TechSpot

Spyware Removal Instructions Thread

Discussion in 'Virus and Malware Removal' started by Po`Girl, Nov 28, 2007.

Thread Status:
Not open for further replies.
  1. Daveskater Banned

    Hopefully someone will have Howard's email. It would be stored somewhere at least, but I expect Julio wouldn't be allowed to give it to us because of Data Protection.
  2. plasma dragon00 Newcomer, in training

    ROFL lol. I had no idea there was a "hacker language" setting.
  3. Daveskater Banned

    Yeah, if you go to Preferences and Language there should be one called Hacker, but you only get links to normal search, images and groups as opposed to maps and all the Google search type things.
  4. SNGX1275 TechSpot Special Forces

    Ok, for an 'official update'.

    It appears Howard left intentionally, although he let none of the mods or staff know. He decided to wipe out several (or all?) of the threads he had created when he left. This has obviously created some confusion and rumors of TS being 'hacked'. Nobody has hacked TS, and there is no reason to believe anything else happened other than Howard left and took some threads with him. As for the reasons he left, none of the mods or staff have heard from him, so we don't know.

    While this is unfortunate and completely unexpected, TS will survive. Off the top of my head I can think of 4 very influential and important members to this site that have left in various fashion for their own reasons since I've been a mod, and the forums survived that. They will survive this too, and in recent months a few of you guys have been stepping up into roles previously only done by Howard. The forums aren't a 1 man show, it takes a community effort to keep things working smoothly and I'm confident we can keep that up.
  5. M0ntG0M3rY Newcomer, in training

    well, this is what I was initially thinking.

    Thanks Howard for all your hard work here.
  6. plasma dragon00 Newcomer, in training

    Wow... I can't believe Howard would delete a few threads before he left.

    Anyway, a virtual moment of silence for one of the most technically adept people I have ever met, whether it be in real life or online. He will be missed, as will his help and technical expertise. But I'd like to wish him a good life, and hope maybe someday he will come back :)

    ~plasma

    Edit: wait, WTF then... http://www.techspot.com/vb/topic92535.html If he left, how is he still posting, or did I miss something?
  7. SNGX1275 TechSpot Special Forces

    You are missing something; his last post in that thread was on Nov 22nd. When he left, he apparently just took the threads he created with him. His posts in other threads are still left.
  8. M0ntG0M3rY Newcomer, in training

    Well, can we repost Howard's instructions and get them pinned?
  9. SNGX1275 TechSpot Special Forces

    Rik is working on it. Unfortunately since he only has the google cache to go off of it isn't an easy task to get all the formatting and the links set up properly.

    By all means though, if you want to take on the task of resurrecting it into a proper post I will sticky it for you (that isn't meant to sound sarcastic, it does need to be done, so if anyone wants to take the initiative then go for it).
  10. M0ntG0M3rY Newcomer, in training

    No problem, I will do that by tomorrow.

    OK, did that using a WYSIWYG editor, it was pretty simple and not time-consuming. See it here: http://www.techspot.com/vb/topic93355.html
  11. plasma dragon00 Newcomer, in training

    Aah ;) didn't notice that lol
  12. ambushedbaby Newcomer, in training

    Thanks M0ntG0M3rY,

    I'd have done it, but you beat me to it. ;-) I go back to there often and refer other people there, too. Very well done, helpful post that was.

    All the best, Howard, wherever you are. And thank you.

    Shari
  13. M0ntG0M3rY Newcomer, in training

    I see Julio got the Instructions I formatted pinned.

    I also noticed that Whataboutadog/rabbit etc. Removal instructions are gone. HERE is a Google cached version (with no attached file available). The formatted version will follow.
  14. M0ntG0M3rY Newcomer, in training

    Whataboutadog/rabbit etc. Removal instructions by howard_hopkinso

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.


    Please Note: The attached files are for example only. Your own files will have different entries.

    Please follow these instructions exactly. A copy of these instructions is available as a downloadable .txt file in the attachments.

    Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

    Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

    STEP1:

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad.

    See attached example 1:

    STEP2:

    You would then need to do the following with Example1. Scroll down the file until you come to the main body marked as START HERE. It's the entries below where it says "Duplicate files of bak directory contents" that we're interested in.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text into the text file.

    These are the entries from Example1 you would need to copy and paste into the above. Please note: You must include the quotes.

    You would only copy and paste the entries that have a bak folder in the file path.


    "C:\hp\KBD\bak\KBD.EXE"
    "C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
    "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
    "C:\Program Files\PCPal\bak\PalAgnt.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\Windows Defender\bak\MSASCui.exe"
    "C:\WINDOWS\ehome\bak\ehtray.exe"
    "C:\WINDOWS\system32\bak\ctfmon.exe"
    "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
    "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
    "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
    "C:\Program Files\Logitech\QuickCam10\bak\QuickCam10.exe"
    "C:\Program Files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe"
    "C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
    "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad.

    STEP3:

    Please double-click the FindAWF icon once again.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed. See attached Example2. Again, scroll down the file to where it says START HERE. Again, it's the entries below where the file says "Duplicate files of bak directory contents" that we're interested in.

    Note: This time only copy and paste up to where the actual bak folder is, and we don't need the quotes this time.

    C:\hp\KBD\bak
    C:\Program Files\DISC\bak
    C:\Program Files\DISC\bak   <- This is a duplicate of the above entry. These often crop up in an awf.txt file.
    C:\Program Files\Lexmark X1100 Series\bak
    C:\Program Files\PCPal\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\Windows Defender\bak
    C:\WINDOWS\ehome\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\Alwil Software\Avast4\bak
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
    C:\Program Files\HP\HP Software Update\bak
    C:\Program Files\Logitech\QuickCam10\bak
    C:\Program Files\Comcast\Desktop Doctor\bin\bak
    C:\Program Files\Common Files\LogiShrd\LComMgr\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
    C:\Program Files\Java\jre1.6.0_02\bin\bak

    Please Note: The marked entry above is simply a duplicate and is there for example only. For instance, you could find several bak folders listed for Windows\system32\bak or elsewhere. You would only need to enter one of these, as in effect it's exactly the same bak folder, so we can't remove it twice etc.

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log. See the attached Example3, which is clean.

    STEP4:

    If you receive a clean log after running option 3, as in the attached Example3, then the infection is gone and you need to do the following.

    To finish, run Option 4.

    Double-click the FindAWF icon once again.
    Use the following option: Press 4 then Enter to reset domain zones


    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT

    Very Important

    However, that's not always the case, and sometimes you'll still see some bak files left under where it says "Duplicate files of bak directory contents" after running option 3. See the attached Example4.


    In all cases, it is recommended you start a new thread in this forum (if you don't already have one), even if your awf.txt is clean. That's because your system may be infected with other malware.

    You would need to attach a fresh awf.txt from running Option1 of the FindAWF.exe tool, as well as a fresh HJT log. See HERE for instructions.

    If you have any questions pertaining to these instructions, please don't hesitate to ask.

    Regards, Howard
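Added example, not FindAWF's code and not part of Howard's post: a small Python script that carries out the same three file operations Steps 1 to 3 above describe (find the bak folders and the replaced files sitting beside them, copy each backup over its replacement, then delete each bak folder exactly once and rescan), run against a constructed sandbox tree in a temporary directory. The directory names and file contents in the sandbox are made up to mirror three entries from the example log; the hash comparison, the "refuse to delete anything not named bak" rail and the function names are this example's own choices. Option 4 (reset domain zones) is not modelled, because the post does not say what it changes.

```python
"""Re-implementation of the FindAWF option 1-3 workflow described above.
Added example: this is NOT FindAWF's own code. It runs against a constructed
sandbox directory (see build_sandbox) so it is safe to execute anywhere."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

BAK_NAME = "bak"  # folder name the trojan uses for the displaced originals (per the post)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_bak_folders(root: Path) -> List[Tuple[Path, Path]]:
    """Option 1: list (replaced_file, backup_file) pairs. A pair is a file in a
    'bak' folder that has a same-named sibling in the parent directory, i.e.
    the "Duplicate files of bak directory contents" section of awf.txt."""
    pairs = []
    for bak_dir in sorted(p for p in root.rglob(BAK_NAME) if p.is_dir()):
        for backup in sorted(bak_dir.iterdir()):
            replaced = bak_dir.parent / backup.name
            if backup.is_file() and replaced.is_file():
                pairs.append((replaced, backup))
    return pairs


def restore_from_bak(pairs: Iterable[Tuple[Path, Path]]) -> List[Path]:
    """Option 2: copy the backed-up original over the file that replaced it.
    Pairs whose contents already match are skipped (nothing to restore)."""
    restored = []
    for replaced, backup in pairs:
        if sha256(replaced) != sha256(backup):
            shutil.copy2(backup, replaced)
            restored.append(replaced)
    return restored


def remove_bak_folders(root: Path, folders: Iterable[Path]) -> List[Path]:
    """Option 3: delete each bak folder exactly once. The list is deduplicated
    first because awf.txt lists a folder once per file it holds; deleting the
    same folder twice is the mistake the post warns about."""
    removed = []
    for folder in dict.fromkeys(folders):  # dedupe while keeping order
        # Safety rail (this example's own): only delete a folder literally named
        # 'bak' that lives under the scanned root.
        if folder.name != BAK_NAME or root not in folder.parents:
            raise ValueError(f"refusing to delete {folder}")
        if folder.is_dir():
            shutil.rmtree(folder)
            removed.append(folder)
    return removed


def run_cleanup(root: Path) -> Dict[str, object]:
    """Options 1-3 in order, then the rescan FindAWF does after option 3."""
    pairs = scan_bak_folders(root)
    restored = restore_from_bak(pairs)
    folders = [backup.parent for _, backup in pairs]  # one entry per file, so repeats
    removed = remove_bak_folders(root, folders)
    leftover = scan_bak_folders(root)
    return {
        "pairs": len(pairs),
        "restored": len(restored),
        "folders_listed": len(folders),
        "folders_removed": len(removed),
        "clean": not leftover,  # False means bak files survived option 3
    }


def build_sandbox() -> Path:
    """Constructed infection layout (not real samples): the live .exe is a stub
    standing in for the dropper, the original sits next to it in bak\\. Names
    mirror three entries from the example log above."""
    root = Path(tempfile.mkdtemp(prefix="awf_")).resolve()
    layout = {
        "WINDOWS/system32/ctfmon.exe": b"TROJAN-STUB",
        "WINDOWS/system32/bak/ctfmon.exe": b"MZ original ctfmon",
        "Program Files/QuickTime/qttask.exe": b"TROJAN-STUB",
        "Program Files/QuickTime/bak/qttask.exe": b"MZ original qttask",
        "Program Files/DISC/DiscUpdateMgr.exe": b"TROJAN-STUB",
        "Program Files/DISC/bak/DiscUpdateMgr.exe": b"MZ original DiscUpdateMgr",
        # second file in the same bak folder: makes DISC\bak appear twice in the
        # folder list, like the duplicate entry in Howard's example
        "Program Files/DISC/helper.dll": b"TROJAN-STUB",
        "Program Files/DISC/bak/helper.dll": b"MZ original helper",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def discard_sandbox(root: Path) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sandbox = build_sandbox()
    print(run_cleanup(sandbox))
    discard_sandbox(sandbox)
```

Run it as a script to see the counts. The deduplication in remove_bak_folders is the point Howard makes about the repeated C:\Program Files\DISC\bak entry (four duplicate files, but only three distinct folders get deleted), and the rescan at the end corresponds to the log FindAWF opens automatically after option 3: anything still listed there means the cleanup is not finished and a fresh awf.txt belongs in a new thread.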
  15. Daveskater Banned

  16. evilfantasy Banned

    I hope you guys can instruct on all of the programs mentioned in the threads/posts that you are resurrecting.

    Combofix is not a normal tool and needs supervision while being used.
  17. Daveskater Banned

    I only help in threads that I think I can help in. I have no experience with combofix so can't instruct people on how to use it and thusly won't tell people to use it :)

    I do agree with this a bit, but we need instructions for people to use, and Howard's are the best we could possibly need, so if we were to write our own ones then it would just be the same but in slightly different words.


    Yes, I'm signed up to email alerts ;)

    I noticed that my thread (the "Do not post your problems here" one) in the Introduce Yourself forum was stickied (:D), but the message for newcomers one (http://www.techspot.com/vb/topic93387.html) hasn't been yet, and wondered if it was because of the "by howard" bit. If so then I could post it again, or could a mod change it for me, if you can do that sort of thing? I don't know ;)
  18. evilfantasy Banned

    My point is (and I am not trying to start anything here) directing people to the preliminary removal thread is telling them to use combofix.

    What if they run into problems with it. Who is going to bail them out? Maybe it should be removed from the instructions. I normally only use it if it is needed and only after all other normal/safe tools have been used to disinfect.

    It really is a powerful tool that can do irreversible damage with just one click.
  19. Daveskater Banned

    Good point, although it is only telling people to post the log that it makes, so it shouldn't be that bad.

    If it comes to it then untrained people can ask for help, or we could offer some kind of lessons or instructions for advanced users on how to use it?
  20. evilfantasy Banned

    There are no instructions for combofix.

    From sUBs, the owner of combofix: you either attend an online academy/bootcamp and learn about it, or you don't use it. (That is what is said, in a nutshell.)