AIM Link Virus
   

jsiegz
New Member


Date Joined Mar 2005
Total Posts : 6
 
Posted 10-5-2005 10:26 (GMT +1)
I too have gotten the AIM link virus. I tried everything I know (which sadly, isn't too much) but it's still there. Any help would be greatly appreciated!


Logfile of HijackThis v1.99.1
Scan saved at 5:25:45 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\etb\pokapoka73.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jer\My Documents\My Deliveries\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [strtas] lockx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\Run: [System service72] C:\WINDOWS\\\etb\\pokapoka72.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
O4 - HKLM\..\RunServices: [strtas] lockx.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-62-602-0000156.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



Once again, thank you in advance.
 

Emilio (SVK)
Gold Member




Date Joined Jan 2005
Total Posts : 1876
 
Posted 10-6-2005 7:00 (GMT +1)
Hi Jsiegz

>Download AIMFix.exe<

>Download Ad-AwareSE<

>Download SpyBot 1.4<

>Download Ewido Security Suite<
(compatible with your current AV soft)

>Download CCleaner<

>Download LSPFix<

install and check for updates....

PROCEDURE:
1. Turn off System restore (just click if you don't know how)

2. Reboot to the "Safe mode" (just click if you don't know how)

3. Show hidden files (just click if you don't know how)

4. Run Hijackthis:
Check:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\Run: [System service72] C:\WINDOWS\\\etb\\pokapoka72.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
O4 - HKLM\..\RunServices: [strtas] lockx.exe
O4 - HKCU\..\Run: [strtas] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-62-602-0000156.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll (file missing)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing

Non-essential items:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Fix checked...........

5. Run Task Manager (CTRL+ALT+DELETE):

lockx.exe
C:\WINDOWS\\\etb\\pokapoka70.exe
C:\WINDOWS\\\etb\\pokapoka72.exe
C:\WINDOWS\etb\pokapoka73.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
End these processes....

6. Find and delete these files:
C:\WINDOWS\\\etb\\pokapoka70.exe
C:\WINDOWS\\\etb\\pokapoka72.exe
C:\WINDOWS\etb\pokapoka73.exe (also folder etb)
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe (also folder Windows)
C:\Program Files\Common Files\mc-62-602-0000156.exe
C:\Program Files\DNS\Catcher.dll (also folder DNS)
lockx.exe

Try to find files with the tmp extension; they look something like 56.tmp, 6E.tmp, 68.tmp, 73.tmp..... Select them and delete them all.

Run LSPFix
check - I know what I'm doing

xfire_lsp_10650.dll replace this file to the right side and press Finish.


7. Scans:
run AIMFix.exe
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot (press Immunize and then scan)
run scan with Ewido (Complete scan)

8. Cleaning TEMP folders
run CCleaner (Run cleaner)

9. Reboot

post new log after that...thx


Emilio25


Post Edited (Emilio (SVK)) : 10/6/2005 6:53:26 AM GMT

 

jsiegz
New Member


Date Joined Mar 2005
Total Posts : 6
 
Posted 10-7-2005 3:42 (GMT +1)
Wow, thanks for replying so quickly.

Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:12 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jer\My Documents\My Deliveries\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.the818search-co.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.the818search-co.com/sp2.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



I just want to thank you once again for all your help.

Unfortunately I won't be able to respond until after this weekend, so I apologize in advance for not replying speedily.
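
A follow-up log is easier to check against the first one mechanically than by eye. The sketch below is an added example, not part of the original thread or of HijackThis: it parses the entry lines (section code, then body) from excerpts of the two logs posted above and reports what was removed, what is new, and which sections had an entry replaced rather than removed. The function names are hypothetical.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [strtas] lockx.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-62-602-0000156.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
"""
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.the818search-co.com/sp2.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then the entry body

def parse(log):
    """Map a normalised (section, body) key to the original entry line."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and running-process lines do not match and are skipped
            # Collapse repeated backslashes and fold case (Windows paths are case-insensitive).
            body = re.sub(r"\\+", r"\\", m.group(2)).lower()
            entries[(m.group(1), body)] = line.strip()
    return entries

def compare(before, after):
    """Split the entries of two logs into removed, added and unchanged."""
    b, a = parse(before), parse(after)
    return {"removed": sorted(b[k] for k in b.keys() - a.keys()),
            "added": sorted(a[k] for k in a.keys() - b.keys()),
            "unchanged": sorted(a[k] for k in a.keys() & b.keys())}

def replaced_sections(diff):
    """Sections where one entry went away and a different one appeared."""
    section = lambda line: line.split(" - ", 1)[0]
    return sorted({section(l) for l in diff["removed"]} &
                  {section(l) for l in diff["added"]})

if __name__ == "__main__":
    diff = compare(BEFORE, AFTER)
    for kind in ("removed", "added", "unchanged"):
        for line in diff[kind]:
            print(f"{kind:9} {line}")
    print("entry replaced, not just removed, in:", replaced_sections(diff))
```

On these excerpts the O2 and R1 sections are reported as replaced: the O2 entry is now Spybot's SDHelper.dll, and the R1 search URL points at a different host than in the first log.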
 

Emilio (SVK)
Gold Member




Date Joined Jan 2005
Total Posts : 1876
 
Posted 10-7-2005 6:04 (GMT +1)
OK looks clean

Do you still have some problem with the virus, or is it OK?

I suggest 4 U:
FireFox (more secure and stable than IE)
www.mozilla.org/products/firefox/all.html

CCleaner - periodically use this utility

Rgrds
Emilio


Emilio25

 

jsiegz
New Member


Date Joined Mar 2005
Total Posts : 6
 
Posted 10-9-2005 9:30 (GMT +1)
Well, it seems the virus is gone.

And yah, I use Firefox, I don't know why it came up that I use IE, I deleted IE off my computer at least a month ago.....

But, anyway, thanks for the tips, and thank you very much for your help, you're a miracle worker!
 

Emilio (SVK)
Gold Member




Date Joined Jan 2005
Total Posts : 1876
 
Posted 10-9-2005 10:53 (GMT +1)
Enable System restore (reverse process of disabling)

Re-hide system files (reverse process of Show hidden files)


Thread has been solved and closed. If you have a similar problem, try to follow the advice in this topic.
If it doesn't work in your case, create a new topic >click here<.
Please post the final result of disinfection. It's good to know.

GLAD WE COULD HELP

Starter of this topic - If you need to reopen this thread, please contact a Forum Moderator via PM with the address of the thread.

DO NOT POST LOG TO THE TOPIC STARTED BY SOMEONE ELSE!!!

>>READ FORUM RULEZ BEFORE YOU CREATE TOPIC<<

Regards
Emilio


Emilio25


Post Edited (Emilio (SVK)) : 10/25/2005 4:24:23 AM GMT
