whataboutadog.com

Status
Not open for further replies.
B

bubuwubu

Posts: 12   +0
Hello:
During a hijackthis scan I discovered that I have the above "trusted sites" on my computer.
I have since found out they are trojans and would like to know how to remove them .
I have also done an awf bak. I will paste the results here.
Any help will be greatly appreciated.
Thanks

Can I copy and paste the results of the Hijack this and the awf?
I tried to in my previous post but was not allowed.
Thanks,
bubuwubu
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, please post a HJT log as per these instructions.

If you post the log files as attachments as per the instructions, you shouldn`t have any problems.

Regards Howard :wave: :wave:

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\America Online 9.0\bak\AOL.EXE"
"C:\Program Files\Napster\bak\napster.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIAIA.EXE"
Click to expand...

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\hp\KBD\bak
C:\Program Files\America Online 9.0\bak
C:\Program Files\Napster\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\hp\drivers\hplsbwatcher\bak
C:\Program Files\ATI Technologies\ATI.ACE\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
Click to expand...


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That`s now clean.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Now, in order to make sure your system is clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello:

Thanks for your help.I am now on step 4 of the remove spyware etc.
I will post results as soon as possible.
Thanks
Bubu
 
Good evening:

I finished step 11, and the Panda antiroot kit says" No rootkits have been found".
Regards,
Bubuwubu
 
That`s good news. Post the 3 requested log files and I`ll advise you further.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
This is the Hijack This from today.
Will post the other 2 soon.

Thanks,
Bubu

ooops I think I jumped the gun.
I was supposed to do the combo fix first.
I am downloading that now and will post soon.
Sorry about that.
Bubu
 
If you follow the instructions properly, you`ll see that you only run HJT after you`ve completed the other steps.

I have therefore removed your last HJT log.

Please do so and post all 3 log files and the results of the Panda Antirootkit scan into your next reply.

EDIT: Obviously our posts crossed lol.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

The panda antiroot said that no rootkits had been found (it did not give me a logfile so I assume that this is sufficient). I am attaching my combofix logfile and the hijackthis done afterwards, but I don't know what the third file you want is. Is it from step 10? Because I have only gotten to the end of step 12.

thanks

bubuwubu
 
That`s because there`s 15 steps and you need to complete them all.

You`re not making this very easy are you?

All you have to do is follow the instructions properly.

I have yet again, removed your log files and await the correct log files when you`ve completed the instructions.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Good evening Howard:

I am keeping my fingers crossed hoping I finally got it right.
I am attaching the 3 log files.
Thanks
Bubuwuu
 
Go HERE, download and install the latest version of Java.

Once it`s installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\excotsec.dll
C:\WINDOWS\system32\bthos4.dll
C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
Folder::
C:\VundoFix Backups
C:\Qoobox
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {15565fce-361e-4b0e-b47d-d9f2d5c4c0b3} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)

O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk.disabled

O4 - Startup: Epson scanner Registration.lnk = F:\COMMON\EpsonReg\EPSONREG.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk.disabled

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} -

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} -

O20 - Winlogon Notify: bthos4 - C:\WINDOWS\

O21 - SSODL: Uriviav - {717705FE-5EE7-4089-97AC-CB38B8464E4B} - C:\WINDOWS\system32\excotsec.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\system32\excotsec.dll
C:\WINDOWS\system32\bthos4.dll
C:\Qoobox

Reboot into normal mode and rehide your protected OS files.

post fresh HJT and Combofix logs.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That all looks fine.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of bubuwubu only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

Shawn Knight
Malicious Android apps totaling millions of downloads discovered on Google Play
Replies
7
Views
310
PEnnn
PEnnn
midian182
Massive leak exposes 26 billion records in mother of all breaches
Replies
11
Views
361
RudyBob
RudyBob
E
There's a possibility FTX customers get repaid in full after all
Replies
16
Views
466
Karlos95
Karlos95

Latest posts

Back