do as message #8 to Dunnel stated and start your own thread. And did you try the AIM Fix? Do not answer here!
     
