Whataboutadog has got me too

Status
Not open for further replies.
I have read a few posts and tried to do what they said but fear I need individual attention. I attached the log as instructed. Thanks in advance for your help.
 
Hi ysrman and welcome to techspot. =)

I suggest you do the following before doing anything else

Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.
Do not copy and paste your logs; if you do, they will be removed.

Our experts here will tend to your queries thereafter.

Also, please provide the results of the Antirootkit scan.


Regards,
momok =)

This thread is for the use of ysrman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
I posted the results here. I could not find the rootkit log file but it said it was clean. I appreciate your help here.
I posted it after rerunning AWF.

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. Go to start > run and type msconfig. Press the enter key.
    Search for the following entries. Uncheck them to stop them from starting up. Click Ok but do not restart your system yet.

    QuickTime Task
    Microsoft Update


  4. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] winsys32.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] winsys32.exe (User 'Default user')
    O15 - Trusted Zone: *.doginhispen.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

    Close HJT.

  5. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
    C:\WINDOWS\SmF5IGN1cnRpcw\mAIcK3hYwBlDwT.vbs
    C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
    Folder::
    C:\WINDOWS\SmF5IGN1cnRpcw
    C:\WINDOWS\0
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
  6. Save this as CFScript on the desktop.
  7. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    [image: CFScript.gif]

  8. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  9. Reboot into normal mode and rehide your protected OS files.

Run FindAWF again.

  1. Press 2 then Enter. A text file named files.txt will open:

  2. Copy and paste the following text from the quote box below into the text file.
    C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
    C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
    C:\Program Files\iTunes\bak\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\bak\jusched.exe
    C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe
    C:\Program Files\QuickTime\bak\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
    C:\WINDOWS\SMINST\bak\RECGUARD.EXE
    C:\WINDOWS\system\bak\hpsysdrv.DAT
    C:\WINDOWS\system\bak\hpsysdrv.exe
    Next, close and click Yes to save the changes.

  3. Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply.


Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


Regards,
momok =)

This thread is for the use of ysrman only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
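The FindAWF step above describes a small, mechanical procedure: every line in files.txt names an original that was moved into a `bak` folder, the same-named file sitting in the parent folder is the replacement, and the fix is to remove that file and copy the original back. The following Python script is an added example written for this thread, not FindAWF's own code or anything posted by momok. It parses lines in the files.txt format, walks a directory tree for the same `bak`-plus-parent pattern (only reporting pairs whose contents differ, so an already-restored file is not flagged again), and performs the copy-back. The sample files.txt lines and the temporary demo tree are constructed here for illustration; FindAWF's first action, terminating the running process, is deliberately not reproduced.

```python
"""Added example: the restore logic FindAWF applies to its files.txt list.
For every original preserved in a 'bak' folder, the same-named file in the
parent folder is the replacement; the original is copied back over it."""
import filecmp
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

BAK_DIR = "bak"

# Constructed sample in the format of FindAWF's files.txt (two of the thread's lines)
SAMPLE_FILES_TXT = """\
C:\\Program Files\\QuickTime\\bak\\qttask.exe
C:\\WINDOWS\\system\\bak\\hpsysdrv.exe
"""


def plan_restores(files_txt):
    """Parse files.txt lines into (original_in_bak, rogue_in_parent) string pairs.
    Uses pure Windows path logic only, so it runs on any OS."""
    plan = []
    for line in files_txt.splitlines():
        line = line.strip()
        if not line:
            continue
        original = PureWindowsPath(line)
        if original.parent.name.lower() != BAK_DIR:
            raise ValueError(f"not inside a '{BAK_DIR}' folder: {line}")
        rogue = original.parent.parent / original.name
        plan.append((str(original), str(rogue)))
    return plan


def find_awf_pattern(root):
    """Walk root and report every file in a 'bak' folder whose parent folder also
    holds a same-named file with different contents (the pattern being cleaned up)."""
    root = Path(root)
    hits = []
    for bak_file in root.rglob("*"):
        if not bak_file.is_file() or bak_file.parent.name.lower() != BAK_DIR:
            continue
        rogue = bak_file.parent.parent / bak_file.name
        if rogue.is_file() and not filecmp.cmp(bak_file, rogue, shallow=False):
            hits.append((bak_file, rogue))
    return sorted(hits)


def restore_originals(root, dry_run=True):
    """Replace each rogue file with the original from bak (a copy, as FindAWF does).
    Terminating a running process first is FindAWF's own step and is not done here."""
    actions = []
    for bak_file, rogue in find_awf_pattern(root):
        if not dry_run:
            rogue.unlink()
            shutil.copy2(bak_file, rogue)
        actions.append(str(rogue))
    return actions


def build_demo_tree(root):
    """Constructed example tree: one folder with a replacement, one clean folder."""
    root = Path(root)
    infected = root / "QuickTime"
    (infected / BAK_DIR).mkdir(parents=True)
    (infected / BAK_DIR / "qttask.exe").write_text("ORIGINAL")
    (infected / "qttask.exe").write_text("ROGUE")  # replacement sitting in the parent
    clean = root / "HP"
    (clean / BAK_DIR).mkdir(parents=True)
    (clean / BAK_DIR / "HPWuSchd.exe").write_text("ORIGINAL")  # no file beside it
    return root


def demo():
    """Run detection and restore on the constructed tree; return what was found,
    the restored file's contents, and how many pairs remain afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        before = [rogue.name for _, rogue in find_awf_pattern(root)]
        restore_originals(root, dry_run=False)
        content = (root / "QuickTime" / "qttask.exe").read_text()
        remaining = len(find_awf_pattern(root))
        return before, content, remaining


if __name__ == "__main__":
    print(plan_restores(SAMPLE_FILES_TXT))
    print(demo())
```

`restore_originals` defaults to a dry run that only lists what it would replace; pass `dry_run=False` to actually copy the originals back. Comparing contents before flagging a pair is what keeps the scan idempotent: once the original is back in the parent folder, the pair is identical and drops out of the report.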
 
I have done everything you asked.

Attached are the logs requested. I think it is fixed but could you please confirm this by looking at the logs?

Thanks so much for your help.

Jay
 