Another Whataboutadog & Doginhispen Infection


This topic is locked
16 replies to this topic

#1 Stuart Bierig

Posted 08 January 2008 - 12:09 PM

My wife's laptop is infected with whataboutadog and doginhispen. I have tried a number of products to remove them, to no avail. I have Spybot and Adaware Plus on the PC. Here is the AWF Report. THANK YOU IN ADVANCE FOR YOUR HELP!


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 01/08/2008
The current time is: 12:02:19.79


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 07:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\CREATOR\BAK

01/23/2006 06:11 PM 802,816 Remind_XP.exe
1 File(s) 802,816 bytes

Directory of C:\WINDOWS\SMINST\BAK

12/20/2005 05:51 PM 1,187,840 Recguard.exe
02/15/2006 05:43 PM 892,928 Scheduler.exe
2 File(s) 2,080,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/23/2006 07:13 AM 77,824 hkcmd.exe
03/23/2006 07:17 AM 118,784 igfxpers.exe
03/23/2006 07:17 AM 94,208 igfxtray.exe
3 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

05/06/2005 04:06 PM 716,800 Smax4.exe
1 File(s) 716,800 bytes

Directory of C:\PROGRA~1\CANONE~1\SCANPA~1\BAK

11/17/2004 02:54 PM 196,671 drpanel.exe
1 File(s) 196,671 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 09:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 04:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

02/22/2006 10:03 AM 40,960 cpqset.exe
1 File(s) 40,960 bytes

Directory of C:\PROGRA~1\HPQ\HPWIRE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTERV~1\DVDCHE~1\BAK

11/08/2005 11:59 AM 184,320 DVDCheck.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

11/10/2005 01:04 PM 761,945 SynTPEnh.exe
1 File(s) 761,945 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/31/2005 07:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 03:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 19 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
26636 Oct 19 2007 "C:\WINDOWS\CREATOR\Remind_XP.exe"
802816 Jan 23 2006 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
26636 Oct 19 2007 "C:\WINDOWS\SMINST\Recguard.exe"
1187840 Dec 20 2005 "C:\WINDOWS\SMINST\bak\Recguard.exe"
26636 Oct 19 2007 "C:\WINDOWS\SMINST\Scheduler.exe"
892928 Feb 15 2006 "C:\WINDOWS\SMINST\bak\Scheduler.exe"
77824 Mar 23 2006 "C:\SwSetup\VID1\hkcmd.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\hkcmd.exe"
77824 Mar 23 2006 "C:\SwSetup\VID1\Win2000\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Mar 23 2006 "C:\SwSetup\VID1\igfxpers.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\igfxpers.exe"
118784 Mar 23 2006 "C:\SwSetup\VID1\Win2000\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxpers.exe"
94208 Mar 23 2006 "C:\SwSetup\VID1\igfxtray.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\igfxtray.exe"
94208 Mar 23 2006 "C:\SwSetup\VID1\Win2000\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
26636 Oct 19 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
716800 May 6 2005 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
716800 May 6 2005 "C:\SwSetup\Audio\SM_Panel\Sys\SMax4.exe"
26636 Oct 19 2007 "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe"
196671 Nov 17 2004 "C:\Program Files\Canon Electronics\Scan Panel\bak\drpanel.exe"
26636 Oct 19 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52848 Sep 16 2005 "C:\SwSetup\InetSec06\Support\ccCommon\ccCommon\ccApp.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
26636 Oct 19 2007 "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
26636 Oct 19 2007 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
40960 Feb 22 2006 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
1085420 Nov 8 2005 "C:\SwSetup\DVD\DVDCheck.exe"
26636 Oct 19 2007 "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe"
184320 Nov 8 2005 "C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe"
761945 Nov 10 2005 "C:\SwSetup\Touchpad\SynTPEnh.exe"
26636 Oct 19 2007 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
761945 Nov 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
761945 Nov 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Aug 31 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
122940 Aug 31 2005 "C:\Program Files\Sonic\DigitalMedia Plus v7\DLA\install\dlactrlw.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report

#2 quietman7

Posted 08 January 2008 - 01:39 PM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\SMINST\bak\Recguard.exe"
"C:\WINDOWS\SMINST\bak\Scheduler.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
"C:\Program Files\Canon Electronics\Scan Panel\bak\drpanel.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
"C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 08 January 2008 - 02:10 PM

I ran FindAWF and followed your instructions. Every few seconds, the Command window shows the following line (over and over again):

Killing PID 2412 'Smax4.exe'

This has been running for over 10 minutes.

By the way, how do you determine what to select from my original FindAWF posting?


Thank you.

#4 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 08 January 2008 - 02:42 PM

Thank you for your prompt reply.

I ran FindAWF and followed your instructions. However, every few seconds, the Command window shows the following line (over and over again):

Killing PID 2412 'Smax4.exe'

This has been running for over 60 minutes.

Please advise.


By the way, how did you determine what to select from my original FindAWF posting?

#5 quietman7

Posted 08 January 2008 - 02:53 PM

The legit SMax4.exe is related to SoundMAX. The replacement is related to the malware. The tool should not take that long. It may be having a problem killing that file. Close it down and try running it again.
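Stuart's question about how the restore list is chosen from the report is answered by the report itself: each copy under a `bak` folder is paired with the file of the same name one folder up, and where that file is missing or has a different size (here every replacement is 26636 bytes) the `bak` copy is the original to put back. The helper below is a Python example added here, not FindAWF's code or anything posted in the thread; it encodes that rule and emits the files.txt input for options 2 and 3, with sample lines quoted from the reports above.

```python
"""Triage a FindAWF "Duplicate files of bak directory contents" section.
Added example, not FindAWF's code. Rule it encodes from the reports above: the
infection parks the real executable in a sibling "bak" folder and leaves a stub
of one common size in its place, so a bak copy whose parent-folder twin is missing
or differs in size is the one to restore (option 2); once all pairs match, the bak
folders can be removed (option 3)."""
import ntpath
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# One report line:  <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')

class Entry(NamedTuple):
    size: int
    date: str
    path: str

def parse_duplicates(report: str) -> List[Entry]:
    """Keep only lines that look like file entries; headers and blanks are skipped."""
    return [Entry(int(m.group(1)), m.group(2), m.group(3))
            for m in map(LINE_RE.match, report.splitlines()) if m]

def parent_of_bak(path: str) -> Optional[str]:
    """For 'X\\bak\\name.exe' return 'X\\name.exe'; None if not inside a bak folder."""
    folder, name = ntpath.split(path)
    head, tail = ntpath.split(folder)
    return ntpath.join(head, name) if tail.lower() == "bak" else None

def triage(report: str) -> Dict[str, object]:
    """Pair each bak copy with its parent-folder twin and classify the pair."""
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}   # Windows paths compare case-insensitively
    restore, ok, missing = [], [], []
    stub_sizes = Counter()                           # sizes of files sitting where originals were
    for e in entries:
        parent = parent_of_bak(e.path)
        if parent is None:
            continue
        live = by_path.get(parent.lower())
        if live is None:                 # nothing left in the parent folder
            missing.append(e.path)
            restore.append(e.path)
        elif live.size != e.size:        # parent-folder file is not the original
            stub_sizes[live.size] += 1
            restore.append(e.path)
        else:                            # sizes agree: already restored
            ok.append(e.path)
    return {"restore": restore, "ok": ok, "missing": missing, "stub_sizes": dict(stub_sizes)}

def files_txt_option2(result: Dict[str, object]) -> str:
    """The quoted file list that FindAWF option 2 reads from files.txt."""
    return "\n".join(f'"{p}"' for p in result["restore"])

def files_txt_option3(report: str) -> List[str]:
    """The bak folder list for option 3, one entry per folder in report order."""
    folders: List[str] = []
    for e in parse_duplicates(report):
        folder = ntpath.dirname(e.path)
        if parent_of_bak(e.path) and folder.lower() not in (f.lower() for f in folders):
            folders.append(folder)
    return folders

# Excerpt quoted from the reports posted above; the ccApp pair comes from the
# post-restore report to show what a clean pair looks like.
SAMPLE = r'''
26636 Oct 19 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
77824 Mar 23 2006 "C:\SwSetup\VID1\hkcmd.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("files.txt for option 2:\n" + files_txt_option2(result))
    print("stub sizes found in parent folders:", result["stub_sizes"])
    print("bak folders for option 3:", files_txt_option3(SAMPLE))
```

Run against the full first report it selects all 17 bak copies (15 size mismatches plus the avgas and jusched originals whose parent files are gone), which is the list given in post #2; run against the post-restore report every pair matches and the restore list is empty.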

#6 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 08 January 2008 - 03:36 PM

I ended the process in Task Manager and ran FindAWF.
The new log is below.


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 01/08/2008
The current time is: 15:29:22.18


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 07:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\CREATOR\BAK

01/23/2006 06:11 PM 802,816 Remind_XP.exe
1 File(s) 802,816 bytes

Directory of C:\WINDOWS\SMINST\BAK

12/20/2005 05:51 PM 1,187,840 Recguard.exe
02/15/2006 05:43 PM 892,928 Scheduler.exe
2 File(s) 2,080,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

03/23/2006 07:13 AM 77,824 hkcmd.exe
03/23/2006 07:17 AM 118,784 igfxpers.exe
03/23/2006 07:17 AM 94,208 igfxtray.exe
3 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

05/06/2005 04:06 PM 716,800 Smax4.exe
1 File(s) 716,800 bytes

Directory of C:\PROGRA~1\CANONE~1\SCANPA~1\BAK

11/17/2004 02:54 PM 196,671 drpanel.exe
1 File(s) 196,671 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 09:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 04:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 07:38 AM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

02/22/2006 10:03 AM 40,960 cpqset.exe
1 File(s) 40,960 bytes

Directory of C:\PROGRA~1\HPQ\HPWIRE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTERV~1\DVDCHE~1\BAK

11/08/2005 11:59 AM 184,320 DVDCheck.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

11/10/2005 01:04 PM 761,945 SynTPEnh.exe
1 File(s) 761,945 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/31/2005 07:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 03:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
802816 Jan 23 2006 "C:\WINDOWS\CREATOR\Remind_XP.exe"
802816 Jan 23 2006 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
1187840 Dec 20 2005 "C:\WINDOWS\SMINST\Recguard.exe"
1187840 Dec 20 2005 "C:\WINDOWS\SMINST\bak\Recguard.exe"
892928 Feb 15 2006 "C:\WINDOWS\SMINST\Scheduler.exe"
892928 Feb 15 2006 "C:\WINDOWS\SMINST\bak\Scheduler.exe"
77824 Mar 23 2006 "C:\SwSetup\VID1\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\hkcmd.exe"
77824 Mar 23 2006 "C:\SwSetup\VID1\Win2000\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
77824 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
118784 Mar 23 2006 "C:\SwSetup\VID1\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\igfxpers.exe"
118784 Mar 23 2006 "C:\SwSetup\VID1\Win2000\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxpers.exe"
118784 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxpers.exe"
94208 Mar 23 2006 "C:\SwSetup\VID1\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\igfxtray.exe"
94208 Mar 23 2006 "C:\SwSetup\VID1\Win2000\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxtray.exe"
94208 Mar 23 2006 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
716800 May 6 2005 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
716800 May 6 2005 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
716800 May 6 2005 "C:\SwSetup\Audio\SM_Panel\Sys\SMax4.exe"
196671 Nov 17 2004 "C:\Program Files\Canon Electronics\Scan Panel\drpanel.exe"
196671 Nov 17 2004 "C:\Program Files\Canon Electronics\Scan Panel\bak\drpanel.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52848 Sep 16 2005 "C:\SwSetup\InetSec06\Support\ccCommon\ccCommon\ccApp.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\Hp\hpcoretech\bak\hpcmpmgr.exe"
40960 Feb 22 2006 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
40960 Feb 22 2006 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
1085420 Nov 8 2005 "C:\SwSetup\DVD\DVDCheck.exe"
184320 Nov 8 2005 "C:\Program Files\InterVideo\DVD Check\DVDCheck.exe"
184320 Nov 8 2005 "C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe"
761945 Nov 10 2005 "C:\SwSetup\Touchpad\SynTPEnh.exe"
761945 Nov 10 2005 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
761945 Nov 10 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
761945 Nov 10 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
122940 Aug 31 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Aug 31 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
122940 Aug 31 2005 "C:\Program Files\Sonic\DigitalMedia Plus v7\DLA\install\dlactrlw.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report

#7 quietman7

Posted 08 January 2008 - 09:51 PM

Double-click the FindAWF icon once again.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\CREATOR\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Canon Electronics\Scan Panel\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak
C:\Program Files\Hp\hpcoretech\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\InterVideo\DVD Check\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#8 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 09 January 2008 - 07:58 AM

Here we go... Looking good.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 01/09/2008
The current time is: 7:53:42.59


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#9 quietman7

Posted 09 January 2008 - 10:33 AM

Double-click the FindAWF icon once again.
  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'.
  • You will receive a warning to reset domain zones.
  • Press 1 then press 'Enter'.
  • After resetting the domain zones, the program will return to the main menu.
  • Use the following option: Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.
Looks like your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older Java components and update:
  • Download the Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


#10 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 09 January 2008 - 12:00 PM

DONE. I also ran Adaware and AntiSpyware.

This question may be worthy of a new post.

Both Adaware and SuperAntiSpyware show a bunch of bad stuff in QSP files within my C:\Windows\Temp directory. (I clean the laptop weekly with ccleaner.) None of the identified issues (see below) have any files anywhere else on the laptop, only in C:\Windows\Temp. I also am NOT seeing any symptoms of these issues on the PC or when using the browser.

ISSUES:
CmdServices
iSearchToolbar
Get Mirar
Adware.Mirar

When I delete these files in Safe mode and scan the machine, the above applications find nothing else on the laptop. Should I post a Hijack log in the Hijack forum?

Thank you.

#11 quietman7

Posted 09 January 2008 - 12:21 PM

I'm confused about your last reply. QSP files are related to QSetup. Are you saying these files are shown by those names but as .qsp files?

Can I see the SAS log only?

#12 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 09 January 2008 - 01:54 PM

SAS Log is below. The directory fills up with more qsp files, which relate to other adware/malware.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/09/2008 at 01:14 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 00:53:15

Memory items scanned : 571
Memory threats detected : 0
Registry items scanned : 6468
Registry threats detected : 0
File items scanned : 44673
File threats detected : 49

Adware.Adservs

Unclassified.Unknown Origin

Trojan.Unknown Origin

#13 quietman7

Posted 09 January 2008 - 03:49 PM

Adware.Adservs usually involves .dll files.

Get a second opinion by submitting one or two of the files to jotti's virusscan or virustotal.com.
In the "File to upload & scan" box, browse to the location of the suspicious file and submit [upload] it for scanning/analysis.
Post back with the results of the file analysis.

#14 Stuart Bierig

Stuart Bierig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 09 January 2008 - 05:28 PM

Here ya go...


File: 47851A09.qsp
Status: INFECTED/MALWARE
MD5: 0f8deb5a57d8310b2d7ef90b84480f13
Packers detected: UPX
Bit9 reports: Low threat detected

Scanner results
Scan taken on 09 Jan 2008 22:23:23 (GMT)
A-Squared Found nothing
AntiVir Found ADSPY/CommAd.A
ArcaVir Found Trojan.Delf.Hp
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Generic.GMD
BitDefender Found Adware.CommAd.A
ClamAV Found Adware.CommAd-2
CPsecure Found Malware.W32.CommAd.A
Dr.Web Found Trojan.Proxy.493
F-Prot Antivirus Found W32/Backdoor.AJHB
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.CommAd.a (4, 1, 400)
Fortinet Found Adware/Isearch
Ikarus Found Trojan-Downloader.Win32.Banload.F
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.CommAd.a
NOD32 Found Win32/Adware.CommAd application
Norman Virus Control Found W32/CommAd.B
Panda Antivirus Found nothing
Rising Antivirus Found Backdoor.BlackHole.ax
Sophos Antivirus Found nothing
VirusBuster Found Adware.CommAd.A
VBA32 Found AdWare.Win32.CommAd.a

#15 quietman7

Posted 09 January 2008 - 06:17 PM

We can easily remove these files but that does not resolve the problem of them being regenerated. To do that you need to identify what is creating them so we probably should take a look at a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.



