Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Cannot Remove Malware Popups From Laptop


  • Please log in to reply

#16
jamielaw

jamielaw

    Member

  • Member
  • PipPipPip
  • 350 posts
Hey whizzer38

I've modified the batch slightly - it should work this time ( cross your fingers :whistling: )

Downloader.Agent.awf:

Please launch Notepad (Start > Run, type in: notepad)
Copy/paste all the text below to it:

if exist "C:\PROGRA~1\APOINT\Apoint.exe" 
move "C:\PROGRA~1\APOINT\BAK\Apoint.exe" "C:\PROGRA~1\APOINT"
rmdir "C:\PROGRA~1\APOINT\BAK" /S /Q 

if exist "C:\PROGRA~1\QUICKT~1\qttask.exe" 
move "C:\PROGRA~1\QUICKT~1\BAK\qttask.exe" "C:\PROGRA~1\QUICKT~1"
rmdir "C:\PROGRA~1\QUICKT~1\BAK" /S /Q 

if exist "C:\PROGRA~1\REGSHAVE\REGSHAVE.EXE" 
move "C:\PROGRA~1\REGSHAVE\BAK\REGSHAVE.EXE" "C:\PROGRA~1\REGSHAVE"
rmdir "C:\PROGRA~1\REGSHAVE\BAK" /S /Q 

if exist "C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe" 
move "C:\PROGRA~1\ATITEC~1\ATICON~1\BAK\atiptaxx.exe" "C:\PROGRA~1\ATITEC~1\ATICON~1"
rmdir "C:\PROGRA~1\ATITEC~1\ATICON~1\BAK" /S /Q 

rmdir "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK" /S /Q 

if exist "C:\PROGRA~1\DELL\ACCESS~1\dadapp.exe" 
move "C:\PROGRA~1\DELL\ACCESS~1\BAK\dadapp.exe" "C:\PROGRA~1\DELL\ACCESS~1"
rmdir "C:\PROGRA~1\DELL\ACCESS~1\BAK" /S /Q 

if exist "C:\PROGRA~1\SYNAPT~1\SYNTP\SynTPEnh.exe" 
move "C:\PROGRA~1\SYNAPT~1\SYNTP\BAK\SynTPEnh.exe" "C:\PROGRA~1\SYNAPT~1\SYNTP"
rmdir "C:\PROGRA~1\SYNAPT~1\SYNTP\BAK" /S /Q 

if exist "C:\PROGRA~1\SYNAPT~1\SYNTP\SynTPLpr.exe" 
move "C:\PROGRA~1\SYNAPT~1\SYNTP\BAK\SynTPLpr.exe" "C:\PROGRA~1\SYNAPT~1\SYNTP"
rmdir "C:\PROGRA~1\SYNAPT~1\SYNTP\BAK" /S /Q 

if exist "C:\WINDOWS\SYSTEM32\DLA\tfswctrl.exe" 
move "C:\WINDOWS\SYSTEM32\DLA\BAK\tfswctrl.exe" "C:\WINDOWS\SYSTEM32\DLA"
rmdir "C:\WINDOWS\SYSTEM32\DLA\BAK" /S /Q 

if exist "C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\realsched.exe" 
move "C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK\realsched.exe" "C:\PROGRA~1\COMMON~1\REAL\UPDATE~1"
rmdir "C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK" /S /Q 

del 123.bat

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: "123.bat"
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on bakfile.bat


====
Also, please run the following:

1. DelDomains
http://www.mvps.org/.../DelDomains.inf
To delete all entries in the Restricted & Trusted Zone list, right click DelDomains.inf
Select: Install

2. ResetProtocolDefaults
http://www.mvps.org/...colDefaults.reg
Right click the link, save target as or save link as, and save to the Desktop.

Locate ResetProtocolDefaults.reg on the Desktop
Right-click and select: Merge
OK the prompt

Please can you then run the Downloader.Agent.awf tool again (see post 11). Post the log back here.
  • 0

Advertisements


#17
whizzer38

whizzer38

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Again, thanks for your help. Batch file still did not appear to run. Here are the results of the scan:


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

06/10/2003 10:07 PM 147,456 Apoint.exe
1 File(s) 147,456 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/01/2006 02:57 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002 09:32 PM 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/07/2002 08:00 PM 294,912 atiptaxx.exe
1 File(s) 294,912 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

03/07/2003 11:36 AM 209,800 dadapp.exe
1 File(s) 209,800 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

05/02/2003 04:15 PM 610,304 SynTPEnh.exe
05/02/2003 04:21 PM 110,592 SynTPLpr.exe
2 File(s) 720,896 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 12:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/20/2006 05:30 PM 180,269 realsched.exe
1 File(s) 180,269 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

147456 Jun 10 2003 "C:\DELL\drivers\R64287\Apoint.exe"
147456 Jun 10 2003 "C:\Program Files\Apoint\bak\Apoint.exe"
147456 Jun 10 2003 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\Apoint.exe"
28672 Oct 15 2005 "C:\WINDOWS\system32\qttask.exe"
282624 Sep 1 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
294912 Nov 7 2002 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
209800 Mar 7 2003 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe"
610304 May 2 2003 "C:\DELL\drivers\R61162\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
610304 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
110592 May 2 2003 "C:\DELL\drivers\R61162\SynTPLpr.exe"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
110592 May 2 2003 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
122939 Aug 13 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\Sonic Solutions Product CD\DLA\install\tfswctrl.exe"
180269 Aug 20 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report
  • 0

#18
jamielaw

jamielaw

    Member

  • Member
  • PipPipPip
  • 350 posts
Please could you now post a fresh Hijackthis log.
  • 0

#19
whizzer38

whizzer38

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thanks. Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:06 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\DELL\drivers\R61162\SynTPLpr.exe
C:\DELL\drivers\R61162\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Citrix\ICA Client\pn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis_199[1]\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\DELL\drivers\R64287\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\DELL\drivers\R61162\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\DELL\drivers\R61162\SynTPEnh.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Fix-It Task Manager - Unknown owner - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP