Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Whataboutadog Virus/hijackthis Log


  • This topic is locked This topic is locked
22 replies to this topic

#1 wordisbonz

wordisbonz

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 09 December 2007 - 09:03 PM

hi i think I got the whataboutadog virus on Saturday and I posted here last nite. I followed the steps i was told to do (downloading and running and then deleting viruses/spyware with multiple anti-virus and spyblocking programs). Posted below is my HIJACKTHIS! log. Could anyone please let me know what to do next because my computer still is running slow and new virus are detected with each program. Thanks a bunch.

- PHIL









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:17 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcuxjho] c:\windows\system32\gkditfr.exe
O4 - HKLM\..\Run: [kcxin] C:\DOCUME~1\Owner\LOCALS~1\Temp\app86.tmp
O4 - HKLM\..\Run: [AutoTBar] AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MOGClient] C:\Program Files\MOG-O-MATIC\MogClient.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137825049234
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6370 bytes

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 10 December 2007 - 12:57 AM

Hello wordisbonz,

I am not seeing whataboutadog in your log.

If you have it then this will show in your log:

O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com


Why do you think you have whataboutadog infection?

Edited by SifuMike, 10 December 2007 - 01:01 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 10 December 2007 - 04:01 PM

i had it in my internet explorer history the other day. all the spyware and anti-virus programs i ran found a bunch of high risk viruses such as whataboutdog and trojans but i cleaned them as the preparation guide instructed....did that fix the problem by itself?

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 10 December 2007 - 06:06 PM

Hi wordisbonz,


Probably not, but let's make sure.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 11 December 2007 - 12:01 AM

Hi,

I downloaded the program but after I press "1" to perform the scan a window pops up that says "The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'close' to termintate the application." I tried to click Ignore instead of closed and the program terminates and this log is created:



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 12/10/2007
The current time is: 23:57:53.45


bak folders found
~~~~~~~~~~~


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~


end of report


Am i doing something wrong?
thanks again.

-wordisbonz

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 11 December 2007 - 01:13 AM

Sounds like you have some missing files.

Check the C:\WINDOWS\System32 folder for the file autoexec.nt ....... it's probably missing.

Also check the C:\WINDOWS\System32 folder for the file config.nt.

There should be a copy of it in the C:\Windows\repair folder that can be copied and Pasted to C:\WINDOWS\System32 folder.

Sometimes, config.nt will also be missing from the C:\Windows\System32 folder too.
There should be a copy of it in the C:\Windows\repair folder also. So copy and paste it to the C:\WINDOWS\System32 folder if it is missing.

then try FindAWF with option 1 and see if it works.

Edited by SifuMike, 11 December 2007 - 01:15 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 11 December 2007 - 11:22 AM

thanks that was the problem. I replaced those files.

here is the log AWF generated:




Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 12/11/2007
The current time is: 11:05:53.62


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 02:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

12/09/2007 11:56 AM 181 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/16/2002 06:57 PM 81,920 ps2.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 06:38 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/12/2003 07:23 AM 172,032 hpztsb08.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 19 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 19 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
186 Oct 17 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
181 Dec 9 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
324 Dec 8 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1027479107.xml"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe"


end of report

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 11 December 2007 - 12:17 PM

Hi wordisbonz,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\WINDOWS\bak\SM1BG.EXE"
"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 11 December 2007 - 09:21 PM

thank you,

here is the new log after I followed the instructions above:

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 12/11/2007
The current time is: 21:17:03.21


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 02:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/10/2007 09:18 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

12/09/2007 11:56 AM 181 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,917 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/16/2002 06:57 PM 81,920 ps2.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 06:38 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/12/2003 07:23 AM 172,032 hpztsb08.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
270648 Jul 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jul 10 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jul 19 2007 "C:\WINDOWS\Installer\{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}\iTunesIco.exe"
116024 Jul 19 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.1.3\iTunesSetupAdmin.exe"
181 Dec 9 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
181 Dec 9 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
324 Dec 8 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1027479107.xml"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe"
172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe"


end of report

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 11 December 2007 - 09:51 PM

Hi wordisbonz,

Your welcome. :thumbsup:

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

***************************


Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply

Edited by SifuMike, 11 December 2007 - 09:52 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 11 December 2007 - 11:10 PM

ok i did it, here are the results, thank you:

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Tue 12/11/2007
The current time is: 23:05:18.98


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 02:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
324 Dec 8 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1027479107.xml"


end of report

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 11 December 2007 - 11:40 PM

Hi wordisbonz,


Looks like we still have one bak folder to remove.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'



Please find and delete this bak folder


C:\WINDOWS\bak <== folder


Then run FindAWF with Option 1, and post the FindAWF log.

Edited by SifuMike, 11 December 2007 - 11:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 12 December 2007 - 12:18 AM

done.

thanks, here is the new log:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 12/12/2007
The current time is: 0:15:54.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

324 Dec 8 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1027479107.xml"


end of report

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:19 PM

Posted 12 December 2007 - 12:26 AM

Hi wordisbonz,

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Reboot and post a fresh Hijackthis log.

What antivirus are you running on this computer?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 wordisbonz

wordisbonz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 12 December 2007 - 01:18 AM

i run PC Tools Spyware Doctor and Threatfire.

here is the latest HijackThis log after following your instructions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:05 AM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcuxjho] c:\windows\system32\gkditfr.exe
O4 - HKLM\..\Run: [kcxin] C:\DOCUME~1\Owner\LOCALS~1\Temp\app86.tmp
O4 - HKLM\..\Run: [AutoTBar] AUTOTBAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MOGClient] C:\Program Files\MOG-O-MATIC\MogClient.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137825049234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6809 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users