nickmart Posted September 21, 2005 (edited)

I received a strange message from a friend with a link that was supposedly to a picture file. I clicked the link and it turns out to be a suspicious .exe. I requested that Windows Firewall continue blocking the program, but soon after, my internet connection was no longer receiving packets. The connection is still connected and firewalled, but there is no data transferring. I can no longer browse the internet, nor log onto AIM.

I am running Windows XP Pro SP2. I've tried using Ewido, McAfee VirusScan Enterprise 8.0i, AdAware, Spybot Search & Destroy, and the only things that turned up were tracking cookies. WinSockFix did not correct the problem either. I also tried deleting my Temp files. Trojan Hunter did turn up this scan, though:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Port 5180/TCP is open (matches Peeper.120)
Memory scan
No trojans found in memory
File scan
No trojan files found

I ran HijackThis finally. Here is my log. PLEASE help. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:26:14 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.mit.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125359996914
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I really do not wish to format. That is a last resort. So if anyone could help with an alternative, I'd really appreciate it.

Edited September 21, 2005 by nickmart
Besttechie Posted September 22, 2005

Hi and Welcome,

Ok, please download and run the following program: http://www.jayloden.com/aimfix.htm

Since you can't connect to the internet, you can burn the program to a data cd or put it on a flash drive, then just transfer it to the other pc and run it. That should clean up your AIM Virus. Let us know how it works. Your HJT looks fine.

Good luck!

B
nickmart Posted September 24, 2005 (Author)

> Hi and Welcome,
> Ok, please download and run the following program: http://www.jayloden.com/aimfix.htm
> Since you can't connect to the internet, you can burn the program to a data cd or put it on a flash drive, then just transfer it to the other pc and run it. That should clean up your AIM Virus. Let us know how it works. Your HJT looks fine.
> Good luck!
> B

Thanks Besttechie for your response. I ran AIMFix in normal mode and safe mode, and it found nothing. However, I do know why I have no internet connection. My school cut off my internet connection after noticing "this system was sending TCP SYN packets on port 445 to the IP addresses of thousands of computers." My first thought was that there was a trojan on my computer, but none of the scans caught anything. My school said they will reopen my internet connection when I have reformatted my computer, but I would rather try to clean and solve the problem. I am not sure how my school can even tell if I reformat my computer or not. Any suggestions?

Thanks Again.
Besttechie Posted September 24, 2005

Just curious, why do you think you're infected with something? Your log looks clean, nothing is catching anything, I'm not sure why you think you have some kind of virus.

B
nickmart Posted September 26, 2005 (Author)

> Just curious, why do you think you're infected with something? Your log looks clean, nothing is catching anything, I'm not sure why you think you have some kind of virus.
> B

Thanks again BestTechie for your response. I thought my computer was infected since this all started after clicking on that strange link someone IM'ed me through AIM. I am not sure how else someone could invade my computer and start port scanning computers on the network. In any case, I think I will probably have to format the computer. It shouldn't take me long, but I usually like to learn as much as possible from my computer problems.
Besttechie Posted September 26, 2005

Do you have a firewall? Maybe a router of some sort or some kind of software firewall that was telling you you're being port scanned?

Also, as a note, before you format: you're constantly being pinged/port scanned to some degree. People do ping sweeps to see if a computer will respond; if it does, they will probably look to get into that machine (at least see if they can). Now, a good firewall will stay silent and not respond, making the person who's doing the scan think there is nothing there, and they will keep going. But you will always be scanned, so just have a good firewall (a router that is properly configured or a software one like Sygate). Don't run two software firewalls as they will conflict; what you can do is run a software and a hardware (router) firewall and that will be fine.

I might also mention that if someone wants to get into a network/machine badly enough, they will, no matter what firewall hardware/software you have running. The thing is, they will probably not waste their time if you are somewhat secured.

B
nickmart Posted September 27, 2005 (Author)

> Do you have a firewall? Maybe a router of some sort or some kind of software firewall, that was telling you you're being port scanned? Also, as a note, before you format, you're constantly being pinged/port scanned to some degree. People do ping sweeps to see if a computer will respond to it, if it does they will probably look to get into that machine (at least see if they can), now a good firewall will stay silent and not respond making the person who's doing the scan think there is nothing there and will keep going. But you will always be scanned, just have a good firewall (router that is properly configured or a software one like sygate)
> B

While I run Sygate on my first system, I stupidly decided to only run the Windows Firewall for this computer. That will definitely change when I reformat. However, when I did click on the link, it sent me to a site that tried to install something. A Windows box came up asking if I was sure I wanted to install something. I blocked it, closed the site, and went to sleep. I awoke in the morning to find I didn't have internet access. The reason I know someone was port scanning with my computer is because my school sent me an email saying exactly that (they tracked it back to my IP and MAC addresses). I am confident that my school knows what they are doing. So, I think the solution is just to reformat. I take back my initial thought of this being the work of a trojan and now say this was probably the work of some hacker. Reformatting should fix everything and ensure that all back doors and registry changes are set back to normal.
Besttechie Posted September 27, 2005

Ok, well, I have some advice for you to follow after the reformat.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

Trillian or Miranda-IM - These are malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

B