Spyware Removal Instructions Thread

wow... i can't believe howard would delete a few threads before he left.

anyway, a virtual moment of silence for one of the most technically adept people i have ever met, whether it be in real life or online. he will be missed, as will his help and technical expertise. but i'd like to wish him a good life, and hope maybe someday he will come back :)

~plasma

edit: wait, wtf then... https://www.techspot.com/vb/topic92535.html if he left, how is he still posting, or did i miss something?
 
You are missing something, his last post in that thread was on Nov 22nd. When he left, he apparently just took the threads he created with him. His posts in other threads are still left.
 
Rik is working on it. Unfortunately since he only has the google cache to go off of it isn't an easy task to get all the formatting and the links set up properly.

By all means though, if you want to take on the task of resurrecting it into a proper post I will sticky it for you (that isn't meant to sound sarcastic, it does need to be done, so if anyone wants to take the initiative then go for it).
 
SNGX1275 said:
By all means though, if you want to take on the task of resurrecting it into a proper post I will sticky it for you (that isn't meant to sound sarcastic, it does need to be done, so if anyone wants to take the initiative then go for it).
No problem, I will do that by tomorrow.

OK, did that using a WYSIWYG editor, it was pretty simple and not time-consuming. See it here: https://www.techspot.com/vb/topic93355.html
 
Thanks M0ntG0M3rY,

I'd have done it, but you beat me to it. ;-) I go back to there often and refer other people there, too. Very well done, helpful post that was.

All the best, Howard, wherever you are. And thank you.

Shari
 
I see Julio got Instructions I formatted pinned.

I also noticed that Whataboutadog/rabbit etc. Removal instructions are gone. HERE is a Google cached version (with no attached file available). The formatted version will follow.
 
Whataboutadog/rabbit etc. Removal instructions by howard_hopkinso

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.


Please Note: The attached files are for example only. Your own files will have different entries.

Please follow these instructions exactly. A copy of these instructions is available as a downloadable .txt file in the attachments.

Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

STEP1:

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad.

See attached example 1:

STEP2:

You would then need to do the following with Example1. Scroll down the file, until you come to the main body marked as START HERE. It's the entries below where it says "Duplicate files of bak directory contents" that we're interested in.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text into the text file.

These are the entries from Example1 you would need to copy and paste into the above. Please note: You must include the quotes.

You would only copy and paste the entries that have a bak folder in the file path.


"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
"C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
"C:\Program Files\PCPal\bak\PalAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Logitech\QuickCam10\bak\QuickCam10.exe"
"C:\Program Files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe"
"C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad.

STEP3:

Please double-click the FindAWF icon once again.

Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed: See attached Example2: Again scroll down the file to where it says START HERE. Again, it's the entries below where the file says "Duplicate files of bak directory contents" that we're interested in.

Note: This time only copy and paste up to where the actual bak folder is and we don't need the quotes this time.

C:\hp\KBD\bak
C:\Program Files\DISC\bak
C:\Program Files\DISC\bak  <-- This is a duplicate of the above entry. These often crop up in an awf.txt file.
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\PCPal\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Logitech\QuickCam10\bak
C:\Program Files\Comcast\Desktop Doctor\bin\bak
C:\Program Files\Common Files\LogiShrd\LComMgr\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak

Please Note: The marked entry above is simply a duplicate and is there for example only. For instance, you could find several bak folders in Windows/system32/bak or elsewhere. You would only need to enter one of these as in effect it's exactly the same bak folder, so we can't remove it twice etc.

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log. See the attached Example3, which is clean.

STEP4

If you receive a clean log after running option3 as in the attached Example3, then the infection is gone and you need to do the following.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT




Very Important


However, that's not always the case and sometimes you'll still see some bak files left under where it says "Duplicate files of bak directory contents" after running option3. See the attached Example4.


In all cases, it is recommended you start a new thread in this forum (if you don't already have one), even if your awf.txt is clean. That's because your system may be infected with other malware.

You would need to attach a fresh awf.txt from running Option1 of the FindAWF.exe tool, as well as a fresh HJT log. See HERE for instructions.

If you have any questions pertaining to these instructions, please don't hesitate to ask.

Regards Howard
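The instructions above describe one observable pattern: a legitimate executable is swapped for a dropper and the original is parked in a sibling "bak" folder, so the same file name appears twice with different contents. The following is an added Python example, not part of the original thread and not FindAWF itself (the real tool restores and deletes; this one only reads). It walks a directory tree, pairs each file in a "bak" folder with the same-named file in the parent folder, hashes both, and produces the two lists in the shapes the post describes: quoted backup paths for the restore step and a deduplicated folder list for the removal step. The sample tree it scans is constructed inline, with file names borrowed from the example list and invented contents.

```python
# Added example (not FindAWF and not from the original thread): a read-only
# scanner for the file-swap pattern described in the instructions, where a
# trojan replaces a live executable and stores the original in a "bak" folder.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_duplicates(root: Path) -> list[dict]:
    """Walk root; for every directory literally named 'bak', pair each file in it
    with a same-named file in the parent directory (the live copy) and record
    whether the two are byte-identical. This mirrors the "Duplicate files of
    bak directory contents" section of awf.txt described in the instructions."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            backup, live = bak_dir / name, bak_dir.parent / name
            if live.is_file():
                findings.append({
                    "backup": backup,
                    "live": live,
                    "same_content": sha256_of(backup) == sha256_of(live),
                })
    return sorted(findings, key=lambda f: str(f["backup"]))


def suspicious(findings: list[dict]) -> list[dict]:
    """Only pairs where the live file differs from its backup: that is the swap
    pattern. A byte-identical pair is just an ordinary backup copy."""
    return [f for f in findings if not f["same_content"]]


def restore_list(findings: list[dict]) -> list[str]:
    """Quoted backup paths, the shape the post says option 2 expects."""
    return [f'"{f["backup"]}"' for f in findings]


def folder_list(findings: list[dict]) -> list[str]:
    """Deduplicated bak folders, the shape the post says option 3's folders.txt
    expects; two files in one bak folder yield a single entry, matching the
    note about duplicate folder lines."""
    folders: list[str] = []
    for f in findings:
        folder = str(f["backup"].parent)
        if folder not in folders:
            folders.append(folder)
    return folders


def build_sample_tree(base: Path) -> None:
    """Constructed sample data (names taken from the thread's example list,
    contents invented): three swapped files, one legitimate identical backup,
    and one orphan in a bak folder with no live counterpart."""
    pairs = {
        "Program Files/QuickTime/qttask.exe": (b"constructed dropper stub", b"constructed original qttask"),
        "WINDOWS/system32/ctfmon.exe": (b"constructed dropper stub", b"constructed original ctfmon"),
        "WINDOWS/system32/notepad.exe": (b"constructed dropper stub", b"constructed original notepad"),
        "Tools/readme.txt": (b"same bytes", b"same bytes"),
    }
    for rel, (live_bytes, bak_bytes) in pairs.items():
        live = base / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        live.write_bytes(live_bytes)
        bak = live.parent / "bak" / live.name
        bak.parent.mkdir(exist_ok=True)
        bak.write_bytes(bak_bytes)
    (base / "Tools" / "bak" / "orphan.dat").write_bytes(b"no live counterpart")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, return the lists."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        all_pairs = find_bak_duplicates(base)
        swapped = suspicious(all_pairs)
        return {
            "pairs": len(all_pairs),
            "swapped": len(swapped),
            "restore": restore_list(swapped),
            "folders": folder_list(swapped),
        }


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['pairs']} bak/live pairs found, {result['swapped']} with differing content")
    print("\n".join(result["restore"]))
    print("\n".join(result["folders"]))
```

Against a real drive you would call `find_bak_duplicates(Path("C:/"))` and read the output before acting on it; the hash comparison is what separates a genuine swap from an innocent backup copy that happens to live in a folder called bak.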
 
I hope you guys can instruct on all of the programs mentioned in the threads/posts that you are resurrecting.

Combofix is not a normal tool and needs supervision while being used.
 
i only help in threads that i think i can help in, i have no experience with combofix so can't instruct people on how to use it and thusly won't tell people to use it :)

evilfantasy said:
Everyone says they respect Howard, then why not respect his decision to remove the threads? Reposting them isn't respecting him at all. It's just the opposite.

i do agree with this a bit but we need instructions for people to use and howard's are the best we could possibly need so if we were to write our own ones then it would just be the same but in slightly different words


yes, i'm signed up to email alerts ;)

i noticed that my thread (Do not post your problems here one) in the Introduce yourself forum was stickied (:D) but the message for newcomers one (https://www.techspot.com/vb/topic93387.html) hasn't been yet and wondered if it was because of the "by howard" bit, if so then i could post it again, or a mod could change it for me, if you can do that sort of thing, i don't know ;)
 
My point is (and I am not trying to start anything here) directing people to the preliminary removal thread is telling them to use combofix.

What if they run into problems with it. Who is going to bail them out? Maybe it should be removed from the instructions. I normally only use it if it is needed and only after all other normal/safe tools have been used to disinfect.

It really is a powerful tool that can do irreversible damage with just one click.
 
good point, although it is only telling people to post the log that it makes so it shouldn't be that bad

if it comes to it then untrained people can ask for help or we could offer some kind of lessons or instructions for advanced users on how to use it?
 
There are no instructions for combofix.

From sUBs the owner of combofix, you either attend an online academy/bootcamp and learn about it. Or you don't use it. (that is what is said in a nut shell)
 
fair enough, do we know who on here knows how to use it? if only howard knew then someone's gonna have to start learning :blackeye:
 
nice one, Spleenharvester, but the point really is that he gave no warning and nobody's heard a word since :(

we will miss you howard, for you truly were a TS legend ;)
 
and, thanks, evilfantasy, for the heads-up on combofix. I for one, only know enough to be dangerous, but can follow directions. It matters that those directions are good and the folks giving them know what they're doing. :blush:

Yanno, maybe Howard just needed a break. He was spending a lot of time and effort. Because he was so good, he ended up doing a lot of the newbie helping. Maybe now that he's gone, others will step up to the plate.
 
Daveskater said:
nobody's heard a word since :(


Not entirely true. I have heard from him but I will not repeat anything as that would be betraying his confidence.
 
it's going to be tricky replacing howard, even with multiple people

i've been doing a lot of posting in the Introduce Yourself forum with the new members and whatnot and a few bits here and there, some in security and the web, but howard was truly good at what he did so it might take a few people to put the knowledge together to replace him

i can understand if howard got fed up with doing malware stuff because he tried giving up doing hjt logs but had to come back because we couldn't cope on our own

i do think that he wouldn't be able to just stop helping people's malware problems while he was still a member. he tried it before, even giving us a warning, but it didn't work

when you think of it, the only way out for him was suddenly leaving, which is what he did. i respect him for all he's done for the forums and its members and all the help dished out over the years, he was even the first reply i ever got to my first post here ;)

basically, to sum up, i don't blame you mate :)

edit: @ Rik: fair enough mate, i'm sure if he had a message for us he'd want us to know so no worries
 
I agree with you there about him being hard to replace.

Perhaps one day he will come back. I am certainly keeping my fingers crossed.
 
i'm keeping my fingers crossed too that he'll return one day to say hi, but i do think we relied on him a bit much, and of course we wouldn't let that happen again :)

i like to think he's keeping an eye on us, whether i'm right or not i don't know
 
i've read hundreds of threads here at "security and the web" where howard was helping someone with their computer. it never got boring. somehow he would just go right down the list of people helping them, from the top of the page to the bottom. he helped me with my dad's, my sister's, and my own computer. he is a consummate professional with awesome expertise. why do you think i came to him for help?
let's just hope that he is taking a well deserved break, and that he'll be back.
thank you so much for your help howard, you are truly great!
 
fair enough, do we know who on here knows how to use it? if only howard knew then someone's gonna have to start learning

Actually I used to few months back when I was more active in the forums, but I've been away from malware fixing for so long I'm sort of a "noob" now hehe. I do have access to a restricted forum where there's a thread which extensively teaches the use of ComboFix as well as provides updates by the creator sUBs himself.

EvilFantasy is right, you need to sign up to learn at this forum; its called Malware Removal University.

Regards,
momok
 