Whataboutadog/rabbit etc. Removal instructions by howard_hopkinso
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above, you wish to clean your system, do the following.
Please Note: The attached files are for example only. Your own files will have different entries.
Please follow these instructions exactly. A copy of these instructions is available as a downloadable .txt file in the attachments.
Your system is infected with a trojan called Downloader.Agent.awf. It targets legitimate program files that are common on most computers: it moves each legitimate file into a "bak" (backup) folder next to the original location and puts an infected file in its place, so the infected copy runs whenever the program would normally start.
Running FindAWF allows us to identify the infected files and their backups, and then restore the original files.
STEP1:
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and pressing Enter.
When the tool has completed, a report (awf.txt) will open in Notepad.
See the attached Example1.
STEP2:
You would then need to do the following with Example1. Scroll down the file until you come to the main body marked START HERE. It's the entries below where it says "Duplicate files of bak directory contents" that we're interested in.
Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open. Please copy/paste the following text into the text file.
These are the entries from Example1 you would need to copy and paste into the above. Please note:
You must include the quotes.
You would only copy and paste the entries that have a bak folder in the file path.
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
"C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
"C:\Program Files\PCPal\bak\PalAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Logitech\QuickCam10\bak\QuickCam10.exe"
"C:\Program Files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe"
"C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad.
STEP3:
Please double-click the FindAWF icon once again.
Use the following option: press 3 then Enter to remove bak folders.
A text file opens called folders.txt.
Click below the line and paste the following list of folders to be removed. See the attached Example2: again, scroll down the file to where it says START HERE. Again, it's the entries below where the file says "Duplicate files of bak directory contents" that we're interested in.
Note: This time only copy and paste up to where the actual bak folder is, and we don't need the quotes this time.
C:\hp\KBD\bak
C:\Program Files\DISC\bak
C:\Program Files\DISC\bak   <-- This is a duplicate of the entry above it. These often crop up in an awf.txt file.
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\PCPal\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Logitech\QuickCam10\bak
C:\Program Files\Comcast\Desktop Doctor\bin\bak
C:\Program Files\Common Files\LogiShrd\LComMgr\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
Please Note: The entry above marked as a duplicate is simply a duplicate and is there for example only. For instance, you could find several entries for Windows\system32\bak or elsewhere. You would only need to enter one of these, as in effect it's exactly the same bak folder, so it can't be removed twice.
Next, close the file and click Yes to save the changes.
When done with the above, FindAWF automatically runs a new scan and opens a new log.
See the attached Example3, which is clean.
STEP4:
If you receive a clean log after running option 3, as in the attached Example3, then the infection is gone and you need to do the following.
To finish, run Option 4.
Double-click the FindAWF icon once again.
Use the following option: press 4 then Enter to reset domain zones.
When the program returns to the main menu, use the following option: press E then Enter to EXIT.
Very Important: However, that's not always the case, and sometimes you'll still see some bak files left under where it says "Duplicate files of bak directory contents" after running option 3. See the attached Example4.
In all cases, it is recommended you start a new thread in this forum (if you don't already have one), even if your awf.txt is clean. That's because your system may be infected with other malware.
You would need to attach a fresh awf.txt from running Option 1 of the FindAWF.exe tool, as well as a fresh HJT log.
See HERE for instructions.
If you have any questions pertaining to these instructions, please don't hesitate to ask.
Regards Howard
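As an added illustration of what the three FindAWF options above do under the hood, the following Python script is not part of Howard's post and is not FindAWF's own code. It builds a constructed directory tree (one fake infection modelled on the system32\bak\ctfmon.exe entry in Example1), scans for "bak" folders whose contents have a same-named twin in the parent directory and whose hashes differ (option 1's "Duplicate files of bak directory contents"), copies the backups back over the live files (option 2), and deletes each listed bak folder once even when the list contains a duplicate entry (option 3). The file contents, paths and function names are assumptions made for the demo; on a real machine, follow the FindAWF steps as written rather than running this.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root):
    """Option-1 analogue: walk root, find directories named 'bak', and report every
    file in them that has a same-named sibling in the parent directory.
    Returns a list of (backup_path, live_path, differs) tuples."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        parent = Path(dirpath).parent
        for name in filenames:
            backup, live = Path(dirpath) / name, parent / name
            if live.is_file():
                found.append((backup, live, sha256(backup) != sha256(live)))
    return found


def restore_from_bak(entries):
    """Option-2 analogue: copy each backup over the (infected) live file."""
    restored = []
    for backup, live, _ in entries:
        shutil.copy2(backup, live)
        restored.append(live)
    return restored


def remove_bak_folders(folders):
    """Option-3 analogue: delete each bak folder once; duplicate entries in the
    list (the case the post warns about) are collapsed before deleting."""
    removed = []
    for folder in dict.fromkeys(Path(f) for f in folders):  # dedupe, keep order
        if folder.is_dir():
            shutil.rmtree(folder)
            removed.append(folder)
    return removed


def build_demo_tree():
    """Constructed sample tree (an assumption for the demo, not real malware):
    the live ctfmon.exe has been swapped for a stub and the original moved to
    system32\\bak, exactly the pattern the post describes."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "ctfmon.exe").write_bytes(b"TROJAN-LOADER-STUB")
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"ORIGINAL-CTFMON")
    # A bak folder whose file has no live twin: not a duplicate, so not reported.
    other_bak = root / "Program Files" / "SomeApp" / "bak"
    other_bak.mkdir(parents=True)
    (other_bak / "readme.txt").write_bytes(b"notes")
    return root


def run_demo():
    """Run the whole procedure on the constructed tree and return what happened."""
    root = build_demo_tree()
    found = scan_bak_folders(root)
    to_restore = [e for e in found if e[2]]          # only files that actually differ
    restore_from_bak(to_restore)
    folder_list = [str(b.parent) for b, _, _ in to_restore] * 2  # deliberate duplicate
    removed = remove_bak_folders(folder_list)
    live = root / "WINDOWS" / "system32" / "ctfmon.exe"
    result = {
        "found": len(found),
        "restored_content": live.read_bytes(),
        "removed_folders": len(removed),
        "clean_after": scan_bak_folders(root) == [],  # the re-scan FindAWF does after option 3
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The hash comparison is what distinguishes a real swap from a harmless backup: a bak copy identical to the live file is not evidence of infection, while a differing one is exactly the "duplicate" FindAWF lists. Note that this only restores whatever is in the bak folder; it cannot tell you whether that copy is itself trustworthy, which is one reason the post asks for a fresh awf.txt and HJT log afterwards.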