
Awf Whataboutadog Trustedzone Keeps Returning


27 replies to this topic

#1 vghp

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:31 AM

Posted 15 October 2007 - 11:18 AM

I cannot get rid of whatabout.... through HJT. I followed a post and used findAWF and everything was great for about 8 hours when they returned. Thanks in advance and here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:16 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Documents and Settings\v\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?ie=UTF-8&...p;tab=wn&q=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Soloist.jar
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192232449703
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBDAAB26-05BA-4FBC-92F7-E5391AFF2675}: NameServer = 172.16.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6144 bytes



#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:31 AM

Posted 15 October 2007 - 11:59 AM

Hello vghp,

Welcome to Bleeping Computer :thumbsup:

Let's start from the beginning with FindAWF. Please run option #1 and post the report for me, please. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 vghp


Posted 15 October 2007 - 12:42 PM

Thanks, here are the results from option 1:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 10/15/2007
The current time is: 11:39:51.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/01/2006 11:07 AM 843,776 smax4pnp.exe
1 File(s) 843,776 bytes

Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 13 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report

#4 teacup61


Posted 15 October 2007 - 02:11 PM

Hello,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Almost done. :thumbsup:

Thanks,
tea

#5 vghp


Posted 15 October 2007 - 02:35 PM

Ok, done.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/15/2007
The current time is: 13:33:28.04


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/01/2006 11:07 AM 843,776 smax4pnp.exe
1 File(s) 843,776 bytes

Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 13 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report

#6 teacup61


Posted 15 October 2007 - 02:48 PM

Hello,

One more time with that option.....I forgot to take the file name off the end. :thumbsup: Sorry about that.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Analog Devices\Core\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

I'll go ahead and put the next option in here, rather than wait. I'm sure the AWF log will be good now, so might as well do it. :blink:

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Please also post a new HijackThis log and let me know how it's running now. :wacko:

Thanks,
tea

#7 vghp


Posted 15 October 2007 - 02:55 PM

hmmm. still shows up. here is the log.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/15/2007
The current time is: 13:53:48.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/01/2006 11:07 AM 843,776 smax4pnp.exe
1 File(s) 843,776 bytes

Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 13 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report

#8 teacup61


Posted 15 October 2007 - 03:03 PM

Well dang it. :thumbsup:

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

#9 vghp


Posted 15 October 2007 - 03:06 PM

Here it is.


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Mon 10/15/2007
The current time is: 14:06:17.00


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/01/2006 11:07 AM 843,776 smax4pnp.exe
1 File(s) 843,776 bytes

Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

843776 May 1 2006 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report
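The FindAWF reports in posts #3 and #9 above show the pattern the thread is cleaning up: the genuine smax4pnp.exe sits in a bak folder while a much smaller file of the same name sits in the parent folder, and after option 2 (described in post #8) both copies have the same size. As an added example that is not part of the thread or of the FindAWF tool, this Python script parses the "Duplicate files of bak directory contents" section of such a report, pairs each bak-folder file with its same-named twin one level up, and flags size mismatches. The rule for recognising a bak folder (a path segment whose name ends in "bak") is my assumption about how FindAWF pairs files, not documented tool behaviour; the sample reports are copied from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry line of the 'Duplicate files' section: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')
SECTION_HEADER = "Duplicate files of bak directory contents"

# Constructed sample input: the section as posted in post #3 (before the
# option 2 restore) and in post #9 (after it), copied from the thread.
REPORT_BEFORE = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Sep 13 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"

end of report
"""
REPORT_AFTER = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

843776 May 1 2006 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"

end of report
"""

@dataclass
class Entry:
    size: int
    date: str
    path: str

@dataclass
class Finding:
    status: str              # "REPLACED", "SAME_SIZE" or "NO_COUNTERPART"
    bak: Entry               # the copy inside the bak folder
    parent: Optional[Entry]  # same-named copy in the bak folder's parent, if listed

def parse_duplicates(report: str) -> List[Entry]:
    """Return the entries listed between the section header and 'end of report'."""
    entries: List[Entry] = []
    in_section = False
    for line in report.splitlines():
        if line.strip() == SECTION_HEADER:
            in_section = True
        elif in_section and line.strip().lower() == "end of report":
            break
        elif in_section:
            m = LINE_RE.match(line)
            if m:
                entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def bak_segment_index(path: str) -> Optional[int]:
    """Index of the first directory segment whose name ends in 'bak' ('bak', 'SBAK',
    '3-00-606.bak'), or None. Assumption: this mirrors how FindAWF picks bak folders."""
    parts = path.split("\\")
    for i, seg in enumerate(parts[:-1]):   # last part is the file name
        if seg.lower().endswith("bak"):
            return i
    return None

def analyse(report: str) -> List[Finding]:
    """Pair each bak-folder entry with its same-named twin one level up and compare
    sizes. A mismatch is the AWF swap: the original was moved into bak\\ and a
    small rogue file with the same name took its place in the parent folder."""
    entries = parse_duplicates(report)
    outside: Dict[str, Entry] = {e.path.lower(): e for e in entries
                                 if bak_segment_index(e.path) is None}
    findings: List[Finding] = []
    for e in entries:
        idx = bak_segment_index(e.path)
        if idx is None:
            continue
        parts = e.path.split("\\")
        twin = outside.get("\\".join(parts[:idx] + parts[idx + 1:]).lower())
        if twin is None:
            status = "NO_COUNTERPART"     # nothing to compare; review by hand
        elif twin.size != e.size:
            status = "REPLACED"           # restore the bak copy (FindAWF option 2)
        else:
            status = "SAME_SIZE"          # original is back; bak folder can go (option 3)
        findings.append(Finding(status, e, twin))
    return findings

if __name__ == "__main__":
    for label, rep in (("before option 2", REPORT_BEFORE), ("after option 2", REPORT_AFTER)):
        print(f"--- {label} ---")
        for f in analyse(rep):
            print(f"{f.status:15} {f.bak.size:>7} bytes  {f.bak.path}")
```

The LogMeIn and SBAK entries come out as NO_COUNTERPART because no same-named file exists one level above their bak folder, which matches the thread leaving them alone.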

#10 teacup61


Posted 15 October 2007 - 03:57 PM

Now that looks better. :thumbsup:

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Analog Devices\Core\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

This time, please also include a new HijackThis log and let me know how it's running now. :blink:

Thanks,
tea

#11 vghp


Posted 15 October 2007 - 04:20 PM

hmmmm, still there?


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/15/2007
The current time is: 15:19:34.39


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/01/2006 11:07 AM 843,776 smax4pnp.exe
1 File(s) 843,776 bytes

Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

843776 May 1 2006 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
843776 May 1 2006 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report

#12 teacup61


Posted 15 October 2007 - 07:08 PM

Hello,

Navigate to this one and delete it manually.

C:\Program Files\Analog Devices\Core\bak<---this folder

If you aren't sure, then please ask.

Please post a new HijackThis log and let me know how it's running now.

Thanks,
tea

#13 vghp


Posted 15 October 2007 - 07:17 PM

Here are both the FindAWF and the HJT logs. One question, should I now try and remove the TrustedZone: whataboutadog through HJT?


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 10/15/2007
The current time is: 18:16:22.75


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Oct 12 2007 "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SBAK\c1f69f5a26824200fc0a53c34c3812d8\SBAK.ni.dll"
57928 Apr 17 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.exe"
63048 Apr 17 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe1191391808"
24592 Sep 13 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.exe"


end of report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:13 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Envelope Manager\DAZzle\DAZZLE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\v\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?ie=UTF-8&...p;tab=wn&q=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Soloist.jar
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192232449703
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBDAAB26-05BA-4FBC-92F7-E5391AFF2675}: NameServer = 172.16.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6280 bytes

#14 teacup61


Posted 15 October 2007 - 07:30 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Did you run option #4 with FindAWF?

#15 vghp


Posted 15 October 2007 - 07:47 PM

I ran HJT and "fixed" the two "whatabout...." entries. Rebooted and here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:56 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\v\Desktop\Computer Maintenance\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?ie=UTF-8&...p;tab=wn&q=
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Soloist.jar
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192232449703
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBDAAB26-05BA-4FBC-92F7-E5391AFF2675}: NameServer = 172.16.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6060 bytes



