
Sqmdata.sqm - PopUps, Background changes, virus?




  #21  
Old 27th Jan 2008, 17:33
Member Group
 

Btw, I can't access the link to FindAWF.exe.
  #22  
Old 27th Jan 2008, 17:52
Moderator Group
 

Try this one.

http://download.bleepingcomputer.com.../OTMoveIt2.exe
__________________

  #23  
Old 27th Jan 2008, 18:11
Member Group
 

Okay, I downloaded the other one. How do I use it?
  #24  
Old 27th Jan 2008, 18:51
Moderator Group
 

Sorry I gave the wrong link. Too many things going on right now. Use this one for FindAWF.

Please download FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please attach the Find AWF report in your reply
__________________

  #25  
Old 27th Jan 2008, 19:04
Member Group
 

Okay. It's running.
  #26  
Old 27th Jan 2008, 19:06
Member Group
 

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 01/27/2008
The current time is: 18:03:29.53


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/11/2003 07:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

12/20/2005 07:54 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/26/2006 06:13 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/17/2003 10:31 PM 118,784 Remind_XP.exe
1 File(s) 118,784 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 07:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 03:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 11:00 AM 15,360 ctfmon.exe
06/07/2004 05:42 PM 659,456 hphmon06.exe
10/16/2002 03:57 PM 81,920 ps2.exe
3 File(s) 756,736 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

08/13/2004 12:17 PM 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 05:53 PM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/07/2004 01:03 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

08/07/2004 11:36 AM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 07:46 AM 172,032 hpztsb10.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67160 Dec 8 2004 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
286720 Apr 21 2004 "C:\Program Files\iTunes\iTunesHelper.exe1168563073"
278528 Dec 20 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Jun 26 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Dec 17 2003 "C:\WINDOWS\CREATOR\Remind_XP.exe"
118784 Dec 17 2003 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.EXE"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe1168563073"
180269 Aug 7 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
32881 Aug 7 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
172032 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
172032 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


end of report
  #27  
Old 27th Jan 2008, 19:30
Moderator Group
 

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

Code:
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\AIM\bak\aim.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hphmon06.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"
Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
__________________
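The comparison behind the report and restore list above, as an added example that is not part of the original thread and is not FindAWF's own code: for each file listed inside a bak folder, it looks up the same-named file one folder up in the "Duplicate files" listing and reports how the two differ. The state names and the function names `parse` and `triage` are this example's own; the sample lines are copied from the report above.

```python
import re
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Sample lines copied from the "Duplicate files" section of the report above.
SAMPLE = r'''
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67160 Dec 8 2004 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
'''

# One listing line: <size> <Mon D YYYY> "<full path>"
LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

def parse(report):
    """Return {case-folded path: (size, date, path as printed)} per listing line."""
    entries = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            date = " ".join(m.group(2).split())  # collapse uneven spacing
            entries[normcase(m.group(3))] = (int(m.group(1)), date, m.group(3))
    return entries

def triage(report):
    """For every file inside a bak folder, describe the same-named file one level up."""
    entries = parse(report)
    result = {}
    for key, (size, date, path) in entries.items():
        folder = dirname(key)
        if basename(folder) != "bak":
            continue  # not a bak copy
        parent = entries.get(dirname(folder) + "\\" + basename(key))
        if parent is None:
            state = "parent-missing"      # nothing with that name one level up
        elif parent[0] != size:
            state = "size-differs"        # the two files are not the same file
        elif parent[1] != date:
            state = "date-differs"        # same size, different timestamp
        else:
            state = "identical-listing"   # size and date match; contents unverified
        result[path] = state
    return result

if __name__ == "__main__":
    for path, state in triage(SAMPLE).items():
        print(f"{state:18} {path}")
```

Size and date are all the listing provides, so "identical-listing" is not proof the parent file is clean; a hash comparison against a known-good copy would be needed for that.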

  #28  
Old 27th Jan 2008, 20:02
Member Group
 

How come there isn't a new scan running?? I don't really the pasting part too.
  #29  
Old 27th Jan 2008, 20:09
Moderator Group
 

It should look like this attachment.
Attached Files
File Type: txt files.txt (1,001 Bytes, 7 views)
__________________

  #30  
Old 27th Jan 2008, 20:17
Member Group
 

Where am I supposed to paste the code thing?