Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Aim Virus - Can't Remove....


  • This topic is locked This topic is locked
3 replies to this topic

#1 ESR

ESR

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 14 October 2007 - 08:13 AM

Hi All,
My son was nice enough to infect my laptop with a virus that apparently comes from the AIM community. It installs something on the computer that tries to broadcast to his buddy list. B/C my AV scans every outgoing message, my screen fills up with symantec warnings.

I have run my virus scans (full) and have deleted or cleaned all the files. When I run the scan again, Symantec states that I am clean - however - the window pop ups start appearing all over again. This does not happen when I am in safe mode with Network connectivity - only in standard running mode.

I know I have some form of Backdoor.Rankey and W32.allim, and have followed all of Symantec's instructions for removing it, but I can't find the hidden file(s) that keeps running these pop ups.

How do I find which are the bad files and remove them?

I have installed and run "autoruns" - but honestly don't know what to look for! When I use the start up database, many of the EXE that I look up don't seem to be in the database (or I am doing something wrong).

There must be an easy fix to this popular AIM infection???

Thanks from the newbie!!
ESR

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,771 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:14 AM

Posted 14 October 2007 - 09:15 AM

Download and run AIMFix to remove all known AOL Instant Messenger-related viruses.


Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if your not sure how to do this. DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean its best to use the Administrator's account or an account with Administrative rights otherwise you will not have access rights to scan some locations. You can also Use the "Run As" Command to Start a Program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Then download and scan with SUPERAntiSpyware Free.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 ESR

ESR
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 14 October 2007 - 11:04 AM

Thanks.....
Out of curiosity - are the following two files VALID windows files???
1) AH.EXE (windows\system32\)
2) AMEJPJP.EXE (windows\system32\)

Thanks
ESR

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,771 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:14 AM

Posted 14 October 2007 - 02:01 PM

I have moved your Hijackthis log to the Misplaced HJT Logs forum. You posted your log in a forum not intended for these logs analysis and probably missed the directions we provide to those who require assistance.

Your log can be found here.

Please follow all directions that I posted as a reply to your log. Following these instructions will ensure that your hijackthis log is properly posted so it can be reviewed in a timely manner.

If you have any questions please respond in that thread. To avoid confusing, I am closing this topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users