Desperate for help with this virus... [RESOLVED]

This topic is locked.
#16 Cadiebri (Member, Topic Starter, 12 posts)
Hi JSntgRvr :)



Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 03/31/2008
The current time is: 16:22:35.67


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

07/12/2002 06:15 AM 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

06/03/2004 04:51 AM 172,032 type32.exe
1 File(s) 172,032 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

06/03/2004 04:50 AM 204,800 point32.exe
1 File(s) 204,800 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

01/02/2006 05:41 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 02:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SEAGATE\DISCWI~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

03/07/2007 10:58 AM 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\COMMON~1\SEAGATE\SCHEDU~1\BAK

04/19/2007 10:29 PM 149,024 schedhlp.exe
1 File(s) 149,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

106496 Jul 12 2002 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
204800 Jun 3 2004 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
45056 Jan 2 2006 "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe"
45056 Jan 2 2006 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\tgcmd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
149024 Apr 19 2007 "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
149024 Apr 19 2007 "C:\Program Files\Common Files\Seagate\Schedule2\bak\schedhlp.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#17 JSntgRvr (Global Moderator, 10,965 posts)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\BAK
    C:\PROGRAM FILES\Microsoft IntelliType Pro\BAK
    C:\PROGRAM FILES\Microsoft IntelliPoint\BAK
    C:\WINDOWS\SYSTEM32\BAK
    C:\PROGRAM FILES\ATI Technologies\ATI.ACE\BAK
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\BAK
    C:\PROGRAM FILES\SUPPORT.COM\BIN\BAK
    C:\PROGRAM FILES\Common Files\SEAGATE\Schedule2\BAK
    C:\PROGRAM FILES\JAVA\jre1.6.0_02\BIN\BAK
    C:\PROGRAM FILES\SEAGATE\DiscWizard\BAK

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

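Before the bak folders are removed with option 3, it is worth checking the "Duplicate files of bak directory contents" section of the FindAWF report above: an AWF-style hijack moves the original executable into a bak folder and leaves a replacement in its place, so after option 2 (restore) every backup should have a live counterpart of the same size in the parent directory. The script below is an added example, not part of FindAWF or of this thread; it parses report lines in the shape shown above (some of them copied from the post), classifies each backup/live pair, and says whether removing the bak folders looks safe. The PRE_RESTORE_REPORT sample is constructed to show what an unrestored pair looks like, and same_content() is a stronger SHA-256 comparison for use on the machine itself.

```python
"""Added example: sanity-check a FindAWF report before removing bak folders.

Not part of FindAWF.  The RESTORED_REPORT lines are copied from the report
posted in this thread; PRE_RESTORE_REPORT is a constructed sample.
"""
import hashlib
import ntpath
import re

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')

# Lines copied from the FindAWF report posted above (taken after option 2 had run).
RESTORED_REPORT = r'''
106496 Jul 12 2002 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
'''

# Constructed sample (not from the thread): before a restore, the live ctfmon.exe
# is a different, larger binary than the backup sitting in the bak folder.
PRE_RESTORE_REPORT = r'''
51200 Mar 30 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
'''


def parse_report(text):
    """Return [(size_in_bytes, windows_path), ...] for every well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def live_path_for(bak_path):
    r"""Map 'DIR\bak\NAME' to 'DIR\NAME'; return None if the path is not inside a bak folder."""
    folder, name = ntpath.split(bak_path)
    parent, last = ntpath.split(folder)
    if last.lower() != "bak":
        return None
    return ntpath.join(parent, name)


def classify_pairs(entries):
    """Return {live_path_lowercased: status} for each file named in the report.

    match          live file and its bak copy have the same size
    size-mismatch  sizes differ: the live file is probably still the replacement
    live-missing   a backup exists but no live file is listed next to it
    no-backup      a live file was listed but has no bak copy (nothing to compare)
    """
    live, bak = {}, {}
    for size, path in entries:
        orig = live_path_for(path)
        if orig is None:
            live[path.lower()] = size
        else:
            bak[orig.lower()] = size
    status = {}
    for key, size in live.items():
        if key not in bak:
            status[key] = "no-backup"
        elif bak[key] == size:
            status[key] = "match"
        else:
            status[key] = "size-mismatch"
    for key in bak:
        if key not in live:
            status[key] = "live-missing"
    return status


def safe_to_remove_bak(entries):
    """True only when every backup has a same-size live counterpart."""
    return all(s in ("match", "no-backup") for s in classify_pairs(entries).values())


def same_content(path_a, path_b):
    """Stronger check for use on the actual machine: compare SHA-256 of both files."""
    digests = []
    for p in (path_a, path_b):
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests.append(h.hexdigest())
    return digests[0] == digests[1]


if __name__ == "__main__":
    for label, text in (("restored", RESTORED_REPORT), ("pre-restore", PRE_RESTORE_REPORT)):
        entries = parse_report(text)
        print(f"[{label}] safe to remove bak folders: {safe_to_remove_bak(entries)}")
        for path, status in sorted(classify_pairs(entries).items()):
            print(f"  {status:14} {path}")
```

A size match is only a first screen; two different binaries can share a length, so on a machine where the files still exist, same_content() on the live path and its bak copy is the check that actually settles it before the bak folders are deleted.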

#18 Cadiebri (Member, Topic Starter, 12 posts)
Woot! The backdoor virus is gone. I waited an extra day and played my games, and the minimizing is gone as well. Excellent job, well done. You don't know how much I appreciate it. You deserve the payment that will be sent on the 15th. Thank you so much, JSntgRvr :) I will refer all my friends to this site.

Cadiebri.



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 04/01/2008
The current time is: 7:58:38.95


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#19 JSntgRvr (Global Moderator, 10,965 posts)
Hi, Cadiebri. :)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the /U; it needs to be there.

  • If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!

#20 Cadiebri (Member, Topic Starter, 12 posts)
Hi JSntgRvr


I followed everything in the last post, but after ComboFix was removed I still have dss.exe & FindAWF.exe on my desktop. Were these supposed to be gone with the ComboFix uninstall? And how do I get rid of these two :) Also, I'm not sure about resetting the clock settings; my clock seems to be running fine. The restore point was set before I did the ComboFix uninstall. Sorry for being a pain, I have not been through this process before. :)

Cadie

#21 JSntgRvr (Global Moderator, 10,965 posts)
Hi.

I don't believe this action is intended to remove all tools. It should, however, remove ComboFix, the C:\Deckard folder and other folders that in general terms are used to quarantine bad files. It may miss these applications.

Right click on both files and select Delete.

#22 JSntgRvr (Global Moderator, 10,965 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.