Another Whataboutadog & Doginhispen Infection

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Another Whataboutadog & Doginhispen Infection, Please help me remove this

Options

quietman7 View Member Profile	Jan 8 2008, 01:39 PM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. If a "Security Alert" shows, allow the program to run. As instructed, press any key to continue. Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'. A text file named files.txt will then open. Click below the line and copy/paste the following list of files in the quote box into the text file: QUOTE "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe" "C:\WINDOWS\CREATOR\bak\Remind_XP.exe" "C:\WINDOWS\SMINST\bak\Recguard.exe" "C:\WINDOWS\SMINST\bak\Scheduler.exe" "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32\bak\igfxpers.exe" "C:\WINDOWS\system32\bak\igfxtray.exe" "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" "C:\Program Files\Canon Electronics\Scan Panel\bak\drpanel.exe" "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe" "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe" "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe" "C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe" "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe" "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE" "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following: It attempts to terminate the process represented by each filename on the list (if running). Deletes the rogue file from the parent folder (if present). Copies the original file to the parent folder. When done, it automatically runs a new scan and opens a new log. Please copy/paste the contents of the new awf.txt log in your reply. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Stuart Bierig View Member Profile	Jan 8 2008, 02:10 PM Post #3
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	I ran FindAWF and followed your instructions. Every few seconds, the Command window shows the following line (over and over again): Killing PID 2412 'Smax4.exe' This has been running for over 10 minutes. By the way, how do you determine what to select from my original FindAWF posting? Thank you.

Stuart Bierig View Member Profile	Jan 8 2008, 02:42 PM Post #4
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	Thank you for your prompt reply. I ran FindAWF and followed your instructions. However, every few seconds, the Command window shows the following line (over and over again): Killing PID 2412 'Smax4.exe' This has been running for over 60 minutes. Please advise. By the way, how did you determine what to select from my original FindAWF posting?

quietman7 View Member Profile	Jan 8 2008, 02:53 PM Post #5
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	The legit SMax4.exe is related to SoundMAX. The replacement is related to the malware. The tool should not take that long. It may be having a problem killing that file. Close it down and trying running again. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

quietman7 View Member Profile	Jan 8 2008, 09:51 PM Post #7
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. Select option #3 - Remove bak folders by typing 3 and press 'Enter'. A text file named files.txt will then open. Click below the line and copy/paste the following list of folders in the quote box into the text file: QUOTE C:\Program Files\Symantec AntiVirus\bak C:\WINDOWS\CREATOR\bak C:\WINDOWS\SMINST\bak C:\WINDOWS\system32\bak C:\Program Files\Analog Devices\SoundMAX\bak C:\Program Files\Canon Electronics\Scan Panel\bak C:\Program Files\Common Files\Symantec Shared\bak C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak C:\Program Files\Hp\hpcoretech\bak C:\Program Files\HPQ\Default Settings\bak C:\Program Files\InterVideo\DVD Check\bak C:\Program Files\Synaptics\SynTP\bak C:\WINDOWS\system32\DLA\bak C:\Program Files\Java\jre1.5.0_06\bin\bak Close the text file and click Yes to save the changes. When done, it automatically runs a new scan and opens a new log. Please copy/paste the contents of the new awf.txt log in your reply. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Stuart Bierig View Member Profile	Jan 9 2008, 07:58 AM Post #8
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	Here we go.. Looking Good. Find AWF report by noahdfear ©2006 Version 1.40 Option 3 run successfully The current date is: Wed 01/09/2008 The current time is: 7:53:42.59 bak folders found ~~~~~~~~~~~ Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ end of report

quietman7 View Member Profile	Jan 9 2008, 10:33 AM Post #9
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. Select option #4 - Reset domain zones by typing 4 and press 'Enter'. You will receive a warning to reset domain zones. Press 1 then press 'Enter'. After resetting the domain zones, the program will return to the main menu. Use the following option: Press E then 'Enter' to EXIT. Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted. Looks like your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update: Java Runtime Environment (JRE) Version 6 and save it to your desktop. Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications". Click the "Download" button to the right. Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Stuart Bierig View Member Profile	Jan 9 2008, 12:00 PM Post #10
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	DONE. I also ran Adaware and AniSpyware. This question may be worthy of a new post. Both Adaware and SuperAntiSpyware both show a bunch of bad stuff in QSP files within my C:\Windows\Temp directory. (I clean the laptop weekly with ccleaner). None of the identified issues (see below) have any files anywhere else on the laptop, only in C:\Windows\Temp. I also am NOT seeing any symptoms of these isssues on the PC or when using the browser. ISSUES: CmdServices iSearchToolbar Get Mirar Adware.Mirar When I delete these files in Safe mode and scan the machine, the above applications find nothing else on the laptop. Should I post a Hijack log in the Hijack forum? Thank you.

quietman7 View Member Profile	Jan 9 2008, 12:21 PM Post #11
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	I'm confused about your last reply. QSP files are related to QSetup. Are you saying these files are show by those names but as a qsp files? Can I see the SAS log only? -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Stuart Bierig View Member Profile	Jan 9 2008, 01:54 PM Post #12
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	SAS Log is below. The directory fills up with more qsp files and relate to other adware/malware. SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 01/09/2008 at 01:14 PM Application Version : 3.9.1008 Core Rules Database Version : 3377 Trace Rules Database Version: 1371 Scan type : Complete Scan Total Scan Time : 00:53:15 Memory items scanned : 571 Memory threats detected : 0 Registry items scanned : 6468 Registry threats detected : 0 File items scanned : 44673 File threats detected : 49 Adware.Adservs C:\WINDOWS\TEMP\4784E914.QSP C:\WINDOWS\TEMP\4784EBB2.QSP C:\WINDOWS\TEMP\4784EC43.QSP C:\WINDOWS\TEMP\4784EEDE.QSP C:\WINDOWS\TEMP\4784EF6F.QSP C:\WINDOWS\TEMP\4784F20A.QSP C:\WINDOWS\TEMP\4784F29A.QSP C:\WINDOWS\TEMP\4784F535.QSP C:\WINDOWS\TEMP\4784F5C6.QSP C:\WINDOWS\TEMP\4784F62D.QSP C:\WINDOWS\TEMP\4784F6C0.QSP C:\WINDOWS\TEMP\4784F95C.QSP C:\WINDOWS\TEMP\4784F9F3.QSP C:\WINDOWS\TEMP\4784FC8F.QSP C:\WINDOWS\TEMP\4784FD1F.QSP C:\WINDOWS\TEMP\4784FFBB.QSP C:\WINDOWS\TEMP\4785004B.QSP C:\WINDOWS\TEMP\478502EA.QSP C:\WINDOWS\TEMP\4785038C.QSP C:\WINDOWS\TEMP\4785062B.QSP C:\WINDOWS\TEMP\478506C6.QSP C:\WINDOWS\TEMP\47850965.QSP C:\WINDOWS\TEMP\47850A07.QSP C:\WINDOWS\TEMP\47850CA9.QSP C:\WINDOWS\TEMP\47850D4E.QSP Unclassified.Unknown Origin C:\WINDOWS\TEMP\4784EB47.QSP C:\WINDOWS\TEMP\4784EE8F.QSP C:\WINDOWS\TEMP\4784F19B.QSP C:\WINDOWS\TEMP\4784F4E3.QSP C:\WINDOWS\TEMP\4784F5D3.QSP C:\WINDOWS\TEMP\4784F91B.QSP C:\WINDOWS\TEMP\4784FC27.QSP C:\WINDOWS\TEMP\4784FF6F.QSP C:\WINDOWS\TEMP\4785027B.QSP C:\WINDOWS\TEMP\478505FF.QSP C:\WINDOWS\TEMP\4785090B.QSP C:\WINDOWS\TEMP\47850C8F.QSP Trojan.Unknown Origin C:\WINDOWS\TEMP\4784EBB5.QSP C:\WINDOWS\TEMP\4784EEE1.QSP C:\WINDOWS\TEMP\4784F20D.QSP C:\WINDOWS\TEMP\4784F539.QSP C:\WINDOWS\TEMP\4784F630.QSP C:\WINDOWS\TEMP\4784F95F.QSP C:\WINDOWS\TEMP\4784FC92.QSP C:\WINDOWS\TEMP\4784FFBE.QSP C:\WINDOWS\TEMP\478502EE.QSP C:\WINDOWS\TEMP\47850630.QSP C:\WINDOWS\TEMP\47850969.QSP C:\WINDOWS\TEMP\47850CAD.QSP

quietman7 View Member Profile	Jan 9 2008, 03:49 PM Post #13
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Adware.Adservs usually involves .dll files. Get a second opinion by submitting one or two of the files to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit [upload] it for scanning/analysis. Post back with the results of the file analysis. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

Stuart Bierig View Member Profile	Jan 9 2008, 05:28 PM Post #14
New Member Group: Members Posts: 10 Joined: 10-December 07 Member No.: 175,645	Here ya go... Service load: 0% 100% File: 47851A09.qsp Status: INFECTED/MALWARE MD5: 0f8deb5a57d8310b2d7ef90b84480f13 Packers detected: UPX Bit9 reports: Low threat detected (more info) Scanner results Scan taken on 09 Jan 2008 22:23:23 (GMT) A-Squared Found nothing AntiVir Found ADSPY/CommAd.A ArcaVir Found Trojan.Delf.Hp Avast Found Win32:Trojan-gen {Other} AVG Antivirus Found Generic.GMD BitDefender Found Adware.CommAd.A ClamAV Found Adware.CommAd-2 CPsecure Found Malware.W32.CommAd.A Dr.Web Found Trojan.Proxy.493 F-Prot Antivirus Found W32/Backdoor.AJHB F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.CommAd.a (4, 1, 400) Fortinet Found Adware/Isearch Ikarus Found Trojan-Downloader.Win32.Banload.F Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.CommAd.a NOD32 Found Win32/Adware.CommAd application Norman Virus Control Found W32/CommAd.B Panda Antivirus Found nothing Rising Antivirus Found Backdoor.BlackHole.ax Sophos Antivirus Found nothing VirusBuster Found Adware.CommAd.A VBA32 Found AdWare.Win32.CommAd.a

quietman7 View Member Profile	Jan 9 2008, 06:17 PM Post #15
Bleepin' Janitor Group: Global Moderator Posts: 18,043 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	We can easily remove these files but that does not resolve the problem of them being regenerated. To do that you need to identify what is creating them so we probably should take a look at a hijackthis log. Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log".In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator. When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day. Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. *Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team. Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies* as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009 Member of UNITE, Unified Network of Instructors and Trusted Eliminators

« Next Oldest · Am I infected? What do I do? · Next Newest »

2 User(s) are reading this topic (2 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides