Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adoginhispen Infection Shuts My Browser


  • This topic is locked This topic is locked
12 replies to this topic

#1 russjill

russjill

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 04 March 2008 - 08:53 PM

adoginhispen shuts my browser down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:24 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193716591199
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193716582216
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5979 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 03:08 PM

Hello russjill,

Welcome to Bleeping Computer :thumbsup:

# *Please download FindAWF by noahdfear and save it to your desktop:

# Please double-click FindAWF.exe to run option 1.
# If a security alert shows, allow the program to run.
# When the tool has completed, a report will open in Notepad.
# Please post the results of the awf.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 russjill

russjill
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 05 March 2008 - 05:08 PM

Here is my awf file.


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 03/05/2008
The current time is: 15:05:37.16


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 09:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/04/2008 08:16 PM 14,860 qttask.exe
1 File(s) 14,860 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/30/2007 05:43 PM 4,670,704 YahooMessenger.exe
1 File(s) 4,670,704 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

02/26/2008 12:28 PM 14,348 qttask.exe
1 File(s) 14,348 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/19/2006 02:41 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

02/01/2008 07:49 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK\BAK

11/27/2007 08:07 PM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
14348 Feb 26 2008 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
579072 Feb 1 2008 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 05:28 PM

Hello,

I'm going to recommend that you uninstall QuickTime via Add/Remove Programs, then reinstall it after we finish with the removal process, please.

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 russjill

russjill
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 05 March 2008 - 06:26 PM

Here is the new awf file.


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 03/05/2008
The current time is: 16:24:03.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 09:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/04/2008 08:16 PM 14,860 qttask.exe
1 File(s) 14,860 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/30/2007 05:43 PM 4,670,704 YahooMessenger.exe
1 File(s) 4,670,704 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

02/26/2008 12:28 PM 14,348 qttask.exe
1 File(s) 14,348 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/19/2006 02:41 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

02/01/2008 07:49 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK\BAK

11/27/2007 08:07 PM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
579072 Feb 1 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
579072 Feb 1 2008 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Nov 27 2007 "C:\Program Files\QuickTime\bak\bak\bak\qttask.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 07:07 PM

Hello,

Did you uninstall QuickTime? It's really infected and needs to be replaced. Please tell me what you've done, or not done, so I'll know how to proceed with it. :thumbsup:

For the rest:

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Messenger\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Grisoft\AVG7\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

How is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 russjill

russjill
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 05 March 2008 - 08:28 PM

Tea,

I unistalled Quicktime then followed your instructions. The computer has not shut off like it has been doing. Other than that it is still slow. Here is the new awf file.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 03/05/2008
The current time is: 18:25:14.33


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 08:46 PM

Hello,

Looks excellent so far! :blink:

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Now you can reinstall QuickTime, if you like. Please post a new HijackThis log and we'll see what might be left. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 russjill

russjill
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 05 March 2008 - 10:19 PM

Tea,

Here is the Hijackthis log.

Thanks for help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:19 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193716591199
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193716582216
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: McAfee Application Installer Cleanup (0132291204689254) (0132291204689254mcinstcleanup) - Unknown owner - C:\DOCUME~1\RUSS_J~1\LOCALS~1\Temp\013229~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7095 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 10:59 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: TTB000000 - {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - C:\WINDOWS\COUPON~1.DLL
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - C:\WINDOWS\CouponBarIE.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: McAfee Application Installer Cleanup (0132291204689254) (0132291204689254mcinstcleanup) - Unknown owner - C:\DOCUME~1\RUSS_J~1\LOCALS~1\Temp\013229~1.EXE (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file:

C:\WINDOWS\CouponBarIE.dll

Reboot your computer.

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

In your reply, please let me know if it's running better. :thumbsup: Everything else looks good. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 russjill

russjill
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:00 AM

Posted 05 March 2008 - 11:44 PM

Tea,

Thank you very much. The computer seems to be working better now.

Russ

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 05 March 2008 - 11:50 PM

Hi Russ,

That's great to know. :thumbsup: You can delete FindAWF now. Keep ATF cleaner if you like it.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:00 AM

Posted 09 March 2008 - 06:17 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users