TechSpot

Too Numerous Trojans, Spyware, etc.

By Negotiator
Nov 1, 2007
  1. Hello,

    I was asked to look at a person's computer because they said they had a bunch of viruses on their computer.

    So I went through the 15 steps found at www.techspot.com/vb/topic58138.html

    And I posted the Combofix, HJT, and AVG Antispyware logs.

    Thank You For Your Time

    Oh, I forgot to mention, No Unknown Rootkits found.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post the results of the Panda Antirootkit scan in your next reply.

    Delete all files in AVG Antispyware quarantine.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    I ran that CFScript file through the combofix and the computer rebooted, but now when I try to log into one of the user accounts, or the administrator account, I am asked for a password. The thing is, they never had passwords set for any of the accounts, you could just click on any account and log in.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't know why that has happened.

    Boot into safe mode, under THE ADMINISTRATOR ACCOUNT See how HERE.

    If it asks for a password, just try hitting the enter key.

    Once in safe mode, click start/all programs/Accessories/System Tools/System Restore/Restore My Computer to an Earlier Time/Next/ Select the Combofix created restore point and click next etc.

    Let me know the results.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    I restarted the computer in Safe Mode and the Administrator Account required a password, and pressing enter didn't allow me to log in. So I restarted the computer again and brought up the list where you can select to start in Safe Mode and I selected the option to restore to a previous state that worked.

    When the user account options came on the screen I was allowed to just select a user without having to enter a password. When logged in, Combofix finished and generated a report. The thing is though, the keyboard no longer worked.

    I restarted the computer again and when I got to the user account screen, I was once again required to give a password. So again, I restarted and accessed the option to restore to a previous state that worked.

    When the user account screen came back on I was able to choose an account without entering a password, but again, when I logged on, the keyboard didn't work. This time I went to the User Accounts menu in the Control Panel and turned the guest account on in case I was forced to enter a password if I restarted.

    I again restarted the computer and when I got to the User Account screen I was able to log in without entering a password. So as of now, that problem is fixed. I still need to run HJT to get a fresh log.

    Do you want me to post the new Combofix and HJT in my next log or wait for your comments about the log in problem?

    Thank You For Your Time
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Once you get your system working again, just post a fresh Combofix log, without doing the instructions in my post #2.

    I think there may be something in those instructions that's causing the problem.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here are the fresh logs, and the Panda Antirootkit didn't find anything.

    Thank You For Your Time
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, just a couple of things to get rid of and hopefully that'll be it.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here are the newest batch of logs

    Thank You For Your Time
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The main nasty is now gone.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there):

    AWS
    WeatherBug

    Close control panel.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\Program Files\AWS
    C:\Qoobox

    Reboot your computer and post a final HJT log.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
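An added example, not code from the thread or from HijackThis itself: a small Python parser for R3/O2/O3/O9 lines like the ones quoted in post #10 that picks out entries whose target is marked "(no file)" or "(file missing)", which is what makes them dead leftovers worth ticking. The sample log is constructed from the four lines in the post plus one made-up healthy entry, and the HKLM default for entries without an (HKCU) tag is a simplification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis log format: the four entries from post #10
# plus one made-up, healthy-looking BHO (invented CLSID and path) that the
# filter should leave alone.
SAMPLE_HJT_LOG = """\
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\Program Files\\AWS\\WeatherBug\\Weather.exe (file missing) (HKCU)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
"""

# "R3 - URLSearchHook: <rest>"  ->  section, kind, and everything after the colon
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Split one HJT line into section, kind, name, CLSID, target and hive."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # log headers, blank lines and unfamiliar formats are skipped
    rest = m.group("rest")
    clsid_match = CLSID_RE.search(rest)
    clsid = clsid_match.group(0) if clsid_match else None
    # Display name sits before the CLSID, the file target after it
    name = rest[: clsid_match.start()].rstrip(" -") if clsid_match else rest
    target = rest[clsid_match.end():].lstrip(" -") if clsid_match else ""
    hive = "HKCU" if target.endswith("(HKCU)") else "HKLM"  # simplification
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "name": name,
        "clsid": clsid,
        "target": target,
        "hive": hive,
        "orphaned": any(marker in target for marker in ORPHAN_MARKERS),
    }


def find_orphaned(log: str) -> List[Dict[str, object]]:
    """Entries whose registered object points at a file that no longer exists."""
    entries = [parse_entry(line) for line in log.splitlines()]
    return [e for e in entries if e and e["orphaned"]]


if __name__ == "__main__":
    for e in find_orphaned(SAMPLE_HJT_LOG):
        print(f"{e['section']} {e['kind']:<14} {e['clsid']} -> {e['target']}")
```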
     
  11. Negotiator

    Negotiator TS Rookie Topic Starter Posts: 39

    Here is the latest HJT log. There was no WeatherBug software on the computer.

    Thank You For Your Time
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     