
Help! I Am Infected With A.doginhispen; Problem W/ K8l.com



#1 MarqR

MarqR

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:44 AM

Posted 20 February 2008 - 05:50 AM

My computer has been infected with a.doginhispen, b.skitdayplease. I was getting repeated notices and did not know what they had meant. Now I do not get the notices anymore, but I think they are still there. Now every time I get online, I get a notice from my Internet Security about a k8l.info. I need help on what is wrong, and how I can get rid of the problem. My computer is super slow right now and doing anything online is a challenge. Any help from an expert would be greatly appreciated!



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:44 AM

Posted 20 February 2008 - 01:30 PM

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.
Doginhispen
Skitodayplease


If your homepage has been changed, go to Start > Control Panel > Internet Options > General Tab and under Home Page, click Use Default. Add default homepage you want to use and click Apply > then OK. Open a new web browser and check to ensure you have the default homepage you selected. When done, "Clear your browser history" by following the instructions provided for your web browser.

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
    • 1. Press 1 then Enter to scan for bak folders
    • 2. Press 2 then Enter to restore files from bak folders
    • 3. Press 3 then Enter to remove bak folders
    • 4. Press 4 then Enter to reset domain zones
    • 5. Press E then Enter to EXIT
  • Press 1 then 'Enter' to scan for bak folders
  • The FindAWF tool will begin scanning your computer for the infected AWF files and backups created by the trojan.
  • It may take a few minutes to complete so be patient.
  • When complete, it will open a text file in notepad called awf.txt which will be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 MarqR


Posted 20 February 2008 - 06:33 PM

I did not find adoginhispen or bskitodayplease in my add/remove programs section. However, I did do the awf.txt and so here you go:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 02/20/2008
The current time is: 15:21:27.42


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

06/18/2003 06:19 PM 53,248 AUTOTKIT.EXE
1 File(s) 53,248 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 07:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 12:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

08/14/2003 08:11 PM 139,264 shwicon2k.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 10:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 08:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

02/15/2008 02:32 PM 182 hpsysdrv.DAT
05/07/1998 03:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 11:56 PM 15,360 ctfmon.exe
04/07/2003 06:07 AM 114,688 hkcmd.exe
05/23/2003 01:55 AM 483,328 hphmon05.exe
10/16/2002 03:57 PM 81,920 ps2.exe
4 File(s) 695,296 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~2\SYSTEM\BAK

06/18/2003 06:00 PM 200,704 mnyexpr.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

02/05/2004 08:24 AM 53,248 mmtask.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

10/13/2003 03:17 PM 929,792 DataLayer.exe
1 File(s) 929,792 bytes

Directory of C:\PROGRA~1\SBCSEL~1\SMARTB~1\BAK

08/24/2005 06:51 AM 442,455 MotiveSB.exe
1 File(s) 442,455 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/11/2003 02:51 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 06:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\NOKIA\NCLTOOLS\BAK

02/10/2003 12:30 PM 425,984 NclTray.exe
1 File(s) 425,984 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/23/2004 03:01 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 07:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK

10/07/2002 06:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/07/2005 08:42 PM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\NE\NETWOR~1.BAK

07/19/2002 01:12 AM 1,061 2196_556c29a5c_
1 File(s) 1,061 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\WI\WIRING~1.BAK

07/19/2002 01:12 AM 125 40_5357ad65e_
07/19/2002 01:12 AM 128 41_5bc212c48_
2 File(s) 253 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Jun 18 2003 "C:\hp\EXPLOREBAR\AUTOTKIT.EXE"
53248 Jun 18 2003 "C:\hp\bin\bak\AUTOTKIT.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 26 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
139264 Aug 14 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
188 Jan 30 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Feb 15 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
483328 May 23 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
53248 Feb 5 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Sep 23 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
929792 Oct 13 2003 "C:\Program Files\Nokia\Nokia PC Suite 5\bak\DataLayer.exe"
442455 Aug 24 2005 "C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
1055008 Apr 4 2004 "C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
425984 Feb 10 2003 "C:\Program Files\Common Files\Nokia\NCLTools\bak\NclTray.exe"
180269 Dec 23 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
176128 Mar 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"
1061 Jul 19 2002 "C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\ne\networkinterfacecardtestfailure.htm.bak\2196_556c29a5c_"
125 Jul 19 2002 "C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm.bak\40_5357ad65e_"
124 Jul 19 2002 "C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm\41_5bc212c48_"
128 Jul 19 2002 "C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm.bak\41_5bc212c48_"


end of report

#4 quietman7


Posted 20 February 2008 - 06:43 PM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 2 then 'Enter' to restore files from bak folders
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\hp\bin\bak\AUTOTKIT.EXE"
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
"C:\Program Files\Nokia\Nokia PC Suite 5\bak\DataLayer.exe"
"C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe"
"C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\Nokia\NCLTools\bak\NclTray.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"
"C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\ne\networkinterfacecardtestfailure.htm.bak\2196_556c29a5c_"
"C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm.bak\40_5357ad65e_"
"C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm.bak\41_5bc212c48_"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

Edited by quietman7, 20 February 2008 - 06:44 PM.


#5 MarqR


Posted 20 February 2008 - 06:49 PM

I ran it as you said. Nothing has happened as of yet. Does it take time??

#6 MarqR


Posted 20 February 2008 - 08:21 PM

It is taking a very long time to run a scan, upwards to about 40 minutes and I am just wondering if the program is stalling..

#7 quietman7


Posted 20 February 2008 - 09:47 PM

The scan shouldn't take that long. Shut it down and look to see if it created a new awf.txt. The log should indicate "Option 2 run successfully". If not, then try running it again.

#8 MarqR


Posted 21 February 2008 - 12:00 PM

Thanks Quietman. It ran successfully. Here you go..


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 02/21/2008
The current time is: 8:28:53.62


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

06/18/2003 06:19 PM 53,248 AUTOTKIT.EXE
1 File(s) 53,248 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 07:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/11/2007 12:10 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

08/14/2003 08:11 PM 139,264 shwicon2k.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 10:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 08:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

02/15/2008 02:32 PM 182 hpsysdrv.DAT
05/07/1998 03:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/03/2004 11:56 PM 15,360 ctfmon.exe
04/07/2003 06:07 AM 114,688 hkcmd.exe
05/23/2003 01:55 AM 483,328 hphmon05.exe
10/16/2002 03:57 PM 81,920 ps2.exe
4 File(s) 695,296 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~2\SYSTEM\BAK

06/18/2003 06:00 PM 200,704 mnyexpr.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

02/05/2004 08:24 AM 53,248 mmtask.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

10/13/2003 03:17 PM 929,792 DataLayer.exe
1 File(s) 929,792 bytes

Directory of C:\PROGRA~1\SBCSEL~1\SMARTB~1\BAK

08/24/2005 06:51 AM 442,455 MotiveSB.exe
1 File(s) 442,455 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/11/2003 02:51 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 06:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\COMMON~1\NOKIA\NCLTOOLS\BAK

02/10/2003 12:30 PM 425,984 NclTray.exe
1 File(s) 425,984 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/23/2004 03:01 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 07:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK

10/07/2002 06:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/07/2005 08:42 PM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\NE\NETWOR~1.BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\WI\WIRING~1.BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Jun 18 2003 "C:\hp\bin\AUTOTKIT.EXE"
53248 Jun 18 2003 "C:\hp\EXPLOREBAR\AUTOTKIT.EXE"
53248 Jun 18 2003 "C:\hp\bin\bak\AUTOTKIT.EXE"
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
267048 Dec 11 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Dec 11 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 26 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 26 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
139264 Aug 14 2003 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
139264 Aug 14 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
182 Feb 15 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Feb 15 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
483328 May 23 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 May 23 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
53248 Feb 5 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Feb 5 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Sep 23 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
929792 Oct 13 2003 "C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe"
929792 Oct 13 2003 "C:\Program Files\Nokia\Nokia PC Suite 5\bak\DataLayer.exe"
442455 Aug 24 2005 "C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe"
442455 Aug 24 2005 "C:\Program Files\SBC Self Support Tool\SmartBridge\bak\MotiveSB.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
1055008 Apr 4 2004 "C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
425984 Feb 10 2003 "C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe"
425984 Feb 10 2003 "C:\Program Files\Common Files\Nokia\NCLTools\bak\NclTray.exe"
180269 Dec 23 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Dec 23 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
176128 Mar 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Mar 7 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"


end of report
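
One way to check the result of option 2 from the log itself, as an added example that is not part of the thread or of FindAWF: it parses the "Duplicate files of bak directory contents" section and, for each file in a folder named bak, reports whether the log lists a same-named file in the parent folder with the same size and date. The function names, the status labels and the rule that only folders named exactly "bak" are considered are assumptions of this example; the sample lines are excerpts of the two logs posted above.

```python
import ntpath
import re

# Constructed excerpts: lines taken from the two awf.txt logs posted in this
# thread (before and after FindAWF option 2), trimmed to a few entries.
BEFORE = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
188 Jan 30 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Feb 15 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
125 Jul 19 2002 "C:\Documents and Settings\Owner\Local Settings\Temp\SBCCMAN\SPRT\vault\wi\wiring.htm.bak\40_5357ad65e_"

end of report
'''

AFTER = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
182 Feb 15 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Feb 15 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"

end of report
'''

# One log entry: <size> <Mon> <day> <year> "<full path>"
ENTRY_RE = re.compile(
    r'^(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')
SECTION = "duplicate files of bak directory contents"


def parse_duplicates(log_text):
    """Return (size, date, path) tuples from the duplicate-files section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        text = line.strip()
        if text.lower() == SECTION:
            in_section = True
        elif text.lower() == "end of report":
            break
        elif in_section:
            m = ENTRY_RE.match(text)
            if m:  # skips the ~~~~ rule and blank lines
                size, mon, day, year, path = m.groups()
                entries.append((int(size), f"{mon} {int(day)} {year}", path))
    return entries


def restore_status(log_text):
    """Map each ...\\bak\\<file> path to 'match', 'differs' or 'not listed'."""
    entries = parse_duplicates(log_text)
    listed = {path.lower(): (size, date) for size, date, path in entries}
    status = {}
    for size, date, path in entries:
        folder, name = ntpath.split(path)
        parent, leaf = ntpath.split(folder)
        if leaf.lower() != "bak":
            continue  # assumption: skip look-alikes such as wiring.htm.bak
        original = listed.get(ntpath.join(parent, name).lower())
        if original is None:
            status[path] = "not listed"   # no same-named parent entry in log
        elif original == (size, date):
            status[path] = "match"        # parent copy has same size and date
        else:
            status[path] = "differs"      # parent copy exists but is different
    return status


def pending(log_text):
    """bak files whose parent-folder copy is not yet a size/date match."""
    return sorted(p for p, s in restore_status(log_text).items() if s != "match")


if __name__ == "__main__":
    for label, log in (("before option 2", BEFORE), ("after option 2", AFTER)):
        print(label)
        for path, state in restore_status(log).items():
            print(f"  {state:10}  {path}")
```

A "match" here only means the size and date printed in the log agree; the log carries no hashes, so it does not prove the two files are byte-identical.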

#9 quietman7


Posted 21 February 2008 - 12:09 PM

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 3 then 'Enter' to remove bak folders.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\hp\bin\bak
C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\Multimedia Card Reader\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak\
C:\WINDOWS\system32\bak
C:\Program Files\Microsoft Money\System\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Nokia\Nokia PC Suite 5\bak
C:\Program Files\SBC Self Support Tool\SmartBridge\bak
C:\Program Files\Yahoo!\browser\bak
C:\Program Files\Yahoo!\Search Protection\bak
C:\Program Files\Common Files\Nokia\NCLTools\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\HP\Digital Imaging\Unload\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#10 MarqR


Posted 21 February 2008 - 07:10 PM

Thanks Quietman...Here are the results of the latest scan!


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 02/21/2008
The current time is: 15:52:28.17


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

02/15/2008 02:32 PM 182 hpsysdrv.DAT
05/07/1998 03:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\NE\NETWOR~1.BAK

0 File(s) 0 bytes

Directory of C:\DOCUME~1\OWNER\LOCALS~1\TEMP\SBCCMAN\SPRT\VAULT\WI\WIRING~1.BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

182 Feb 15 2008 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Feb 15 2008 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"


end of report

#11 quietman7


Posted 21 February 2008 - 10:04 PM

Open Windows Explorer, navigate to and delete the following bak folder(s):
C:\WINDOWS\system\bak <- this folder

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 4 then 'Enter' to reset domain zones.
  • You will receive a warning to reset domain zones.
  • Press 1 then 'Enter'.
  • When done, you will receive a message: "Done! Zones have been reset".
  • After resetting the domain zones, the program will return to the main menu.
  • Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#12 MarqR


Posted 22 February 2008 - 08:43 PM

All of that is done!! Is there anything else??

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:44 AM

Posted 22 February 2008 - 08:57 PM

Yes you're all done, please take a few moments to read...
How did I get infected?, With steps so it does not happen again!
Best Practices - Internet Safety For 2008
Suggested Safe Practices

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#14 MarqR


Posted 23 February 2008 - 07:57 PM

Thanks for the help, but I still have a problem. Every time I open Internet Explorer, my Internet Security keeps giving me repeated warnings, saying that I have attempted to open a dangerous web site: www.k8l.info/tc2/tc2.t> so something is still there. Is there anything else that I can do??

#15 boopme


Posted 23 February 2008 - 08:44 PM

These are stubborn infections. When this attempt fails we need to go to the HiJackThis folks. They will clean it for you. There are other tools to use, but you need to have guidance. Please follow the instructions in this post. You can go right to step 9, creating a log.
Preparation Guide for use before posting a HijackThis Log
Please then post that log in this forum not here. Click New Topic and give it a title like I Am Infected With A.doginhispen
HijackThis Logs and Malware Removal