help with awq trojan removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mischiefdevil89, Feb 5, 2008.

  1. mischiefdevil89

    mischiefdevil89 Private E-2

    Hi guys, this is my first time posting on this forum. I've run into a trojan on my laptop and it is very similar to the case posted here: http://forums.majorgeeks.com/showthread.php?t=145549
    The infected file is listed as C:/Program Files/Common Files/Microsoft Shared/Speech/Wab64.dll or so. McAfee pops up and constantly tells me that the virus is there but offers no solution. I've tried to delete it manually in safe mode but it just comes back afterwards. I will attach the logs and stuff later as the other guy did in the other thread, since I think that, as we have different computers, the solution may be slightly different. Need help asap as this is a laptop for schoolwork :cry

    EDIT: I've put in the logs, but they were scanned on the laptop during safe mode. Hope it helps.
     

    Last edited: Feb 5, 2008
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Click Start > Run and type in: services.msc
    Click OK
    In the Services window find: Network Connection Manager (NetCM)
    Select/highlight and right click the entry, and choose: Properties
    On the General tab, under Service Status click the Stop button
    Beside: Startup Type, in the drop menu, select: Disabled
    Click Apply, then OK

    Now open Notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Double-click fix.bat and let the program run.
    A small black DOS window will flash; this is normal.

    Tell me how that ran.

    Now go to C:/Program Files/Common Files/Microsoft Shared/Speech and tell me what is there.
     
  3. mischiefdevil89

    mischiefdevil89 Private E-2

    Thanks for the reply. When I tried to stop the NetCM service, it was already stopped. I disabled it and did the fix.bat file thing, and it seemed to go smoothly with the 1-second black flash screen. I restarted my computer and checked the Speech folder and found that the wab64.dll file is no longer there. Only sapi.cpl, sapi.dll, sapisvr.exe, and svchost.exe are in there, along with a folder named 1033. McAfee no longer pops up telling me I have a virus as well.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know if you have any additional problems....
     
  5. mischiefdevil89

    mischiefdevil89 Private E-2

    From what I've been doing today, it seems the problem is completely solved. Hope it doesn't come back again... Thanks a million.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
  7. mischiefdevil89

    mischiefdevil89 Private E-2

    After a while of using it, McAfee pops up with another virus alert. It says
    Name: A0001073.EXE
    In Folder: C:\System Volume Information\_restore{22D8D8C7-06FE-44AB-92FC-F80CFFA2CE3D}\RP1\A0001073.exe
    Detected As: RemAdm-ProcLaunch!171
    Detection Type: Remote Admin Tool
    Status: Deleted (clean failed)
    Application: svchost.exe
    Username:NT AUTHORITY\SYSTEM

    Not sure what any of this means.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not flush system restore.
     
  9. mischiefdevil89

    mischiefdevil89 Private E-2

    Hi, I tried to disable System Restore but have run into some problems. When I click on System in the Control Panel nothing shows up. I tried to follow the READ ME but it tells me to click on Properties after right-clicking on My Computer. I am running Windows XP but do not see that option there.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right-click "My Computer"... click on Properties... click the tab for System Restore and check the box to turn off System Restore... reboot, and go back and uncheck that box.

    Are you saying that there is no System Restore tab? If so:

     
  11. mischiefdevil89

    mischiefdevil89 Private E-2

    Actually, I was trying to say that the option "Properties" isn't there after right-clicking "My Computer". Any other way of opening it?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason for this problem was shown in your runkeys.txt log. The below policies were created by someone or something.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoSharedDocuments"=dword:00000001
    "NoSMConfigurePrograms"=dword:00000001
    "NoPropertiesMyComputer"=dword:00000001

    I assume you did not create these policies. If that is correct then do the below.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
     
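One way to spot the kind of policy entries chaslang found in runkeys.txt, as an added example (this is not the forum's fix and not the fixME.reg from the post above): a Python script that parses a .reg-style export, flags the three Explorer policies when they are set to 1, and drafts a reset file. The sample export is constructed from the excerpt quoted above plus one unrelated Run entry; the assumption that a reset to dword:00000000 is the right remedy is the example's own, since the post's fixME.reg contents are not shown.

```python
"""Flag restrictive Explorer policy values in a .reg-style export and draft a reset.

Added example for this thread; not the MajorGeeks tooling and not chaslang's
fixME.reg. It assumes the log uses the [KEY] / "name"=dword:XXXXXXXX layout that
Windows .reg exports use, as in the runkeys.txt excerpt quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the quoted runkeys.txt excerpt, plus an
# unrelated Run entry that must not be flagged.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoSharedDocuments"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoPropertiesMyComputer"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Explorer policy values that remove administrative UI when set to 1.
RESTRICTIVE_POLICIES: Dict[str, str] = {
    "NoPropertiesMyComputer": "removes Properties from the My Computer context menu",
    "NoSMConfigurePrograms": "removes Set Program Access and Defaults from the Start menu",
    "NoSharedDocuments": "hides Shared Documents in My Computer",
}
# Matched case-insensitively against the tail of the key path, so HKCU and HKLM
# (and HKEY_USERS\<SID>) variants are all covered.
POLICY_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\explorer"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: dword}} for every DWORD value in the export."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
        # String, binary and multi-line hex values are ignored on purpose:
        # only DWORD policies are of interest here.
    return keys


def find_restrictive_policies(text: str) -> List[Tuple[str, str, str]]:
    """List (key, value name, description) for each restrictive policy set to 1."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(POLICY_KEY_SUFFIX):
            continue
        for name, dword in values.items():
            if name in RESTRICTIVE_POLICIES and dword == 1:
                findings.append((key, name, RESTRICTIVE_POLICIES[name]))
    return findings


def build_reset_reg(findings: List[Tuple[str, str, str]]) -> str:
    """Draft a .reg file that sets each flagged policy back to 0.

    Assumption of this example: resetting to 0 (rather than deleting the value)
    is the chosen remedy; the thread's own fixME.reg is not shown.
    """
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=dword:00000000' for n in sorted(names))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_restrictive_policies(SAMPLE_LOG)
    for key, name, why in hits:
        print(f"{key}\n  {name}=1  ({why})")
    print(build_reset_reg(hits))
```

Run it against a saved export or log in the same layout; it reports which policy values are set and prints the draft reset file, which you can review before merging. Anything it does not understand (string, binary or multi-line hex values) is skipped rather than guessed at.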
  13. mischiefdevil89

    mischiefdevil89 Private E-2

    Ok, that worked. I flushed System Restore and it doesn't seem like there's any problem anymore.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know ..safe surfing. :)
     
