Whataboutadog.com And The Other


16 replies to this topic

#1 RosarioM

Posted 07 November 2007 - 08:40 AM

Noticed some problems with certain applications. Did a stare and compare with another PC and noticed 2 mystery files in my trusted website. Not familiar with these sites and did some online research and was made aware this is a virus / hijack.
Running eTrust as antivirus - Windows XP - Internet Explorer. I cleaned up and removed via various spyware tools; however, once I reboot and search the web, it lowers my default setting and is right back there.
Followed the preliminary steps and am starting with the HijackThis log.

IMPORTANT NOTE: I HAVE REPLACED SOME ITEMS WITH X for personal reasons. Can anyone help with finding the culprit?

Edited by RosarioM, 07 November 2007 - 08:42 AM.



#2 MoNsTeReNeRgY22

Posted 07 November 2007 - 09:32 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.




#3 MoNsTeReNeRgY22

Posted 08 November 2007 - 08:46 AM

Hello RosarioM,

Step 1
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double click on the HJTInstall.exe icon on your desktop.
  • A window will pop up, and simply click Install.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • When it is completed installing HijackThis, it will automatically launch and you will be presented with the License Agreement. Click on the I Accept button.
  • Once the license agreement is gone, click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Step 2
Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to Press any key to continue.
Press a key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically be saved to your desktop or whatever location you ran the file from.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply along with the HJT log.




#4 RosarioM (Topic Starter)

Posted 09 November 2007 - 10:47 AM

Can the hijack info be supplied other than this forum? Business reasons

Wonder if you could help with these listed suspicious items and can direct me with them:
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab

Below is the AWF report.
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 11/09/2007
The current time is: 10:54:53.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 05:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERG~1\BAK

06/16/2004 04:12 PM 90,174 cgahelp.exe
06/16/2004 04:12 PM 73,784 cgav.exe
2 File(s) 163,958 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
10/08/2004 04:27 PM 126,976 hkcmd.exe
10/08/2004 04:31 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\EM\BIN\TIVOLI~1\BAK

08/08/2005 08:25 AM 151,552 hwinv2k.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/07/2004 04:58 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/03/2004 10:32 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK

08/18/2003 03:15 PM 282,624 realmon.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

04/14/2006 11:52 AM 602,182 ifrmewrk.exe
04/14/2006 11:51 AM 667,718 ZCfgSvc.exe
2 File(s) 1,269,900 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/28/2002 11:39 PM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/28/2002 11:39 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 5 2007 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
28172 Oct 5 2007 "C:\Program Files\CyberGatekeeper Agent\cgahelp.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgahelp.exe"
28172 Oct 5 2007 "C:\Program Files\CyberGatekeeper Agent\cgav.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgav.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 20 2001 "C:\coeesd\proj2k2\FILES\SYSTEM\CTFMON.EXE"
28172 Oct 5 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
28172 Oct 5 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
28172 Oct 5 2007 "C:\em\bin\Tivoli_EM\hwinv2k.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\bak\hwinv2k.exe"
28172 Oct 5 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
28172 Oct 5 2007 "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe"
970752 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe"
602182 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
819200 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe"
667718 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report

Edited by RosarioM, 09 November 2007 - 01:20 PM.


#5 MoNsTeReNeRgY22

Posted 11 November 2007 - 03:20 AM

Hello again,

Can the hijack info be supplied other than this forum? Business reasons

I am not exactly sure what you mean by this, can you please explain.

We don't do PM support here, so in order for you to receive help here, you need to post the logs.
Private info can be edited by replacing it with xxx.

Step 1
Please download and save the following attachment to you desktop.

Attached file: fix_for_RosarioM_1.bat (2.68 KB, 11 downloads)

Please double-click the fix_for_RosarioM_1.bat file you saved previously.
The data needed then should be merged.

Step 2
Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


Step 3
Now please post a fresh AWF log, fresh HJT Log, and the F Secure log.




#6 RosarioM (Topic Starter)

Posted 11 November 2007 - 08:49 AM

Can I ask what is the download "fix for RosarioM 1.bat?" Which data will be merged?

#7 MoNsTeReNeRgY22

Posted 11 November 2007 - 01:05 PM

Hi, it is to fix the downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy that has infected your PC. This trojan replaces legitimate files that are common on most computers with an infected file.




#8 RosarioM (Topic Starter)

Posted 11 November 2007 - 01:36 PM

1. AWF


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 11/11/2007
The current time is: 13:11:48.23


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 05:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERG~1\BAK

06/16/2004 04:12 PM 90,174 cgahelp.exe
06/16/2004 04:12 PM 73,784 cgav.exe
2 File(s) 163,958 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
10/08/2004 04:27 PM 126,976 hkcmd.exe
10/08/2004 04:31 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\EM\BIN\TIVOLI~1\BAK

08/08/2005 08:25 AM 151,552 hwinv2k.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/07/2004 04:58 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/03/2004 10:32 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK

08/18/2003 03:15 PM 282,624 realmon.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

04/14/2006 11:52 AM 602,182 ifrmewrk.exe
04/14/2006 11:51 AM 667,718 ZCfgSvc.exe
2 File(s) 1,269,900 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/28/2002 11:39 PM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/28/2002 11:39 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgahelp.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgahelp.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgav.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgav.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 20 2001 "C:\coeesd\proj2k2\FILES\SYSTEM\CTFMON.EXE"
126976 Oct 8 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\hwinv2k.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\bak\hwinv2k.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\IMJPMIG.EXE"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe"
970752 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe"
602182 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
819200 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe"
667718 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report

2. HIJACK THIS- some portions replaced with xxx
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\WINDOWS\System32\cisvc.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\EM\OPT\TIVOLI\Mobile\mobile.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\PROGRA~1\CYBERG~1\cgav.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by xxx xxx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://xxxconfig.xxx.com
O1 - Hosts: xxx
O1 - Hosts: xxx
O1 - Hosts: xxx
O1 - Hosts: xxx
O1 - Hosts: xxx
O1 - Hosts: xxx
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Mobile] C:\EM\OPT\TIVOLI\Mobile\epspawn.exe -w C:\EM\OPT\TIVOLI\Mobile C:\EM\OPT\TIVOLI\Mobile\mobile.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\ANTIVI~1\realmon.exe
O4 - HKLM\..\Run: [CgaHelper] C:\PROGRA~1\CYBERG~1\cgahelp.exe -check
O4 - HKLM\..\Run: [CgaViewer] C:\PROGRA~1\CYBERG~1\cgav.exe -check
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\hwinv2k.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.X] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [MASStartup] C:\Program Files\xxx\Deskapps\DSU\Mobile Access Services Client\1.2_2\MASStartup.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MASStartup] C:\Program Files\xxx\Deskapps\DSU\Mobile Access Services Client\1.2_2\MASStartup.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ProfileSet] C:\Windows\xxx\ProfileSet.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MASStartup] C:\Program Files\xxx\Deskapps\DSU\Mobile Access Services Client\1.2_2\MASStartup.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MASStartup] C:\Program Files\xxx\Deskapps\DSU\Mobile Access Services Client\1.2_2\MASStartup.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {X} (ConfigChkr Class) - https://onsite.verisign.com/services/xxxCor...CA/vscnfchk.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {X} (PjAdoInfo3 Class) - x
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {X} (Pj11enuC Class) - x
O16 - DPF: {X} (GpcContainer Class) - x
O16 - DPF: {X} (akmsSigner Class) - https://certificates.xxx.com/cms/akmsSigner6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.com
O17 - HKLM\Software\..\Telephony: DomainName = xxx.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: CyberGatekeeper Agent (CGAgent) - InfoExpress - C:\PROGRA~1\CYBERG~1\cgasvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\System32\Drivers\trcboot.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file -


3. F-Secure
Result: 41 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
Trojan.Win32.Agent.bxj (virus)
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE (Renamed & Submitted)
Type_Script (virus)
C:\EM\SWDIS\ESUTIVOLI.VBE (Submitted)
W32/Malware.BELZ (virus)
C:\PROGRAM FILES\DELL\NICCONFIGSVC\SVCLAUNCHER.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 43550
System: 4602
Not scanned: 11
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 39
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLKB839645$\XPSP2RES.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB833998$\SHELL32.DLL
C:\WINDOWS\$NTUNINSTALLKB833987$\SXS.DLL
C:\WINDOWS\$NTUNINSTALLKB829558$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-09
F-Secure AVP: 7.0.171, 2007-11-10
F-Secure Orion: 1.2.37, 2007-11-09
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-30
F-Secure Pegasus: 1.19.0, 2007-10-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

#9 MoNsTeReNeRgY22

Posted 11 November 2007 - 03:28 PM

Hi,

Did you run the bat file? Because it appears that you didn't.




#10 RosarioM (Topic Starter)

Posted 11 November 2007 - 07:05 PM

Yes, I had run the bat file. I just did it again.

new AWF output -
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 11/11/2007
The current time is: 18:51:25.84


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 05:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERG~1\BAK

06/16/2004 04:12 PM 90,174 cgahelp.exe
06/16/2004 04:12 PM 73,784 cgav.exe
2 File(s) 163,958 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
10/08/2004 04:27 PM 126,976 hkcmd.exe
10/08/2004 04:31 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\EM\BIN\TIVOLI~1\BAK

08/08/2005 08:25 AM 151,552 hwinv2k.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/07/2004 04:58 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/03/2004 10:32 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK

08/18/2003 03:15 PM 282,624 realmon.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

04/14/2006 11:52 AM 602,182 ifrmewrk.exe
04/14/2006 11:51 AM 667,718 ZCfgSvc.exe
2 File(s) 1,269,900 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/28/2002 11:39 PM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/28/2002 11:39 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgahelp.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgahelp.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgav.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgav.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 20 2001 "C:\coeesd\proj2k2\FILES\SYSTEM\CTFMON.EXE"
126976 Oct 8 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\hwinv2k.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\bak\hwinv2k.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\IMJPMIG.EXE"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe"
970752 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe"
602182 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
819200 Feb 21 2007 "C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe"
667718 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report

NEW Hijack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:55 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\ccmsetup\ccmsetup.exe
C:\PROGRA~1\CYBERG~1\cgasvc.exe
C:\PROGRA~1\CYBERG~1\cgagent.exe
C:\WINDOWS\System32\cisvc.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Fiberlink\Mobile Access Services\ServiceMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\EM\OPT\TIVOLI\Mobile\mobile.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\CYBERG~1\cgahelp.exe
C:\PROGRA~1\CYBERG~1\cgav.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Hope this is sufficient, as the bottom portion is the same.

#11 MoNsTeReNeRgY22

Posted 12 November 2007 - 03:18 PM

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\PROGRA~1\APOINT\BAK\Apoint.exe"
"C:\PROGRA~1\CYBERG~1\BAK\cgahelp.exe"
"C:\PROGRA~1\CYBERG~1\BAK\cgav.exe"
"C:\WINDOWS\SYSTEM32\BAK\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\BAK\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\BAK\igfxtray.exe"
"C:\WINDOWS\SYSTEM32\BAK\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\BAK\igfxtray.exe"
"C:\EM\BIN\TIVOLI~1\BAK\hwinv2k.exe"
"C:\PROGRA~1\CYBERL~1\POWERDVD\BAK\DVDLauncher.exe"
"C:\WINDOWS\IME\IMJP8_1\BAK\IMJPMIG.EXE"
"C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK\realmon.exe"
"C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK\ifrmewrk.exe"
"C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK\ZCfgSvc.exe"
"C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK\ImScInst.exe"
"C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK\TINTSETP.EXE"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.


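The "bak" pattern the helper describes above (a live executable replaced in place, the original parked in a sibling folder named bak) is easy to check for with a short script. The following is an added example, not FindAWF and not code posted in this thread: it builds a constructed directory tree under a temporary folder (the file names Apoint.exe and ctfmon.exe are borrowed from the report only as labels; the bytes are made up), then pairs every file in a folder named bak with the same-named file one level up and compares both size and SHA-256. The point it adds to the report's size-only listing is that equal size does not prove equal content; only a matching hash shows the backup has actually been put back.

```python
"""Detect the 'bak' folder pattern: a legitimate executable overwritten in
place, with the original parked in a sibling folder literally named 'bak'.
Added example; not FindAWF.  Runs against a constructed sample tree."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class BakPair:
    original: str      # path of the file the system actually runs
    backup: str        # path of the copy parked in the bak folder
    orig_size: int
    bak_size: int
    same_size: bool
    same_hash: bool    # True only if the two files are byte-identical


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root: str) -> List[BakPair]:
    """Walk root; for every directory named 'bak' (any case), pair each file
    in it with the same-named file in the parent directory."""
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            original = os.path.join(parent, name)
            if not os.path.isfile(original):
                continue  # a backup with no live counterpart is not this pattern
            o_size, b_size = os.path.getsize(original), os.path.getsize(backup)
            pairs.append(BakPair(
                original=original, backup=backup,
                orig_size=o_size, bak_size=b_size,
                same_size=(o_size == b_size),
                same_hash=(sha256_of(original) == sha256_of(backup)),
            ))
    pairs.sort(key=lambda p: p.original)  # deterministic order for reporting
    return pairs


def suspicious(pairs: List[BakPair]) -> List[BakPair]:
    """Pairs whose live file differs from its backup are the ones still
    carrying a replaced binary; equal size alone is not proof of a restore."""
    return [p for p in pairs if not p.same_hash]


def build_sample_tree() -> str:
    """Constructed sample layout (hypothetical bytes, not real binaries)."""
    root = tempfile.mkdtemp(prefix="bak_demo_")

    def put(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    # Case 1: still replaced - live copy has the same size as the backup but different bytes
    put("Apoint/Apoint.exe", b"MZ" + b"\x90" * 1022)
    put("Apoint/bak/Apoint.exe", b"MZ" + b"\x00" * 1022)
    # Case 2: already restored - byte-identical copies
    put("system32/ctfmon.exe", b"MZ" + b"ctf" * 100)
    put("system32/bak/ctfmon.exe", b"MZ" + b"ctf" * 100)
    # Case 3: a bak folder whose file has no live counterpart; ignored
    put("misc/bak/orphan.txt", b"notes")
    return root


def main() -> None:
    root = build_sample_tree()
    pairs = find_bak_pairs(root)
    for p in pairs:
        status = "identical" if p.same_hash else "DIFFERS"
        print(f"{status:9} size={p.orig_size}/{p.bak_size} {p.original} <-> {p.backup}")
    print(f"{len(suspicious(pairs))} live file(s) differ from their bak copy")


if __name__ == "__main__":
    main()
```

Run as-is it reports Apoint.exe as DIFFERS (same size, different hash) and ctfmon.exe as identical; pointing `find_bak_pairs` at a real drive root gives the same two-column verdict for every bak folder found.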


#12 RosarioM

RosarioM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:20 AM

Posted 12 November 2007 - 05:17 PM

Posting newest AWF file below:

Question: Didn't the downloaded bat file correct the issue with copying the BAK to the primary? The file sizes between the 2 are identical (see 7:05am posting). I would think we are in the remove BAK phase? But you're in charge.

PS. Is the hijack link in my trusted sites removed at this point? How was that corrected, since I didn't utilize the HijackThis correct feature as some other posts have been requested to?

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Mon 11/12/2007
The current time is: 16:59:17.15


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

08/21/2004 05:04 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\CYBERG~1\BAK

06/16/2004 04:12 PM 90,174 cgahelp.exe
06/16/2004 04:12 PM 73,784 cgav.exe
2 File(s) 163,958 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
10/08/2004 04:27 PM 126,976 hkcmd.exe
10/08/2004 04:31 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\EM\BIN\TIVOLI~1\BAK

08/08/2005 08:25 AM 151,552 hwinv2k.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/07/2004 04:58 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/03/2004 10:32 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK

08/18/2003 03:15 PM 282,624 realmon.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

04/14/2006 11:52 AM 602,182 ifrmewrk.exe
04/14/2006 11:51 AM 667,718 ZCfgSvc.exe
2 File(s) 1,269,900 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/28/2002 11:39 PM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/28/2002 11:39 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Aug 21 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Aug 21 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgahelp.exe"
90174 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgahelp.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\cgav.exe"
73784 Jun 16 2004 "C:\Program Files\CyberGatekeeper Agent\bak\cgav.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 20 2001 "C:\coeesd\proj2k2\FILES\SYSTEM\CTFMON.EXE"
126976 Oct 8 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Oct 8 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Oct 8 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\hwinv2k.exe"
151552 Aug 8 2005 "C:\em\bin\Tivoli_EM\bak\hwinv2k.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Jul 7 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\IMJPMIG.EXE"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
282624 Aug 18 2003 "C:\Program Files\CA\eTrust\Antivirus\bak\realmon.exe"
602182 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe"
602182 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
667718 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe"
667718 Apr 14 2006 "C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report

#13 RosarioM

RosarioM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:20 AM

Posted 12 November 2007 - 06:11 PM

PS. Due to the last action, the PC is infected! Running various programs and multiple malware found.

#14 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:20 AM

Posted 13 November 2007 - 11:37 PM

Hello,

We are still in the cleaning process so just hang in there!

Copy the paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\PROGRA~1\APOINT\BAK
C:\PROGRA~1\CYBERG~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\EM\BIN\TIVOLI~1\BAK
C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
C:\WINDOWS\IME\IMJP8_1\BAK
C:\PROGRA~1\CA\ETRUST\ANTIVI~1\BAK
C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK
C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.




#15 RosarioM

RosarioM
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:20 AM

Posted 14 November 2007 - 08:16 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/14/2007
The current time is: 19:56:12.78


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report



