TechSpot

Dog in his pen

By gnedic
Mar 26, 2008
  1. Hi Techspot,

    I've been here before. Just few weeks back Kritius was kind enough to help me with this virus http://www.techspot.com/vb/topic101217.html. It was my laptop. Now I was hoping to clean up my desktop as well.

    All the files are attached.

    Great work...

    Best regards

    George
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hi george, id like you to do a fresh FindAWF scan for me,

    FindAWF

    Download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Copy and paste the contents of the AWF.txt file in your next reply.
     
  3. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    AWF log attached

    Thanks.

    George
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Fix AWF Infection Step 2
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.
     
  5. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Updated AWF

    Thanks.

    George
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Fix AWF Infection Step 3

    Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Select Option 3 from the menu and press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the folders and will perform another scan for bak folders.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.
    Before you close FindAWF, Select Option 4 from the menu and press Enter.
    When it's finished the tool will return to the main menu.
    Press E to close FindAWF.


    This thread is for the use of gnedic only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Updated AWF

    GREAT.

    Thanks.

    George
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Ok then.

    How is the computer running?

    Any appearances of the nasties?

    Post a HijackThis log and ill look over it for you.
     
  9. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Attached

    Hi Kritius,

    Thanks for your help. I truly appreciate your assistance.

    Best Regards

    George
     
  10. kritius

    kritius TS Guru Posts: 2,084

    It'll take me a while to go through the log, plus im in work so I wont be able to respond for several hours,

    its 2.30pm my time, ill get back to you at about 8.30pm my time.
     
  11. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Great. Thanks

    Great. Thanks.

    George
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Sorry it took so long to get back,

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entrieslisted below
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
      O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.

    Run HJT again for me as well


    This thread is for the use of gnedic only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Finally

    Files are attached...
    Thanks.

    George
     
  14. kritius

    kritius TS Guru Posts: 2,084

    ill get back to you when I have a chance to write out a fix.
     
  15. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    that bad. Hm.

    Great. Thanks.

    George
     
  16. kritius

    kritius TS Guru Posts: 2,084

    Ok , from the kaspersky scan these folders have infected items in them,
    E:\20070820KUCA_VESNA_C_DRIVE.gbp/MF/L/KUCA/LIBRARY/ScreenSaver
    H:\A_FROM OTHER DRIVE\DJORDJE_POSAO\Dzo\archive.pst
    H:\A_FROM OTHER DRIVE\DJORDJE_POSAO\Dzo\LicnoDzoLap.zip
    H:\KUCA\LIBRARY\ScreenSaver
    O:\old pc\Local Disk (F)\WINDOWS\Application Data\Identities\{898FCB67-05B8-11D3-BD01-E2D22B4EBD56}\Microsoft\Outlook Express


    You will have to decide if you want to empty the contents of them, this would probably be your best bet.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entrieslisted below
      O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    it wasnt too bad, all the infections came back to those folders if you get rid of them then that should be all good.

    Let me know what you decide.
     
  17. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    All deleted

    Hi Kritius,

    I didnt' want to risk it. I've deleted all. Let me know if there is anything else that I can do. Desktop runs a bit slow but this may be totally unrelated.

    Again, my sincere thanks for your help.

    George
     
  18. kritius

    kritius TS Guru Posts: 2,084

    I would need to a fresh Kaspersky scan.
     
  19. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Kaspersky

    Hi Kritius,

    If you feel this is required I will run it. It took 3 days last time around.

    I will run it and let you know.

    Thanks.

    George
     
  20. kritius

    kritius TS Guru Posts: 2,084

    It probably isnt necessary, if you got all of those then we should be all good. Let me know if you want to proceed to the final clean up.
     
  21. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Yes. cLEAN UP TIME

    Great. THANKS.

    gEORGE
     
  22. kritius

    kritius TS Guru Posts: 2,084

    I take it, the aboutadog problem has not returned?

    Delete the three tools from step 10 and all references to them.

    Empty all quarantine folders, such as Housecall etc,

    Time for some housekeeping
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • [​IMG]
    • When shown the disclaimer, Select "2"

    Here are some simple steps to help you keep your computer clean and secure:

    Now we can remove all the tools that we used.

    Please download OTMoveIt2 and save it to desktop.
    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean!

    If you have any more problems then you knwo where we are.
     
  23. gnedic

    gnedic TS Rookie Topic Starter Posts: 22

    Much obliged

    Thanks again

    George
     
  24. kritius

    kritius TS Guru Posts: 2,084

    Any time George.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...