I Guess I Have A Doginhispen Also


16 replies to this topic

#1 mkas

mkas

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 10 March 2008 - 10:44 PM

I have done nothing yet, it looks daunting.

Where do I start?



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 10 March 2008 - 10:55 PM

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 11 March 2008 - 01:46 AM

Thank you very much, this is a real bugger...


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 03/11/2008
The current time is: 1:33:43.37


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

12/12/2006 10:26 PM 20,480 Imgtask.exe
1 File(s) 20,480 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

02/05/2007 03:52 PM 849,280 ipoint.exe
1 File(s) 849,280 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

11/21/2006 05:08 PM 813,912 itype.exe
1 File(s) 813,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 11:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 01:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

09/03/2007 12:20 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"
14348 Feb 26 2008 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
849280 Feb 5 2007 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
461584 Dec 4 2005 "K:\2007 08 26 PreRebuild\Program Files\Microsoft IntelliPoint\ipoint.exe"
461584 Dec 4 2005 "K:\2007 08 26 PreRebuild\Program Files\Microsoft IntelliPoint 5.5\IPoint\Setup\Files\ipoint.exe"
14348 Feb 26 2008 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
813912 Nov 21 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 30 2005 "K:\2007 08 26 PreRebuild\Program Files\QuickTime\qttask.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 Aug 10 2004 "K:\2007 08 26 PreRebuild\WINDOWS\system32\ctfmon.exe"
14348 Feb 26 2008 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
53248 Feb 23 2005 "K:\2007 08 26 PreRebuild\Program Files\PowerDVD\DVDLauncher.exe"
52272 Sep 3 2007 "C:\Program Files\Google\googletoolbar1user.exe"
126136 Sep 3 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
26694 Feb 11 2008 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
1477176 Jan 2 2006 "C:\Documents and Settings\Kasdorf's\My Documents\My Downloads\GoogleDesktopSetup.exe"
138680 Sep 3 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
126136 Sep 3 2007 "C:\Program Files\Google\Google Updater\2.2.969.23408\GoogleUpdaterRestartManager.exe"
68856 Sep 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
52272 Feb 1 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\googletoolbar2user.exe"
68856 May 22 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
61440 Sep 14 2006 "K:\2007 08 26 PreRebuild\Program Files\Google\Google Earth\googleearth.exe"
169472 Jan 2 2006 "K:\2007 08 26 PreRebuild\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
14405024 Sep 26 2006 "K:\2007 08 26 PreRebuild\Documents and Settings\All Users\Documents\My Videos\GoogleEarthWin.exe"
1477176 Jan 2 2006 "K:\2007 08 26 PreRebuild\Documents and Settings\Mike\My Documents\My Downloads\GoogleDesktopSetup.exe"
138168 Feb 1 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
29696 Sep 23 2005 "K:\2007 08 26 PreRebuild\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
75520 Dec 15 2006 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Nov 9 2006 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
132496 Jul 12 2007 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
83608 Mar 14 2007 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report

#4 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 11 March 2008 - 07:18 AM

K is an external backup drive, is that a problem?

#5 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 12 March 2008 - 07:14 AM

Uh oh, this doesn't seem good

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 12 March 2008 - 07:05 PM

Sorry for the delay.
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\WINDOWS\bak\Imgtask.exe"
"C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#7 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 12 March 2008 - 08:14 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 03/12/2008
The current time is: 19:56:40.43


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

12/12/2006 10:26 PM 20,480 Imgtask.exe
1 File(s) 20,480 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

02/05/2007 03:52 PM 849,280 ipoint.exe
1 File(s) 849,280 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

11/21/2006 05:08 PM 813,912 itype.exe
1 File(s) 813,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/11/2007 11:56 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 01:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

09/03/2007 12:20 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

20480 Dec 12 2006 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"
849280 Feb 5 2007 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
849280 Feb 5 2007 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
461584 Dec 4 2005 "K:\2007 08 26 PreRebuild\Program Files\Microsoft IntelliPoint\ipoint.exe"
461584 Dec 4 2005 "K:\2007 08 26 PreRebuild\Program Files\Microsoft IntelliPoint 5.5\IPoint\Setup\Files\ipoint.exe"
813912 Nov 21 2006 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
813912 Nov 21 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 30 2005 "K:\2007 08 26 PreRebuild\Program Files\QuickTime\qttask.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
15360 Aug 10 2004 "K:\2007 08 26 PreRebuild\WINDOWS\system32\ctfmon.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
53248 Feb 23 2005 "K:\2007 08 26 PreRebuild\Program Files\PowerDVD\DVDLauncher.exe"
52272 Sep 3 2007 "C:\Program Files\Google\googletoolbar1user.exe"
126136 Sep 3 2007 "C:\Program Files\Google\Google Updater\GoogleUpdater.exe"
68856 Sep 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
69632 Nov 13 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
26694 Feb 11 2008 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
1477176 Jan 2 2006 "C:\Documents and Settings\Kasdorf's\My Documents\My Downloads\GoogleDesktopSetup.exe"
138680 Sep 3 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
126136 Sep 3 2007 "C:\Program Files\Google\Google Updater\2.2.969.23408\GoogleUpdaterRestartManager.exe"
68856 Sep 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
52272 Feb 1 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\googletoolbar2user.exe"
68856 May 22 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
61440 Sep 14 2006 "K:\2007 08 26 PreRebuild\Program Files\Google\Google Earth\googleearth.exe"
169472 Jan 2 2006 "K:\2007 08 26 PreRebuild\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
14405024 Sep 26 2006 "K:\2007 08 26 PreRebuild\Documents and Settings\All Users\Documents\My Videos\GoogleEarthWin.exe"
1477176 Jan 2 2006 "K:\2007 08 26 PreRebuild\Documents and Settings\Mike\My Documents\My Downloads\GoogleDesktopSetup.exe"
138168 Feb 1 2007 "K:\2007 08 26 PreRebuild\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
29696 Sep 23 2005 "K:\2007 08 26 PreRebuild\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
75520 Dec 15 2006 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Nov 9 2006 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
132496 Jul 12 2007 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
83608 Mar 14 2007 "K:\2007 08 26 PreRebuild\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report
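
Added example (not part of the thread, and not FindAWF's own logic): post #6 explains that the trojan drops an infected file in place of a legitimate one and moves the original into a "bak" folder. The Python sketch below parses the "Duplicate files" section of a FindAWF report and flags live files whose size differs from the copy in the sibling bak folder; the function names and the size-mismatch heuristic are assumptions, and the sample lines are excerpted from the reports in posts #3 and #7.

```python
import ntpath
import re
from collections import defaultdict

# Excerpts of the "Duplicate files of bak directory contents" section from the
# reports in post #3 (before restore) and post #7 (after restore) of this thread.
BEFORE = r'''
14348 Feb 26 2008 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 30 2005 "K:\2007 08 26 PreRebuild\Program Files\QuickTime\qttask.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
'''
AFTER = r'''
20480 Dec 12 2006 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Dec 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
'''

# One listing line: size in bytes, date, quoted full path.
LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse(report):
    """Map case-normalised path -> (size, date, original path) per listing line."""
    entries = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            size, date, path = int(m.group(1)), m.group(2), m.group(3)
            entries[ntpath.normcase(path)] = (size, date, path)
    return entries


def find_swapped(report):
    """Return live files whose size differs from the copy in their sibling bak folder."""
    entries = parse(report)
    findings = []
    for key, (bak_size, _, bak_path) in entries.items():
        folder, name = ntpath.split(key)
        if ntpath.basename(folder) != "bak":
            continue  # only bak copies drive the comparison
        # The live file sits one level above the bak folder, same file name.
        live = entries.get(ntpath.join(ntpath.dirname(folder), name))
        if live and live[0] != bak_size:
            findings.append({"live": live[2], "live_size": live[0],
                             "live_date": live[1],
                             "bak": bak_path, "bak_size": bak_size})
    return findings


def shared_stub_sizes(findings, minimum=2):
    """Sizes shared by at least `minimum` differently named flagged files.

    Unrelated programs rarely have byte-identical sizes, so a shared size
    across flagged files points to one payload dropped under many names.
    """
    names = defaultdict(set)
    for f in findings:
        names[f["live_size"]].add(ntpath.basename(f["live"]).lower())
    return {size: sorted(n) for size, n in names.items() if len(n) >= minimum}


if __name__ == "__main__":
    for f in find_swapped(BEFORE):
        print(f'{f["live"]}: {f["live_size"]} bytes, bak copy {f["bak_size"]} bytes')
    print("shared sizes:", shared_stub_sizes(find_swapped(BEFORE)))
    print("after restore:", find_swapped(AFTER))
```

Matching sizes do not prove a file is clean; comparing hashes against a known-good copy is the stronger check.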

#8 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 12 March 2008 - 09:14 PM

Where do the trojans come from?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 12 March 2008 - 10:51 PM

Hi, I don't know for sure where it comes from. Usually an attachment to some email, a download from a P2P site etc.
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder.


Copy the paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\WINDOWS\bak
C:\Program Files\Microsoft IntelliPoint\bak
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#10 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 March 2008 - 01:31 AM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/13/2008
The current time is: 1:21:41.49


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

12/12/2006 10:26 PM 20,480 Imgtask.exe
1 File(s) 20,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

20480 Dec 12 2006 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"


end of report

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 13 March 2008 - 01:56 PM

Copy the path in the quote below to the clipboard: highlight it, right-click and choose Copy, or highlight it and press Ctrl+C:

C:\WINDOWS\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#12 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 March 2008 - 05:53 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/13/2008
The current time is: 17:45:20.84


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

12/12/2006 10:26 PM 20,480 Imgtask.exe
1 File(s) 20,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

20480 Dec 12 2006 "C:\WINDOWS\Imgtask.exe"
20480 Dec 12 2006 "C:\WINDOWS\bak\Imgtask.exe"


end of report

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 13 March 2008 - 07:17 PM

Open Windows Explorer, navigate to and delete the following bak folder:
Start > All Programs > Accessories > Windows Explorer
C:\WINDOWS\bak <- this folder

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Press 4, then press Enter.
Press 1 then Enter to continue.
When done, you will receive a message similar to this: Done! Zones have been reset
Press E then Enter to exit.


Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#14 mkas

mkas
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 13 March 2008 - 08:01 PM

Is that it? O.O

WOOT!

Thanx, you're amazing! :thumbsup:

MK

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:07 PM

Posted 13 March 2008 - 08:31 PM

:thumbsup: You did a great job too!

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please take the time to read through these topics.... Glad I could help

"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".