Too Numerous Trojans, Spyware, etc.


Negotiator

Hello,

I was asked to look at a person's computer because they said they had a bunch of viruses on their computer.

So I went through the 15 steps found at www.techspot.com/vb/topic58138.html

And I posted the Combofix, HJT, and AVG Antispyware logs.

Thank You For Your Time

Oh, I forgot to mention, No Unknown Rootkits found.
 
Please post the results of the Panda Antirootkit scan in your next reply.

Delete all files in AVG Antispyware quarantine.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\PROGRA~1\COMMON~1\BESTSE~1\gcw.exe
C:\Documents and Settings\Dan Dorfmeyer\Application Data\M?crosoft\n?tepad.exe
C:\WINDOWS\system32\drivers\system.exe
C:\Documents and Settings\Dan Dorfmeyer\winmain.exe
C:\WINDOWS\SYSTEM32\jaawuxom.dll.vir
C:\WINDOWS\SYSTEM32\urqroll.dll.vir
C:\WINDOWS\SYSTEM32\rc.dat
C:\WINDOWS\SYSTEM32\ps1.dat
C:\WINDOWS\SYSTEM32\cookie1.dat
C:\WINDOWS\SYSTEM32\winlogon.scr
C:\WINDOWS\SYSTEM32\d3d8caps.dat
C:\Program Files\.autoreg
C:\Program Files\Common Files\hoby77798.exe
C:\PROGRA~1\COMMON~1\BESTSE~1\gcw.exe
C:\WINDOWS\system32\gebcb.dll
Folder::
C:\Documents and Settings\Dan Dorfmeyer\Application Data\M?crosoft
C:\Program Files\AWS
C:\Qoobox
C:\VundoFix Backups
C:\WINDOWS\RGFuIERvcmZtZXllcg
C:\Program Files\WildTangent
C:\PROGRA~1\COMMON~1\BESTSE~1
C:\Program Files\??stem32
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68D5BBF9-EED5-4125-B227-55F81540BF4D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hoby"=-
"gcw"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mpjvba"=-
"Iwcf"=-
"main"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"sysinit"=-
"winmz"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=-


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of Negotiator only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
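A pre-flight check for a script of the shape above, as an added example (it is not ComboFix code and not part of Howard's post). It understands only the three directives that appear in this thread, File::, Folder:: and Registry::, checks the layout rule Howard stresses (directive on the first line, no blank line above, no leading space), and flags the one registry edit a defender would want a second look at before running: deleting the whole LSA "Authentication Packages" value, which on Windows XP normally holds msv1_0, the package that performs local logon. The sample script is constructed; two of its registry lines are copied from the post.

```python
"""Parser and pre-flight check for a CFScript of the shape Howard posted.

Added example, not ComboFix code: it recognises only the File::, Folder:: and
Registry:: directives seen in this thread, and the sample script below is
constructed (two of its registry lines are taken from the post above)."""
import re
from typing import Dict, List, Optional, Tuple

DIRECTIVES = ("File::", "Folder::", "Registry::")

# Constructed sample in the same layout as the post's script.
SAMPLE = """File::
C:\\WINDOWS\\system32\\drivers\\system.exe
C:\\WINDOWS\\SYSTEM32\\rc.dat
Folder::
C:\\Qoobox
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{68D5BBF9-EED5-4125-B227-55F81540BF4D}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"hoby"=-
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=-
"""

RegAction = Tuple[str, str, Optional[str]]  # (action, key, value name or None)


def check_layout(text: str) -> List[str]:
    """Check the layout rule from the post: a directive on the very first line,
    no blank line above it and no whitespace in front of it."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        problems.append("blank line before the first directive")
    first = next((ln for ln in lines if ln.strip()), "")
    if first != first.lstrip():
        problems.append("whitespace in front of the first directive")
    if first.strip() not in DIRECTIVES:
        problems.append("first non-blank line is not a directive")
    return problems


def parse_cfscript(text: str) -> Dict[str, list]:
    """Split the script into its sections. Registry:: uses .reg-style lines:
    [-KEY] deletes a key, [KEY] selects a key, "name"=- deletes that value."""
    out: Dict[str, list] = {"File": [], "Folder": [], "Registry": []}
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:
            section = line[:-2]          # drop the trailing "::"
            current_key = None
            continue
        if section is None:
            raise ValueError(f"content before any directive: {line!r}")
        if section != "Registry":
            out[section].append(line)    # one path per line
            continue
        key_match = re.fullmatch(r"\[(-?)(.+)\]", line)
        if key_match:
            if key_match.group(1) == "-":
                out["Registry"].append(("delete_key", key_match.group(2), None))
                current_key = None
            else:
                current_key = key_match.group(2)
            continue
        value_match = re.fullmatch(r'"(.+)"=-', line)
        if value_match and current_key:
            out["Registry"].append(("delete_value", current_key, value_match.group(1)))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return out


def risky_registry_actions(parsed: Dict[str, list]) -> List[Tuple[str, str]]:
    """Flag deletions of values Windows itself depends on. The LSA value
    'Authentication Packages' normally holds msv1_0, the package that performs
    local logon; infections of this family append their DLL to it, so the safe
    edit is to remove the appended entry, not the whole value."""
    flagged: List[Tuple[str, str]] = []
    for action, key, value in parsed["Registry"]:
        if (action == "delete_value"
                and key.lower().endswith("\\control\\lsa")
                and value.lower() == "authentication packages"):
            flagged.append((key, value))
    return flagged


if __name__ == "__main__":
    print("layout problems:", check_layout(SAMPLE) or "none")
    parsed = parse_cfscript(SAMPLE)
    print("files:", len(parsed["File"]), "folders:", len(parsed["Folder"]),
          "registry actions:", len(parsed["Registry"]))
    for key, value in risky_registry_actions(parsed):
        print(f"review before running: deleting {value!r} under {key}")
```

Run it on the text of a script before dragging the file onto ComboFix; the parser raises on anything it does not recognise, so a stray character or a line outside a section shows up before the machine reboots rather than after.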
 
I ran that CFScript file through ComboFix and the computer rebooted, but now when I try to log into one of the user accounts, or the administrator account, I am asked for a password. The thing is, they never had passwords set for any of the accounts, you could just click on any account and log in.
 
I don't know why that has happened.

Boot into safe mode, under THE ADMINISTRATOR ACCOUNT. See how HERE.

If it asks for a password, just try hitting the enter key.

Once in safe mode, click start/all programs/Accessories/System Tools/System Restore/Restore My Computer to an Earlier Time/Next/ Select the Combofix created restore point and click next etc.

Let me know the results.

Regards Howard :)

 
I restarted the computer in Safe Mode and the Administrator Account required a password, and pressing enter didn't allow me to log in. So I restarted the computer again and brought up the list where you can select to start in Safe Mode and I selected the option to restore to a previous state that worked.

When the user account options came on the screen I was allowed to just select a user without having to enter a password. When logged in, Combofix finished and generated a report. The thing is though, the keyboard no longer worked.

I restarted the computer again and when I got to the user account screen, I was once again required to give a password. So again, I restarted and accessed the option to restore to a previous state that worked.

When the user account screen came back on I was able to choose an account without entering a password, but again, when I logged on, the keyboard didn't work. This time I went to the User Accounts menu in the Control Panel and turned the guest account on in case I was forced to enter a password if I restarted.

I again restarted the computer and when I got to the User Account screen I was able to log in without entering a password. So as of now, that problem is fixed. I still need to run HJT to get a fresh log.

Do you want me to post the new Combofix and HJT in my next log or wait for your comments about the log in problem?

Thank You For Your Time
 
Once you get your system working again, just post a fresh Combofix log, without doing the instructions in my post #2.

I think there may be something in those instructions that's causing the problem.

Regards Howard :)

 
Here are the fresh logs, and the Panda Antirootkit didn't find anything.

Thank You For Your Time
 
Ok, just a couple of things to get rid of and hopefully that'll be it.

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


Folder::
C:\Qoobox
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"default"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
The main nasty is now gone.

Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

AWS
WeatherBug

Close control panel.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there):

C:\Program Files\AWS
C:\Qoobox

Reboot your computer and post a final HJT log.

Regards Howard :)

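The four entries Howard asks HJT to fix share one property: the registry still references a CLSID whose file is gone ("(no file)" or "(file missing)"). A parser that pulls that out of a HijackThis log, as an added example that is neither HijackThis code nor part of the post, makes the reason for ticking each line explicit. The first four sample lines are the entries from the post; the fifth is a constructed healthy entry (made-up CLSID and path) included only to show the contrast.

```python
"""Parser for HijackThis log entries of the kinds listed above.

Added example, not HijackThis code. The first four sample lines are the
entries from the post; the fifth is a constructed healthy entry (made-up
CLSID and path) to show the contrast with an orphaned one."""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\\Program Files\\MyWaySA\\SrchAsDe\\1.bin\\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\Program Files\\AWS\\WeatherBug\\Weather.exe (file missing) (HKCU)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt_line(line: str) -> Optional[Dict[str, object]]:
    """Split 'CODE - KIND: NAME - {CLSID} - TARGET' into its fields.
    Returns None for lines that do not have that shape."""
    parts = line.strip().split(" - ", 3)
    if len(parts) != 4 or not re.fullmatch(r"[A-Z]\d+", parts[0]):
        return None
    code, what, clsid, target = parts
    kind, _, name = what.partition(": ")
    hive: Optional[str] = None
    if target.endswith("(HKCU)"):          # HJT tags per-user entries this way
        hive = "HKCU"
        target = target[:-len("(HKCU)")].strip()
    # Either marker means the registry points at a file that no longer exists.
    orphan = target == "(no file)" or target.endswith("(file missing)")
    path = None if target == "(no file)" else target.replace(" (file missing)", "").strip()
    return {
        "code": code,
        "kind": kind,
        "name": name,
        "clsid": clsid if CLSID_RE.fullmatch(clsid) else None,
        "path": path,
        "orphan": orphan,
        "hive": hive,
    }


def orphaned_entries(log: str) -> List[str]:
    """CLSIDs of entries whose file is gone: the registry still references
    them, which is why such leftovers get ticked for removal."""
    return [str(e["clsid"]) for e in map(parse_hjt_line, log.splitlines())
            if e and e["orphan"] and e["clsid"]]


if __name__ == "__main__":
    for entry in filter(None, map(parse_hjt_line, SAMPLE_LOG.splitlines())):
        state = "orphaned" if entry["orphan"] else "file present"
        print(f"{entry['code']} {entry['kind']:<14} {entry['clsid']}  {state}")
    print("tick for removal:", orphaned_entries(SAMPLE_LOG))
```

Only the R-, O2, O3 and O9 shapes seen in this thread are exercised; other HJT line types that do not follow the four-field layout come back as None rather than being misread.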
 
Here is the latest HJT log. There was no WeatherBug software on the computer.

Thank You For Your Time
 
That's now clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 