AIM: Best Friends / Away Message AIM Virus, Trojan, and Backdoor

Contributed by MickeyMouse, August 16, 2004
Tagged: Instant messaging

msnguyen.exe, aolmsngr.exe, and msginav.exe are examples of process names used in this new AIM trojan. Here’s what it does.


You went to a web page and downloaded what appeared to be a screensaver file that ends in *.scr.

Windows warned you, but you downloaded it anyway.

Now your AIM client is acting crazy. You have installed a trojan and here’s how to get rid of it.

This program may do it automatically for you. Even if the program works, you should go through the manual steps below to remove any traces.
http://elon.edu/student/jaleman/BestFriends.htm

Here is the manual way:

1. Hit CTRL-ALT-DEL to open the Task Manager.
2. Select the Processes tab.
3. Select aolmsngr.exe by left-clicking on it.
4. Hit the End Process button at the bottom of the Task Manager.
5. Say Yes to the warning.

This should turn it off.

The bugger hides in c:\windows\system32\aolmsngr.exe.
You should be able to delete it from there.

You’ll also want to remove aolmsngr.exe from the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

You should also do a search for hilarious.scr and delete it whenever you find it.

Why is this bad? aolmsngr.exe opens a backdoor into your system and allows other people to gain access at will.

You had to accept several warnings in order to download this. Don’t do this again. I hope this helps.

SP2 would have automatically blocked the download, by the way.

Once you are done, update and run your antivirus and an antispyware program like Spybot. Hopefully, these will clean up any additional programs that the backdoor might have installed on your system.
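
The registry check from the manual steps, as an added example that is not part of the original recipe: a read-only Python triage of saved `reg query` output for the Run and RunServices keys. The file names are the ones listed on this page; the sample output, the value names in it, and the Temp-directory heuristic are constructed assumptions.

```python
import ntpath
import re

# File names listed on this page (the recipe plus the follow-up comments).
# Variants get renamed, so a match here is a lead, not a complete signature.
KNOWN_NAMES = {
    "msnguyen.exe", "aolmsngr.exe", "msginav.exe", "hilarious.scr",
    "tgbot_pecompact.exe", "tgbot_upx_packed.exe", "tgbot_upx_unpacked.exe",
    "yahoomsgr.exe", "7a938e2392b773c3f11b0952732b244a.exe",
    "backdoor.spyboter.as.exe", "backdoor.spyboter.gen[2].exe",
    "zopytlrs.exe", "netdll.exe", "netstatt.exe",
}

# One value line of `reg query` output: <name> <REG_TYPE> <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")
# Unquoted command: everything up to the first executable extension.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|scr|com|pif|bat))(?=\s|$)", re.IGNORECASE)


def parse_reg_query(text):
    """Return (key, value_name, command) tuples from `reg query <key>` output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries


def target_exe(command):
    """Return the executable an autorun command launches, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = EXE_PREFIX.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(entries):
    """Flag autorun entries worth a closer look and say why."""
    findings = []
    for key, name, command in entries:
        path = target_exe(command)
        reasons = []
        if ntpath.basename(path).lower() in KNOWN_NAMES:
            reasons.append("file name listed on this page")
        # Assumption (not from the recipe): autoruns started from a Temp
        # directory are rarely legitimate and deserve review.
        if "\\temp\\" in path.lower():
            reasons.append("launches from a Temp directory")
        if reasons:
            findings.append(
                {"key": key, "value": name, "path": path, "reasons": reasons}
            )
    return findings


# Constructed sample of `reg query` output; not taken from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example Vendor\updater.exe" /background
    AOL Messenger    REG_SZ    C:\WINDOWS\system32\aolmsngr.exe
    ExampleTray    REG_SZ    C:\Program Files\Example Vendor\tray.exe -minimized
    Nb    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\Nb.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Net Service    REG_SZ    msginav.exe
"""

if __name__ == "__main__":
    for f in triage(parse_reg_query(SAMPLE)):
        print(f"[{f['value']}] {f['path']}: {'; '.join(f['reasons'])}")
```

To use it on a real machine, save the output of `reg query` for each of the two keys to a text file and pass the file's contents to `parse_reg_query`; the script only reads and reports, so removal stays a manual step.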

For other spyware related problems, try this recipe too…

  • Anonymous
    I have this virus and i tried to follow what you say to do. The only problem is when i click for task manager, it only comes up for a second and then it disappears. It just won't stay up no matter how i pull it up! And the website you gave doesn't work. I've done a search and "run" for all the files that you say to look for and it can't find it... but i know you're talking about the same virus because it is exactly what i have! So please, Help me more! Email me at Asher689@hotmail.com PLEASE! This virus is really stressing me out and i've had it for about a month now. I've done tons of virus scans and i just can't get rid of it!
  • Anonymous
    I am having the exact same problem. Regedit and task manager will not open.
  • guest
    help me this virus is screwing my comp. i have the same problems of all of u
  • MickeyMouse
    The virus above has been edited and renamed by multiple different people. There is no way that I know to list all the potential names of files that you should be looking for. Examples:

    tgbot_pecompact.exe
    tgbot_upx_packed.exe
    tgbot_upx_unpacked.exe
    yahoomsgr.exe
    7a938e2392b773c3f11b0952732b244a.exe
    backdoor.spyboter.as.exe
    backdoor.spyboter.gen[2].exe
    aolmsngr.exe
    zopytlrs.exe
    msginav.exe
    netdll.exe
    netstatt.exe

    If you can't use the task manager, then you won't be able to gain access to them to delete them anyway.

    I am not going to reinstall this virus again to figure it out for you, so you guys are going to have to help me.

    Has anybody tried rebooting into safe mode and using the recipe above?
    Try one of these to get a working copy of taskmanager:
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    http://www.dougknox.com/xp/utils/xp_emerutils.htm

    Let us know if you get your system fixed.
  • davak
    Great idea, Mickey. As many people probably do not know what is happening to their system, I am going to post a related recipe on this new advice. Those little freeware progies rock.

    The new recipe is here:
    http://www.tech-recipes.com/windows_tips648.html
  • blonde5224
    i give up.. i did everything you guys said and i get all the way to the system32 file and there is no aolmsngr.exe file at all.. i dont know why but its not fair and my computer is driving me crazy!!! :cry:
  • Yo
    OKOK DONT CRY!
    Just download aimfix
    http://www.jayloden.com/VirusClean.htm
  • dafluffyjoe@yahoo.com
    Last night and early into this morning a couple friends of mine had the same virus problem. My friend Chelsea got infected somehow and people clicked the link in her away message (hijacked away message) and it installed the virus on their computer. It's posing as a screen saver from the show Friends. After seeing the file type and knowing it was an AIM virus I tried to warn people not to download, but they're sheep :-/ . For me I installed it 3 times to figure it out. First off I have a firewall, and by blocking it from getting internet access it stops it. Ex. If you have a firewall, install the program, it asks for access to the internet and you deny. That will stop it overall. In XP I found that it went into several of my drivers containing Friends in the name. I run on Windows XP. Now, I manually searched it out and deleted several versions.
    So far other than the recipe for deleting already I have found this works SOME of the time on 2000 pro and XP's.

    First, find the original file and delete it... Or better yet, rename it to a txt. type of file.

    Secondly, do several computer searches through the start menu, search for all files and folders; search for every word in the original file name individually, don't be lazy and search for the whole thing!

    Thirdly, delete all those files and after all have been deleted and you double checked they stayed deleted, empty the recycle bin if you already haven't and pull your comp's plug, or hold down power so they don't come back when saving your settings in Windows.

    Boot up and don't access the internet right away. Search for all the files again and make sure they haven't come back. Now go onto the internet and download the Zone Alarms firewall. Log off of the internet and install. Do a virus scan with as many virus programs as you can find... Free ones usually work, search for the files again and delete if necessary. Then log onto the internet. Make sure Zone alarms security is as high as possible, and don't let anything default access! If anything like aimsrg.exe or something that says AIM that you know isn't the AIM program tries to access then don't let it access :)

    Good luck!
  • YO
    OK
    http://www.jayloden.com/VirusClean.htm
    IT KILLS aLL AIM VIRUSES
  • Guest
    YO wrote:
    > OK
    > http://www.jayloden.com/VirusClean.htm
    > IT KILLS aLL AIM VIRUSES

    THANKS!!
    U saved me alot of time.
    i didnt want to follow the manual ways..
    kinda long
  • Anonymous
    *Crying* people i think i really give up.. i was so excited i worked for hours with what you guys told me.. and i thought for sure i was in the clear bcus i hadnt seen the away message in days... i even helped all my friends get rid of theirs by sending them your guys link.. but somehow the virus had just been "in hiding" or something bcus it returned today.. pop up away note and all.. i even tried that AIMFIX thing that worked for everyone.. just not me =*(
  • davak
    Anonymous wrote:
    > *Crying* people i think i really give up.. i was so excited i worked for hours with what you guys told me.. and i thought for sure i was in the clear bcus i hadnt seen the away message in days... i even helped all my friends get rid of theirs by sending them your guys link.. but somehow the virus had just been "in hiding" or something bcus it returned today.. pop up away note and all.. i even tried that AIMFIX thing that worked for everyone.. just not me =*(

    Download hijack this...
    http://www.richardthelionhearted.com/~merijn/downloads.html

    Create a new thread and post your log file in our spyware forum.

    Log files posted to this thread will be deleted. These clean outs get too confusing with multiple people posting log files...

    Maybe one of us can help you.
  • Anonymous
    ok i downloaded hijackthis.. now where do i go from here?
  • Anonymous
    :x it wont let me do ctrl alt delete so ur effin rong
  • AirLamps
    I am trying to do that Alt+Ctrl+Del to get rid of the trojan virus, but every time i do it, the window goes away. If the virus is making the window disappear, how can i get rid of it?
  • davak
    AirLamps wrote:
    > I am trying to do that Alt+Ctrl+Del to get rid of the trojan virus, but every time i do it, the window goes away. If the virus is making the window disappear, how can i get rid of it?

    Read this:
    http://www.tech-recipes.com/windows_tips648.html
  • guest
    I HAVE THE SAME DAMN PROBLEM AND NOTHIN WORKS SOMEONE HELP
  • allie
    i also have the Best Friends virus :cry: and I ran the HijackThis program and I was wondering if someone could take a look at my results and tell me what to delete....thanks! :D

  • lisa
    I downloaded Hijack this and this is my log. My daughter admitted to clicking on the IM away link and now every 2 minutes AIM attempts to load and it is driving me crazy. CTRL Alt Delete is not working, I also downloaded procexpnt and tried to manually get rid of it. Help, does anyone know anything about this log?
  • davak
    Allie!
    C:\documents and settings\allison\local settings\temp\Nb.exe

    Known backdoor.

    C:\Program Files\Winad Client\Winad.exe
    C:\Program Files\Winad Client\WinClt.exe

    Spyware

    C:\PROGRA~1\Web Offer\wo.exe

    Spyware

    ------------------------------

    You obviously have a very sick computer. I just highlighted the ones that jumped out at me. I would tackle/delete NB.exe first.

    Download spybot at http://www.safer-networking.org/en/index.html

    Let us know if that helps! Try to keep us updated.
  • davak
    C:\Program Files\Winad Client\Winad.exe

    SPY

    C:\WINNT\system32\MSCRON.EXE

    ?

    C:\Program Files\Winad Client\WinClt.exe

    Spy

    C:\WINNT\system32\nbzkrw.exe

    Likely spy, spy, trojan...

    C:\active.exe

    Backdoor.Hornet
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hornet.html

    ---------------------

    Lisa... here are the files that are jumping out at me. Read the urls noted above, delete the evil ones noted above, and run some spyware removal.
    http://www.safer-networking.org/en/index.html

    Let us know how you are doing...
  • davak
    Please start a new forum thread when posting hijack this files.

    Cleaning a system like this requires a lot of work... by starting a new forum post we can keep it straight.

    Also, before posting your file, please run an updated anti-virus and at least one or two anti spyware programs. This will help reduce that amount of junk that you have in your system... and make our jobs easier.

    spybot - http://www.safer-networking.org/en/index.html
    adaware - http://www.lavasoftusa.com/software/adaware/
    avg free antivirus - http://free.grisoft.com/freeweb.php

    Thanks!
  • Anonymous
    davak wrote:
    > Allie!
    > C:\documents and settings\allison\local settings\temp\Nb.exe
    >
    > Known backdoor.
    >
    > C:\Program Files\Winad Client\Winad.exe
    > C:\Program Files\Winad Client\WinClt.exe
    >
    > Spyware
    >
    > C:\PROGRA~1\Web Offer\wo.exe
    >
    > Spyware
    >
    > ------------------------------
    >
    > You obviously have a very sick computer. I just highlighted the ones that jumped out at me. I would tackle/delete NB.exe first.
    >
    > Download spybot at http://www.safer-networking.org/en/index.html
    >
    > Let us know if that helps! Try to keep us updated.

    Thanks so much...it seems to be doing better now. I was losing hope because I downloaded AimFix and SpyBot and neither of them caught what it was....so thank you soooo much for helping me out! I'll let you know if there are any other problems. :D --Allie
  • fitz
    oh my god, this virus won't go away. i've tried aim fix (it closes each time it tries to run), checked system 32, done about 4 virus scans in the last 12 hours, downloaded that program to replace task manager, etc etc etc. helppppp.
  • guest - lisa
    Thanks for looking at the log I posted and alerting me to some problems. I have been able to delete active.exe, winnt/system32/nbzkrw.exe, and winnt/system32/MSCRON.exe; however, winad.exe will not allow me to delete. I went to grisoft and downloaded AVG free, but I am having problems installing it. I get an error that says "The system file is not suitable for running MS-DOS and Microsoft Windows applications" "Choose close to terminate the application" My computer is a Compaq EVO running Windows XP. I also uninstalled AIM, was this necessary? Thanks for all your help!!!
    smiles,
    lisa
  • fitz
    here's my hijack this log...please help !
    log file removed


    Please start a new forum thread when posting hijack this files.

    Cleaning a system like this requires a lot of work... by starting a new forum post we can keep it straight.

    Also, before posting your file, please run an updated anti-virus and at least one or two anti spyware programs. This will help reduce that amount of junk that you have in your system... and make our jobs easier.

    spybot - http://www.safer-networking.org/en/index.html
    adaware - http://www.lavasoftusa.com/software/adaware/
    avg free antivirus - http://free.grisoft.com/freeweb.php

    Thanks!
  • guest
    i downloaded AIM fix and it didnt help.
  • Anonymous
    :( :( :( ...I'm back again. Things seemed to be fixed after I deleted the stuff you told me to delete but only a few hours later, the problem was back again. I don't know what to do now - I can't get rid of this thing! A couple of my friends have picked it up from me, also, because my AIM automatically signs itself online and puts up the away message without me knowing. I have uninstalled AIM for now but I'm in college and I need my computer to work for my papers and right now its basically inoperable. Please help! Thanks so much!! :D

    PS - I'll post my HijackThis results again if it would help...
  • Calientay314
    Hey guys. I know and understand all of your problems. I only had the virus for two days before realizing how to get rid of it...you need to download AIM fix...from http://www.jayloden.com/VirusClean.htm its soo easy...just download it and it will fix it in like 4 seconds. I was a little hesitant to download it..but its well worth it because now im back to using aim. Even though my Norton Anti Virus did not at first pick up the virus...after downloading AIMFIX it gave me a notice and deleted it right away. If this doesnt work for u...i dont know what will. Have a good day. :
  • Anonymous
    Calientay314 wrote:
    > Hey guys. I know and understand all of your problems. I only had the virus for two days before realizing how to get rid of it...you need to download AIM fix...from http://www.jayloden.com/VirusClean.htm its soo easy...just download it and it will fix it in like 4 seconds. I was a little hesitant to download it..but its well worth it because now im back to using aim. Even though my Norton Anti Virus did not at first pick up the virus...after downloading AIMFIX it gave me a notice and deleted it right away. If this doesnt work for u...i dont know what will. Have a good day. :

    Doesn't work....tried it long ago :cry:
  • davak
    guest - lisa wrote:
    > Thanks for looking at the log I posted and alerting me to some problems. I have been able to delete active.exe, winnt/system32/nbzkrw.exe, and winnt/system32/MSCRON.exe; however, winad.exe will not allow me to delete. I went to grisoft and downloaded AVG free, but I am having problems installing it. I get an error that says "The system file is not suitable for running MS-DOS and Microsoft Windows applications" "Choose close to terminate the application" My computer is a Compaq EVO running Windows XP. I also uninstalled AIM, was this necessary? Thanks for all your help!!!
    > smiles,
    > lisa

    The new version of hijack this contains a process killer. Do this...
    1. Open Hijack this
    2. Click the Config button
    3. Click Open Process Manager
    4. Click on the following one by one and then press the Kill Process button

    C:\Program Files\Winad Client\Winad.exe
    C:\WINNT\system32\MSCRON.EXE
    C:\Program Files\Winad Client\WinClt.exe
    C:\WINNT\system32\nbzkrw.exe
    C:\active.exe

    Likely you have already removed some of these. Once you do this, go and delete the files. Then install your antivirus and spy removal programs. Let us know if it works.
  • davak
    Anonymous wrote:
    > :( :( :( ...I'm back again. Things seemed to be fixed after I deleted the stuff you told me to delete but only a few hours later, the problem was back again. I don't know what to do now - I can't get rid of this thing! A couple of my friends have picked it up from me, also, because my AIM automatically signs itself online and puts up the away message without me knowing. I have uninstalled AIM for now but I'm in college and I need my computer to work for my papers and right now its basically inoperable. Please help! Thanks so much!! :D
    >
    > PS - I'll post my HijackThis results again if it would help...

    Who is this? We have about a million guests! :)
  • Allie
    davak wrote:
    > Anonymous wrote:
    > > :( :( :( ...I'm back again. Things seemed to be fixed after I deleted the stuff you told me to delete but only a few hours later, the problem was back again. I don't know what to do now - I can't get rid of this thing! A couple of my friends have picked it up from me, also, because my AIM automatically signs itself online and puts up the away message without me knowing. I have uninstalled AIM for now but I'm in college and I need my computer to work for my papers and right now its basically inoperable. Please help! Thanks so much!! :D
    > >
    > > PS - I'll post my HijackThis results again if it would help...
    >
    > Who is this? We have about a million guests! :)

    Oh...sorry...this is Allie. I forgot to type my name... :oops: I'm using Trillian instead of AIM at the moment but the virus is still messing with my AIM and other parts of the computer....help!
    Thanks, Allie :D
  • davak
    These are the things you need to use hijack this to fix.

    First install hijack this into a real folder... and get the latest version. You are running an older version. You don't need it in a temp folder so it can make backups for you.

    Boot into safe mode first.

    Run hijack this and use the process killer to stop these processes. You can find the process killer in the configuration portion of the latest hijack this.

    Kill these Running processes:
    C:\documents and settings\allison\local settings\temp\Nb.exe
    C:\Program Files\Winad Client\Winad.exe
    C:\Program Files\Winad Client\WinClt.exe
    C:\Documents and Settings\Allison\Application Data\amee.exe
    C:\PROGRA~1\Web Offer\wo.exe


    Then go to your add/remove software section and remove winad if it shows up. Uninstall "WEB OFFER" as well.

    Open explorer and show hidden files and folders
    (Tools |Folder Options | View).

    Now go and delete the files listed in the processes above.

    Use Hijack this to "fix" these entries

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Allison\Local Settings\Temp\K5.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Uah05H5X.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [Nb] C:\documents and settings\allison\local settings\temp\Nb.exe
    O4 - HKLM\..\Run: [rbklopt] C:\WINDOWS\System32\oefwal.exe
    O4 - HKLM\..\Run: [tE7h34e] webwvdrv.exe
    O4 - HKLM\..\Run: [v9e9LQ] C:\documents and settings\allison\local settings\temp\v9e9LQ.exe
    O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
    O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Allison\Application Data\amee.exe
    O4 - HKCU\..\Run: [cponRQK2h] wldppcmp.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Xapfwum] C:\WINDOWS\System32\zpnq.exe
    O2 - BHO: (no name) - {49A83909-9A32-04C4-8605-645504A0733E} - C:\WINDOWS\System32\wccetxz.dll

    As you can see, you have more spyware than real software. The odds of getting everything off without killing your system are getting smaller and smaller.

    Delete these files next:

    C:\WINDOWS\System32\zpnq.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Documents and Settings\Allison\Application Data\amee.exe
    C:\Program Files\Winad Client\Winad.exe
    C:\Program Files\WhenUSearch\Search.exe
    C:\documents and settings\allison\local settings\temp\v9e9LQ.exe
    C:\WINDOWS\System32\Uah05H5X.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\active.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\documents and settings\allison\local settings\temp\Nb.exe

    Now run spybot and adaware... and anything else you got that might help.
    http://www.tech-recipes.com/windows_tips674.html

    Let us know how you are doing!
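Added example (not part of davak's post and not HijackThis code): a Python triage pass over `O2`/`O3`/`O4` lines like the ones listed in the post above. The sample entries are adapted from that list with the path separators written out, and the flag names and the four heuristics are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entries adapted from the post above; backslashes written out (assumed layout).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Allison\Local Settings\Temp\K5.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [Nb] C:\documents and settings\allison\local settings\temp\Nb.exe
O4 - HKLM\..\Run: [tE7h34e] webwvdrv.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Allison\Application Data\amee.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
"""

_O2_O3 = re.compile(r"^(O[23]) - (BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_O4 = re.compile(r"^(O4) - (HK(?:LM|CU)\\\.\.\\\w+): \[(.*?)\] (.*)$")
# First token ending in an executable extension, quoted or not.
_IMAGE = re.compile(r'(?i)"?((?:[a-z]:\\)?[^"]*?\.(?:exe|dll|scr|com|bat|pif))(?=["\s,]|$)')


@dataclass
class Entry:
    section: str            # O2 (BHO), O3 (toolbar) or O4 (Run-key autostart)
    location: str           # "BHO", "Toolbar" or e.g. HKLM\..\Run
    name: str
    clsid: Optional[str]
    image: str              # file the entry loads at startup
    flags: List[str] = field(default_factory=list)


def target_image(command: str) -> str:
    """Return the file a command line loads; for rundll32 that is the DLL."""
    m = _IMAGE.search(command)
    if not m:
        return command.strip()
    image = m.group(1)
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        nxt = _IMAGE.search(command, m.end())
        if nxt:
            image = nxt.group(1)
    return image


def flags_for(raw: str, image: str) -> List[str]:
    """Illustrative heuristics only; an empty list is not a clean bill of health."""
    low = image.lower()
    flags = []
    if "(file missing)" in raw:
        flags.append("file-missing")    # leftover entry pointing at a deleted file
    if "\\temp\\" in low:
        flags.append("temp-dir")        # autostart out of a temp folder
    if "\\" not in low:
        flags.append("no-path")         # bare name, resolved through the search path
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        flags.append("drive-root")      # executable sitting directly in C:\
    return flags


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = _O2_O3.match(line)
    if m:
        section, kind, name, clsid, rest = m.groups()
        image = target_image(rest)
        return Entry(section, kind, name, clsid, image, flags_for(line, image))
    m = _O4.match(line)
    if m:
        section, key, name, command = m.groups()
        image = target_image(command)
        return Entry(section, key, name, None, image, flags_for(line, image))
    return None


def triage(log: str) -> List[Entry]:
    return [e for e in map(parse_line, log.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section} {e.name!r:28} {','.join(e.flags) or '-':14} {e.image}")
```

Entries that come back with no flags, such as `WhenUSearch` under `Program Files`, were still on the fix list in the post, so an empty flag list only means none of these four checks fired.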
  • amber
    this virus is driving me f'n crazyy ! i tried everythinggg.. the jay loden thingg.. a virus scann.. nd the crtl alt dlt thing.. it wont f'n workk ! helpp me outt heree !!!! :x :x :x :x :evil: :evil: :evil: :evil:
  • Anonymous
    Guest wrote:
    YO wrote:
    > OK
    > http://www.jayloden.com/VirusClean.htm
    > IT KILLS aLL AIM VIRUSES

    THANKS!!
    U saved me alot of time.
    i didnt want to follow the manual ways..
    kinda long

    The message I received was "Unable to open processes to terminate"

    what next?
  • davak
    Anonymous wrote:
    > Guest wrote:
    > YO wrote:
    > > OK
    > > http://www.jayloden.com/VirusClean.htm
    > > IT KILLS aLL AIM VIRUSES
    >
    > THANKS!!
    > U saved me alot of time.
    > i didnt want to follow the manual ways..
    > kinda long
    >
    > The message I received was "Unable to open processes to terminate"
    >
    > what next?

    First... have you tried to boot to safe mode and then try the above steps?

    Second... have you tried installing this program?
    http://www.sysinternals.com/ntw2k/freeware/proc...

    You can use it instead of ctrl-alt-del to kill processes.

    You can even install hijack this and paste the log into a new forum thread.

    Whining without giving us any information will not help.
  • Anonymous
    there is only one solution
    u must use "system restore" in control panel
  • Anonymous
    I DID IT!!!

    u should not do this if u have done something very important on ur computer lately.


    go into control panel
    pick performance and maintenance
    on the top left, it should say system restore
    this program lets you set back your computer exactly as it was at a different time
    choose a couple days before u got the virus
  • MickeyMouse
    Anonymous wrote:
    > I DID IT!!!
    >
    > u should not do this if u have done something very important on ur computer lately.
    >
    > go into control panel
    > pick performance and maintenance
    > on the top left, it should say system restore
    > this program lets you set back your computer exactly as it was at a different time
    > choose a couple days before u got the virus

    Sweet! This is one of the recommendations in Davak's general spyware removal hint sheet:

    http://www.tech-recipes.com/windows_tips674.html
  • Anonymous
    Anonymous wrote:
    > I am having the exact same problem. REgedit and task manager will not open.
  • Anonymous
    if your regedit / taskmgr aren't working, here is a little tip that I learned to get it to work temporarily.

    go into the c:/windows/system32 folder and find the filename for the program you want to run that isn't working correctly. copy the file to the same location and rename it with a .com extension instead of a .exe . Some viruses out there are killing the .exe processes, but aren't accounting for a .com extension.
  • Anonymous
    Anonymous wrote:
    > I am having the exact same problem. REgedit and task manager will not open.
  • Anonymous
    http://geocities.com/cumquat18/elimiexplorer.html

    getting the virus off of your computer
  • Anonymous
    I had the same virus, so I wrote a little "self help", i'll copy + paste it here, instead of the link b/c i'm sure people are wary of clicking links

    (my AIM is fsck you trebek if you need more help)

    So, you or someone that uses your computer clicked on the Aol Instant Messenger profile that had "OMFG my best friends are soo good looking" or "i never knew myself untill...." or whatever!
    your task manager disappears? you can't run regedit (get into your registry)? you can't run msconfig (to reboot into safemode) ?
    you've got a virus!
    Norton's, McAfee, anti-virus scans, etc won't help you here (yet).
    What you need to do is go and download what's called "Process Explorer" here http://www.sysinternals.com/ntw2k/freeware/proc...
    Run it, and terminate the process called "ElimiExplorer.exe"
    Then, go into your System32 Folder C:/Windows/System32 (make sure you can view your hidden folders, to do that: go into System32, click on TOOLS, then FOLDER OPTIONS, then click on the tab VIEW, then go to where it says "SHOW HIDDEN FILES/FOLDERS" and make sure the bullet next to it is highlighted)
    then, look for a program called "ElimiExplorer.exe" DELETE IT. then, also look for a file called keylog.exe DELETE IT. then, on your taskbar go to START---->RUN---->regedit then EDIT (at the top) ---->FIND---> then type in ElimiExplorer.exe when it finds it, next to ElimiExplorer.exe it will say "Popup Killer" IT LIED. it's just a ploy to get you to not delete it. DELETE IT. then empty your recycle bin. then, to be safe, go to START (on your taskbar)--->SEARCH ...files/folders....then type in ElimiExplorer.exe (after you've emptied your recycle bin) to make sure it's not on your computer anymore WALAH you're done! :-D

    (begging snipped)

    Mod Edit: Great advice... but no begging for donations.
  • davak
    Good advice... there are several problems with this bug. First of all, it is usually packaged with multiple other bugs... so just cleaning off elimiexplorer will not clear the problem.

    Here is how I would handle it on an xp machine:

    1. click start
    2. click run
    3. in textbox type cmd and click ok
    4. in the command window enter tskill ElimiExplorer.exe
    5. in the command window enter attrib c:\windows\system32\elimiexplorer.exe -r -s -h
    6. in the command window enter del c:\windows\system32\elimiexplorer.exe
    7. in the command window enter exit
    8. Then I would run several of the spyware removal systems described here:
    Spyware and Malware Removal - Links and Hints

    The goal should always be to do enough manually to be able to get your spyware programs where they can work.

    Booting into safe mode before running a spyware cleaner in a known infected system is a good way of increasing your chances it will work as well.
  • Anonymous
    please if anyone has any new methods or reformed old ones please help me out.. i just dont want to give up on my aim quite yet.. but im goin psycho!!! :(
  • Anonymous
    YO wrote:
    > OK
    > http://www.jayloden.com/VirusClean.htm
    > IT KILLS aLL AIM VIRUSES
  • Anonymous
    Anonymous wrote:
    > please if anyone has any new methods or reformed old ones please help me out.. i just dont want to give up on my aim quite yet.. but im goin psycho!!! :(

    http://www.geocities.com/cumquat18/elimiexplore...

    FOLLOW THE DIRECTIONS EXACTLY

    if that doesn't work, IM me fsck you trebek
  • Anonymous
    everyone i would like to deeply thank each and every one of you for your time and effort in trying to help me fix my computer.. after 2 weeks of strenuous battle i have finally won the war!! thats right i am officially rid of my virus and oh so proud although i would not have been able to do it without all your help.. i tried all the methods listed (basically) and can tell you that in the end the system restore method is the best way to go.. its not too complicated or confusing.. you can undo it if youd like.. and it takes you back to that wonderful time in your life without the virus... LADIES AND GENTS.. its as simple as 1. control panel 2. performance and maintenance 3. left corner it says SEE ALSO.. click system restore 4. follow the instructions and pick a date in which your computer and you were still friends 5. the computer takes over and you are in anti virus haven

    NO ONE CLICK ANY LINKS EVER AGAIN!! lol from my new found experience i would just like to say to everyone dont click any links that are a SMIDGE suspicious and dont lead to a direct site that you are familiar of.. be careful of the internet world its DANGEROUS!! any problems feel free to email me at babybluedreamz@aol.com bcus i want to help anyone with the problem i had.. dont commit suicide over this guys.. i got ur back.. and thanks to the host of the website you ROCK my SOCKS!!
  • Anonymous
    i had the virus i got rid of it heres how download process explorer http://www.sysinternals.com/ntw2k/freeware/proc... there and that will stop ur windows task manger to disappear nd then u can get rid of the virus :D
  • Anonymous
    can sum one plz list for me all the things tat i should get rid of
  • Anonymous
    this virus is apparently also naming itself 'icqlite.exe' in the system32 folder ..

    i had it running and i knew it was BS because i don't use icq .
    if people can't find the other filenames, try that .
  • Natalie
    I think I got rid of the virus through AIMfix, because my aol instant messenger is fine. However, for some reason I can't access my gmail or school account. This has to be related to the virus, because it started happening right after I got it. Anyway, when I try to log-in to my e-mail it just keeps saying, "redirecting"... then a yellow caution triangle shows up and says something about a cookie. (this is happening to my friends who have the virus as well...) Any thoughts?
  • Anonymous
    hey "yo" u are the man thank you very much! :D
  • guest
    go to

    START
    SEARCH
    FOR FILES OR FOLDERS
    type in "friends" and delete anything you dont recognize!!

    its that easy!!
  • Anonymous
    Someone recently IMed me while I had an away message... Didn't know who it was. Screen name was like sweetbutfunchic.. I don't remember... Anyways I looked at their profile and it was a regular profile. So i wasn't suspicious of anything. 10 minutes later my computer restarted itself. When it reloaded it was running really slow and when I looked at the process tree aim.exe was making my processor run at 100% continuously. I ran ad-aware and Norton 2004 and it detected nothing. Also when I would end the aim.exe process tree my computer would automatically turn off. So what I did when I restarted my comp was end the aim.exe process tree as soon as it came up and I am able to use my comp but I haven't tried to open aim back up yet... Sorry for the long story...
  • TR250
    thanks for the aim virus killer. worked great!
  • guest
    Yo wrote:
    > OKOK DONT CRY!
    > Just download aimfix
    > http://www.jayloden.com/VirusClean.htm

    thank you so much i had the pop up away message that read http://www.shade tree service.com/best frien ds.scr the jayloden virus clean cleared it you dont know how appreciative i am

    Editor:
    added spaces in the url so that it wouldn't be a link.
  • Constance
    Natalie wrote:
    > I think I got rid of the virus through AIMfix, because my aol instant messenger is fine. However, for some reason I can't access my gmail or school account. This has to be related to the virus, because it started happening right after I got it. Anyway, when I try to log-in to my e-mail it just keeps saying, "redirecting"... then a yellow caution triangle shows up and says something about a cookie. (this is happening to my friends who have the virus as well...) Any thoughts?

    THAT IS EXACTLY WHAT IS HAPPENING TO ME, I CANT CHECK MY EMAIL AT ALL! please, i would be so grateful if someone helps me!!! my IM is ilovedeedzy32
  • scnwoo16
    the link and control panel won't work/stay open for me to try to remove these files...what do i do now?
  • Anonymous
    is nvsvc32.exe bad?
  • MickeyMouse
    Anonymous wrote:
    > is nvsvc32.exe bad?

    No. It's part of your NVIDIA drivers.
  • pinkbubblez44
    When i got the Best Friend Virus, I quickly got annoyed by it. Then all my friends started to get and we all just wanted it to die. Message after message for hours and hours.... we lived thru a day of that. After a day we found this website. It makes it go away!!!! It really works. So thank you whoever came up with it!!!!! Its a life saver!! http://www.jayloden.com/VirusClean.htm
    :lol:
    Always and Forever, *Amber*
  • Anonymous
    aimfix is saying there is no virus found on my computer!! what do i do?? I have the same problem as everyone else on this site!
  • Matt
    Constance wrote:
    > Natalie wrote:
    > > I think I got rid of the virus through AIMfix, because my aol instant messenger is fine. However, for some reason I can't access my gmail or school account. This has to be related to the virus, because it started happening right after I got it. Anyway, when I try to log-in to my e-mail it just keeps saying, "redirecting"... then a yellow caution triangle shows up and says something about a cookie. (this is happening to my friends who have the virus as well...) Any thoughts?
    >
    > THAT IS EXACTLY WHAT IS HAPPENING TO ME, I CANT CHECK MY EMAIL AT ALL! please, i would be so grateful if someone helps me!!! my IM is ilovedeedzy32

    I'm having the same exact problem...Someone please help me I need to access my email account for school........
  • Beth
    You probably want to do a full SpyWare scan now.... i.e. run AdAware and SpyBot since these AIM viruses have a history of installing a lot of SpyWare, too. (http://www.tech-recipes.com/windows_tips674.html)

    If that doesn't work, does a different browser work? Like FireFox? (http://www.mozilla.org/)

    Try the steps in the following Microsoft solution: http://support.microsoft.com/default.aspx?scid=kb;en-us;813444

    Finally, if you're on Windows XP, can you do a system restore back to before you clicked on that link? Start > (All) Programs > Accessories > System Tools > System Restore
  • foster
    That AIM fix isnt working for me, even in safe mode.

    How do i know? The away message is still popping up and the task manager and regedit has yet to work.

    So i am using copies of task manager and regedit, but i dont see any of the *.exe's that have been mentioned here. And i don't know what is harmful and what is not. Would rather not go deleting random things.


    =(
  • foster
    w/e... its system restore time
  • Songbird284
    I USED HIJACK THIS
    Can I e-mail my log to anyone who could look it over and tell me what to delete? I don't want to post it on this forum.
  • islandjen55
    well, not only does the elon link not work, but my end task window won't even stay up for me to do anything else. someone smart please figure this thing out :cry: !
  • davak
    islandjen55 wrote:
    > well, not only does the elon link not work, but my end task window won't even stay up for me to do anything else. someone smart please figure this thing out :cry: !

    Disappearing or Closing Task Manager from AIM Virus/Trojan/Worm
    http://www.tech-recipes.com/windows_tips648.html
  • islandjen55
    ok so i got rid of the away message thing, but now my hotmail page comes up as a blank page. help!
  • Songbird284
    I have the same hotmail problem.
  • joshua_dawg
    hey everyone!

    I am no expert, but I manually figured it out and deleted this virus from my computer, so maybe I can help.

    Here is what I did: (for XP, other OS can follow along too!)

    If you can't Cntr-Alt-Del, then you get to have some REAL fun.

    Go to Start>Run and type in cmd

    This will open a black window known as Command Prompt.

    In this window, type TASKLIST. This is going to print a long list of all the applications that are running on your computer. Now here is the hard part. If you know your computer pretty well, you should be able to figure this part out. You need to figure out which of the processes is the virus. Unfortunately, it has MANY different names. Mine was wmediaplayer.exe (which i knew was a fake because we all know the real executable for that is wmplayer.exe!!!!)

    The BEST way to figure out which one it is is this:

    In another window, go to your C Drive (or whatever your main drive where windows is installed). Then go to the Windows folder. Then go to System32. Now, to do this, you MUST know EXACTLY when you ran this program. If you do, sort the entire folder by date, and go find the program that corresponds to that exact time. BE VERY CAREFUL THOUGH!! You must make SURE that this is the EXACT time, otherwise you may delete something you need. It should look like the name of some other program, like aolmsngr.exe, or wmediaplayer.exe. Once you are positive that you have found the executable, go back to command prompt and you should see this program running. Next to it is a number labeled PID. Once you find that, type TASKKILL <insert the number you found>. This should stop the program. Then, go back to the C:/Windows/System32 folder and DELETE that .exe file that you found. This should take care of that virus.

    Well, sorry this is so long and confusing, but good luck and I will try to help you more if this is completely worthless! :-P
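Added example (not from the post): the two checks joshua_dawg describes, executables that appeared around the time the download was run and names that imitate a real Windows program, combined in one Python function. The known-name list, the 10-minute window and the function names are assumptions; on Windows `st_ctime` is the creation time, and malware can forge both timestamps, so an empty result proves nothing.

```python
import difflib
import os
from datetime import datetime, timedelta
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".dll", ".pif"}

# Small constructed list of genuine Windows program names (assumption;
# extend it for real use).
KNOWN_NAMES = ["wmplayer.exe", "svchost.exe", "explorer.exe", "winlogon.exe"]


def lookalike_of(name, known=KNOWN_NAMES, cutoff=0.8):
    """Return the genuine name that `name` imitates, or None.

    An exact match is the real program name and is not reported.
    """
    low = name.lower()
    if low in known:
        return None
    close = difflib.get_close_matches(low, known, n=1, cutoff=cutoff)
    return close[0] if close else None


def changed_near(folder, when, window_minutes=10):
    """List executables in `folder` created or modified close to `when`.

    Returns (file name, imitated name or None) pairs, closest in time first.
    """
    window = timedelta(minutes=window_minutes).total_seconds()
    target = when.timestamp()
    hits = []
    for entry in os.scandir(folder):
        if not entry.is_file():
            continue
        if Path(entry.name).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        st = entry.stat()
        # Use whichever timestamp lies closer to the moment of infection.
        delta = min(abs(st.st_mtime - target), abs(st.st_ctime - target))
        if delta <= window:
            hits.append((delta, entry.name, lookalike_of(entry.name)))
    hits.sort(key=lambda h: (h[0], h[1]))
    return [(name, imitated) for _, name, imitated in hits]


if __name__ == "__main__":
    # Example call; the path and the time are placeholders to replace.
    system32 = r"C:\Windows\System32"
    infected_at = datetime(2004, 10, 20, 11, 51)
    if os.path.isdir(system32):
        for name, imitated in changed_near(system32, infected_at):
            note = f" (looks like {imitated})" if imitated else ""
            print(name + note)
```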
  • Anonymous
    What should I delete or uninstall, if anything?
    Logfile of HijackThis v1.97.7
    Scan saved at 11:51:46 AM, on 10/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


    Running processes:

    Edit -- See below
  • davak
    songbird284 wrote:
    > What should I delete or uninstall, if anything?
    > Logfile of HijackThis v1.97.7
    > Scan saved at 11:51:46 AM, on 10/20/2004
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    I moved your hijack log into another forum to keep your problem separate from this thread. You can follow it here:

    http://www.tech-recipes.com/modules.php?name=Forums&file=viewtopic&t=519
  • Anonymous
    When I follow that link, I am asked for a username and password...I tried to use my tech-recipies username (songbird284) and my password, but I was not allowed to follow the link. Is there a specific username and password that I should put in when I am prompted for them?
  • davak
    songbird284 wrote:
    > When I follow that link, I am asked for a username and password...I tried to use my tech-recipies username (songbird284) and my password, but I was not allowed to follow the link. Is there a specific username and password that I should put in when I am prompted for them?

    Sorry. My mistake was in the url. It is corrected now.
  • tshaud
    when i went to remove it..my task manager wont stay up..it keeps closing..it wont let me delete it...is there any other way to do it or how should i fix my task manager
  • davak
    tshaud wrote:
    > when i went to remove it..my task manager wont stay up..it keeps closing..it wont let me delete it...is there any other way to do it or how should i fix my task manager

    Please read the entire thread before asking questions... this has been answered before.

    http://www.tech-recipes.com/windows_tips648.html
  • Anonymous
    new link is http://jayloden.com/BestFriends.htm

    just an fyi :)

    -Jay
  • Guest
    ok if you have that stupid away message virus in your profile go to http://www.jayloden.com/VirusClean.htm and then click on removal tool then follow through with the directions..make sure you save your profile in someway because it is going to get rid of it.....GOOD LUCK!! HAHA
  • Alexa
    -first make sure you save your profile because when this procedure is done it will get rid of your profile..

    -then go to http://www.jayloden.com/VirusClean.htm and click on remove tools

    -follow through the directions and the virus will be gone..

    -to make sure it worked..press control, alt, delete and if the window stays that means the virus is gone..

    GOOD LUCK!
  • Petey dude
    well im just a 11 year old kid, but all u have to do to remove it is search your computer for a file named ' bestfriends ' delete it and your set.
  • ewalker
    It doesn't work!!!! :x help!!!!
  • Anonymous
    Guys...enter in the website that it says when you click on the link in the posted solution. Then go to "Virus Symptoms" and scroll down to AIMGFix and click it. That should work.
  • tjh
    i used that automatic way(jayloden) to get rid of the virus and now i can actually open up the task manager but idk if i got rid of it or not or if i have any problems with my comp can some1 tell me how i can check for other viruses besides from running norton antivirus
    thanks
  • anonomous
    please help i downloaded the program bc my task manager wont open but now i can not follow your instructions bc i can not find aolmsg.exe i am not realli good with computers and i know this might be a stupid question but please help i need to get rid of this virus. I also tried clicking on the site that will remove it automatically but it says that the page no longer exists. if you have any suggestions please help! thanks alot
  • Anonymous
    PLEASE HELP ME! I have the same problem and it's got me so stressed!
  • Guest
    AIMFix seemed to fix my computer...and it is quick and easy! I found it on a website, and it took like a minute and I haven't had the problem since.
  • Anonymous
    :evil: i have tried everything i ran the AimFix downloaded the spyware remove have done everything that this post has suggested???????????????????????????????? what am i doing wrong
  • NotTechSavy
    I've apparently gotten this nasty strain of virus that attacks the task manager. (I also have a problem with a disappearing windows arrow/cursor that I suspect came from a virus as well).

    Anyway, I've followed the instructions, but can't seem to find the specific .exe program named, so I am at a loss as to how to delete.

    Process Explorer does note 5 separate svchost.exe programs running, which strikes me as odd. There is also something called VetTray.exe which sounds odd - and VetMsgNt.exe

    Can you help?
  • Anonymous
    I have done a search in windows and found a new file. It's under BESTFRIENDS[1].SCR-01693871.pf in the C:\windows\prefetch
  • Anonymous
    i have tried everything and i mean everything
    who ever started this gay thing is so0o stupid i mean what are you getting out of messing up computer i mean no $$ nothing just seeing thousands of innocent ppl stressed out lik i am this is really depressing
    if anyone has anything to help please let me no
  • Anonymous
    Everyone Just go to Help and support in your startup menu
    and search for System Restore.
    Run System Restore to a day that your computer was working before.
    Easy As that
  • blaah
    thanks buddy, i system restored to an earlier day now my computer doesn't turn on, im on a different one. helllppppppppp 8O
  • sickofbestfriendsvirus
    I'm having major trouble with the best friends aim virus. it's driving me insane. i downloaded aimfix and it worked for about a couple hour or so, i wasn't getting the away message anymore and my task manager was even working, but now it's come back, and i can't figure out how to rerun the aimfix program. does anyone have any alternative solutions??? i would greatly appreciate your help.
  • Alix
    omgosh...please help me. i also have the best friends virus and nothing has worked. i tried the AIMfix and i also tried the system restore. i think that bc of the virus now my norton anti virus wont work. when i try and open norton it says "your current security settings prohibit running ActiveX controls on this page. As a result the page may not display correctly." it never used to do that til i click that dumb beach pics link. please help me, i just got this comp like 4 months ago and my mom will hate me forever if i mess up this computer. :(
  • Anonymous
    OK so i do this and it says "yourre security setting dont aloow you to download this file? now what do i do?
  • sickofbestfriendsnomore
    If any of you have McAffee Virus Scan Program, it can get rid of this virus, It took mine a couple of days to find it, but when it did, everything went back to normal and has been so for a few days now. I would strongly suggest that program to anyone who has similar virus problems to get this program, it really works! :D
  • Guest
    I'm ready to jump off a bridge! I've done everything I've seen here (everywhere else) for the last 4 1/2 hours. I've resolved everything, I think, except the ability to change my security settings in IE. "my computer" is set to High. When I manually go in and change it to low or medium it appears to take the reset, but then immediately reverts back to High. Incidentally, no default selection is available. I have no idea what to do next.... Please, please help!
  • guest
    boot in safe mode
    go to regedit, find local machine, software, microsoft, windows, current version, run
    look at all the virus programs booting at startup
    search your computer for those obscure program names
    delete every program you find
    delete all virus program entries in regedit
    optional: run adaware/spybot, altho the viruses you talk about may not yet be in their definitions file
    finally reboot machine
  • Anonymous
    start your computer in safe mode...then run a search for 'SVCHOSTA' (make sure the 'search hidden folders' box is checked) delete the file 'SVCHOSTA' (its the file causing the problem) delete all (if there is more than one)...then simply restart your computer and it should be fixed...this happened to me too, its a pain in the ass and took me FOREVER to find someone who knew how to fix it

    Anonymous wrote:
    > I have this virus and i tried to follow what you say to do. The only problem is when i click for task manager, it only comes up for a second and then it disappears. It just won't stay up no matter how i pull it up! And the website you gave doesn't work. I've done a search and "run" for all the files that you say to look for and it can't find it... but i know you're talking about the same virus because it is exactly what i have! So please, Help me more! Email me at Asher689@hotmail.com PLEASE! This virus is really stressing me out and i've had it for about a month now. I've done tons of virus scans and i just can't get rid of it!
  • Anonymous
    Hi, Is there any way to make sure the virus is gone?
  • Anonymous
    ^^ Sorry about that last post being so incomplete.

    I used AIMFix once before but the virus wasn't gone. I tried it again and AIM seems to be fine...for now. Is there any way I can be sure that the virus is gone?
  • a guest
    :) Thank you to the person who recommended the AIMFIX! It worked! THANK YOU!!!!
  • Anonymous
    http://www.jayloden.com/VirusClean.htm worked hella goooooooood. haha thanx whoever made that
  • Anonymous
    When I try to run AimFIX it says "A required .DLL file, PSAPI.DLL, was not found."...I'm lost...
  • Anonymous
    yah i think i have a virus to on here...it keeps on popping up and away message that says...like pics from the beach last night and it give you a link. so how can i fix it please email me Junior__Ortiz_92@hotmail.com
    thanx,
    Junior
  • Anonymous
    hey i fixed it thanx!!!
  • shikatano
    the file name doesn't have to be "aolmsngr.exe" mine was named winhost.exe, so maybe that could be what yours is named....um definitely close it by using the process explorer program that was given in the recipe
  • 55
    88