TechSpot

Finished the 8 steps after virus

By samsquanch
Mar 12, 2009
  1. Foolishly downloaded some software and got hijacked. Ended up with a virus warning message as my screen background, locked out of changing it. Got a pop-up warning in my tool tray with a virus warning, and random opening of Firefox and IE to an "antivirus website" to fix the problem.

    Spybot, Norton 360, and Registry Mechanic did not resolve the problem when run in safe mode. I stumbled across this site and the eight steps and followed them. The problem appears to be resolved by following the process, however appearances can be deceiving. Attached are my logs.

    Thanks so much for the help.
     


  2. rev_olie

    rev_olie TS Maniac Posts: 560

    Hi,
    You have some very strange entries on there. I'm not returning any results for them.
    Download and run SDFix.
    The user guide and download can be found Here

    Then update and re-run SAS and Malwarebytes, with a fresh HijackThis log.
     
  3. kritius

    kritius TS Guru Posts: 2,084

    Please download ATF Cleaner by Atribune.



    • Double-click ATF-Cleaner.exe to run the program.

      Under Main choose: Select All

      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.



    • Open a folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    Now run HJT again and post the log back along with the SDFix report that Ollie asked for.
     
  4. rev_olie

    rev_olie TS Maniac Posts: 560

    Haha, I've been frantically running around for ATF Cleaner, I forgot the name :eek: so I'm glad you said that, kritius
     
  5. kritius

    kritius TS Guru Posts: 2,084

    No problem
     
  6. samsquanch

    samsquanch TS Rookie Topic Starter

    Thank you Kritius and Olie,

    Updated again and ran Malwarebytes and SAS again, downloaded ATF Cleaner and ran that, followed by HJT. Attached are the new logs.

    I appreciate the assistance.
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Please run the NORTON REMOVAL TOOL

    Please download ONE of the following antivirus programs and install it.


    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.

    Reboot if it fixed anything.

    You should get a firewall as well, either,


    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below

    O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe
    O4 - HKCU\..\Run: [ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\a6o422nixbw.exe
    O4 - HKCU\..\Run: [tj13zbrf5ogzt8ez0id6b4v30] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\qlx84pv3gqtk0.exe
    O4 - HKCU\..\Run: [jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ng5p2l.exe
    O4 - HKCU\..\Run: [e6bvbu7bu25gmw55j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\z4g3hvy.exe
    O4 - HKCU\..\Run: [lln7yymhyqig2npkz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\n2d92j50au7.exe
    O4 - HKCU\..\Run: [p5dkkt7vo] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gdpbimlgd11.exe
    O4 - HKCU\..\Run: [ujioc5ber72q] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mqxg0ksdyf.exe
    O4 - HKCU\..\Run: [z5ke7vpm95k0zjphny6] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\v8unhv2v6kc.exe
    O4 - HKCU\..\Run: [fmunm5yi68k7zc3iinyfcpkk1n] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xssxosy.exe
    O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe
    O4 - HKCU\..\Run: [jqv1kh6tu2ufk8zzdhcfaz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\m0eieb47z.exe
    O4 - HKCU\..\Run: [zv4r2ryuq96s7s50evpg] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xmy662p.exe
    O4 - HKCU\..\Run: [q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\nt1v4v1fd.exe
    O4 - HKCU\..\Run: [o186201wldvfv3vd4p49gzn9juvx] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\kzt1wbb1mg.exe
    O4 - HKCU\..\Run: [be2v8ul2j4n9xzyiusu30lwqt9na2ncjav] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\u1vqn5oxf.exe
    O4 - HKCU\..\Run: [xejisrtbnq9ae9qhun45y4wa5vzgecv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\sac1kghzzg8.exe
    O4 - HKCU\..\Run: [gg0zendarviv9e2td93te] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\j6284o89h.exe
    O4 - HKCU\..\Run: [fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\jf834q3796ua.exe
    O4 - HKCU\..\Run: [g3y5pwm24pnjtkuv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\uxhfwmx7v4.exe
    O4 - HKCU\..\Run: [rxr9lhzb2e0glc79ef74phceej3xvx5j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ueru6yxe.exe
    O4 - HKCU\..\Run: [pzfiut9hih4l1sme83gkaf] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ud0ns18lzcym.exe
    O4 - HKCU\..\Run: [pgwbgdyu6ns4ia] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mguam1uwoev.exe
    O4 - HKCU\..\Run: [n6clmbnuv4x1glejxotugxi7p27rrwvl] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zn8ztd4.exe
    O4 - HKCU\..\Run: [pbh3fttzyf8ik5] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\iz6cs0j55q.exe
    O4 - HKCU\..\Run: [my2hnhsq2ycjg5019pmfor2i] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zr78nqi.exe
    O4 - HKCU\..\Run: [ef4jt05i7u4367p0pbj] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ogttd95h2.exe
    O4 - HKCU\..\Run: [ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gq3ag2e6own.exe
    O4 - HKCU\..\Run: [vniv32qjug4rsh5kl0x] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\grri6dn4u.exe

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Download and Run ComboFix

    • Download this file to your desktop from HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply

    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  8. samsquanch

    samsquanch TS Rookie Topic Starter

    I'm curious, why do you recommend not using Norton 360?
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Crap detection rates and bloated system usage.

    If you want to keep it that's grand, but it didn't really work very well up to now, did it?
     
  10. samsquanch

    samsquanch TS Rookie Topic Starter

    Thanks for the info, not trying to be difficult, I just like to know the why behind things, it's how I'm wired.

    Really appreciate your quick help.
     
  11. kritius

    kritius TS Guru Posts: 2,084

    That's ok.

    Let me know what you decide to do.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    samsquanch, I'd like to make a couple of comments here. Probably the last thing you need is another 'helper' but I want to bring out some points: This is not meant to replace what others have said, but only to give you additional choices:

    1. Many here advise users to replace a Norton security program immediately. My thoughts are different. While I am not a supporter of the Norton security programs, I prefer to delay changing the AV or security suite. A user has enough to deal with without removing a program they paid for and replacing it with a free AV & firewall up front. My preference is to do the cleaning and then suggest it be replaced. This doesn't make any of us wrong or right; it's a preference that should be left up to the user.

    2. Regarding the following:
    Because of the Adware connection, I suggest that you remove this.

    3. I tried to find some common denominator for the temp document files. I came up with one:
    TODDLA~1:
    You can remove the files as mentioned, but you need to locate the source for them. I did notice the following in the SDFix log so it appears that you are downloading music:
    Thu 25 Jan 2007 9,506 A.SH. --- "C:\Documents and Settings\Macy Ashby\My Documents\My Music\License Backup\drmv2key.bak"

    4. The original SAS log showed Tracking Cookie. To prevent them in the future:
    Reset Cookies:
    I won't handle the other entries, but thought this might be a helpful addition for you.
     
  13. samsquanch

    samsquanch TS Rookie Topic Starter

    Kritius,

    Took your advice, more protection, less system usage - seems an easy decision.

    Uninstalled Norton 360, installed Avast and Comodo Firewall, updated each and ran a scan; some items were detected and fixed. Restarted computer.

    Used HijackThis to remove the listed items, ran ComboFix; attached is the log from ComboFix.

    Bobbye,

    Thank you for also offering some insight into the situation.

    I'll be uninstalling DAP and changing the cookies setting as you suggest.
    As far as I know we only download music via iTunes, though it's possible a house guest may have downloaded from somewhere else.
     
  14. kritius

    kritius TS Guru Posts: 2,084

    To get an Uninstall List from HijackThis:

    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.



    You have BitLord installed, I would get rid of it.

    Can you also post a fresh HJT log?

    Disable Teatimer

    Please disable Teatimer as it may interfere with the fix.

    First:

    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident

    Second:

    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.

    Once your log is clean you can re-enable those settings in TeaTimer.


    Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (will be maximized) and info.txt (will be minimized)
    • Please post the contents of both logs in the next reply.
     
  15. samsquanch

    samsquanch TS Rookie Topic Starter

    All suggestions and steps followed, attached are the logs.
     
  16. kritius

    kritius TS Guru Posts: 2,084

    I'll look over them and post back later. Quite a few things that I want to get rid of.
     
  17. samsquanch

    samsquanch TS Rookie Topic Starter

    I'll likely be off for the rest of the day, I'll get after the actions you recommend in the morning here.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    Part 1

    Go to Add/remove programs and remove the following.

    GearDrvs
    GemMaster Mystic
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    RegCure 1.5.2.7
    Registry Mechanic 8.0



    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe
    O4 - HKCU\..\Run: [ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\a6o422nixbw.exe
    O4 - HKCU\..\Run: [tj13zbrf5ogzt8ez0id6b4v30] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\qlx84pv3gqtk0.exe
    O4 - HKCU\..\Run: [jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ng5p2l.exe
    O4 - HKCU\..\Run: [e6bvbu7bu25gmw55j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\z4g3hvy.exe
    O4 - HKCU\..\Run: [lln7yymhyqig2npkz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\n2d92j50au7.exe
    O4 - HKCU\..\Run: [p5dkkt7vo] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gdpbimlgd11.exe
    O4 - HKCU\..\Run: [ujioc5ber72q] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mqxg0ksdyf.exe
    O4 - HKCU\..\Run: [z5ke7vpm95k0zjphny6] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\v8unhv2v6kc.exe
    O4 - HKCU\..\Run: [fmunm5yi68k7zc3iinyfcpkk1n] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xssxosy.exe
    O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe
    O4 - HKCU\..\Run: [jqv1kh6tu2ufk8zzdhcfaz] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\m0eieb47z.exe
    O4 - HKCU\..\Run: [zv4r2ryuq96s7s50evpg] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\xmy662p.exe
    O4 - HKCU\..\Run: [q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\nt1v4v1fd.exe
    O4 - HKCU\..\Run: [o186201wldvfv3vd4p49gzn9juvx] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\kzt1wbb1mg.exe
    O4 - HKCU\..\Run: [be2v8ul2j4n9xzyiusu30lwqt9na2ncjav] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\u1vqn5oxf.exe
    O4 - HKCU\..\Run: [xejisrtbnq9ae9qhun45y4wa5vzgecv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\sac1kghzzg8.exe
    O4 - HKCU\..\Run: [gg0zendarviv9e2td93te] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\j6284o89h.exe
    O4 - HKCU\..\Run: [fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\jf834q3796ua.exe
    O4 - HKCU\..\Run: [g3y5pwm24pnjtkuv] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\uxhfwmx7v4.exe
    O4 - HKCU\..\Run: [rxr9lhzb2e0glc79ef74phceej3xvx5j] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ueru6yxe.exe
    O4 - HKCU\..\Run: [pzfiut9hih4l1sme83gkaf] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ud0ns18lzcym.exe
    O4 - HKCU\..\Run: [pgwbgdyu6ns4ia] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\mguam1uwoev.exe
    O4 - HKCU\..\Run: [n6clmbnuv4x1glejxotugxi7p27rrwvl] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zn8ztd4.exe
    O4 - HKCU\..\Run: [pbh3fttzyf8ik5] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\iz6cs0j55q.exe
    O4 - HKCU\..\Run: [my2hnhsq2ycjg5019pmfor2i] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\zr78nqi.exe
    O4 - HKCU\..\Run: [ef4jt05i7u4367p0pbj] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\ogttd95h2.exe
    O4 - HKCU\..\Run: [ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\gq3ag2e6own.exe
    O4 - HKCU\..\Run: [vniv32qjug4rsh5kl0x] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\grri6dn4u.exe
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/se...0000049.000000d2&c=00000082.000000e6.0000026f


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary


    COMBOFIX-Script



    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      Folder::
      C:\Program Files\RegCure
      C:\Program Files\BitLord
      C:\Documents and Settings\All Users\Application Data\Symantec
      C:\Documents and Settings\Todd Larson\Application Data\Symantec
      C:\Program Files\DAP
      
      
      Registry::
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb"=
      "ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b"=
      "tj13zbrf5ogzt8ez0id6b4v30"=
      "jf8fuf1d4o1q7lojbpomqc19zu3xh3n1i21oe7tlifq2p"=
      "e6bvbu7bu25gmw55j"=
      "lln7yymhyqig2npkz"=
      "p5dkkt7vo"=
      "ujioc5ber72q"=
      "z5ke7vpm95k0zjphny6"=
      "fmunm5yi68k7zc3iinyfcpkk1n"=
      "axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr"=
      "jqv1kh6tu2ufk8zzdhcfaz"=
      "zv4r2ryuq96s7s50evpg"=
      "q8rvrkciixdm4ypvtwp8ud8y7coymdjek985ff0h41oh"=
      "o186201wldvfv3vd4p49gzn9juvx"=
      "be2v8ul2j4n9xzyiusu30lwqt9na2ncjav"=
      "xejisrtbnq9ae9qhun45y4wa5vzgecv"=
      "gg0zendarviv9e2td93te"=
      "fw954ay9rczdrakm189vysml5enisl98klisowrrdjjfktbjgy"=
      "g3y5pwm24pnjtkuv"=
      "rxr9lhzb2e0glc79ef74phceej3xvx5j"=
      "pzfiut9hih4l1sme83gkaf"=
      "pgwbgdyu6ns4ia"=
      "n6clmbnuv4x1glejxotugxi7p27rrwvl"=
      "pbh3fttzyf8ik5"=
      "my2hnhsq2ycjg5019pmfor2i"=
      "ef4jt05i7u4367p0pbj"=
      "ku1vtw6a1ysgntpiim2y06qchlw4lp6cf9b82mc1z"=
      "vniv32qjug4rsh5kl0x"=
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
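    The O4 triage above (the same list of HKCU\..\Run values that kritius first had fixed with HijackThis and then deleted again via the CFScript Registry:: block) as an added worked example; this is not code from the thread, from HijackThis or from ComboFix. It parses HijackThis O4 lines, flags Run-key values that launch an executable out of a profile's Temp folder or carry a random-looking value name, and emits the matching "name"= lines in the form kritius used. SAMPLE_LOG is constructed for the example: two lines mirror entries posted in this thread, the rest are invented benign entries for contrast. The randomness heuristic (long, all lowercase letters and digits) is an assumption tuned to this dropper's naming, not a general rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O4 line: "O4 - HKCU\..\Run: [valuename] C:\path\target.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<target>.*?)\s*$"
)
# Executables launched from a profile's Local Settings\Temp (8.3 or long form).
TEMP_RE = re.compile(r"\\LOCALS~1\\Temp\\|\\Local Settings\\Temp\\", re.IGNORECASE)
HIVE_PATH = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# Constructed sample log: lines 2 and 3 mirror entries from the thread,
# the others are typical benign entries invented for contrast.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe",
    r"O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe",
    r"O4 - HKCU\..\Run: [ycdaan0lzzozniru4y8gisetm4tfizi36n1rd1b] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\a6o422nixbw.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
]


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    target: str


def parse_o4(line: str) -> Optional[RunEntry]:
    """Return a RunEntry for an O4 line, None for any other HJT line."""
    m = O4_RE.match(line.strip())
    return RunEntry(**m.groupdict()) if m else None


def looks_random(name: str) -> bool:
    """Assumed heuristic: 9+ chars of only [a-z0-9] mixing letters and digits.
    Real value names (SunJavaUpdateSched, ctfmon.exe) are mixed case or dotted."""
    if len(name) < 9 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def reasons(e: RunEntry) -> List[str]:
    """Why an entry is worth a second look; empty list means nothing flagged."""
    r = []
    if TEMP_RE.search(e.target):
        r.append("runs from Temp")
    if looks_random(e.name):
        r.append("random value name")
    return r


def suspicious_entries(log_lines) -> List[RunEntry]:
    return [e for e in map(parse_o4, log_lines) if e and reasons(e)]


def cfscript_registry_block(entries: List[RunEntry]) -> str:
    """Group flagged values by key and write a Registry:: section in the
    same form as the script posted above: one "name"= line per value."""
    by_key = {}
    for e in entries:
        full = f"[{HIVE_PATH[e.hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\{e.key}]"
        by_key.setdefault(full, []).append(e.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(key)
        lines.extend(f'"{n}"=' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_entries(SAMPLE_LOG)
    for e in hits:
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.target}  ({', '.join(reasons(e))})")
    print(cfscript_registry_block(hits))
```

    Two caveats for anyone reusing this: HijackThis writes HKCU for whichever account ran it, so run it as the affected user (the TODDLA~1 profile here), and deleting the Run values only stops the relaunch; the .exe files in Temp still need removing, which is what the ATF Cleaner step and ComboFix's own Temp cleanup take care of.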
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Part 2

    Please download ATF Cleaner by Atribune.



    • Double-click ATF-Cleaner.exe to run the program.

      Under Main choose: Select All

      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All

      Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.



    • Open a folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    FindAWF



    Download FindAWF.exe and save it to your desktop.

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach the AWF.txt file in your next reply.

    Post back with the ComboFix log, FindAWF and a fresh HijackThis log

    EDIT:

    ComboFix really should have gotten rid of those O4 entries. If they are still there then we'll have to try something else.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Bobbye,

    I believe that this is the OP's name.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kritius, I considered that, and it might be the 'guest' that was referred to.

    samsquanch, is this - TODDLA~1 - the name of the person whose documents have these entries?
    O4 - HKCU\..\Run: [xqln3ce3scxpyimkyd7whtkpqa3m8i135u7aqsb48vcb] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\oeruj897r2dm5.exe

    Interestingly, I found another user with similar entries- unless sam also posted in AfterDawn- I didn't go through all of them:
    Troonus, Newbie, 25 February 2009 @ 06:30

    This has the same .exe as sam's:
    O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TROY~1.TRO\LOCALS~1\Temp\i6zge37bkyr.exe
    http://forums.afterdawn.com/thread_view.cfm/752173

    sam's:
    O4 - HKCU\..\Run: [axtfkmhnfhoimo4skdv38d2ic9x19vmsgmv6gv9hocr] C:\DOCUME~1\TODDLA~1\LOCALS~1\Temp\i6zge37bkyr.exe

    What is puzzling is that the word is in all caps and each has a numerical designation:
    TODDLA~1 or TROY~1.TRO... strange! The second 'name' is also from Shakespeare!
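    As an added example (not part of the thread), the rule by which Windows derives the DOCUME~1, TODDLA~1 and LOCALS~1 components seen in these entries: an 8.3 short name is the uppercase long name with spaces and surplus dots removed, cut to six characters plus ~N, with the extension cut to three characters. profile_for applies it to candidate profile folder names; "Todd Larson" and "Macy Ashby" are the two account names that appear elsewhere in this thread, while "Troy.Trojan" is an invented name chosen because it shortens to TROY~1.TRO. The ~N numbering follows creation order on a real volume, which the example approximates by the order candidates are passed; the hashed form Windows switches to after the fourth collision is not modelled.

```python
import re
from typing import Iterable, Optional, Set

ILLEGAL = set("+,;=[]")   # legal in long names, replaced by "_" in 8.3 names
# A name that already fits 8.3 (up to 8 chars, optional 3-char extension) keeps its form.
SHORT_OK = re.compile(r"^[A-Z0-9_!#$%&'()@^`{}~-]{1,8}(\.[A-Z0-9_!#$%&'()@^`{}~-]{1,3})?$")


def short_name(long_name: str, taken: Optional[Set[str]] = None) -> str:
    """Simplified NTFS/FAT 8.3 generation (assumption: no hashed ~XXXX form)."""
    taken = set() if taken is None else taken
    upper = long_name.upper()
    if SHORT_OK.match(upper):
        return upper                       # e.g. Temp -> TEMP, no ~1 needed
    cleaned = "".join("_" if c in ILLEGAL else c for c in upper if c != " ").lstrip(".")
    base, dot, ext = cleaned.rpartition(".")
    if not dot:                            # no extension at all
        base, ext = cleaned, ""
    base = base.replace(".", "")[:6]       # dots inside the base are dropped
    ext = ext[:3]
    n = 1
    while True:
        candidate = f"{base}~{n}" + (f".{ext}" if ext else "")
        if candidate not in taken:
            taken.add(candidate)
            return candidate
        n += 1


def profile_for(short: str, profile_names: Iterable[str]) -> Optional[str]:
    """Which candidate profile folder shows up as `short` in an 8.3 path."""
    taken: Set[str] = set()
    for name in profile_names:
        if short_name(name, taken).upper() == short.upper():
            return name
    return None


if __name__ == "__main__":
    for part in ("Documents and Settings", "Todd Larson", "Local Settings", "Temp"):
        print(f"{part!r:28} -> {short_name(part)}")
    print(profile_for("TODDLA~1", ["Macy Ashby", "Todd Larson"]))
```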
     
  22. kritius

    kritius TS Guru Posts: 2,084

    I have seen cases of this where uninstalling ComboFix and then downloading and renaming it will catch a lot of this.

    It's a bit similar to the Adebot infection a while ago, except a lot more stubborn and crafty.
     
  23. samsquanch

    samsquanch TS Rookie Topic Starter

    Kritius,

    Attached is the combofix log file from the script. Geardrvs was not in the add/remove programs list, I could not locate it on the hard drive, as such it was not uninstalled. All other programs listed were uninstalled.

    I'll be moving forward with Part 2, ATF Cleaner and FindAWF.

    Attached are the find awf and fresh HJT log.

    oops, attached are the files.
     
  24. kritius

    kritius TS Guru Posts: 2,084

    That looks a lot better.

    Can I see the ComboFix log?

    How is the computer acting now?
     
  25. samsquanch

    samsquanch TS Rookie Topic Starter

    Kritius,

    Attached is the ComboFix log, sorry I thought I had attached it earlier.
    The computer seems to be running fine at this point, not getting any warnings out of Comodo or Avast, and all of the initial symptoms are gone.
     
Topic Status:
Not open for further replies.
