Did 8 Steps already, Please Help

[andrew4336]

Hi,

I am helping clean a friend's laptop which got horribly affected with all kinds of viruses and malware. After doing the 8-step process a few of the viruses/spyware that came up were Win32 : Fasec, and Isass.blaster.keylogger. This friend uses this laptop for business purposes too and has a lot of sensitive info on here (most likely).

Before I did any of the 8-step process the computer was so bad that it froze up right as soon as you start up. I had to the begginning part of it in safe mode. Now the computer is ALOT better and im able to run windows normally. However I am recommending that she backup whatever files she can that are important and still wipe and reformat her drive. (change passwords etc...) It might take awhile for her to do her reinstall/reformat properly (as she has to wait for a new windows xp pro disc to come in).

So for the week she has to use this, I am asking to see if someone can look at the logs and see if theres anything else I should do. that way she can still use the computer this week for business until she can reformat.

something I want to point out is that internet explorer seems to pop up a blank window every now and then. I am going to reinstall firefox for her to use.

also its a dell laptop. if that makes a difference

here is the logs:

Thanks for any help!

- Andrew Alanis

 

[mflynn]

Run HJT Scan only select and Fix the below
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll dimfor.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

Then run SAS again as it had finding so we need to run until we have a clean log.

ONLY when above is complete do the below!

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike

 

[andrew4336]

Here it is. I did exactly what you said then ran SAS. then did Combo fix. and hijack again.

Here are the logs

 

[mflynn]

Good so MBAM and SAS came up with clean logs?

So now rename ComboFix to 1cfix and run 1cfix post its log.

Then

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatability start= disabled
sc stop FastUserSwitchingCompatability

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServe start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config DNSCache start= disabled
sc stop DNSCache

sc config JavaQuickStarterService start= disabled
sc stop JavaQuickStarterService
sc delete JavaQuickStarterService
attrib -h -s -r /s c:\jqs.*
del /f /q /s c:\jqs.*

sc config RpcSs start= Automatic
sc start RpcSs

sc config RpLocator start= Automatic
sc start RpcLocator

sc config MSIServer start= Automatic
sc start MSIServer
exit
exit

Reboot post new HJT log and report how system is running!

Mike