88.80.7.66, A.doginhispen, B.skitodayplease


21 replies to this topic

#1 angel61082

Posted 06 February 2008 - 12:02 AM

:flowers: Hello!! I am new to this forum...All of a sudden the past couple of weeks I have been getting random Internet Explorer popups with the following websites:

88.80.7.66
a.doginhispen
b.skitodayplease


I have tried blocking them with my pop-up blocker but it is still not working....Also, it is causing the Internet Explorer that I am working in to sometimes randomly shut down.....I don't want to take my computer in so any help would be GREATLY appreciated.....thanks so much :thumbsup:



~Talia



#2 Orange Blossom (OBleepin Investigator, Moderator)

Posted 06 February 2008 - 12:20 AM

Hello angel61082 and welcome to BC:

You have a difficult infection to get rid of. It is related to downloader.awf and it replaces many legitimate files with bad ones. The good ones are put into backup files. The bad ones are put where the good ones should be and when you run the programs, the malware runs instead. For the first step,

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 1 then 'Enter' to scan for bak folders
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.
Also you should read "How can I clear browser history? IE, Firefox, Mozilla, Netscape, Opera".

In addition to the log, please tell us what operating system you have: Windows XP, Vista etc.

(Thanks quietman7)

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 angel61082 (Topic Starter)

Posted 06 February 2008 - 08:46 PM

Hey there!! Thanks again for all your help....I ran the program and this is what it said:




Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 02/06/2008
The current time is: 19:42:54.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT2K\BAK

10/07/2003 09:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

01/19/2007 11:54 AM 5,674,352 MsnMsgr.Exe
1 File(s) 5,674,352 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/15/2007 06:28 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

03/21/2007 10:47 PM 100,048 SNDMon.exe
1 File(s) 100,048 bytes

Directory of C:\PROGRA~1\USBDIS~1\BAK

09/14/2005 07:44 PM 65,536 Res.EXE
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 05:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 07:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 10:56 PM 15,360 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/15/2003 07:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 02:43 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 05:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

10/17/2003 12:51 PM 196,670 cpqset.exe
1 File(s) 196,670 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

10/15/2003 10:41 AM 237,568 EabServr.exe
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/25/2003 11:04 PM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

03/01/2007 09:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 12:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 29 2008 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
14348 Jan 29 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Jan 29 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100048 Mar 21 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
14348 Jan 29 2008 "C:\Program Files\USB Disk Win98 Driver\Res.EXE"
65536 Sep 14 2005 "C:\Program Files\USB Disk Win98 Driver\bak\Res.EXE"
14348 Jan 29 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14348 Jan 29 2008 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
14348 Jan 29 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Jan 29 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
14348 Jan 29 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
14348 Jan 29 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
14994152 Mar 20 2007 "C:\Documents and Settings\default\Desktop\GoogleEarthWin_EARV.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
14348 Jan 29 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
125176 May 16 2007 "C:\WINDOWS\Temp\gis202e5ffc\GoogleUpdater.exe"
124912 Aug 15 2007 "C:\WINDOWS\Temp\gis686f5\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisa0109\GoogleUpdater.exe"
138680 May 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Jan 28 2008 "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
14348 Jan 29 2008 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
14348 Jan 29 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
14348 Jan 29 2008 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
196670 Oct 17 2003 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
14348 Jan 29 2008 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
237568 Oct 15 2003 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
114741 Sep 25 2003 "C:\Program Files\HP DLA\install\tfswctrl.exe"
14348 Jan 29 2008 "C:\WINDOWS\system32\dla\tfswctrl.exe"
114741 Sep 25 2003 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
14348 Jan 29 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
14348 Jan 29 2008 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report







Also I am running on Windows XP. Hope this helps :thumbsup:


Thanks!!!

~Talia


#4 Orange Blossom (OBleepin Investigator, Moderator)

Posted 06 February 2008 - 10:03 PM

Good job angel61082,

At this point, I'm going to turn this thread over to someone more experienced than I. Please be patient and await his reply. It may take a while as he is not online right now.

I do notice one thing that is not specifically related to the infection. Your Java is quite out of date. Older versions leave your computer open to exploitation. However, I suggest waiting until the malware expert responds to do anything about it as changing anything now may confuse things for him.


#5 SifuMike (malware expert)

Posted 06 February 2008 - 11:16 PM

Hello angel61082,

I am SifuMike and I will be helping you with the whataboutadog infection. :thumbsup:

Please tell me what version of Windows XP you have on your computer.
Is it Windows XP SP1 or Windows XP SP2?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 angel61082 (Topic Starter)

Posted 07 February 2008 - 02:44 AM

Thank you Orange Blossom :flowers:

Hello SifuMike :thumbsup: I am actually not sure which of the windows XP I have...how would I go about finding that out for you?? Sorry!!


~Talia

#7 angel61082 (Topic Starter)

Posted 07 February 2008 - 02:48 AM

I FOUND IT!!!!!! I have Windows XP SP1....I went into My Computer then into my Windows folder from there and found something with that in it so I'm assuming that's what I have :thumbsup:

#8 SifuMike (malware expert)

Posted 07 February 2008 - 11:26 AM

Hi angel61082,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Apoint2K\bak\Apoint.exe"
"C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\Program Files\USB Disk Win98 Driver\bak\Res.EXE"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

#9 angel61082 (Topic Starter)

Posted 07 February 2008 - 10:48 PM

hey!!! I followed your instructions...here is the new information you requested!!!

Thanks :thumbsup:

~Talia

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 02/07/2008
The current time is: 21:44:09.76


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT2K\BAK

10/07/2003 09:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

01/19/2007 11:54 AM 5,674,352 MsnMsgr.Exe
1 File(s) 5,674,352 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/15/2007 06:28 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

03/21/2007 10:47 PM 100,048 SNDMon.exe
1 File(s) 100,048 bytes

Directory of C:\PROGRA~1\USBDIS~1\BAK

09/14/2005 07:44 PM 65,536 Res.EXE
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 05:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 07:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 10:56 PM 15,360 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/15/2003 07:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 02:43 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 05:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

10/17/2003 12:51 PM 196,670 cpqset.exe
1 File(s) 196,670 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

10/15/2003 10:41 AM 237,568 EabServr.exe
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/25/2003 11:04 PM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

03/01/2007 09:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 12:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
100048 Mar 21 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100048 Mar 21 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
65536 Sep 14 2005 "C:\Program Files\USB Disk Win98 Driver\Res.EXE"
65536 Sep 14 2005 "C:\Program Files\USB Disk Win98 Driver\bak\Res.EXE"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
14994152 Mar 20 2007 "C:\Documents and Settings\default\Desktop\GoogleEarthWin_EARV.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
125176 May 16 2007 "C:\WINDOWS\Temp\gis202e5ffc\GoogleUpdater.exe"
124912 Aug 15 2007 "C:\WINDOWS\Temp\gis686f5\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisa0109\GoogleUpdater.exe"
138680 May 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Jan 28 2008 "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
196670 Oct 17 2003 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
196670 Oct 17 2003 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
237568 Oct 15 2003 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
237568 Oct 15 2003 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
114741 Sep 25 2003 "C:\Program Files\HP DLA\install\tfswctrl.exe"
114741 Sep 25 2003 "C:\WINDOWS\system32\dla\tfswctrl.exe"
114741 Sep 25 2003 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report

#10 SifuMike (malware expert)

Posted 08 February 2008 - 01:20 AM

Hi angel61082,

Looks like one file did not get copied to the original file, so we will try again.

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
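Orange Blossom's description of the infection above (the originals moved into a bak folder, the loader dropped in their place under the same name) and the check SifuMike makes here (one bak file still has no restored counterpart) can both be applied mechanically to the "Duplicate files of bak directory contents" section of a FindAWF report. The script below is an added example written for this page, not part of the thread or of FindAWF; the sample report is constructed from a handful of the entries posted above, and the "loader size" heuristic is an assumption drawn from the first report, where every replaced file was 14348 bytes.

```python
import re
from collections import Counter

# One line of the "Duplicate files of bak directory contents" section:
#   <size> <Mon> <day> <year> "<full path>"
ENTRY_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(report):
    """Return (size, date, path) tuples from the duplicates section of a FindAWF report."""
    entries, in_section = [], False
    for line in report.splitlines():
        text = line.strip()
        if text.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if text.startswith("end of report"):
            break
        if in_section:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_bak_pairs(entries):
    """Pair every file under a \\bak\\ folder with the same name one level up.

    status "replaced": the live copy differs in size or date from the backed-up
                       original, so the loader still sits where the real program should be
    status "missing":  no live copy was listed at all (the restore did not happen)
    status "restored": live copy and backup match
    """
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    findings = []
    for size, date, path in entries:
        folder, _, name = path.rpartition("\\")
        if not folder.lower().endswith("\\bak"):
            continue
        live_path = folder[:-len("\\bak")] + "\\" + name
        live = by_path.get(live_path.lower())
        if live is None:
            status, live_size = "missing", None
        elif live != (size, date):
            status, live_size = "replaced", live[0]
        else:
            status, live_size = "restored", live[0]
        findings.append({"status": status, "path": live_path,
                         "live_size": live_size, "bak_size": size})
    return findings


def loader_size(findings, minimum=2):
    """Assumption: the dropper writes one loader under many program names, so the
    replaced live files share a single size (14348 bytes in the first report above).
    Return that size when at least `minimum` replaced files agree, else None."""
    sizes = Counter(f["live_size"] for f in findings if f["status"] == "replaced")
    if not sizes:
        return None
    size, count = sizes.most_common(1)[0]
    return size if count >= minimum else None


# Constructed sample in the format of the reports posted above: two pairs still
# in the pre-restore state, one restored pair, one bak file with no live copy,
# and one unrelated duplicate that is not under a bak folder.
SAMPLE_REPORT = r'''Find AWF report by noahdfear 2006
Version 1.40

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 29 2008 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
14348 Jan 29 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"


end of report
'''


def triage(report):
    """Parse a report and return the per-file findings plus the inferred loader size."""
    findings = check_bak_pairs(parse_duplicates(report))
    return {"findings": findings, "loader_size": loader_size(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["findings"]:
        print(f"{f['status']:9} {f['path']}  live={f['live_size']} bak={f['bak_size']}")
    print("loader size:", result["loader_size"])
```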

#11 angel61082 (Topic Starter)

Posted 08 February 2008 - 10:00 AM

Here ya go :thumbsup:

THANKS !!!!!!!

~Talia



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 02/08/2008
The current time is: 8:57:42.23


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT2K\BAK

10/07/2003 09:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

01/19/2007 11:54 AM 5,674,352 MsnMsgr.Exe
1 File(s) 5,674,352 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/15/2007 06:28 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

03/21/2007 10:47 PM 100,048 SNDMon.exe
1 File(s) 100,048 bytes

Directory of C:\PROGRA~1\USBDIS~1\BAK

09/14/2005 07:44 PM 65,536 Res.EXE
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 05:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 07:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 10:56 PM 15,360 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

11/15/2003 07:00 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

04/03/2007 02:43 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 08:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

08/04/2003 05:28 PM 49,152 HPWuSchd.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

10/17/2003 12:51 PM 196,670 cpqset.exe
1 File(s) 196,670 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

10/15/2003 10:41 AM 237,568 EabServr.exe
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/25/2003 11:04 PM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

03/01/2007 09:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 12:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Oct 15 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
100048 Mar 21 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100048 Mar 21 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
65536 Sep 14 2005 "C:\Program Files\USB Disk Win98 Driver\Res.EXE"
65536 Sep 14 2005 "C:\Program Files\USB Disk Win98 Driver\bak\Res.EXE"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
335872 Nov 15 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
14994152 Mar 20 2007 "C:\Documents and Settings\default\Desktop\GoogleEarthWin_EARV.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
125176 May 16 2007 "C:\WINDOWS\Temp\gis202e5ffc\GoogleUpdater.exe"
124912 Aug 15 2007 "C:\WINDOWS\Temp\gis686f5\GoogleUpdater.exe"
124152 Apr 3 2007 "C:\WINDOWS\Temp\gisa0109\GoogleUpdater.exe"
138680 May 16 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
124912 Aug 15 2007 "C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterRestartManager.exe"
68856 Apr 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26694 Jan 28 2008 "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
49152 Aug 4 2003 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd.exe"
196670 Oct 17 2003 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
196670 Oct 17 2003 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
237568 Oct 15 2003 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
237568 Oct 15 2003 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
114741 Sep 25 2003 "C:\Program Files\HP DLA\install\tfswctrl.exe"
114741 Sep 25 2003 "C:\WINDOWS\system32\dla\tfswctrl.exe"
114741 Sep 25 2003 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report

#12 SifuMike (malware expert)

Posted 08 February 2008 - 12:45 PM

Hi angel61082,

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important


************************

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Apoint2K\bak
C:\Program Files\MSN Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C:\Program Files\USB Disk Win98 Driver\bak
C:\Program Files\Windows Defender\bak
C:\Program Files\Windows Media Player\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Adobe\Updater5\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#13 angel61082 (Topic Starter)

Posted 08 February 2008 - 01:04 PM

Here is the new info :thumbsup:

~Talia



Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Fri 02/08/2008
The current time is: 12:01:59.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT2K\BAK

10/07/2003 09:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

03/01/2007 09:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"


end of report
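A defender-side check in the spirit of the FindAWF report above, added here as an example (this is not FindAWF's or noahdfear's code, and not the tool's actual heuristic): walk a tree for `bak` folders, pair each backed-up file with the same-named file in the bak folder's parent, and report whether the live copy is identical, differs, or is missing. The sample tree it builds is constructed to mirror the two bak folders in the report.

```python
import os
import tempfile
from pathlib import Path


def find_bak_folders(root):
    """Return every directory named 'bak' (any case) below root."""
    return [Path(d) / n for d, subdirs, _ in os.walk(root)
            for n in subdirs if n.lower() == "bak"]


def pair_bak_files(root):
    """Pair each file in a bak folder with the same-named file in the bak
    folder's parent. Downloader.AWF parks the original in bak and puts its
    own file in the original's place, so a differing live copy is the
    suspicious case, an identical copy is what remains once the original has
    been restored, and a missing one means nothing occupies that name now."""
    findings = []
    for bak in find_bak_folders(root):
        for backup in sorted(bak.iterdir()):
            if not backup.is_file():
                continue
            live = bak.parent / backup.name
            entry = {"name": backup.name, "parent": str(bak.parent),
                     "bak_size": backup.stat().st_size,
                     "live_size": None, "status": "live file missing"}
            if live.is_file():
                entry["live_size"] = live.stat().st_size
                same = backup.read_bytes() == live.read_bytes()
                entry["status"] = "identical" if same else "live file differs"
            findings.append(entry)
    return findings


def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not the real binaries)
    mirroring the Apoint2K and Adobe Updater5 bak folders in the report."""
    root = Path(tempfile.mkdtemp())
    apoint = root / "Program Files" / "Apoint2K"
    (apoint / "bak").mkdir(parents=True)
    (apoint / "Apoint.exe").write_bytes(b"A" * 159744)
    (apoint / "bak" / "Apoint.exe").write_bytes(b"A" * 159744)
    adobe = root / "Program Files" / "Common Files" / "Adobe" / "Updater5"
    (adobe / "bak").mkdir(parents=True)
    (adobe / "bak" / "AdobeUpdater.exe").write_bytes(b"B" * 2321600)
    (adobe / "AdobeUpdaterInstallMgr.exe").write_bytes(b"C" * 45760)
    return root
```

Run `pair_bak_files(build_sample_tree())` to see the two entries; point `pair_bak_files` at a real Program Files tree to triage a machine.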

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 February 2008 - 01:10 PM

Hi angel61082,


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Apoint2K\bak
    C:\Program Files\Common Files\Adobe\Updater5\bak


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.





Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply as well as the OTMoveIt2 log.

Edited by SifuMike, 08 February 2008 - 01:10 PM.


#15 angel61082

angel61082
  • Topic Starter

  • Members
  • 11 posts

Posted 08 February 2008 - 04:32 PM

Here are the OTMoveIt results:


C:\Program Files\Apoint2K\bak moved successfully.
C:\Program Files\Common Files\Adobe\Updater5\bak moved successfully.

OTMoveIt2 v1.0.19 log created on 02082008_152618



And the AWF results


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 02/08/2008
The current time is: 15:30:40.89


bak folders found
~~~~~~~~~~~


Directory of C:\_OTMOV~1\MOVEDF~1\020820~1\PROGRA~1\APOINT2K\BAK

10/07/2003 09:40 PM 159,744 Apoint.exe
1 File(s) 159,744 bytes

Directory of C:\_OTMOV~1\MOVEDF~1\020820~1\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

03/01/2007 09:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

159744 Oct 7 2003 "C:\Program Files\Apoint2K\Apoint.exe"
159744 Oct 7 2003 "C:\_OTMoveIt\MovedFiles\02082008_152618\Program Files\Apoint2K\bak\Apoint.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\_OTMoveIt\MovedFiles\02082008_152618\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"


end of report



