*HELP* AIM Best Friends Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by liqvidfire, Oct 11, 2004.

  1. liqvidfire

    liqvidfire Private E-2

    OK, I've searched and done all the stuff mentioned in other threads about this virus (including the whole READ ME FIRST). I also tried to do the first optional one but could not complete it, because several steps asked me to do things with files which my HijackThis scan wasn't even showing (you'll see if you ask me to post it). I'm pretty sure that I'm at the point where I need to post it, but I read the rules and they told me not to do so until asked, so I'm asking. I thought I had gotten rid of the virus as it did not pop up all night (after doing the READ ME steps), but it popped up again ~1 hour ago, so I turn to you guys for help. TIA

    standing by...
     
  2. jarcher

    jarcher I can't handle a title

    Have you turned off or restarted your computer since it went away?
    Did you disable your System Restore?
    What exactly pops up?
    What is your operating system? Win98? XP?

    Go ahead and attach a HJT log (as a .txt file).
    Make sure HJT is in its own folder, not on the desktop,
    and all windows and programs are closed (in your system tray, background, etc.).
     
  3. liqvidfire

    liqvidfire Private E-2

    Yeah, I restarted. It puts up an away message randomly, or even signs me on when I'm signed off and puts it up. It says something along the lines of OMFG LOOK and then there's a link that ends in .src (or something like that, I forget, sorry). I have disabled it, and I'm running XP.
     

    Attached Files:

  4. jarcher

    jarcher I can't handle a title

    Your HJT is not up to date.
    Get that here:
    http://majorgeeks.com/download3155.html

    You also need to stop Internet Explorer before you scan again.
    Just hit
    Ctrl+Alt+Del
    and open your Task Manager
    and see if it is still running under your user name
    (iexplore.exe).

    If it is still running with all windows closed,
    highlight it and click End Process.

    Then run your updated HJT again
    and repost.
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi liqvidfire,

    Use Task Manager to try to end this running process – NOTE the “E” at the end of SVCHOST. Those without the “E” are legitimate and should be left alone. Be careful.

    C:\WINDOWS\system32\SVCHOSTE.EXE

    Have HijackThis fix the following:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTE.EXE

    O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTE.EXE


    Now, boot to safe mode, with the viewing of hidden files enabled and DELETE C:\WINDOWS\system32\SVCHOSTE.EXE

    Boot normal and attach a new HJT log. I’m going to dinner, but will try to check back later.

    Best luck,

    PP
     
  6. liqvidfire

    liqvidfire Private E-2

    OK, I couldn't use Task Manager, because part of the virus disables that from happening (it'll pop up for a second but then disappear), but I do have taskkill, so I used that and did what you said. Task Manager works now, so I *hope* it's all clear. Anyway, I attached the new HJT log.
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    I should add that Jarcher is correct - You should download the current version of HijackThis via the link he gave. Place it in C:\Program Files\HJT as before.

    I see that Chaslang has worked through a similar thread. It finds SVCHOSTE to be a difficult process to end. You should take a look if you have similar problems ending the running process:
    http://forums.majorgeeks.com/showthread.php?t=44507

    I should also note that I find all of those 010 Panda entries in your log to be odd. It is an odd place for them. However, LEAVE THEM ALONE. DO NOT ATTEMPT TO FIX THEM. I doubt that they are malicious - just in a weird place. With any luck, Chaslang will take a look. He'll know better how to proceed with them, if at all.


    ***Looks like we posted at the same time ;) Get a new HJT (if you haven't already) and take a look at Chaslang's instructions in the thread I linked. Let me know how that works out.

    ***And, I didn't see the TASKKILL part- Hold on while I check your log!

    Best,

    PP
     
    Last edited by a moderator: Oct 11, 2004
  8. PhilliePhan

    PhilliePhan Guest

    Hi liqvidfire,

    Your log looks better. I don't see the 010 Panda entries either.

    This bothers me: O20 - AppInit_DLLs: PAVWAIT.DLL
    I'll PM Chaslang to have a look. Don't mess with it until you hear from him!

    PP
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi liqvidfire,

    Regarding O20 - AppInit_DLLs: PAVWAIT.DLL

    We suspect it is Panda - Again in a weird place. If you would, please track down PAVWAIT.DLL and take a look at its properties (Rightclick it) and see if it is indeed Panda related.

    I'll try to check back later.

    PP
     
  10. liqvidfire

    liqvidfire Private E-2

    Yeah, I did get the new version, and that's what I used for the last log. I checked and it is part of the Panda software, but I'm deleting that anyway; my friend gave it to me in the hope of it getting rid of the virus that I got, which appears gone now. Thanks a lot, guys.
     
  11. PhilliePhan

    PhilliePhan Guest

  12. jarcher

    jarcher I can't handle a title

    PP,
    is this a panda thing?

    O20 - AppInit_DLLs: PAVWAIT.DLL
     
  13. PhilliePhan

    PhilliePhan Guest

    That's what Chas & I thought. liqvidfire said they checked and that it was related to the Panda software that they were given. This entry is an odd one in a really odd place in the log. Kind of like those 010 Panda entries in the previous log. But, liqvidfire said they were deleting it anyway, so it's a moot point now :)

    PP
     
  14. jarcher

    jarcher I can't handle a title

    Then it's not needed.
     
  15. PhilliePhan

    PhilliePhan Guest

    Most of the time, the O20 entries are items that need to be "fixed." You don't see a lot of them, though. This one seemed harmless given all of the other Panda entries, but I wanted to check with Chas just the same. Better safe than sorry! ;) Plus, it's a good learning opportunity.

    PP
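
The two checks the thread keeps coming back to (PhilliePhan's post 5 and the O20 discussion in post 15) are mechanical enough to script: spot a Run/RunOnce entry whose image name is one letter away from a real system process (SVCHOSTE vs svchost), treat an IE start page on an unknown host as a hijack, and hold every AppInit_DLLs entry for manual review rather than fixing it blindly. The following Python is an added example for this thread, not HijackThis code and not something any poster ran. It parses HijackThis-style lines; the sample log is constructed from the entries quoted in the thread plus one made-up benign Run entry for contrast, and `TRUSTED_START_HOSTS` is an assumed allowlist you would adjust.

```python
"""Triage HijackThis-style log lines for the indicators this thread discusses.

Added example; not part of the thread and not HijackThis code.  SAMPLE_LOG
is constructed: the first four lines are the entries quoted in the thread,
the fifth is a made-up benign Run entry for contrast.
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Names worms imitate by adding or changing one letter (SVCHOSTE vs svchost).
SYSTEM_IMAGES = ("csrss.exe", "explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe")

# Assumption: hosts you are happy to see as an IE start page.
TRUSTED_START_HOSTS = {"www.msn.com", "www.microsoft.com"}

SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\\..\\Run: [Windows Logon Procedure] SVCHOSTE.EXE
O4 - HKCU\\..\\RunOnce: [Windows Logon Procedure] SVCHOSTE.EXE
O20 - AppInit_DLLs: PAVWAIT.DLL
O4 - HKLM\\..\\Run: [Example Tray] "C:\\Program Files\\Example\\tray.exe" /background
"""


@dataclass
class Finding:
    line: str
    verdict: str      # "fix", "review" or "ok"
    reason: str
    image: str = ""   # executable name for O4 entries, used to build taskkill


_R0 = re.compile(r"^R[01] - .*?,(?P<name>[^=]+) = (?P<value>.+)$")
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion turns svchost.exe into svchoste.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(image: str):
    """Return the system image `image` imitates, or None if it is exact or unrelated."""
    n = image.lower()
    if n in SYSTEM_IMAGES:
        return None
    for real in SYSTEM_IMAGES:
        if edit_distance(n, real) <= 1:
            return real
    return None


def _executable(cmd: str) -> str:
    """Pull the executable out of a Run value such as '"C:\\x\\y.exe" /arg' or 'Y.EXE'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str):
    m = _R0.match(line)
    if m:
        value = m.group("value")
        host = (urlsplit(value).hostname or "").lower()
        if value.lower().startswith("about:") or host in TRUSTED_START_HOSTS:
            return Finding(line, "ok", "start page on a trusted host")
        return Finding(line, "fix", f"start page hijacked to {host}")
    m = _O4.match(line)
    if m:
        exe = _executable(m.group("cmd"))
        image = ntpath.basename(exe)
        real = lookalike(image)
        if real:
            return Finding(line, "fix", f"{image} imitates {real}; note the extra letter", image)
        if not ntpath.dirname(exe):
            return Finding(line, "review", f"bare filename {image}: found via the search path, check where it lives", image)
        return Finding(line, "ok", f"full path {exe}", image)
    m = _O20.match(line)
    if m:
        return Finding(line, "review",
                       f"AppInit_DLLs loads {m.group('value')} into every process that uses user32.dll; "
                       "confirm the publisher before fixing")
    return None


def triage(log_text: str):
    return [f for f in (triage_line(l.strip()) for l in log_text.splitlines()) if f]


def taskkill_commands(findings):
    """One taskkill per look-alike image that must be ended before its file can be deleted."""
    seen = []
    for f in findings:
        if f.verdict == "fix" and f.image and f.image not in seen:
            seen.append(f.image)
    return [f"taskkill /F /IM {image}" for image in seen]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.verdict:6} {f.reason}")
    for cmd in taskkill_commands(found):
        print(cmd)
```

On the sample log the two SVCHOSTE.EXE entries and the hsremove.com start page come back as "fix", PAVWAIT.DLL as "review" (which is what the thread did: confirm it was Panda before touching it), and the benign full-path entry as "ok". The generated `taskkill /F /IM SVCHOSTE.EXE` is the same step liqvidfire used when Task Manager kept being closed by the malware; ending the process first matters because Windows will not let you delete the file while it is running.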
     
  16. jarcher

    jarcher I can't handle a title

    Too true.
     
  17. susankb

    susankb Private E-2

    HELP ME! I don't know what I'm doing, so sorry if this is in the wrong place or something. But I got the best friends AIM virus and (think) I successfully got rid of it. The link no longer comes up. However, my IM signs on and off frequently, I get a TON of pop-ups since I got the virus, and when I try to email (on several accounts) the pages for outgoing mail come up saying "error on page" and don't allow me to type in the body of the email, attach documents or send. I have updated and run my Norton, have uninstalled and redownloaded AIM and don't know what else to do! Someone, please help! Thank you!
     
  18. oblivvion

    oblivvion Private E-2

    I'm having the same problem liq was having, with the bestfriends virus. I used NOD32 to scan and clean my machine at first, and it detected and removed a trojan virus. Now I'm trying to follow your instructions regarding Hijack This, but I'm guessing that somebody should take a look at my log file first to help me out. If there's anything screwy, please let me know so I can get this fixed ASAP!
     

    Attached Files:

  19. PhilliePhan

    PhilliePhan Guest

    Hi Oblivvion & Susankb,

    Please start your own NEW threads for your specific problems - There is less confusion that way! :) Use the thread starter in the upper left of the board.

    Before you do, however, please run through this Tutorial. Note the steps that you can and cannot complete!

    http://forums.majorgeeks.com/showthread.php?t=35407

    HijackThis is the last step. The tutorial will remove a lot of crap that would otherwise show up in a HJT log and make our lives more difficult!

    Post back in new threads with the results of the tutorial & we'll fix you up! ;)

    Best luck,
    PP
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to what PP has stated, also give this a run: AIM Fix.
     
