
How does one uninstall AMMYY


  • This topic is locked
12 replies to this topic

#1 phillipl

phillipl

  • Members
  • 9 posts

Posted 01 December 2012 - 09:13 AM

My poet friend has the following potential virus issue concerning the remote desktop software "AMMYY".

Long story, short, in an effort to get back into his yahoo mail account which had been "locked" he called a number off the yahoo mail support site and reached some "support" technicians.

They had him go to the www.ammyy.com site and download and install "aa_v3.exe", which he did. After browsing about his machine (or at least moving the mouse about), they subsequently informed him that his machine was riddled with viruses. Some $390 later (credit card - payment stopped), it seems the machine essentially is the same and apparently performing normally. (Yahoo mail still locked.) But whatever, he's moved to gmail.

However, I see no way to uninstall the "ammyy" remote desktop software. He has an ancient machine. I don't have the machine in front of me, but as I recall he has the following

HP Pavilion(?)
384mb (i know this)
Intel Celeron 500mhz(?)
Win XP Pro SP3 (i know this).

From the following HijackThis log, does he have an issue? Is "AMMYY" still installed? (It does not appear in Add/Remove software in Control Panel.) How does one uninstall "AMMYY"? (One side note: System Restore fails to restore to dates earlier than his downloading and installing "AMMYY" (11/20/2012).) Here is a recent HijackThis log.

+++

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:46:28 PM, on 11/30/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by AOL
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343879130909
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DE9AFA4-48E4-4D4F-B2D2-2081FF3F6102}: NameServer = 68.237.161.12 71.250.0.12
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 4674 bytes

+++

As an aside, if anyone saw the movie Putney Swope (my friend was the "poet" in that movie's famous board room scene).
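As an added example (not from this thread, and not a HijackThis feature), here is a small Python parser for the HijackThis log format posted above that flags running processes, O4 autostart entries and O23 services mentioning the executable the "support" technicians had installed. The sample log is an excerpt of the real log plus one constructed O23 service line, which is not in the real log, so that the check has something to report.

```python
import re

# Indicators: the executable the scammer had installed and the vendor name
# (matched case-insensitively as substrings).
INDICATORS = ("aa_v3.exe", "ammyy")

# Excerpt of the thread's real log plus one CONSTRUCTED O23 line (not in the
# real log) so the example shows what a positive hit looks like.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe
C:\\Program Files\\Trend Micro\\HiJackThis\\HiJackThis.exe

O4 - HKLM\\..\\Run: [avast] "C:\\Program Files\\AVAST Software\\Avast\\avastUI.exe" /nogui
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe
O23 - Service: Ammyy Admin (AmmyyAdmin) - Unknown owner - C:\\Documents and Settings\\User\\Desktop\\AA_v3.exe -service
"""

# HijackThis entry lines look like "O4 - ...", "R1 - ...", "F2 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first R/F/O entry ends the process list
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif not line:             # a blank line also ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
    return processes, entries

def find_indicators(text, indicators=INDICATORS):
    """Return [(where, line)]: 'process' for the process list, else the
    entry code (O4 = Run-key autostart, O23 = installed service, ...)."""
    processes, entries = parse_hjt(text)
    hits = [("process", p) for p in processes
            if any(i in p.lower() for i in indicators)]
    hits += [(code, body) for code, body in entries
             if any(i in body.lower() for i in indicators)]
    return hits
```

Run over the full log as posted, `find_indicators` returns nothing for these indicators; a portable executable that was only run, never registered as a service or Run entry, leaves no HijackThis line at all, so an empty result shows only that nothing auto-starts, not that the file is gone.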



#2 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 04 December 2012 - 05:32 PM

Hello Phillip :)

This HiJackThis! log looks fine but the tool is quite outdated and we use a different tool nowadays to detect more prevalent types of infections.

Please read and follow the steps here: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Post or attach your logs here once you are finished.

Regards

#3 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 07 December 2012 - 02:40 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#4 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 09 December 2012 - 04:22 PM

The topic has been reopened per user request.

#5 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 10 December 2012 - 04:24 AM

Post your logs whenever you are ready :)

#6 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 12 December 2012 - 04:07 PM

If you are having trouble completing the steps here: http://www.bleepingcomputer.com/forums/topic34773.html

Let me know.

#7 phillipl

phillipl
  • Topic Starter

  • Members
  • 9 posts

Posted 13 December 2012 - 01:13 AM

I returned to the machine in question (it's about an hour away).

Unfortunately, I have been unable to have DDS.COM produce the logfile DDS.TXT.

***
I backed up his documents.

I downloaded and installed DDS.COM.

I turned off (all) real-time Avast Free anti-virus shields (including script blocker).

I ran DDS.COM (v2012-11-20.1). It runs and appears to complete; however, when I press the "CLOSE" button, it flashes (very quickly) a msg box and then closes - no DDS.TXT is produced. ATTACH.TXT is produced and saved on his desktop. I reran DDS.COM with only the DDS option selected. Again, upon pressing the "CLOSE" button, it flashes (very quickly) a msg box and then closes - no DDS.TXT is produced. I searched his hard-drive (SUPERFINDER) and there is none.

Should I post the ATTACH.TXT log file?

Is the minimal system memory on his machine an issue? (384mb), running Win XP Pro SP3.

#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 13 December 2012 - 02:21 AM

Skip DDS for now but go ahead and attach the ATTACH.txt it produced.

Allow me to go over some general rules while we are working together as I forgot to mention them previously.

I do have some basic rules while we are working together so please read and follow them:


  • Be specific!
    • If you come across a problem while performing any of the steps listed here, do not simply state "It did not work." Tell me the exact error you encountered if one was given to you. For example, this is a much better response: "When I ran the ____ tool, an error box appeared on my screen and said 'Illegal operation attempted on a registry key that has been marked for deletion.'. There is only an 'OK' button in the box."
  • Do not run any scans/fixes on your own!
    • If at any time you feel that you can handle the rest of your computer problems on your own without my help, just let me know! I will not be offended and there are other users that need help. However, do not perform scans and/or fixes that I have not asked you to do on your own and then expect me to continue helping you because I will not!
  • I will close the topic if I have not heard a response from you within 72 hours.
    • If you are going to be away, just let me know and I will leave the topic open until you can return.

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run.
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • Please post the contents of the latest numbered RKreport.txt from your desktop to your next post.

__

  • Please download and install CCleaner Slim
  • Open CCleaner and click the Options button
  • Now choose Advanced
  • Uncheck everything here except for Skip User Account Control warning
  • Now click the Cleaner button and press the Run Cleaner button at the bottom right of the program.
  • If this is your first time running this program, a prompt may appear asking for confirmation to delete temporary files. Go ahead and proceed.

__

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

__

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

__

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.

    baseservices
    netsvcs
    
  • Now click the scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt

__

Is the minimal system memory on his machine an issue? (384mb), running Win XP Pro SP3.

Yes, somewhat.

I would not even recommend running an antivirus with this amount of memory as it will just slow the system down even more. I would recommend an upgrade in memory but I'm sure you have already considered this :)

Edited by thisisu, 13 December 2012 - 02:29 AM.


#9 phillipl

phillipl
  • Topic Starter

  • Members
  • 9 posts

Posted 13 December 2012 - 05:48 PM

Hi.

I will probably not be able to get back to the machine for a few days, so it will be a bit before I have more.

I've attached "ATTACH.TXT"

I've tried to upgrade his ram to (at least) 512mb w/strange rebooting on post. More anon.

Thanks,

Phillip


#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 20 December 2012 - 06:59 PM

Do you have an ETA on when you expect to return to the machine?

#11 phillipl

phillipl
  • Topic Starter

  • Members
  • 9 posts

Posted 20 December 2012 - 10:38 PM

I don't. I'm sorry. Pretty hectic here with other stuff. I have the todo list you directed me to - and will when I get there. Perhaps best to close the topic and when the todo is todone, I'll message you to that effect. How's that?

#12 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 03 January 2013 - 04:41 PM

Sounds good.

#13 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 03 January 2013 - 04:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



