
A.doginhispen


7 replies to this topic

#1 cy2204


Posted 11 February 2008 - 02:08 PM

I am having the same problems with a.doginhispen. I've downloaded the FindAWF... ran the report... have the report... can anyone help me from here?



#2 boopme


Posted 11 February 2008 - 02:35 PM

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 cy2204


Posted 11 February 2008 - 04:14 PM

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 02/11/2008
The current time is: 12:06:36.37


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 10:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 07:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 07:07 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ALPHAN~1\ANIWZC~1\BAK

08/21/2003 04:12 PM 32,768 WZCSLDR.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

09/14/2005 09:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 09:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\D-LINK\AIRUTI~1\BAK

09/23/2003 06:04 PM 2,494,464 AirCFG.exe
1 File(s) 2,494,464 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of D:\BAK

12/11/2007 12:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 31 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Jan 31 2008 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
14348 Jan 31 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Sep 14 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
14348 Jan 31 2008 "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
2494464 Sep 23 2003 "C:\Program Files\D-Link\Air Utility\bak\AirCFG.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
14348 Jan 31 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
102400 Dec 28 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 11 2007 "C:\Documents and Settings\camdawg\Local Settings\Temp\IXP765.TMP\iTunesSetupAdmin.exe"
116008 Dec 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
37860928 Apr 14 2007 "C:\Documents and Settings\camdawg\Local Settings\Temp\Temporary Internet Files\Content.IE5\8NIHGHUH\iTunesSetup[1].exe"
14348 Jan 31 2008 "D:\iTunesHelper.exe"
267048 Dec 11 2007 "D:\bak\iTunesHelper.exe"
278528 Oct 18 2005 "D:\iTunes\iTunesHelper.exe"


end of report

#4 boopme


Posted 11 February 2008 - 09:59 PM

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\Symantec AntiVirus\VPTray.exe"
"C:\WINDOWS\system32\ctfmon.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"C:\Program Files\D-Link\Air Utility\AirCFG.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"C:\Documents and Settings\camdawg\Local Settings\Temp\IXP765.TMP\iTunesSetupAdmin.exe"
"C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
"D:\iTunesHelper.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
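Added example, not part of any post in this thread and not FindAWF's own logic: a triage of the "Duplicate files of bak directory contents" section that pairs each bak copy with the file now at its original location and compares sizes, which is the replace-and-move-aside pattern described in the post above. The function names (`parse`, `triage`, `shared_sizes`) are hypothetical; the report lines are an excerpt of the report posted in this thread.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Excerpt of the "Duplicate files of bak directory contents" section posted above.
REPORT = r'''
14348 Jan 31 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
14348 Jan 31 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
14348 Jan 31 2008 "D:\iTunesHelper.exe"
267048 Dec 11 2007 "D:\bak\iTunesHelper.exe"
'''

# Entry layout in that section: size, "Mon D YYYY", quoted full path.
LINE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')

def parse(report):
    """Return [(size, path)] for every entry line of the section."""
    rows = (LINE.match(line.strip()) for line in report.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]

def triage(report):
    """Compare each bak copy with the file now sitting at its original location."""
    rows = parse(report)
    sizes = {path.lower(): size for size, path in rows}  # Windows paths ignore case
    replaced, same, missing = [], [], []
    for bak_size, path in rows:
        bak = PureWindowsPath(path)
        if bak.parent.name.lower() != "bak":
            continue                      # not a moved-aside copy
        live = str(bak.parent.parent / bak.name)
        live_size = sizes.get(live.lower())
        if live_size is None:
            missing.append(live)          # no file listed at the original location
        elif live_size != bak_size:
            replaced.append(live)         # size differs from the moved-aside original
        else:
            same.append(live)             # same size; says nothing about content
    return replaced, same, missing

def shared_sizes(report, paths):
    """Tally sizes of the given paths; unrelated programs sharing one size stand out."""
    sizes = {path.lower(): size for size, path in parse(report)}
    return Counter(sizes[p.lower()] for p in paths)
```

Equal sizes do not clear a file: the restore list in the post above includes both ctfmon.exe paths even though their sizes match, so this size check is a first pass and not a replacement for the helper's list.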

#5 cy2204


Posted 11 February 2008 - 11:15 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/11/2008
The current time is: 22:07:34.09


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 10:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 07:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 07:07 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ALPHAN~1\ANIWZC~1\BAK

08/21/2003 04:12 PM 32,768 WZCSLDR.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

09/14/2005 09:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 09:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\D-LINK\AIRUTI~1\BAK

09/23/2003 06:04 PM 2,494,464 AirCFG.exe
1 File(s) 2,494,464 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of D:\BAK

12/11/2007 12:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 31 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Jan 31 2008 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
14348 Jan 31 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Sep 14 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
14348 Jan 31 2008 "C:\Program Files\D-Link\Air Utility\AirCFG.exe"
2494464 Sep 23 2003 "C:\Program Files\D-Link\Air Utility\bak\AirCFG.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
14348 Jan 31 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
102400 Dec 28 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 11 2007 "C:\Documents and Settings\camdawg\Local Settings\Temp\IXP765.TMP\iTunesSetupAdmin.exe"
116008 Dec 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
37860928 Apr 14 2007 "C:\Documents and Settings\camdawg\Local Settings\Temp\Temporary Internet Files\Content.IE5\8NIHGHUH\iTunesSetup[1].exe"
14348 Jan 31 2008 "D:\iTunesHelper.exe"
267048 Dec 11 2007 "D:\bak\iTunesHelper.exe"
278528 Oct 18 2005 "D:\iTunes\iTunesHelper.exe"


end of report

#6 quietman7


Posted 12 February 2008 - 03:40 PM

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 3 then 'Enter' to remove bak folders.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alpha Networks\ANIWZCS Service\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\D-Link\Air Utility\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
D:\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 cy2204


Posted 13 February 2008 - 01:14 AM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 02/13/2008
The current time is: 0:09:05.31


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 quietman7


Posted 13 February 2008 - 08:53 AM

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 4 then 'Enter' to reset domain zones.
  • You will receive a warning to reset domain zones.
  • Press 1 then 'Enter'.
  • When done, you will receive a message: "Done! Zones have been reset".
  • After resetting the domain zones, the program will return to the main menu.
  • Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".