B.whataboutadog And A.adoginhispen Virus


24 replies to this topic

#1 PA15
  • Members
  • 15 posts

Posted 29 January 2008 - 09:05 PM

(First post, just wanted to say Hi and thanks in advance for any help. Sorry if I've missed out on anything obvious or any important steps- my internet access is limited timewise at the moment, and I registered and read through the intro pages fairly quickly)

I think that my computer has the "b.whataboutadog & a.adoginhispen" virus.

My computer (windows XP, service pack 2) is set to run Trend on startup and each time I reboot now, it notifies me that it "detected a Web security policy violation" and blocked this URL:
"http://a.doginhispen.com/146/in/htmlg682147783.html?cid=49..."

I don't think that I have downloaded any suspicious files, but I might have gotten it from some random website. It just started happening late last night, but I am fairly sure that this is the virus that I have.

I ran Ad-Aware, Trend, and Spybot and failed to find any dog-related problems (as far as I can tell). A friend of mine downloaded some things and tried to fix it, but couldn't. (He didn't delete or mess up anything, as far as I know. He ran HijackThis and got a text file, but he did so incorrectly. I deleted and/or undid what he did.)

I don't have much experience with Trojans, but I've looked at a few other threads relating to this virus. Do I need to download and run AWF? If so, could I have a link to the download and instructions for use?

It isn't serious yet, but I would appreciate any help. Again, sorry if I am somewhat unclear, have left something important out, or just seem clueless.

Edited by PA15, 29 January 2008 - 09:06 PM.



#2 ErikM84
  • Members
  • 8 posts

Posted 29 January 2008 - 09:10 PM

If the PA in your name is where you're from, I am from PA too and I got the same virus showing up today. Coincidence??? Could it be happening to people with a specific ISP, i.e. Suscom perhaps??? I'm a bit new and sort of curious about this dang virus myself. Good luck, man.

COPY'D

Edited by ErikM84, 29 January 2008 - 11:34 PM.


#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 29 January 2008 - 10:26 PM

ErikM84, you should not be providing instructions for a tool that you do not know how to use. I edited your post and removed those instructions. I understand you're only trying to help, but you have your own thread with the same issues and are asking for help. I will take over from here.

PA15, please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 29 January 2008 - 10:33 PM

Thank you so much--
Here is my awf report.


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

09/29/2007 03:22 PM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 03:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\LTMOH\BAK

05/19/2005 10:57 AM 188,416 Ltmoh.exe
1 File(s) 188,416 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 01:56 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
11/01/2004 08:22 PM 262,144 ElkCtrl.exe
09/01/2005 03:04 PM 221,184 LVCOMSX.EXE
3 File(s) 498,688 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/06/2005 12:05 AM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

09/11/2007 10:55 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 11:00 AM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

09/07/2005 08:33 AM 434,176 CameraAssistant.exe
09/07/2005 08:39 AM 73,728 InstallHelper.exe
01/18/2005 07:07 PM 196,608 ManifestEngine.exe
3 File(s) 704,512 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

11/04/2005 11:10 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

10/14/2004 06:26 PM 688,218 SynTPEnh.exe
10/14/2004 06:28 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

12/30/2004 03:32 AM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~1\BAK

11/25/2005 04:07 PM 352,256 thotkey.exe
1 File(s) 352,256 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~3\BAK

04/26/2005 07:13 PM 122,880 SmoothView.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHA~1\BAK

07/15/2005 01:52 PM 1,077,322 PadExe.exe
1 File(s) 1,077,322 bytes

Directory of C:\PROGRA~1\TOSHIBA\TVS\BAK

11/10/2005 01:24 PM 73,728 TvsTray.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

0 File(s) 0 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/20/2003 12:37 PM 475,136 ivpsvmgr.exe
03/17/2005 08:37 PM 151,552 pinger.exe
2 File(s) 626,688 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/01/2005 08:10 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115041~1\EE\BAK

05/09/2006 07:24 PM 50,760 AOLSoftware.exe
1 File(s) 50,760 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 06:00 AM 98,304 E_FATI9AA.EXE
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 28 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\aim6.exe"
14348 Jan 28 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 16 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
361513 Jul 29 2006 "C:\Documents and Settings\li xiang\Local Settings\Temp\iTunesPluginWinSetup_2.0.9.0.exe"
116008 Dec 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14348 Jan 28 2008 "C:\Program Files\ltmoh\Ltmoh.exe"
188416 May 19 2005 "C:\Program Files\ltmoh\bak\Ltmoh.exe"
14348 Jan 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\ElkCtrl.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\LVCOMSX.EXE"
221184 Sep 1 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
14348 Jan 28 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Aug 6 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
52272 Sep 11 2007 "C:\Program Files\Google\googletoolbar4user.exe"
14348 Jan 28 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
126136 Sep 11 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
138680 Sep 11 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Sep 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
126136 Sep 11 2007 "C:\Program Files\Google\Google Updater\2.2.969.23408\GoogleUpdaterRestartManager.exe"
14348 Jan 28 2008 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
14348 Jan 28 2008 "C:\Program Files\Logitech\Video\CameraAssistant.exe"
434176 Sep 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"
28672 Jun 10 2004 "C:\WINDOWS\system32\InstallInf.exe"
14348 Jan 28 2008 "C:\Program Files\Logitech\Video\InstallHelper.exe"
73728 Sep 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"
15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"
14348 Jan 28 2008 "C:\Program Files\Logitech\Video\ManifestEngine.exe"
196608 Jan 18 2005 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
14348 Jan 28 2008 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
26112 Nov 4 2005 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
14348 Jan 28 2008 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
14348 Jan 28 2008 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
65536 Dec 30 2004 "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe"
352256 Nov 25 2005 "C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
122880 Apr 26 2005 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
1077322 Jul 15 2005 "C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\Tvs\TvsTray.exe"
73728 Nov 10 2005 "C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe"
14348 Jan 28 2008 "C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
14348 Jan 28 2008 "C:\TOSHIBA\IVP\ISM\pinger.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Aug 1 2005 "C:\Program Files\Sonic\DLA\install\dlactrlw.exe"
122940 Aug 1 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
14348 Jan 28 2008 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
42032 May 25 2007 "C:\Program Files\AIM6\aolsoftware.exe"
14348 Jan 28 2008 "C:\Program Files\Common Files\AOL\1150418712\ee\AOLSoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\bak\AOLSoftware.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx460035df\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"


end of report

#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 29 January 2008 - 10:46 PM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\ltmoh\bak\Ltmoh.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\ElkCtrl.exe"
"C:\WINDOWS\system32\bak\LVCOMSX.EXE"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
"C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"
"C:\Program Files\Logitech\Video\bak\InstallHelper.exe"
"C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
"C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe"
"C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe"
"C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe"
"C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
"C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
"C:\Program Files\Common Files\AOL\1150418712\ee\bak\AOLSoftware.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#6 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 29 January 2008 - 11:02 PM

Here is the new awf report :thumbsup:.

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 01/29/2008
The current time is: 22:59:23.19


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

09/29/2007 03:22 PM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 03:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\LTMOH\BAK

05/19/2005 10:57 AM 188,416 Ltmoh.exe
1 File(s) 188,416 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 01:56 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
11/01/2004 08:22 PM 262,144 ElkCtrl.exe
09/01/2005 03:04 PM 221,184 LVCOMSX.EXE
3 File(s) 498,688 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/06/2005 12:05 AM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

09/11/2007 10:55 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 11:00 AM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

09/07/2005 08:33 AM 434,176 CameraAssistant.exe
09/07/2005 08:39 AM 73,728 InstallHelper.exe
01/18/2005 07:07 PM 196,608 ManifestEngine.exe
3 File(s) 704,512 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

11/04/2005 11:10 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

10/14/2004 06:26 PM 688,218 SynTPEnh.exe
10/14/2004 06:28 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

12/30/2004 03:32 AM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~1\BAK

11/25/2005 04:07 PM 352,256 thotkey.exe
1 File(s) 352,256 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~3\BAK

04/26/2005 07:13 PM 122,880 SmoothView.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHA~1\BAK

07/15/2005 01:52 PM 1,077,322 PadExe.exe
1 File(s) 1,077,322 bytes

Directory of C:\PROGRA~1\TOSHIBA\TVS\BAK

11/10/2005 01:24 PM 73,728 TvsTray.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

0 File(s) 0 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/20/2003 12:37 PM 475,136 ivpsvmgr.exe
03/17/2005 08:37 PM 151,552 pinger.exe
2 File(s) 626,688 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/01/2005 08:10 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115041~1\EE\BAK

05/09/2006 07:24 PM 50,760 AOLSoftware.exe
1 File(s) 50,760 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 06:00 AM 98,304 E_FATI9AA.EXE
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Sep 29 2007 "C:\Program Files\AIM6\aim6.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\aim6.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 16 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
361513 Jul 29 2006 "C:\Documents and Settings\li xiang\Local Settings\Temp\iTunesPluginWinSetup_2.0.9.0.exe"
116008 Dec 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
188416 May 19 2005 "C:\Program Files\ltmoh\Ltmoh.exe"
188416 May 19 2005 "C:\Program Files\ltmoh\bak\Ltmoh.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\ElkCtrl.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"
221184 Sep 1 2005 "C:\WINDOWS\system32\LVCOMSX.EXE"
221184 Sep 1 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
344064 Aug 6 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Aug 6 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
52272 Sep 11 2007 "C:\Program Files\Google\googletoolbar4user.exe"
68856 Sep 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
126136 Sep 11 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
138680 Sep 11 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Sep 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
126136 Sep 11 2007 "C:\Program Files\Google\Google Updater\2.2.969.23408\GoogleUpdaterRestartManager.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
434176 Sep 7 2005 "C:\Program Files\Logitech\Video\CameraAssistant.exe"
434176 Sep 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"
28672 Jun 10 2004 "C:\WINDOWS\system32\InstallInf.exe"
73728 Sep 7 2005 "C:\Program Files\Logitech\Video\InstallHelper.exe"
73728 Sep 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"
15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"
196608 Jan 18 2005 "C:\Program Files\Logitech\Video\ManifestEngine.exe"
196608 Jan 18 2005 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
26112 Nov 4 2005 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
26112 Nov 4 2005 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
688218 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
65536 Dec 30 2004 "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe"
352256 Nov 25 2005 "C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe"
352256 Nov 25 2005 "C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
122880 Apr 26 2005 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe"
1077322 Jul 15 2005 "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
1077322 Jul 15 2005 "C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe"
73728 Nov 10 2005 "C:\Program Files\TOSHIBA\Tvs\TvsTray.exe"
73728 Nov 10 2005 "C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\pinger.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
122940 Aug 1 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Aug 1 2005 "C:\Program Files\Sonic\DLA\install\dlactrlw.exe"
122940 Aug 1 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
42032 May 25 2007 "C:\Program Files\AIM6\aolsoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\AOLSoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\bak\AOLSoftware.exe"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx460035df\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"


end of report

#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 30 January 2008 - 07:52 AM

Double-click the FindAWF icon once again.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\AIM6\bak
C:\Program Files\iTunes\bak
C:\Program Files\ltmoh\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\TOSHIBA\TOSCDSPD\bak
C:\Program Files\TOSHIBA\TOSHIBA Applet\bak
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak
C:\Program Files\TOSHIBA\Touch and Launch\bak
C:\Program Files\TOSHIBA\Tvs\bak
C:\TOSHIBA\IVP\ISM\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Common Files\AOL\1150418712\ee\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

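Reading the reports above by eye is mechanical, so here is a small script, added to this thread as an example (it is not FindAWF and is not from noahdfear or anyone in this thread): it parses the "Duplicate files of bak directory contents" section, pairs every bak\<name> with <parent>\<name>, and sorts the pairs into "still needs restoring" (sizes differ; in this thread that means the parent copy is the 14,348-byte file dated Jan 28 2008), "restored" (sizes match) and "no parent copy". It also lists every non-bak file that is exactly 14,348 bytes, and the bak folders whose contents all match their parent copies, which is the check you want before running option 3. The embedded SAMPLE_REPORT is a constructed excerpt of the second report (post #6); STUB_SIZE, the function names and the bucket names are my own choices, not FindAWF's. Run on that excerpt it flags toscdspd.exe and SmoothView.exe as still 14,348 bytes: their bak copies are not in the post #5 restore list, while their bak folders are on the post #7 removal list.

```python
"""Classify a FindAWF "Duplicate files of bak directory contents" listing.

Added example for this thread; it is not FindAWF and does not touch the disk.
It only reads the report text and tells you which bak copies still need to be
restored (parent copy differs in size, typically the 14,348-byte stub) and
which bak folders are safe to remove (every parent copy already matches).
"""
import re
from pathlib import PureWindowsPath

# Size of the rogue replacement file seen in this thread's reports.
STUB_SIZE = 14348

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

# Constructed excerpt of the second report in this thread (post #6).
SAMPLE_REPORT = r"""Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Sep 29 2007 "C:\Program Files\AIM6\aim6.exe"
50528 Sep 29 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1150418712\ee\aim6.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
65536 Dec 30 2004 "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe"
14348 Jan 28 2008 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
122880 Apr 26 2005 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx460035df\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"


end of report
"""


def parse_report(text):
    """Return {lowercased path: (size, date, original path)} for the duplicates section."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        m = LINE_RE.match(line) if in_section else None
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2), m.group(3))
    return entries


def classify(entries, stub_size=STUB_SIZE):
    """Pair each bak copy with the same file name one folder up and bucket it.

    restore: parent copy differs in size (still the stub, or some other file)
    clean:   parent copy has the same size as the backup
    missing: no parent copy is listed at all
    stubs:   every non-bak file whose size equals the stub size, for a second look
    """
    result = {"restore": [], "clean": [], "missing": [], "stubs": []}
    for size, _date, path in entries.values():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            if size == stub_size:
                result["stubs"].append(path)
            continue
        sibling = entries.get(str(p.parent.parent / p.name).lower())
        if sibling is None:
            result["missing"].append(path)
        elif sibling[0] == size:
            result["clean"].append(path)
        else:
            result["restore"].append(path)
    return result


def files_txt_lines(result):
    """The quoted bak paths to paste into FindAWF's files.txt for option 2."""
    return ['"%s"' % p for p in result["restore"]]


def removable_bak_folders(result):
    """bak folders whose every listed file already matches its parent copy."""
    pending = {str(PureWindowsPath(p).parent).lower()
               for p in result["restore"] + result["missing"]}
    folders = []
    for p in result["clean"]:
        folder = str(PureWindowsPath(p).parent)
        if folder.lower() not in pending and folder not in folders:
            folders.append(folder)
    return folders


if __name__ == "__main__":
    res = classify(parse_report(SAMPLE_REPORT))
    print("still need restoring:", *files_txt_lines(res), sep="\n  ")
    print("bak folders safe to remove:", *removable_bak_folders(res), sep="\n  ")
```

Paste a full awf.txt into SAMPLE_REPORT (or read it from a file) and the "restore" bucket is exactly the files.txt list for option 2, while removable_bak_folders() is the list for option 3; anything left in "restore" or "stubs" after option 2 means a backup is still needed and its bak folder must not be removed yet.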

#8 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 30 January 2008 - 11:45 AM

The new one (Thank you again for all your help!):


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 01/30/2008
The current time is: 11:41:25.14


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 11:00 AM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"


end of report

#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 30 January 2008 - 11:51 AM

Open Windows Explorer, navigate to and delete the following bak folder:
C:\Program Files\Hewlett-Packard\OrderReminder\bak <- this folder

Then double-click the FindAWF icon once again.
  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'.
  • You will receive a warning to reset domain zones.
  • Press 1 then press 'Enter'.
  • After resetting the domain zones, the program will return to the main menu.
  • Use the following option: Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.


#10 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 30 January 2008 - 02:36 PM

Alright! I just finished doing that...does this mean my computer is a-okay now?
If so, thank you so much for all your help quietman--I really appreciate it. :thumbsup:

Also, in the future, how can I make sure something like this doesn't happen again? Just be careful which sites I go to? Should I be regularly checking my computer for virus/spyware etc?
And should I keep the FindAWF program?

#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 30 January 2008 - 02:48 PM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".

#12 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 30 January 2008 - 06:47 PM

Okay, I created a new restore point...so I guess the virus has been successfully removed?
Thank you so much for your help! :thumbsup:

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 31 January 2008 - 09:18 AM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".

#14 PA15
  • Topic Starter
  • Members
  • 15 posts

Posted 01 February 2008 - 12:39 AM

Ahh! So I was working on a paper, had my AIM running and itunes too, when all of a sudden my computer shut all my applications and shut down.
Then I restarted my computer and a window from Trend Micro came up saying it had blocked connection to a.doginhispen.com.

Is the virus still on my computer? :thumbsup:
I have not downloaded anything since I thought I got rid of the virus, and I don't know how I could get it again.

#15 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,609 posts
  • Location:Virginia, USA

Posted 01 February 2008 - 06:38 AM

Let's run the tool again and see if you were reinfected.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.
Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Disconnect from the Internet before running SDFix.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe




