Also, the computer is performing better, and is audibly much quieter than over the past few days.
Also, the computer is performing better, and is audibly much quieter than over the past few days.
Fix AWF Infection Step 3
Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Apoint\bak
C:\Program Files\iTunes\bak
C:\Program Files\Lexmark 1200 Series\bak
C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Winamp\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\Adobe\Photoshop Elements 4.0\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Dell\QuickSet\bak
C:\Program Files\Hewlett-Packard\HP Software Update\bak
C:\Program Files\HP\hpcoretech\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\j2re1.4.2_03\bin\bak
C:\Program Files\Maxtor\OneTouch\Utils\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Select Option 3 from the menu and press Enter.
- Press any key to continue.
- A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
- Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
- The program will proceed to remove the folders and will perform another scan for bak folders.
- It may take a few minutes to complete so be patient.
- When it is complete, it will open a text file in Notepad called AWF.txt.
- Please copy and paste the contents of the AWF.txt file in your next reply.
Before you close FindAWF, Seclect Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Originally Posted by katana
FindAWF closed immediately after generating awf.txt. I was unable to follow the quoted instructions.
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Fri 11/02/2007
The current time is: 19:27:35.51
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
AWF Option 4
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Select Option 4 from the menu and press Enter.
- Press "1" and then enter
- Press "e" and then enter
We've shifted a lot of garbage now, so lets have one last HJT log to check up on things
Are you happy with the results ?
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
I'm uncertain about the results. Webroot Spy Sweeper with Antivirus finds that "Troj/Virtum-Gen", is present still, while failing to effectively quarantine. Upon restart after attempted quarantine Spy Sweeper historically finds other malware presumably related to the presence of this particular Troj/Virtum-Gen. Whether this will continue to be true I am unsure; I am concerned, however, that the remaining virus will cause a recrudescence of problems, although my computer is presently much improved.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:28 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 6212 bytes
Have you turned off your Norton AntiVirus ?
Can you post the SpySweeper log ?
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
- Close ALL open windows (especially Internet Explorer!)-O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
Now click Fix checked
Click yes to any prompts
Close HijackThis
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Update Adobe Acrobat Reader
There is a newer version of Adobe Acrobat Reader available.
- Please go to this link Adobe Acrobat Reader Download Link
- On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
- Click the Continue button
- Click Run, and click Run again
- Next click the Install Now button and follow the on screen prompts
When the installation is complete go to Add/Remove Programs and uninstall all previous versions.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
I do not have Norton Antivirus. The steps above have been completed. Attached and zipped is the most recent Spysweeper log.
All the SpySweeper results are in quarantine folders.
They will be deleted before we finish
Re Norton, do you use any Norton/Symantec software ?
Did you used to use any, and have uninstalled it ?
I take it that you are using Spysweeper as your antivirus ?
Do you have the full paid for version ?
It seems to have let a lot of nasties on your machine.
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Well, about the quarantine, that is good news!I once had Norton Antivirus but have long since uninstalled it. I have the full paid version of SpySweeper with Antivirus, though I added the antivirus portion when I began to suspect trouble. Apparently antivirus software is not to be used retroactively!
It is far easier to stop the malware from installing, than trying to remove it afterwards
There are some remains of Norton left, if you no longer use any Norton/Symantec products please do the following
Remove Norton
Please click HERE and follow the instructions to download and run the norton removal tool
Show All Files And Folders
Now you need to show all files and folders
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck Hide file extensions for known file types
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Delete Files and Folders
Find and delete the following Files and Folders if still present.
Congratulations your logs look clean :DC:\Windows\absolute key logger.lnk << This file
C:\Windows\aconti.ini << This file
C:\Windows\aconti.log << This file
C:\Windows\aconti.sdb << This file
C:\Windows\acontidialer.txt << This file
C:\Windows\default.htm << This file
C:\Windows\System32\sznf.ascii << This file
C:\!KillBox << This Folder
Let's see if I can help you keep it that way
First lets tidy up :D
You can delete FindAWF.exe and any reports that we have made.
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Reset System Restore.
Now you should disable System restore to purge any infected files and then re-enable it,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.
Firewall
You do not appear to have a firewall.
You may be using Windows firewall, however this only stops incoming traffic.
A third party firewall is much safer, as it stops malware that does get on your PC from contacting "home"
Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
There are many free ones to choose from if cost is a problem. Visit here to choose one.
Also PLEASE read this article, it has some very good tips on staying safe online.
So How Did I Get Infected In The First Place
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Microsoft MVP Consumer Security 2009 -2010
If we have helped, please consider a donation
THESE INSTRUCTIONS ARE FOR THIS USER ONLY
Posting Permissions
