Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Whataboutadog.com


  • This topic is locked This topic is locked
14 replies to this topic

#1 fakerone

fakerone

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 06 October 2007 - 10:10 AM

This shows up in my HJT log in the Trusted Zone. I select and FIX CHECKED...and some time later, there it is again. And again.

I also have been recieving 3 different warnings from my Trend Micro product. One says my computer is trying to open a hazardous site : http//: 88.80.5.21/time.txt The two others have been absent today...they are both a series of numbers followed by either DAT.EXE or or TXT.EXE

I have run Housecall, Stinger, Spybot Search & Destroy. I have run HJT and repeatedly 'removed' the *whataboutadog.com entry but usually within an hour or so, it reappears.

What follows is my HJT log. Please help!

Thank you!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:10 AM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O15 - Trusted Zone: http://scwmls.fnismls.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://scwmls.fnismls.com/Paragon/Codebase...rintControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105303308347
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by122fd.bay122.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://scwmls.fnismls.com/Paragon/Search/S...w=150&h=115

--
End of file - 6903 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 08 October 2007 - 11:37 PM

Hello fakerone,

Your problem is far deeper than whataboutadog.com :thumbsup:


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 10:02 AM

Here is the requested AWF report. I note that now I also routinely find doginhispen.com in the Trusted Zone as well.


I await your next instructions!

Thank you !



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 10/09/2007
The current time is: 9:59:26.85


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 02:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MI0A1E~1\BAK

11/14/2006 01:22 PM 121,640 LocationFinder.exe
1 File(s) 121,640 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX2.0\BAK

03/31/2003 08:28 PM 155,648 hpbpsttp.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

09/29/2006 10:02 PM 3,112,960 pccguide.exe
1 File(s) 3,112,960 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 04:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

09/26/2006 11:37 PM 315,392 TMAS_OEMon.exe
1 File(s) 315,392 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX2.0\APACHE~1.0\WEBAPPS\TOOLBOX\STATUS~1\BAK

12/16/2002 05:51 PM 36,864 StatusClient.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 3 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 3 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 3 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
116024 Oct 3 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2J6RYZQB\iTunesSetupAdmin[1].exe"
28172 Oct 3 2007 "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
121640 Nov 14 2006 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe"
28172 Oct 3 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 3 2007 "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
155648 Mar 31 2003 "C:\Program Files\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe"
28172 Oct 3 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
3112960 Sep 29 2006 "C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
28172 Oct 3 2007 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
471040 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEImp.exe"
483328 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OL\TMAS_OLImp.exe"
315392 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"
28172 Oct 3 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
28172 Oct 3 2007 "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe"
36864 Dec 16 2002 "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak\StatusClient.exe"


end of report

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 10:14 AM

Hi fakerone,

You have a nasty AWF infection. :thumbsup:

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe"
"C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
"C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
"C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak\StatusClient.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 11:04 AM

OPTION #2 in AWF



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 10/09/2007
The current time is: 10:27:10.54


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 02:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MI0A1E~1\BAK

11/14/2006 01:22 PM 121,640 LocationFinder.exe
1 File(s) 121,640 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX2.0\BAK

03/31/2003 08:28 PM 155,648 hpbpsttp.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

09/29/2006 10:02 PM 3,112,960 pccguide.exe
1 File(s) 3,112,960 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 04:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

09/26/2006 11:37 PM 315,392 TMAS_OEMon.exe
1 File(s) 315,392 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX2.0\APACHE~1.0\WEBAPPS\TOOLBOX\STATUS~1\BAK

12/16/2002 05:51 PM 36,864 StatusClient.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 3 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 3 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
116024 Oct 3 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2J6RYZQB\iTunesSetupAdmin[1].exe"
121640 Nov 14 2006 "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
121640 Nov 14 2006 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Mar 31 2003 "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
155648 Mar 31 2003 "C:\Program Files\Hewlett-Packard\Toolbox2.0\bak\hpbpsttp.exe"
3112960 Sep 29 2006 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
3112960 Sep 29 2006 "C:\Program Files\Trend Micro\Internet Security 2007\bak\pccguide.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
471040 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEImp.exe"
483328 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OL\TMAS_OLImp.exe"
315392 Sep 26 2006 "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak\TMAS_OEMon.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
36864 Dec 16 2002 "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe"
36864 Dec 16 2002 "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak\StatusClient.exe"


end of report

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 12:06 PM

Hi fakerone,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\iTunes\bak
C:\Program Files\Microsoft Location Finder\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Hewlett-Packard\Toolbox2.0\bak
C:\Program Files\Trend Micro\Internet Security 2007\bak
C:\Program Files\Java\jre1.5.0_10\bin\bak
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 12:26 PM

Not much to this new log after AWF #3



Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/09/2007
The current time is: 12:22:38.07


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 12:58 PM

Hi fakerone,

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

If your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again. Because some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 01:29 PM

First the HJT Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:45 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://scwmls.fnismls.com/Paragon/Codebase...rintControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105303308347
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by122fd.bay122.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS3\Services\Tcpip\..\{7785DDA6-20E6-440E-A624-7113473E6863}: NameServer = 216.165.129.157,216.170.153.146
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://scwmls.fnismls.com/Paragon/Search/S...w=150&h=115

--
End of file - 7291 bytes










Now the Combofix:


ComboFix 07-10-09.3 - Paul 2007-10-09 13:25:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.139 [GMT -5:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191620335.old
C:\WINDOWS\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-09 13:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 18:30 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-06 11:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-06 11:37 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-10-06 11:35 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-06 09:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-05 10:10 <DIR> d-------- C:\DOCUME~1\Paul\.housecall6.6
2007-10-03 16:28 <DIR> d-------- C:\Program Files\iTunes
2007-09-26 20:57 <DIR> d-------- C:\Program Files\DivX
2007-09-13 12:52 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-13 11:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-10 20:14 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\InstallShield
2007-09-10 20:14 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\InstallShield
2007-09-10 20:14 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\InstallShield
2007-09-10 20:14 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\InstallShield
2007-09-10 14:19 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\DataCast
2007-09-10 14:19 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\DataCast
2007-09-10 14:19 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\DataCast
2007-09-10 14:19 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\DataCast
2007-09-10 14:19 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-09-10 14:19 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-09-10 14:04 299,008 --a------ C:\WINDOWS\system32\LAME_MP3.dll
2007-09-10 14:04 65,024 --a------ C:\WINDOWS\IFinst26.exe
2007-09-10 14:02 <DIR> d-------- C:\Program Files\Samsung
2007-09-10 14:02 118,784 --a------ C:\WINDOWS\system32\MaDRM.dll
2007-09-10 14:00 <DIR> d-------- C:\WINDOWS\system32\URTTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 17:22 --------- d-----w C:\Program Files\QuickTime
2007-10-09 17:22 --------- d-----w C:\Program Files\Microsoft Location Finder
2007-10-06 19:21 --------- d-----w C:\Program Files\palmOne
2007-10-06 19:15 --------- d-----w C:\Program Files\Google
2007-10-06 16:16 --------- d-----w C:\Program Files\Blackjack
2007-10-05 14:55 --------- d-----w C:\Program Files\WordBiz
2007-10-03 21:28 --------- d-----w C:\Program Files\iPod
2007-10-03 21:22 --------- d-----w C:\Program Files\Apple Software Update
2007-10-03 01:37 --------- d--h--w C:\Documents and Settings\Paul\Application Data\Move Networks
2007-10-03 01:37 --------- d--h--w C:\Documents and Settings\Paul\Application Data\Move Networks
2007-10-03 01:37 --------- d--h--w C:\Documents and Settings\Paul\Application Data\Move Networks
2007-10-03 01:37 --------- d--h--w C:\DOCUME~1\Paul\APPLIC~1\Move Networks
2007-09-11 01:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-29 17:05 --------- d-----w C:\Program Files\Virtools
2007-08-09 02:19 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-31 00:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2006-01-14 21:37 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 16:19]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-09-29 22:02]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-26 23:37]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2006-11-14 13:22]

C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2007-08-08 21:17:02]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34]

C:\DOCUME~1\Paul\STARTM~1\Programs\Startup\
palmOne Registration.lnk - C:\Program Files\palmOne\register.exe [2007-08-08 21:17:02]

R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\drivers\TmXPFlt.sys
R3 AEIWL;Actiontec Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\AEIWLNDS.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58cfbbea-0c5d-11db-8b55-0007e9e9cf66}]
AutoRun\command - F:\DBAStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b25d647-a5c5-11db-8b97-0007e9e9cf66}]
AutoRun\command - G:\setupSNK.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 13:28:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 13:29:05
C:\ComboFix-quarantined-files.txt ... 2007-10-09 13:28
.
--- E O F ---

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 01:38 PM

Hi fakerone,


You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\IFinst26.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 04:11 PM

I think this is right.

Didn't see where to enter my email address...cut and pasted the : File IFinst26.exe as I didn't understand how to 'browse' to it.

Thank you,

Fakerone




received on 10.09.2007 23:05:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 1/32 (3.13%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 48 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.10.10.0 2007.10.09 -
AntiVir 7.6.0.20 2007.10.09 -
Authentium 4.93.8 2007.10.09 -
Avast 4.7.1051.0 2007.10.09 -
AVG 7.5.0.488 2007.10.09 -
BitDefender 7.2 2007.10.09 -
CAT-QuickHeal 9.00 2007.10.09 -
ClamAV 0.91.2 2007.10.09 -
DrWeb 4.44.0.09170 2007.10.09 -
eSafe 7.0.15.0 2007.10.09 suspicious Trojan/Worm
eTrust-Vet 31.2.5198 2007.10.09 -
Ewido 4.0 2007.10.09 -
FileAdvisor 1 2007.10.09 -
Fortinet 3.11.0.0 2007.10.09 -
F-Prot 4.3.2.48 2007.10.09 -
F-Secure 6.70.13030.0 2007.10.09 -
Ikarus T3.1.1.12 2007.10.09 -
Kaspersky 7.0.0.125 2007.10.09 -
McAfee 5137 2007.10.09 -
Microsoft 1.2908 2007.10.09 -
NOD32v2 2582 2007.10.09 -
Norman 5.80.02 2007.10.09 -
Panda 9.0.0.4 2007.10.09 -
Prevx1 V2 2007.10.09 -
Rising 19.44.12.00 2007.10.09 -
Sophos 4.22.0 2007.10.09 -
Sunbelt 2.2.907.0 2007.10.08 -
Symantec 10 2007.10.09 -
TheHacker 6.2.6.080 2007.10.09 -
VBA32 3.12.2.4 2007.10.08 -
VirusBuster 4.3.26:9 2007.10.09 -
Webwasher-Gateway 6.0.1 2007.10.09 -
Additional information
File size: 65024 bytes
MD5: fdc9d4de50a845137580698494b19f13
SHA1: 0982241e310fd7d79ce544d1c78ee4c6ce704091
packers: UPX
packers: UPX
packers: UPX


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.





File IFinst26.exe received on 10.09.2007 23:05:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 1/32 (3.13%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 48 and 68 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.10.10.0 2007.10.09 -
AntiVir 7.6.0.20 2007.10.09 -
Authentium 4.93.8 2007.10.09 -
Avast 4.7.1051.0 2007.10.09 -
AVG 7.5.0.488 2007.10.09 -
BitDefender 7.2 2007.10.09 -
CAT-QuickHeal 9.00 2007.10.09 -
ClamAV 0.91.2 2007.10.09 -
DrWeb 4.44.0.09170 2007.10.09 -
eSafe 7.0.15.0 2007.10.09 suspicious Trojan/Worm
eTrust-Vet 31.2.5198 2007.10.09 -
Ewido 4.0 2007.10.09 -
FileAdvisor 1 2007.10.09 -
Fortinet 3.11.0.0 2007.10.09 -
F-Prot 4.3.2.48 2007.10.09 -
F-Secure 6.70.13030.0 2007.10.09 -
Ikarus T3.1.1.12 2007.10.09 -
Kaspersky 7.0.0.125 2007.10.09 -
McAfee 5137 2007.10.09 -
Microsoft 1.2908 2007.10.09 -
NOD32v2 2582 2007.10.09 -
Norman 5.80.02 2007.10.09 -
Panda 9.0.0.4 2007.10.09 -
Prevx1 V2 2007.10.09 -
Rising 19.44.12.00 2007.10.09 -
Sophos 4.22.0 2007.10.09 -
Sunbelt 2.2.907.0 2007.10.08 -
Symantec 10 2007.10.09 -
TheHacker 6.2.6.080 2007.10.09 -
VBA32 3.12.2.4 2007.10.08 -
VirusBuster 4.3.26:9 2007.10.09 -
Webwasher-Gateway 6.0.1 2007.10.09 -
Additional information
File size: 65024 bytes
MD5: fdc9d4de50a845137580698494b19f13
SHA1: 0982241e310fd7d79ce544d1c78ee4c6ce704091
packers: UPX
packers: UPX
packers: UPX


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 04:43 PM

Hi fakerone,

That file is OK.
How is your computer running? :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 fakerone

fakerone
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 October 2007 - 05:14 PM

Hello~


Things are running much better thank you. The whataboutadog and doginhispen have both disappeared and not reappeared. Seems like an awful lot of work for all involved. What is the point, from the point of view of the creator?

I will make a donation via PayPal...

Thank you !

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 09 October 2007 - 05:35 PM

Hi fakerone,

Your welcome. :wacko: And thank you for your for the donation.


Seems like an awful lot of work for all involved. What is the point, from the point of view of the creator?


Just a very malicous person who whats to screw up peoples computers. :blink:



Your Hijackthis log looks clean! :thumbsup: Good job on the cleanup!



Uninstall ComboFix, go to to Start > Run & type in ComboFix /u

Delete FindAWF.exe from you desktop.



Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.



Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 15 October 2007 - 02:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:21 AM

Posted 15 October 2007 - 02:08 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users