Another Win32:Trat BHO[Trj]

That's the one I thought would be infected. The clean file should be the one in the backup folder. Test it anyway.

We can fix this with a batch file, or you can do it manually. Either way you will have to stop both files with Task Manager beforehand. I think AWF was unable to do so.

Let me know which you would prefer and I'll post instructions.

I tested the 2nd file and it came back clean (0/32). Let’s fix the infected file with a batch file (I assume it’s easier). If not let me know. Please post further instructions. Thank you so much.

I thought about it and decided you should attempt it manually. If we hit a system-protected file, we could risk losing the good one.

The manual method is quite easy. Let me know if you have any problems, or are uncomfortable. We can use a removal tool to take out the bad guy. ;D

Open Task Manager and click on the Processes tab, find all instances of shwiconem.exe and end process.

In Windows Explorer, first:

At the top of Windows Explorer, click Tools, Folder Options, then click the
View tab.

Check "Show hidden files and folders".
Uncheck the "Hide extensions for known file types" box.
Uncheck the "Hide protected operating system files" box.

Then navigate to this folder C:\program files\emachine bay reader

Find this file: shwiconem.exe. Right-click it and delete it. If it won't delete, use the alternative method.

Then open this folder C:\program files\emachine bay reader\bak

Find this file: shwiconem.exe. Right-click it and drag it to this folder: C:\program files\emachine bay reader. Let go of the mouse button and choose "Move Here".

Delete the bak folder afterwards. Empty the Recycle Bin. Reboot.

As an alternative method, or if you can't manually delete the file, we can go this route.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\program files\emachine bay reader\shwiconem.exe

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

Open Task Manager and click on the Processes tab, find all instances of shwiconem.exe and end process.

Then just move the file to its proper folder as per the previous instructions. Reboot.

Let me know how you make out.
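The manual fix above (stop the process, delete the swapped-in file, move the original back out of the bak folder, remove bak) is mechanical enough to script, and the check behind it is the same one a "bak folders found / duplicate files of bak directory contents" report makes: hash the file in bak, hash the same-named file one level up, and flag the pair when they differ. The script below is an added example and is not part of this thread, nor the FindAWF or OTMoveIt2 tools it mentions. The folder layout and file contents it builds in a temporary directory are constructed placeholders, and stopping the running process beforehand (Task Manager, or taskkill) is left to the operator as the post says.

```python
"""
Added example (not the thread's FindAWF/OTMoveIt2 tools): locate "bak"
folders, compare each backed-up file with the live copy of the same name one
level up, and restore the original over a replaced live copy.

Stopping the running process first (Task Manager, or `taskkill /f /im name`)
is deliberately left to the operator, as the thread instructs.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAK_DIR_NAME = "bak"  # folder name the file-replacing infection used (from the thread)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large executables are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root: Path):
    """Yield (live, bak, identical) for every file inside a bak folder that has a
    same-named sibling in the parent folder. identical=False is the pattern the
    thread describes: the live exe was swapped and the original parked in bak."""
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != BAK_DIR_NAME:
            continue
        for name in filenames:
            bak, live = d / name, d.parent / name
            if live.is_file():
                yield live, bak, sha256_of(live) == sha256_of(bak)


def restore_from_bak(live: Path, bak: Path) -> str:
    """Delete the replaced live file, move the backed-up original into its place,
    drop the bak folder once it is empty, and return the hash of the restored file."""
    live.unlink()
    shutil.move(str(bak), str(live))
    if not any(bak.parent.iterdir()):
        bak.parent.rmdir()
    return sha256_of(live)


def build_demo_tree(root: Path) -> Path:
    """Constructed layout mirroring the thread; file contents are placeholders."""
    app = root / "program files" / "emachine bay reader"
    (app / BAK_DIR_NAME).mkdir(parents=True)
    (app / "shwiconem.exe").write_bytes(b"MZ infected replacement")
    (app / BAK_DIR_NAME / "shwiconem.exe").write_bytes(b"MZ original program")
    # A second app whose bak copy matches the live file: nothing to restore there.
    other = root / "program files" / "other app"
    (other / BAK_DIR_NAME).mkdir(parents=True)
    (other / "tool.exe").write_bytes(b"MZ same")
    (other / BAK_DIR_NAME / "tool.exe").write_bytes(b"MZ same")
    return app


def run_demo() -> dict:
    """Build the tree, report every bak pair, restore only the mismatched ones."""
    root = Path(tempfile.mkdtemp())
    try:
        app = build_demo_tree(root)
        pairs = list(find_bak_pairs(root))  # hashes are computed before any change
        report = sorted((live.name, identical) for live, _bak, identical in pairs)
        restored = {live.name: restore_from_bak(live, bak)
                    for live, bak, identical in pairs if not identical}
        return {
            "report": report,                     # [(name, identical?), ...]
            "restored": restored,                 # name -> hash of restored file
            "live_bytes": (app / "shwiconem.exe").read_bytes(),
            "bak_removed": not (app / BAK_DIR_NAME).exists(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real machine you would point find_bak_pairs at C:\Program Files instead of the constructed tree and review the report before restoring anything, since a bak folder whose contents match the live file (as with tool.exe here) is not evidence of a swap.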

Hi oldman. I did the manual procedure and everything went smoothly. I opened Task Manager a second time after doing the manual delete and now it shows 1 shwiconem.exe file, while before doing the process it showed 2 of these instances. Do you need any more logs, or are there any further steps to do?
Thanks.

Good job. It looks good, but…

These types of infections can leave stray files behind, so the next step would be an online scan at either Kaspersky or ESET. Both have very good detection rates; the difference is that KAV will only detect and report anything found in its log, while ESET will also delete.

After the scan, please post the log.

ESET: http://www.eset.com/onlinescan/

KAV: http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Pause the avast Standard Shield during the scan. Don't forget to re-enable it afterwards.

First we'll have to do a little cleanup of the tools we used, to get you ready for the online scan. This will help speed up the online scan and prevent the files that were already removed from being detected.

  • Click the Start button, then Run; copy and paste the following line into the Run box that appears, and click OK

combofix /u

*Delete FindAWF

*Open HJT, click the Misc Tools button, scroll down, and click Uninstall. You will have to delete hijackthis.exe.

*Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

*Remove old restore points

  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

*Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

*Download and run this cleanup utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Please post the results.

Ok. I did everything in your last post. Here are the last few lines of the cleanup log:
C:\temp\tree_0.txt - deleted
C:\temp\tree_1.txt - deleted
C:\temp\tree_2.txt - deleted
C:\temp\tree_3.txt - deleted
C:\temp\tree_4.txt - deleted
C:\temp\tree_5.txt - deleted
‘Run MRU’ list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet’s MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 42.5 MB of disk space from 8561 files.
CleanUp! finished on 02/22/08 00:49:31.

Let me know if you need the whole cleanup log.

I then did the Eset scan and here’s that log:

Files scanned: 299793
Threats found: 4

Details:
A variant of Win32/KillAV.OE trojan (unable to clean - deleted)
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP701\A0115988.exe

A variant of Win32/KillAV.OE trojan (unable to clean - deleted)
C:\System Volume Information\_restore{879E598B-020E-408B-AC9B-13ABBD7D02C3}\RP701\A0115988.exe

A variant of Win32/KillAV.OE trojan (unable to clean - deleted (after the next restart))
C:\Program files\Windows Defender\MSASCui.exe

A variant of Win32/KillAV.OE trojan (unable to clean - deleted)
C:\Program files\Spybot-Search&Destroy\TeaTimer.exe

Is there anything else left to do? I still have the files in quarantine in SuperAntiSpyware. Should these be deleted? Is it ok to run Spybot and SuperAntiSpyware at the same time, or does this slow down my computer?
Thanks a lot.

No, I don't need the cleanup log.

A variant of Win32/KillAV.OE trojan (unable to clean - deleted (after the next restart)) C:\Program files\Windows Defender\MSASCui.exe

A variant of Win32/KillAV.OE trojan (unable to clean - deleted)
C:\Program files\Spybot-Search&Destroy\TeaTimer.exe

It looks like 2 of the files that were replaced by AWF were still infected according to ESET. I don't know if the Windows Defender file was deleted or not, but TeaTimer.exe was. If you want to use that feature of Spybot, you will have to uninstall/reinstall Spybot.

Check this file at VirusTotal:

C:\Program files\Windows Defender\MSASCui.exe

If it can't be found, then it was removed. If it's still present, then you can see if it is infected. If ESET did remove it, Windows Defender will also have to be reinstalled.

No problem using Spybot and SAS at the same time, as the free version of SAS is on-demand. If both were resident, it may cause some performance slowdown.

So check that file and let me know how you make out.

It looks like Windows Defender\MSASCui.exe can't be found. Here's the log:
0 bytes size received / An empty file was received

I don’t really want to use Windows Defender anymore so is it ok to not reinstall it?

Also should I do anything about the files in quarantine in SAS?

Thanks.

Uninstall Windows Defender, then set your folder options to show all folders and unhide system files/folders. Then search for that file. "0 bytes received" usually means that the file is present but can't be scanned. Hopefully it will go with the uninstall.

You can empty the SAS quarantine, but pause the avast Standard Shield first, as it has a habit of scanning and detecting the SAS files when you empty the quarantine.

Let me know how it goes. Thanks

I uninstalled Windows Defender, then set the folder options as requested and did a search for that file. No file was found, so I assume it's gone.

Also emptied out the SAS quarantine. Everything seems to be working fine.

Thanks for all your help. You are amazing!

I hope it's gone. I think that's about as clean as I can get you, but if you want, you can download and run AWF again, this time with option 1. We can see if the darned thing jumped or went with the uninstall.

BTW, was the Windows Defender folder removed during the uninstall?

I ran option 1 of AWF and here’s the log:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 02/22/2008
The current time is: 22:16:15.95

bak folders found


Duplicate files of bak directory contents

end of report

I think windows defender folder was removed during the uninstall. I don’t see it anywhere in windows explorer or when I do a search.

Thanks.

All right thanks. I think you are good to go.

Please delete AWF.

Thanks for all your help oldman. I really appreciate experts like you helping out us less experienced novices. Take care and keep up the good work.