Major Issues

[SwimChao]

Daniel, I've attached the log.

When I booted my computer, for the first time in ages msconfig didn't start when the desktop loaded (Any reason why?)

 

[xxdanielxx]

did msconfig always startup even when you first got this computer

 

[SwimChao]

No, a long time ago my brother set it up to run at startup. Usually Ill just peek at what's running and then close it and disregard it.

 

[xxdanielxx]

Well it is nothing bad to not have it stratup it could have been detected to be bad so it took it off. Your log looks clean just to make sure I want to run one las online scan it will take time so post back in the morning

TrendMicro™ HouseCall Java Scan

• Please go HERE to run the Trend Micro™ HouseCall Scan.
• Click Scan now. It's free!
• Read and put a Check next to Yes I accept the terms of use.
• Click the Launching HouseCall>> button.
• Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
• You may receive a Security Warning about the TrendMicro Java applet, click YES.
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
• Please be patient while it installs, updates, and scans your system.
• Once the scan is complete, it will take you to the summary page.
• Under Cleanup options, choose clean all detected infections automatically.
• Click the Clean now>> button.
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

========================================

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

======================================

Uninstall ComboFix

• Click Start then Run
• Now Type Combofix /u in the runbox
• Make sure there's a space between Combofix & /u
• Then hit Enter

The above procedure will Delete the following:

• ComboFix & it's associated files & folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide system/hidden files, if required.
• Set a new, clean Restore Point.

------------------------------------------------------------------

OTCleanit! by Oldtimer

• Download OTCleanIt
• Click the CleanUp! button.
  (It will go thorugh the list & remove all of the tools it finds and then delete itself) Requiring a reboot

 

[SwimChao]

Thanks so much ahead of time, I will follow these instructions throughout the night (If not in the morning, 2:00 AM here now).

Thanks SO much.

I have one last question:

For 5 years I haven't had much online security, etc. I apparently had all these problems, but never noticed. My PC is never really ungodly slow, it was just recently slightly sluggish. Do you have any possible explanation for that? I was just curious is all.

Thanks again, will report back in the morning.

 

[xxdanielxx]

well It must of been something someone let in do you use torrents or p2ps like limewire

 

[SwimChao]

I did for a period of time. I don't see any other actions to take here on trend micro. It says some things couldn't have been deleted.. Im going to try and figure it out and then follow the rest of your orders.

 

[SwimChao]

Daniel, Im encountering some self troubles, Im both tired and can't figure out some of the steps.

Ill wait for you to get online and when Im awake to be able to finish this up.

Talk to you soon

 

[Blind Dragon]

FindAWF

Click here to download FindAWF.exe and save it to your desktop.

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to Press any key to continue.
• Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
• Attach AWF.txt file in your next reply.

 

[SwimChao]

Daniel and Blind Dragon,

I ran the tool Blind Dragon posted up. Here are the results.
Waiting for your orders on what to do next.

 

[Blind Dragon]

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\bak\MSConfig.exe"

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Press 2 then Enter
• Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
• Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
• The program will proceed to move the legit files and will perform another scan for bak folders.
• It may take a few minutes to complete, so please be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.
• Please attach AWF.txt file in your next reply

 

[SwimChao]

Dear Blind Dragon,

Am I pasting the list of things underneath of the line
_________________________________________
like this?

 

[Blind Dragon]

that is correct

 

[SwimChao]

Dear Blind Dragon,

Below I have attached the log as directed.
I wait for your next commands.

 

[Blind Dragon]

Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\PCHealth\HelpCtr\Binaries\bak

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• You will be presented with a Menu.
• Press 3, then press Enter.
• Press any key to continue.
• A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
• Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
• The program will proceed to remove the bad folders and will perform another scan for .bak folder
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt.
• Please attach the AWF.txt file in your next reply.

Run Fix AWF one more time and press 4, then press Enter.

 

[SwimChao]

I've missed your run fix AWF one more time step, will reply when done.

 

[SwimChao]

I've finished all the steps, the log is posted in the post above.

Waiting for your next orders.

 

[Blind Dragon]

That's it, that should have repaired the damage done by the trojan - have you already followed daniel's thread for cleaning up?

 

[SwimChao]

Well, when I did the.. cleanmgr

I left it and fell asleep for 3 hours, when I got up. It was still on the same spot of "Scanning: Compress Folders".

I hit cancel because I thought there might have been something wrong. 3 hours was vicious (It might have been even more)

 

[Blind Dragon]

yea I would give that another go - also note if msconfig loads at startup next time - because the legit .exe for it was hidden in a bak folder - and it was replaced with a malicious one

 

[SwimChao]

Really? Wow. That's weird.

Also, Daniel gave me somewhat of an explanation.. But as I said when I came here, Im not the most tech-savvy person. But I always thought once a computer had such malicious files in it, it'd most likely be slowed down greatly. But mine really has never been extraordinarily slow.

All I really do is.. once in a lightyear run a virus scan and I run CCleaner often. But that's really it. Any reason why it didn't perform horribly?

Also, Ill be sure to take care of this PC this go around. I really appreciate all you guys have done, this has been an ungodly process for me and I haven't gotten alot of sleep. Now I feel confident that for the time being, as long as I don't screw it up, it should be okay.

I'll go ahead and try the cleaning process again, if I run into trouble I'll post once more thru this thread for some advice.

If the cleanmgr doesn't work, should I skip it for the time being?

 

[Blind Dragon]

you really need to get through it because cleanmgr with run disk cleanup and clear all old restore points - which may have infection in them

 

[SwimChao]

Should I just leave it? Even though it's still doing the same thing. Ill close it or something and do other things I guess.

It does the "Scanning: Compress Old Folders" with three orange squares to the loading bar and just sits there. My activity light on my tower doesn't even blink.

 

[Blind Dragon]

I would leave it just to see - if you haven't run disk cleanup in a while it could take a long time

 

[SwimChao]

Yeah, I've NEVER run it. Should I leave it run over night?