Zonebac.b Infection


  • This topic is locked
20 replies to this topic

#1 bfunkhouser

  • Members
  • 10 posts

Posted 12 November 2007 - 02:00 PM

Attached File: hijackthis.log (11.75KB, 10 downloads)

I'm trying to get rid of zonebac.b, but it keeps coming back. I went through all the steps on the Bleeping Computer site (thank you all), but it's still there when I boot up. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:40 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE
C:\Program Files\Quicken\qw.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.copyright.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.copyright.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 231874442] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\231874442
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.copyright.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.rightsphere.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.copyright.com (HKLM)
O15 - Trusted Zone: *.rightsphere.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab
O16 - DPF: {5879B3B0-566E-4ECB-9B77-9A8A5E62AAB8} - http://www.blackberry.com/DST2007/patch/de...teLoaderUSB.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189088257420
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://cccapp5.copyright.com:7778/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://jupiter.copyright.com:8000/jinitiator/oajinit.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cvent.webex.com/client/T23L/training/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = copyright.com
O17 - HKLM\Software\..\Telephony: DomainName = copyright.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{116EE825-7A39-42A4-80F0-ED647F4B9DA6}: Domain = copyright.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{116EE825-7A39-42A4-80F0-ED647F4B9DA6}: NameServer = 10.1.1.93 10.1.1.94 10.1.1.94 10.1.1.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = copyright.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = copyright.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHomeClientCache - Unknown owner - C:\Program Files\ccc\oracle\bin\ONRSD.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12026 bytes


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 14 November 2007 - 02:53 PM

Hello bfunkhouser,

You won't be able to get rid of zonebac.b through normal means. It is a nasty malware.

Any idea where you got zonebac.b or whataboutadog from?

Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 14 November 2007 - 03:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bfunkhouser

  • Topic Starter

Posted 18 November 2007 - 11:55 PM

I don't know where this infection originated.
Here is the afw.txt


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 11/18/2007
The current time is: 7:08:03.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

03/15/2007 05:16 PM 454,784 LinksysAgent.exe
1 File(s) 454,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 10:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 02:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK

10/31/2006 08:25 PM 26,624 ATISched.EXE
1 File(s) 26,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 04:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 08:31 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/12/2003 01:03 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of S:\NAPLES\WEBSER~1\DEVELO~1\VBWEBS~1\MMG1-BAK

02/27/2007 11:50 AM 908 MMG1.sln
1 File(s) 908 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

515200 Mar 22 2007 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
454784 Mar 15 2007 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
28172 Oct 3 2007 "C:\Program Files\QuickTime\qttask.exe"

#4 SifuMike

Posted 18 November 2007 - 11:59 PM

Hi bfunkhouser,

It looks like you posted a partial FindAWF log. The "Duplicate files of bak directory contents" section should be longer than that.

Please post the entire log.

Edited by SifuMike, 19 November 2007 - 12:00 AM.


#5 bfunkhouser

Posted 19 November 2007 - 12:36 PM

This should be the whole thing:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 11/18/2007
The current time is: 7:08:03.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

03/15/2007 05:16 PM 454,784 LinksysAgent.exe
1 File(s) 454,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 10:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 02:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK

10/31/2006 08:25 PM 26,624 ATISched.EXE
1 File(s) 26,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 04:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 08:31 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/12/2003 01:03 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of S:\NAPLES\WEBSER~1\DEVELO~1\VBWEBS~1\MMG1-BAK

02/27/2007 11:50 AM 908 MMG1.sln
1 File(s) 908 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

515200 Mar 22 2007 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
454784 Mar 15 2007 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
28172 Oct 3 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
28172 Oct 3 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
1404928 Oct 14 2004 "D:\PreCleanInstall C-drive Nov06\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
28172 Oct 3 2007 "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE"
28172 Oct 3 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
123640 Feb 8 2007 "C:\WINDOWS\Temp\gis316f5a91\GoogleUpdater.exe"
125176 May 27 2007 "C:\WINDOWS\Temp\gis5648d43\GoogleUpdater.exe"
124912 Aug 8 2007 "C:\WINDOWS\Temp\gis7e8c7\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisdbc2c\GoogleUpdater.exe"
1145896 Oct 10 2007 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
138680 May 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Oct 7 2007 "C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
426072 Nov 24 2003 "D:\My Documents\My Received Files\GoogleToolbarInstaller.exe"
28172 Oct 3 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Mar 12 2003 "C:\Program Files\VERITAS Software\DLA\install\tfswctrl.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28172 Oct 3 2007 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
140720 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.SHDocVw.dll"
401408 Dec 12 2006 "C:\Program Files\Reasonable NoClone 4 Home\Interop.Outlook.dll"
13312 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Implementation\Interop.WBOCXLib.dll"
225280 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSComctlLib.dll"
8192 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HPQUNLDLib.dll"
225280 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSComctlLib\2.0.0.0__90ba9c70f846762e\Interop.MSComctlLib.DLL"
360448 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSForms\2.0.0.0__90ba9c70f846762e\Interop.MSForms.DLL"
49152 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.NewIWshRuntimeLibrary\1.0.0.0__90ba9c70f846762e\Interop.NewIWshRuntimeLibrary.DLL"
13312 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.DLL"
131072 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC_MSIL\Interop.SHDocVw\1.1.0.0__90ba9c70f846762e\Interop.SHDocVw.DLL"
234928 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.MSComctlLib.dll"
360448 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSForms.dll"
10752 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HpqDevUn.dll"
140720 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.SHDocVw.dll"
401408 Dec 12 2006 "C:\Program Files\Reasonable NoClone 4 Home\Interop.Outlook.dll"
13312 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Implementation\Interop.WBOCXLib.dll"
225280 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSComctlLib.dll"
8192 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HPQUNLDLib.dll"
225280 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSComctlLib\2.0.0.0__90ba9c70f846762e\Interop.MSComctlLib.DLL"
360448 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSForms\2.0.0.0__90ba9c70f846762e\Interop.MSForms.DLL"
49152 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.NewIWshRuntimeLibrary\1.0.0.0__90ba9c70f846762e\Interop.NewIWshRuntimeLibrary.DLL"
13312 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.DLL"
131072 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC_MSIL\Interop.SHDocVw\1.1.0.0__90ba9c70f846762e\Interop.SHDocVw.DLL"
234928 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.MSComctlLib.dll"
360448 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSForms.dll"
10752 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HpqDevUn.dll"


end of report

#6 SifuMike

Posted 19 November 2007 - 01:21 PM

Hi bfunkhouser,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
"C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
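The pattern visible in the FindAWF log above (every hijacked executable in the parent folder is the same 28172-byte file, while the real program sits in a `bak` subfolder) and the detect-then-restore procedure SifuMike describes in this post, written out as an added example. This is not FindAWF's source and not code from anyone in the thread; it scans an ordinary directory tree, matches only folders named exactly `bak`, and leaves out the process-termination step, which is platform specific. The sample tree it builds is constructed for the demonstration, using names and sizes taken from the posted log.

```python
"""Detect and undo the 'bak folder' hijack pattern described in the thread.

Added example for this page; it is not FindAWF's source. The pattern: the
legitimate executable is moved into a subfolder named 'bak' and a rogue file
with the same name is dropped in the original location, so every autorun
entry now starts the rogue file. In the posted log every rogue copy had the
same size (28172 bytes), so the suspects cluster on a single hash.
The sample tree below is constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ROGUE_SIZE = 28172  # size shared by every hijacked executable in the posted log


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root: Path) -> list[tuple[Path, Path]]:
    """Return (file_in_parent, file_in_bak) for every file inside a directory
    named exactly 'bak' whose parent holds a same-named file with different
    content. A bak copy byte-identical to its parent is a plain backup and is
    skipped. (FindAWF matches names more loosely, e.g. 'MMG1-BAK' in the log.)"""
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak = Path(dirpath)
        if bak.name.lower() != "bak":
            continue
        for name in filenames:
            original, suspect = bak / name, bak.parent / name
            if suspect.is_file() and sha256_file(suspect) != sha256_file(original):
                pairs.append((suspect, original))
    return sorted(pairs)


def rogue_hashes(pairs: list[tuple[Path, Path]]) -> Counter:
    """Count suspects by hash. One dropper body copied everywhere shows up as
    a single hash with a high count; a unique hash is more likely a real update."""
    return Counter(sha256_file(suspect) for suspect, _ in pairs)


def restore_from_bak(pairs: list[tuple[Path, Path]], dry_run: bool = True) -> list[Path]:
    """The option-2 equivalent: delete the rogue file and copy the original
    back from bak. Killing the running process first is left out here."""
    done = []
    for suspect, original in pairs:
        if not dry_run:
            suspect.unlink()
            shutil.copy2(original, suspect)
        done.append(suspect)
    return done


def build_sample_tree(root: Path) -> None:
    """Constructed layout mirroring the log: three hijacked apps plus one
    harmless bak folder whose copy is identical to the file in use."""
    rogue = b"ROGUE" * (ROGUE_SIZE // 5) + b"RO"  # exactly 28172 bytes
    for app, exe, body in [
        ("QuickTime", "qttask.exe", b"Q" * 286720),
        ("Common Files/Symantec Shared", "ccApp.exe", b"S" * 66680),
        ("ATI Multimedia/main", "ATISched.EXE", b"A" * 26624),
    ]:
        d = root / "Program Files" / app
        (d / "bak").mkdir(parents=True)
        (d / "bak" / exe).write_bytes(body)  # the moved original
        (d / exe).write_bytes(rogue)         # the dropped rogue copy
    d = root / "Program Files" / "Windows Defender"
    (d / "bak").mkdir(parents=True)
    (d / "bak" / "MSASCui.exe").write_bytes(b"D" * 866584)
    (d / "MSASCui.exe").write_bytes(b"D" * 866584)  # identical: a real backup


def demo() -> dict:
    """Build the sample tree, detect, restore, re-scan; return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        pairs = find_bak_pairs(root)
        hashes = rogue_hashes(pairs)
        sizes = {suspect.stat().st_size for suspect, _ in pairs}
        restore_from_bak(pairs, dry_run=False)
        return {
            "hijacked": len(pairs),
            "distinct_rogue_hashes": len(hashes),
            "rogue_sizes": sizes,
            "remaining_after_restore": len(find_bak_pairs(root)),
        }


if __name__ == "__main__":
    print(demo())
```

Run with `dry_run=True` first and review the pairs: a `bak` copy that differs from its parent is only a suspect, and the hash clustering is what separates one dropper body planted in nine places from a vendor update that happened to leave a backup behind.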

#7 bfunkhouser

Posted 21 November 2007 - 10:12 AM

The newer awf.txt file:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 11/20/2007
The current time is: 20:40:23.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

03/15/2007 05:16 PM 454,784 LinksysAgent.exe
1 File(s) 454,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 10:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 02:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK

10/31/2006 08:25 PM 26,624 ATISched.EXE
1 File(s) 26,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 04:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 08:31 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/12/2003 01:03 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

515200 Mar 22 2007 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
454784 Mar 15 2007 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
1404928 Oct 14 2004 "D:\PreCleanInstall C-drive Nov06\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
123640 Feb 8 2007 "C:\WINDOWS\Temp\gis316f5a91\GoogleUpdater.exe"
125176 May 27 2007 "C:\WINDOWS\Temp\gis5648d43\GoogleUpdater.exe"
124912 Aug 8 2007 "C:\WINDOWS\Temp\gis7e8c7\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisdbc2c\GoogleUpdater.exe"
1145896 Oct 10 2007 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
138680 May 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Oct 7 2007 "C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
426072 Nov 24 2003 "D:\My Documents\My Received Files\GoogleToolbarInstaller.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Mar 12 2003 "C:\Program Files\VERITAS Software\DLA\install\tfswctrl.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"


end of report

#8 SifuMike

Posted 21 November 2007 - 03:19 PM

Hi bfunkhouser,

Looks like all the files were restored but one, so please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

#9 bfunkhouser

Posted 24 November 2007 - 12:25 AM

Here is the latest (3rd) awf.txt file:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 11/23/2007
The current time is: 17:18:32.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

03/15/2007 05:16 PM 454,784 LinksysAgent.exe
1 File(s) 454,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 10:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 02:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK

10/31/2006 08:25 PM 26,624 ATISched.EXE
1 File(s) 26,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 04:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 08:31 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/12/2003 01:03 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

515200 Mar 22 2007 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
454784 Mar 15 2007 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
1404928 Oct 14 2004 "D:\PreCleanInstall C-drive Nov06\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
123640 Feb 8 2007 "C:\WINDOWS\Temp\gis316f5a91\GoogleUpdater.exe"
125176 May 27 2007 "C:\WINDOWS\Temp\gis5648d43\GoogleUpdater.exe"
124912 Aug 8 2007 "C:\WINDOWS\Temp\gis7e8c7\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisdbc2c\GoogleUpdater.exe"
1145896 Oct 10 2007 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
138680 May 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Oct 7 2007 "C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
426072 Nov 24 2003 "D:\My Documents\My Received Files\GoogleToolbarInstaller.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Mar 12 2003 "C:\Program Files\VERITAS Software\DLA\install\tfswctrl.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"


end of report

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 24 November 2007 - 12:43 AM

Hi bfunkhouser,

Looks like FindAWF did not move that one file back. :thumbsup:

No matter, we will manually move the clean file back to the place it belongs.

Go to My Computer and browse to the following folder:
C:\Program Files\Linksys EasyLink Advisor\bak\
Inside the BAK folder is a file named LinksysAgent.exe
Right click it with your mouse and choose Cut

Then go back to the main folder, C:\Program Files\Linksys EasyLink Advisor
Click the background with your mouse, choose Paste

Now you should have the LinksysAgent.exe file in the C:\Program Files\Linksys EasyLink Advisor folder.

Now run FindAWF with option 1 and post the log.

#11 bfunkhouser

bfunkhouser
  • Topic Starter

  • Members
  • 10 posts

Posted 24 November 2007 - 10:08 PM

AWF.TXT log #4

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 11/24/2007
The current time is: 10:21:59.51


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 10:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 02:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATIMUL~1\MAIN\BAK

10/31/2006 08:25 PM 26,624 ATISched.EXE
1 File(s) 26,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 04:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 08:31 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/12/2003 01:03 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of S:\NAPLES\WEBSER~1\DEVELO~1\VBWEBS~1\MMG1-BAK

02/27/2007 11:50 AM 908 MMG1.sln
1 File(s) 908 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
1404928 Oct 14 2004 "C:\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
1404928 Oct 14 2004 "D:\PreCleanInstall C-drive Nov06\DELL\drivers\R97809\SMAXWDM\W2K_XP\SMax4PNP.exe"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\ATISched.EXE"
26624 Oct 31 2006 "C:\Program Files\ATI Multimedia\main\bak\ATISched.EXE"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
123640 Feb 8 2007 "C:\WINDOWS\Temp\gis316f5a91\GoogleUpdater.exe"
125176 May 27 2007 "C:\WINDOWS\Temp\gis5648d43\GoogleUpdater.exe"
124912 Aug 8 2007 "C:\WINDOWS\Temp\gis7e8c7\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisdbc2c\GoogleUpdater.exe"
1145896 Oct 10 2007 "C:\Program Files\Common Files\Real\GToolbar\googletoolbarinstaller.exe"
138680 May 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 8 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Oct 7 2007 "C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
426072 Nov 24 2003 "D:\My Documents\My Received Files\GoogleToolbarInstaller.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Mar 12 2003 "C:\Program Files\VERITAS Software\DLA\install\tfswctrl.exe"
114741 Mar 12 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
140720 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.SHDocVw.dll"
401408 Dec 12 2006 "C:\Program Files\Reasonable NoClone 4 Home\Interop.Outlook.dll"
13312 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Implementation\Interop.WBOCXLib.dll"
225280 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSComctlLib.dll"
8192 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HPQUNLDLib.dll"
225280 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSComctlLib\2.0.0.0__90ba9c70f846762e\Interop.MSComctlLib.DLL"
360448 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSForms\2.0.0.0__90ba9c70f846762e\Interop.MSForms.DLL"
49152 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.NewIWshRuntimeLibrary\1.0.0.0__90ba9c70f846762e\Interop.NewIWshRuntimeLibrary.DLL"
13312 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.DLL"
131072 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC_MSIL\Interop.SHDocVw\1.1.0.0__90ba9c70f846762e\Interop.SHDocVw.DLL"
234928 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.MSComctlLib.dll"
360448 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSForms.dll"
10752 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HpqDevUn.dll"
140720 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.SHDocVw.dll"
401408 Dec 12 2006 "C:\Program Files\Reasonable NoClone 4 Home\Interop.Outlook.dll"
13312 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Implementation\Interop.WBOCXLib.dll"
225280 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSComctlLib.dll"
8192 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HPQUNLDLib.dll"
225280 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSComctlLib\2.0.0.0__90ba9c70f846762e\Interop.MSComctlLib.DLL"
360448 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.MSForms\2.0.0.0__90ba9c70f846762e\Interop.MSForms.DLL"
49152 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.NewIWshRuntimeLibrary\1.0.0.0__90ba9c70f846762e\Interop.NewIWshRuntimeLibrary.DLL"
13312 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.DLL"
131072 Sep 4 2007 "C:\WINDOWS\ASSEMBLY\GAC_MSIL\Interop.SHDocVw\1.1.0.0__90ba9c70f846762e\Interop.SHDocVw.DLL"
234928 Mar 26 2007 "C:\Program Files\Live Search Maps for Outlook\Interop.MSComctlLib.dll"
360448 Sep 13 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\Interop.MSForms.dll"
10752 Feb 9 2006 "C:\Program Files\HP\Digital Imaging\Unload\Interop.HpqDevUn.dll"


end of report

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 24 November 2007 - 11:45 PM

Hi bfunkhouser,

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

********************************

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\ATI Multimedia\main\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.
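The decision SifuMike makes in posts #10 and #12 (which bak entries go into files.txt for option 2, and which bak folders go into folders.txt for option 3) can be read straight off the "Duplicate files of bak directory contents" section of the report. The following Python script is an added illustration of that rule; it is not part of this thread and not part of noahdfear's FindAWF tool. A file in a bak folder whose parent folder has no file of the same name, or has one with a different size, still needs restoring; a bak folder whose contents already match the parent folder in name and size can be removed. The report embedded in the script is a constructed sample in the tool's layout (the "Example App" and EMPTYA~1 entries are made up), not this thread's log.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of a FindAWF 1.40 report. It is NOT the log from
# this thread; the "Example App" and EMPTYA~1 entries are made up to show each case.
SAMPLE_REPORT = r"""
Find AWF report by noahdfear 2006
Version 1.40

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\LINKSY~1\BAK

03/15/2007 05:16 PM 454,784 LinksysAgent.exe
1 File(s) 454,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\EMPTYA~1\BAK

0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

515200 Mar 22 2007 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
454784 Mar 15 2007 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
40960 Nov 1 2007 "C:\Program Files\Example App\tool.exe"
12288 Oct 1 2006 "C:\Program Files\Example App\bak\tool.exe"

end of report
"""

# One line of the duplicate section: <size> <Mon d yyyy> "<long path>"
DUP_LINE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')
# The "N File(s) ... bytes" summary line of a directory listing
COUNT_LINE = re.compile(r"^(\d+) File\(s\)")


def parse_report(text):
    """Return (bak_dirs, entries).

    bak_dirs maps each 'Directory of' path (8.3 form, as the tool prints it) to the
    file count from its 'N File(s)' line; entries is a list of (size, long_path)
    taken from the 'Duplicate files' section.
    """
    bak_dirs, entries, section, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("bak folders found"):
            section = "dirs"
        elif line.startswith("Duplicate files of bak directory contents"):
            section = "dups"
        elif section == "dirs" and line.startswith("Directory of "):
            current = line[len("Directory of "):]
            bak_dirs[current] = 0
        elif section == "dirs" and current and COUNT_LINE.match(line):
            bak_dirs[current] = int(COUNT_LINE.match(line).group(1))
        elif section == "dups":
            m = DUP_LINE.match(line)
            if m:
                entries.append((int(m.group(1)), m.group(2)))
    return bak_dirs, entries


def classify(entries):
    """Decide, for every file that sits in a bak folder, which FindAWF option applies.

    Returns {bak_file_path: "RESTORE" | "REMOVE_BAK"}. Windows paths are compared
    case-insensitively, since the report mixes cases (SYSTEM32 vs system32).
    """
    by_path = {p.lower(): s for s, p in entries}
    verdicts = {}
    for size, path in entries:
        wp = PureWindowsPath(path)
        if wp.parent.name.lower() != "bak":
            continue  # a parent-folder entry, not a bak copy
        expected_original = wp.parent.parent / wp.name
        parent_size = by_path.get(str(expected_original).lower())
        if parent_size is None:
            verdicts[path] = "RESTORE"      # original missing from parent folder: option 2
        elif parent_size != size:
            verdicts[path] = "RESTORE"      # parent copy differs in size, likely rogue: option 2
        else:
            verdicts[path] = "REMOVE_BAK"   # same name and size already in parent: option 3
    return verdicts


def build_lists(text):
    """Produce paste-ready files.txt lines (quoted, option 2) and folders.txt lines
    (option 3), plus empty bak folders that the report only names in 8.3 form."""
    bak_dirs, entries = parse_report(text)
    verdicts = classify(entries)
    files_txt = [f'"{p}"' for p, v in verdicts.items() if v == "RESTORE"]
    folders_txt = sorted({str(PureWindowsPath(p).parent)
                          for p, v in verdicts.items() if v == "REMOVE_BAK"})
    empty_dirs = [d for d, n in bak_dirs.items() if n == 0]
    return files_txt, folders_txt, empty_dirs


if __name__ == "__main__":
    files_txt, folders_txt, empty_dirs = build_lists(SAMPLE_REPORT)
    print("files.txt (option 2):\n" + "\n".join(files_txt))
    print("\nfolders.txt (option 3):\n" + "\n".join(folders_txt))
    print("\nempty bak folders (8.3 names, check by hand):\n" + "\n".join(empty_dirs))
```

Size equality is the only evidence the report offers; it is not a hash, so a same-size match is a hint that the original was restored, not proof of file integrity. Empty bak folders are only named in 8.3 form in the "bak folders found" section, which is why they come back as a separate list for a manual look rather than a folders.txt line.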

#13 bfunkhouser

bfunkhouser
  • Topic Starter

  • Members
  • 10 posts

Posted 26 November 2007 - 02:02 AM

AWF.TXT file #5


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sun 11/25/2007
The current time is: 18:31:43.75


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LINKSY~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts

Posted 26 November 2007 - 12:40 PM

Hi bfunkhouser,


We will have to manually delete one bak folder, as the FindAWF tool did not work correctly.

Using Windows Explorer, delete the following folder in bold

C:\Program Files\QuickTime\bak <== folder


Run FindAWF with option 1 and post the log.

Edited by SifuMike, 26 November 2007 - 12:41 PM.


#15 bfunkhouser

bfunkhouser
  • Topic Starter

  • Members
  • 10 posts

Posted 26 November 2007 - 02:01 PM

AWF.TXT file #6 (Note: I took the liberty of deleting the already empty Linksys/bak folder before running this report.)


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 11/26/2007
The current time is: 10:58:41.92


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
