
Thread: Can anyone help?

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    5

    Can anyone help?

    Hi

    I've started receiving messages from my Norton Firewall telling me that amee.exe is trying to contact the internet.

    I've run Ad-aware & Pest Patrol & cleaned out my temp folders etc but it's still there.

    I've also tried google but had no luck.

    Does anyone know if this is a virus or spyware and if so, how I can get rid of it?

    Can post a hijackthis log if that helps?

    Regards
    G

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Hmm... From googlin it looks to be some sort of hijacker, maybe when you googled there wasn't anything there, cuz I only got about 10 results TOTAL... I am GUESSING this is new, and you got screwed into being one of the first to get it... Hit Ctrl Alt Del and end the process... Now navigate to C:\Documents and Settings\username\Application Data\amee.exe and you should be able to delete it... Make sure you can see hidden files and folders, cuz it might be hidden...

    BTW this is the BEST first post I have seen by anyone in about a month, good job on not being a total idiot and having SOME MEANING to your post!
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    graemejaxx,

    Welcome to AO, and indeed, your first post is the best we've all seen in a while here. We've had quite a few trolls lately.

    Back to the subject, please post your hijackthis log so we can take a look. Run Ad-aware, pestpatrol and spybot in safe mode. Let us know how it goes.

    Also, check where the file is located, Norton might tell you or just search for it, reboot in safe mode and manually delete the file.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Please forgive me for being ignorant..................

    Have you tried updating all your scanners, your Windows, your IE, and then re-booting into SAFE MODE and running your scanners/AV?

    Whilst you are there (in safe mode) you might just run scandisk with autorepair on, and then defrag.

    That will defrag files that would normally be in use, such as your AV pattern file, so you might get a slight performance improvement.

    Cheers

  5. #5
    Does anyone know if this is a virus or spyware
    I think it is a trojan.....

  6. #6
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Here's a link with amee.exe required to be removed.. I'm afraid I haven't too much time on so at an educated guess, I'm thinking on the lines of trojan too, try a HT log just to make really sure, I'm sure a few guys'd love to have a go.. have you been getting popups or anything unusual of the kind btw?

    http://help.lockergnome.com/index.php?showtopic=20726

  7. #7
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Thanks for the welcome guys

    Ok, I don't have spybot as every time I install it on my machine it causes problems?? Just tried again & it crashed the machine when I tried to update so it's gone.

    I've cleared everything and ran PP/AA/Norton etc and removed everything they've shown.

    The amee file is showing up in Application Data, I've tried to remove it manually but it says 'Access denied'

    I'm relatively new to this so I'm unsure of how to get the pc to run into safemode and what to do once I'm in etc?

    Here's my latest Hijackthis log, there's a few things on there I'm sure I've read about as being trojans & spyware but I may be wrong:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:56:50, on 17/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\System32\Promon.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\WindUpdates\WinUpdt.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\WindUpdates\WinKA.exe
    C:\Documents and Settings\Graeme\Application Data\amee.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Documents and Settings\Graeme\Local Settings\Temporary Internet Files\Content.IE5\RACRBDO5\HijackThis[1].exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/...c02&lc=0809&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...c02&lc=0809&ac
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Graeme\Application Data\amee.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Do&wnload by ReGet Jr. - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
    O8 - Extra context menu item: Download A&ll by ReGet Jr. - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...145ae90fecae62
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...023.2589236111
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5CD5A636-FC20-4AA7-BAAF-4034BAAC0FD6}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF61C9AD-B940-450A-ACE9-C406C56FA4EC}: NameServer = 205.188.146.146


    Look forward to your help
    G
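
An added example, not part of the original thread: a small parser for the HijackThis log format shown in the post above that lists registry autostart (O4) entries launching a program from a per-user profile directory and notes whether that image is also in the running-process list. The path heuristic and the function names are assumptions made for illustration; a hit is a triage lead, not a verdict, since legitimate software also starts from Application Data.

```python
import re

# Excerpt of the HijackThis log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Documents and Settings\Graeme\Application Data\amee.exe

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Graeme\Application Data\amee.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>" (registry autostart entries only)
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Assumed heuristic: per-user directories on Windows XP writable without admin rights
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)

def parse(log):
    """Return (set of running image paths, list of (hive, key, name, command))."""
    running, autoruns, in_procs = set(), [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := O4_RUN.match(line)):
            autoruns.append(m.groups())
    return running, autoruns

def suspicious_autoruns(log):
    """Registry Run entries that start a program from a user-writable profile path."""
    running, autoruns = parse(log)
    findings = []
    for hive, key, name, cmd in autoruns:
        if USER_WRITABLE.search(cmd):
            findings.append({"hive": hive, "key": key, "name": name, "command": cmd,
                             "running": any(p in cmd.lower() for p in running)})
    return findings

if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_LOG):
        print(f)
```

The reported hive and value name identify the registry entry that has to be removed along with the file, otherwise the autostart entry is left pointing at a missing or replaced executable.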

  8. #8
    Junior Member
    Join Date
    Jan 2004
    Posts
    5
    Sorry, I've also started getting an error message that says there is a problem with IAMAPP.EXE??

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Hit F8 right after your BIOS pops up on the screen when you boot to select safemode.

    While in safe mode try uninstalling NIS (norton internet security) and NAV (norton antivirus) as iamapp.exe is part of those, install a different firewall RIGHT AFTER you do that though, have it downloaded and ready to go. Also, have you patched lately?

    Windows Update

    Also, do you use IE, and have not patched lately? IE has been having TONS of holes lately, like 15 in the last 3 weeks, no lie.

    After patching, see if the problem goes away... That might be it... Also, do you think it's possible you could attach the amee.exe file onto a post so someone with a *nix machine can run strings on this sucker so we can find out WTF it is/does/wants to do?

    If you think this thing is doing something on the internet, download Fport from Foundstone. Go to resources then free tools, then intrusion detection, and download it. It is a Command line based program so you will have to spawn a cmd shell (start/run/cmd) and type the location of fport. Copy and paste or paste a screenie on here if you can't figure out what it all means and see if amee.exe is using the net.

    Good luck man. This seems to be one tough, unknown, cookie.

  10. #10
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    IAMEE.exe's a Norton's file... Norton's screwing up or it's a trojan.. also, tried deleting amee.exe in safe mode? Does it run on your task manager?
