Help with Trojan Backdoor-AWQ removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by dngrsdv1, Dec 10, 2007.

  1. dngrsdv1

    dngrsdv1 Private E-2

    Please help! I have a nasty back door Trojan that locks up my system and does not even allow me to access the internet. I even had to borrow a friend's laptop to be able to try and research a solution. I am trying to get together the necessary reports to see if maybe someone can steer me in the right direction, but my system keeps locking up because of the infection.
     
    Last edited: Dec 10, 2007
  2. abri

    abri MajorGeek

    Hi dngrsdv1!
    Welcome to Major Geeks

    See if you can get Combofix and AVG Antispyware to run, and CCleaner. You may be able to transfer Combofix and CCleaner from another computer with a CD or flash drive and run them in Safe Mode. If you can do any of these, then try to install the MGTools.exe file (also possible by downloading to another computer) onto your computer (in the root drive) and run it so we can see your logs.

    abri
     
  3. dngrsdv1

    dngrsdv1 Private E-2

    I was at my wits' end, and after doing a little research I took a chance and deleted the file that was in question, which was C:/program files/common files/microsoft shared/speech/wap64.dll. I'm not sure I'm out of the woods yet, but I have regained the ability to access the web and not lock up. I have run all the cleaning procedures you recommend. I will attach my log files to see if maybe there is something detectable.
     


  4. abri

    abri MajorGeek

    Hi dngrsdv!

    1) You need to uninstall the below:

    - Viewpoint Media Player
    - Java 2 Runtime Environment, SE v1.4.2


    2) Reboot after uninstalling the above.

    3) Now install the current version of Sun Java from: Sun Java Runtime Environment


    4) Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    5) Run HijackThis and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
    O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
    O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)


    Do you know what this is? If not, please fix it as well. (do not click on the link)

    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe


    After clicking Fix, exit HJT.

    6) Now run CCleaner. Run the MGtools.exe file under C:\ and attach a fresh set of logs called MGlogs.zip with your next post.

    abri
     
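As an added, defender-side illustration (not a tool from this thread or from MajorGeeks): a small Python triage of the HijackThis lines quoted in the post above, applying the same tells the helpers act on (orphaned entries, a svchost.exe outside system32, a silent RegSvr32 autorun of a DLL, a DPF download from a bare IP). The sample log is constructed from the lines above plus one benign QuickTime entry for contrast.

```python
import re

# Constructed sample: the HJT lines quoted in this thread plus a benign QuickTime autorun.
HJT_SAMPLE = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\V0330Cvw.dll] C:\WINDOWS\system32\RegSvr32.exe /s C:\WINDOWS\system32\V0330Cvw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.IGNORECASE)

def triage_entry(line):
    """Return the reasons an HJT entry deserves a look (empty list = nothing flagged)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    # Orphaned hooks: the registry still points at a file that is gone (O3/O20/O23 above).
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry, referenced file is missing")
    # A core Windows binary name living outside \Windows\system32 (the fake svchost.exe above).
    if "svchost.exe" in low and "\\windows\\system32\\svchost.exe" not in low:
        reasons.append("svchost.exe outside the system directory")
    # Autorun that silently registers a DLL through RegSvr32 (the V0330Cvw.dll entry above).
    if section == "O4" and "regsvr32" in low and "/s" in low:
        reasons.append("silent RegSvr32 autorun loading a DLL")
    # Download helper (O16 DPF) pulling an executable from a bare IP address.
    if section == "O16" and IP_URL_RE.search(body):
        reasons.append("DPF download from a bare IP address")
    return reasons

def triage_log(text):
    """Map each flagged HJT line (as written) to its reasons; unflagged lines are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged

if __name__ == "__main__":
    for entry, why in triage_log(HJT_SAMPLE).items():
        print(entry[:60], "->", "; ".join(why))
```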
  5. dngrsdv1

    dngrsdv1 Private E-2

    Abri,

    I appreciate all the help and prompt responses to my posts. I did as you instructed. I went ahead and deleted that strange line as well for I had no idea what it was. Here is my new MGlogs.zip file for you to inspect.
     


  6. abri

    abri MajorGeek

    Hi dngrsdv1
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Network Connection Manager
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste NetCM into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now!!

    O23 - Service: Network Connection Manager (NetCM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe (file missing)

    After clicking Fix, exit HJT.

    Please run CCleaner and then rerun MGTools.exe (located directly under C:\ ) and attach a fresh set of Mglogs.zip (located in the MGTools folder) to your next post. I hope this will be everything.

    abri
     
  7. dngrsdv1

    dngrsdv1 Private E-2

    I went ahead and disabled that particular service, though when I went to its properties it was already stopped. When I ran the system scan I didn't see that line in the list. Here is the logfile. Thanks again for the help!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below!!!

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Then reboot!

    After reboot, run MSconfig and select Normal Startup mode as was requested in the READ ME. Then reboot one more time.

    After doing the above, please download the current version of MGtools.exe to C:\ like you previously did. It was just updated. Then run MGtools.exe which will create a new C:\MGlogs.zip file. Please attach this new log file.
     
  9. dngrsdv1

    dngrsdv1 Private E-2

    Did as you requested. I'm not sure if this is a problem but I keep getting an error message as if I don't have administrator privileges when I change the startup. It does work but I don't remember getting this message before. I will attach it as well along with my log.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall ewido security suite; it was discontinued and replaced by AVG Antispyware a long time ago.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below file if found:
    C:\WINDOWS\system32\ot.ico

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

    Make sure you tell me how things are working now!
     
  11. dngrsdv1

    dngrsdv1 Private E-2

    Ok, here goes. I can see that my system is running so much better. You don't know how much I appreciate all you've been helping me with!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean, but it appears that something is blocking the fixing of the below:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

    It could be from Ad-Watch, McAfee or you may not have shutdown browsers before fixing. They are not big issues to worry about. You could just try again after shutting down Ad-Watch.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  13. dngrsdv1

    dngrsdv1 Private E-2

    I tried it once again with Ad-Watch turned off, but after I scanned again it was back. Oh well, it's not that big a deal. My computer has come such a long way thanks to you guys. I'm sure we'll be in touch again the next time I kill my computer. Your help was greatly appreciated.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
