Hijackthis log - need help

[Blind Dragon]

We are getting there.

Spybot Search and Destroy

• Download and install the latest version of Spybot - Search & Destroy (currently 1.5.2 (If you already have this version please open it, update, immunize, and Check for problems under search and destroy)
• When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, agreeing to the user agreements, and pressing the Next button until you get to the Select Additional Tasks screen.
• Make sure that the last entry ("Use system settings protection (Tea Timer)") is NOT checked.
• Press the Next button and then the Install button to start the installation process
• Check Run Spybot S&D press Finish. Spybot - S&D will now start
• The first screen asks if you want to backup your registry in order to be able to restore from it in the future. This can cause no harm, so it is a worthwhile task to do. You should click on the Create registry backup button
• Click on the Search for updates button. If updates are available then select the Download all available updates button
• When the updates are installed click on the Next button
• You should now click on the Immunize this system button. When it finishes click on Next button
• Then click on the button labeled Start using this program to begin using Spybot - Search & Destroy
• For help with any problems please see this guide Spybot tutorial

After you have Immunized and run a full system scan and had Spybot fix any problems, Click on the recovery Icon, select all the click the red X to purge

Run me a new scan with Hijackthis and attach here.

 

[chaz123]

Ta Da. Next.

 

[Blind Dragon]

If you need Nero I suggest a fresh download of it. Looks like the trojan may have damaged/moved a few files.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Nero

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

After that, Reboot, and post a new HijackThis log here in a reply also please run Kaspersky one more time and attach the log, then I believe we can clean up

 

[chaz123]

When I tried to remove Nero - Burning Rom it said that it couldn't be accessed. It said that can occur in safe mode or if Windows Installer isn't installed correctly. Should I just go ahead and try to remove it in normal mode?

 

[Blind Dragon]

Give it a shot in normal mode, let me know if it works

 

[chaz123]

Mmm'k. That worked. And those two files werent there. Here's the logs!

 

[Blind Dragon]

something isn't right. Can you run FindAWF again.

FindAWF

Click here to download FindAWF.exe and save it to your desktop.

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to Press any key to continue.
• Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
• Attach AWF.txt file in your next reply.

 

[chaz123]

Hmmm... nada

 

[chaz123]

Any other ideas, my friend?

 

[Blind Dragon]

Do you have an ATI graphics card?

Sorry for the delay. I think this is some of the collateral damage from the awf infection. Let's remove the rest and then we can clean up and secure what you have done.

Need you to go back to add/remove programs and uninstall:

ATI Control Panel
Yahoo! Messenger

Launch Hijackthis and do a scan only, check the following entry

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

Close all browsers and windows and select fix checked

Navigate to and delete the following folder:
C:\Program Files\Yahoo!\Messenger <-This folder
C:\Program Files\ATI Technologies\ATI Control Panel <-This folder

Run a new scan with Hijackthis and attach the log here

 

[chaz123]

Going to have to wait till Sunday to do that probably. At my other computer (which seems to be pretty infected as well). I'm going to start a new thread about this one but I won't be able to work on it that much (probably only every other weekend or so). So, ya. I'll get back to you in a couple days for this thread but how bout some assisstance on the new one?

 

[Blind Dragon]

Ok, I replied in your other thread. When you get back to this computer let me know how it goes

Regards

BD

 

[chaz123]

Ok. I did not see this file from HjT:

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

Also, I could not find the folder:

C:\Program Files\ATI Technologies\ATI Control Panel

Everything else came out good though!

 

[Blind Dragon]

It was probably removed by uninstalling through add/remove programs

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2


Set correct settings for files

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

clear system restore points

• 
  This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  This will remove all restore points except the new one you just created.

• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
  
  A tutorial on installing & using this product can be found here:
  
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
  
• Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

 

[chaz123]

Thank you very much for all the help you have given me. Thanks for you time and everything. I really appreciate it.

Hope to see you around! Everyone once in a while on my other thread maybe?

Sincerely,
Chaz