TechSpot

Did 8 Steps already, Please Help

By andrew4336
Jun 21, 2009
  1. Hi,

    I am helping clean a friend's laptop, which got horribly infected with all kinds of viruses and malware. After doing the 8-step process, a few of the viruses/spyware that came up were Win32 : Fasec and Isass.blaster.keylogger. This friend uses this laptop for business purposes too and has a lot of sensitive info on here (most likely).

    Before I did any of the 8-step process the computer was so bad that it froze up as soon as you started it up. I had to do the beginning part of it in safe mode. Now the computer is a lot better and I'm able to run Windows normally. However, I am recommending that she back up whatever important files she can and still wipe and reformat her drive (change passwords etc...). It might take a while for her to do her reinstall/reformat properly (as she has to wait for a new Windows XP Pro disc to come in).

    So for the week she has to use this, I am asking if someone can look at the logs and see if there's anything else I should do. That way she can still use the computer this week for business until she can reformat.

    Something I want to point out is that Internet Explorer seems to pop up a blank window every now and then. I am going to reinstall Firefox for her to use.

    Also, it's a Dell laptop, if that makes a difference.

    Here are the logs:

    Thanks for any help!

    - Andrew Alanis
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Run HJT, Scan only, then select and Fix the below:
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - AppInit_DLLs: avgrsstx.dll dimfor.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    Then run SAS again, as it had findings, so we need to run it until we have a clean log.

    ONLY when above is complete do the below!

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double-click combofix.exe and follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
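As an added check (example code, not part of mflynn's reply or of any tool named in the thread), the PowerShell script below re-reads the registry locations behind the HJT lines quoted above, so that after the Fix and a reboot you can confirm the trusted-zone entries, the AppInit_DLLs and Winlogon Notify DLLs, and the services whose files are missing are actually gone rather than trusting a single scan. It assumes a 32-bit Windows XP-era registry layout and an administrator PowerShell session; the function name Get-HjtResidue and the output format are my own.

```powershell
# Added example, not code from the thread: re-check the persistence points behind the
# HijackThis O15 / O20 / O23 lines after the Fix and a reboot.
# Assumes a 32-bit Windows XP-era registry layout and an administrator session.

function Get-HjtResidue {
    $findings = @()

    # O15: a domain under ZoneMap\Domains whose scheme value is 2 sits in the Trusted
    # sites zone. Malware adds its own domains here so its downloads meet fewer prompts.
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (Test-Path $base) {
            foreach ($key in (Get-ChildItem $base -Recurse)) {
                foreach ($scheme in $key.GetValueNames()) {
                    if ($key.GetValue($scheme) -eq 2) {
                        $domain = $key.Name -replace '^.*\\Domains\\', ''
                        $findings += "O15 Trusted Zone ($hive): $domain scheme=$scheme"
                    }
                }
            }
        }
    }

    # O20 AppInit_DLLs: every DLL listed here is loaded into each process that links
    # user32.dll, so a dropped entry (dimfor.dll in the log) survives until the value is cleaned.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $path = if (Test-Path $dll) { $dll } else { Join-Path $env:SystemRoot "system32\$dll" }
            $state = if (Test-Path $path) { 'present' } else { 'file missing' }
            $findings += "O20 AppInit_DLLs: $dll ($state)"
        }
    }

    # O20 Winlogon Notify: each subkey names a DLL that winlogon.exe loads at logon.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in (Get-ChildItem $notify)) {
            $dll = (Get-ItemProperty $sub.PSPath).DllName
            if ($dll) {
                $path = if (Test-Path $dll) { $dll } else { Join-Path $env:SystemRoot "system32\$dll" }
                $state = if (Test-Path $path) { 'present' } else { 'file missing' }
                $findings += "O20 Winlogon Notify: $($sub.PSChildName) - $dll ($state)"
            }
        }
    }

    # O23: services whose image file no longer exists are dead entries (avg8wd in the log).
    # Image paths are either quoted, or the first token up to a space; XP also registers
    # some services without an .exe extension (e.g. "svchost -k rpcss"), so try both.
    foreach ($svc in (Get-WmiObject Win32_Service)) {
        if (-not $svc.PathName) { continue }
        if ($svc.PathName -match '^"([^"]+)"') { $exe = $matches[1] }
        elseif ($svc.PathName -match '^(\S+)') { $exe = $matches[1] }
        else { $exe = $svc.PathName }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path $exe) -and -not (Test-Path "${exe}.exe")) {
            # An unquoted path containing spaces also lands here; that is worth a look too.
            $findings += "O23 Service $($svc.Name) ($($svc.StartMode)): $exe (not found as written)"
        }
    }

    return $findings
}

Get-HjtResidue | ForEach-Object { Write-Output $_ }
```

An empty result means the four locations HJT reported on are clean; anything printed is an entry to fix again (or, for a service, to remove with `sc delete`) before handing the laptop back for the week.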
     
  3. andrew4336

    andrew4336 TS Rookie Topic Starter

    Here it is. I did exactly what you said, then ran SAS, then did ComboFix and HijackThis again.

    Here are the logs
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Good so MBAM and SAS came up with clean logs?

    So now rename ComboFix to 1cfix, run 1cfix and post its log.

    Then

    Left-drag the mouse and copy for pasting all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste it into the black screen of an open command prompt. All may not apply, so ignore errors.

    Code:
    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    
    sc config ClipBook start= disabled
    sc stop ClipBook
    
    sc config Dfs start= disabled
    sc stop Dfs
    
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    
    sc config TrkWks start= disabled
    sc stop TrkWks
    
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config ERSvc start= disabled
    sc stop ERSvc
    
    sc config HidServ start= disabled
    sc stop HidServ
    
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    
    sc config CiSvc start= disabled
    sc stop CiSvc
    
    sc config IsmServ start= disabled
    sc stop IsmServ
    
    sc config kdc start= disabled
    sc stop kdc
    
    sc config LicenseService start= disabled
    sc stop LicenseService
    
    sc config Messenger start= disabled
    sc stop Messenger
    
    sc config Netlogon start= disabled
    sc stop Netlogon
    
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    
    sc config NetDDE start= disabled
    sc stop NetDDE
    
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    
    sc config RSVP start= disabled
    sc stop RSVP
    
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    
    sc config upnphost start= disabled
    sc stop upnphost
    
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    
    sc config UPS start= disabled
    sc stop UPS
    
    sc config WebClient start= disabled
    sc stop WebClient
    
    sc config JavaQuickStarterService start= disabled
    sc stop JavaQuickStarterService
    sc delete JavaQuickStarterService
    attrib -h -s -r /s c:\jqs.*
    del /f /q /s c:\jqs.*
    
    sc config RpcSs start= Automatic
    sc start RpcSs
    
    sc config RpcLocator start= Automatic
    sc start RpcLocator
    
    sc config MSIServer start= Automatic
    sc start MSIServer
    exit
    exit
    Reboot, post a new HJT log and report how the system is running!

    Mike
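The sc.exe list above changes the start type of thirty-odd services with no record of what they were before, which matters on a business laptop that has to keep working for a week (Netlogon on a domain-joined machine, for instance). As an added example, not code from mflynn's post, the PowerShell script below performs the same disable step but first writes each service's current start type and running state to a CSV so the change can be reversed. It assumes PowerShell 2.0 on Windows XP and an administrator session; the function names, the CSV path and the $StartTypeMap table are my own. The JavaQuickStarterService removal and the RpcSs/RpcLocator/MSIServer re-enable lines from the post are not repeated here and stay as written there.

```powershell
# Added example, not part of mflynn's post: the same service lockdown as the sc.exe list,
# with a snapshot of each service's start type and state taken first so it can be undone.
# Assumes PowerShell 2.0 on Windows XP and an administrator session.

$ServicesToDisable = @(
    'Alerter','AeLookupSvc','ClipBook','Dfs','FastUserSwitchingCompatibility','TrkWks',
    'TrkSvr','DNSCache','ERSvc','HidServ','PolicyAgent','CiSvc','IsmServ','kdc',
    'LicenseService','Messenger','Netlogon','NetTcpPortSharing','mnmsrvc','NetDDE',
    'NetDDEdsdm','NtLmSsp','SysmonLog','RSVP','SSDPSRV','upnphost','WMPNetworkSvc',
    'WmiApSrv','WmdmPmSN','RemoteRegistry','RemoteAccess','SCardSvr','TlnSvr','UPS',
    'WebClient'
)
$BackupFile = Join-Path $env:USERPROFILE 'service-starttypes.csv'   # assumed location

# WMI reports StartMode as Auto/Manual/Disabled; Set-Service wants Automatic/Manual/Disabled.
$StartTypeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Save-ServiceState {
    # Snapshot only the services we are about to touch; names that do not exist on this
    # machine are simply skipped (the post says to ignore those errors).
    $rows = @(foreach ($name in $ServicesToDisable) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc) {
            New-Object PSObject -Property @{
                Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
            }
        }
    })
    if ($rows.Count -gt 0) { $rows | Export-Csv -Path $BackupFile -NoTypeInformation }
    return $rows
}

function Disable-ListedServices {
    # Only services present in the snapshot are changed, so there is always a way back.
    foreach ($row in (Import-Csv $BackupFile)) {
        Set-Service -Name $row.Name -StartupType Disabled
        Stop-Service -Name $row.Name -Force -ErrorAction SilentlyContinue
    }
}

function Restore-ServiceState {
    # Put every snapshotted service back to its recorded start type, and restart the
    # ones that were running. Boot/System start modes are drivers and are never touched.
    foreach ($row in (Import-Csv $BackupFile)) {
        if ($StartTypeMap.ContainsKey($row.StartMode)) {
            Set-Service -Name $row.Name -StartupType $StartTypeMap[$row.StartMode]
            if ($row.State -eq 'Running') {
                Start-Service -Name $row.Name -ErrorAction SilentlyContinue
            }
        }
    }
}

$saved = Save-ServiceState
Write-Output "Saved start types for $(@($saved).Count) services to $BackupFile"
Disable-ListedServices
# To undo later, in the same session or after dot-sourcing this file again:
#   Restore-ServiceState
```

Keep the CSV with the other evidence from the cleanup; if name resolution, printing or a domain logon stops working during the week, Restore-ServiceState puts the list back exactly as it was, rather than guessing at which of the thirty-odd services the owner actually needed.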
     