MajorGeeks Support Forums

  #1  
Old 12-11-04, 21:44
Rex Chien Rex Chien is offline
Private E-2
 
Join Date: Dec 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Exclamation AIM problem after HSA infection

I was recently attacked by the HSA spyware that has been going around, but managed to remove it (I think) after following the instructions on the README FIRST (http://forums.majorgeeks.com/printthread.php?t=35407). Running AdAwareSE and SpyBotSD found no more traces of it after the reboot. I wanted to try using about:Buster also, but I got a "Runtime Error 5".

Now, although my IE works fine, my AIM has a problem. Whenever I try to open an IM window, the program crashes. The details on the error:

AppName: aim.exe AppVer: 5.9.3690.0 ModName: kernel32.dll
ModVer: 5.1.2600.153 Offset: 0005d4fb

The AIM website says this is caused by HSA, but I thought I got rid of that. I have tried uninstalling and reinstalling the program, but the problem continues. Please help me get AIM up and running; I have HijackThis ready to go if needed. I am running Windows XP. Thanks in advance!

-Rex

P.S. My problem is similar to another post I found in the forums- (http://forums.majorgeeks.com/showth...hlight=aim+home)
The Internet Explorer '#' problem also applies to me, so perhaps there is a connection? Thanks again.
Reply With Quote
  #2  
Old 12-12-04, 02:08
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,320
Thanks: 61
Thanked 7,639 Times in 4,113 Posts
Default Re: AIM problem after HSA infection

HSA infections have been known to cause numerous problems. Please run this first: AIM Fix
Then if still having a problem and you are sure ALL steps of the READ ME were completed, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.

What was the complete message that About:Buster gave you?
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Reply With Quote
  #3  
Old 12-12-04, 20:49
Rex Chien Rex Chien is offline
Private E-2
 
Join Date: Dec 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: AIM problem after HSA infection

I ran the AIM Fix, but it didn't find any viruses or problems. Also, the exact error I get with About:Buster is "Run Time Error '5': Invalid procedure call or argument". I have looked at the About:Buster help board for possible solutions, but to no avail. I have attached my HijackThis log.
Attached Files
File Type: log hijackthis.log (2.8 KB, 3 views)
Reply With Quote
  #4  
Old 12-12-04, 22:26
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,320
Thanks: 61
Thanked 7,639 Times in 4,113 Posts
Default Re: AIM problem after HSA infection

Your OS and IE versions are seriously out of date. You really should get your system updated. See the following link for help on doing that and also getting you protected in the long run:
How to Protect yourself from malware!

You have a trojan!

Process File: conime or conime.exe
Process Name: BFGhost 1.0

Description:
conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial - which it looks like you never ran).
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
C:\WINDOWS\System32\conime.exe
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\conime.exe

Now let's reset your web settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Are the below addresses for your ISP?
216.126.136.250 = [ ns2.starnetusa.net ] & 216.126.128.40 = [ ns0.starnetusa.net ]
OrgName: Starnet Inc.
OrgID: STNI
Address: 579 First Bank Drive
Address: Suite 100
City: Palatine
StateProv: IL
PostalCode: 60067
Country: US
NetRange: 216.126.128.0 - 216.126.191.255
Reply With Quote
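An added example (not part of the original thread and not HijackThis code): a small Python parser for a HijackThis-style log that groups the leftover "(no file)" / "is missing" entries from post #4 by CLSID and checks the running-process list against a path a helper has named. The sample log is constructed; only the R3/O9 lines and the conime.exe path come from the post, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log: the R3/O9 lines and the conime.exe path are quoted
# from post #4 above; every other line is made up for illustration.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O9 - <body>"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "is missing")           # wording seen in the post

def parse(log):
    """Split a log into running-process paths and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def orphans_by_clsid(entries):
    """Group entries whose target is gone, keyed by CLSID (or None)."""
    groups = defaultdict(list)
    for section, body in entries:
        if any(marker in body for marker in ORPHAN_MARKERS):
            m = CLSID.search(body)
            groups[m.group(0).upper() if m else None].append(section)
    return dict(groups)

def flagged_processes(processes, watchlist):
    """Case-insensitive match, since Windows paths are case-insensitive."""
    wanted = {p.lower() for p in watchlist}
    return [p for p in processes if p.lower() in wanted]

if __name__ == "__main__":
    procs, entries = parse(SAMPLE_LOG)
    print(orphans_by_clsid(entries))
    print(flagged_processes(procs, [r"c:\windows\system32\conime.exe"]))
```

Both O9 lines carry the same CLSID, so the grouping shows them as one leftover registration rather than two separate findings.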
  #5  
Old 12-12-04, 23:26
Rex Chien Rex Chien is offline
Private E-2
 
Join Date: Dec 2004
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: AIM problem after HSA infection

Wow, your tips seem to have done the trick. I will get my system updated immediately, and AIM and IE seem to be working fine for now. Here's a new HijackThis log. I don't recognize that ISP, but when I ran HijackThis when not dialed up, it did not show up. It could be another name for my ISP, Express56. Thanks for all your help, let me know if something iffy shows up on the log or any other steps to take.
Attached Files
File Type: log hijackthis2.log (2.5 KB, 2 views)
Reply With Quote
  #6  
Old 12-12-04, 23:37
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,320
Thanks: 61
Thanked 7,639 Times in 4,113 Posts
Default Re: AIM problem after HSA infection

You're welcome. Your log looks okay now. Make sure you get updated and follow the rest of the How to Protect yourself from malware! steps too.
Reply With Quote
  #7  
Old 12-23-04, 15:13
Dunnel Dunnel is offline
Private E-2
 
Join Date: Dec 2004
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: AIM problem after HSA infection

mind helping me with the same problem?
Reply With Quote
  #8  
Old 12-23-04, 15:59
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,320
Thanks: 61
Thanked 7,639 Times in 4,113 Posts
Default Re: AIM problem after HSA infection

Quote:
Originally Posted by Dunnel
mind helping me with the same problem?
Please start your own thread and state your specific problem. Also note the first required steps are always to run all of the sticky READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
Reply With Quote
  #9  
Old 02-19-05, 06:21
KidPunkStar101 KidPunkStar101 is offline
Private E-2
 
Join Date: Feb 2005
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: AIM problem after HSA infection

I get the same error with aim

AppName: aim.exe AppVer: 5.9.3702.0 ModName: kernel32.dll
ModVer: 5.1.2600.153 Offset: 0005d4fb

can anyone help me with this ?? I've tried the hotfix, and nothing, is there anything else I can do to fix this problem ??

THNX

- Kidd -
Reply With Quote
  #10  
Old 02-19-05, 11:26
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,320
Thanks: 61
Thanked 7,639 Times in 4,113 Posts
Default Re: AIM problem after HSA infection

Quote:
Originally Posted by KidPunkStar101
I get the same error with aim

AppName: aim.exe AppVer: 5.9.3702.0 ModName: kernel32.dll
ModVer: 5.1.2600.153 Offset: 0005d4fb

can anyone help me with this ?? I've tried the hotfix, and nothing, is there anything else I can do to fix this problem ??

THNX

- Kidd -
Do as message #8 to Dunnel stated and start your own thread? And did you try the AIM Fix? Do not answer here!
Reply With Quote