Computing.Net
removal of b.whataboutadog.com
Original Message
Name: oddware
Date: February 2, 2008 at 06:41:20 Pacific
Subject: removal of b.whataboutadog.com
OS: xp
CPU/Ram: pentium/256
Manufacturer/Model: ibm a21
Comment: I have this whataboutadog trojan/virus thing. Per an earlier post from someone with a similar problem, I have run FindAWF, and posted the results below. Can anyone help me with this? Thanks.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 02/02/2008
The current time is: 9:29:07.97

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006  06:45 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\MESSEN~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

06/11/2006  03:45 PM           282,624 qttask.exe
               1 File(s)        282,624 bytes

 Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007  04:46 PM         1,460,560 TeaTimer.exe
               1 File(s)      1,460,560 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK

07/16/2002  01:55 PM            32,768 deskup.exe
08/13/2002  05:30 PM            86,016 ImgIcon.exe
               2 File(s)        118,784 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005  09:29 PM           303,104 mcagent.exe
01/28/2008  04:27 PM            24,592 McUpdate.exe
               2 File(s)        327,696 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

09/22/2005  02:19 PM           122,880 mcmnhdlr.exe
08/17/2003  11:50 PM           163,840 mcvsshld.exe
               2 File(s)        286,720 bytes

 Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007  02:06 AM            40,048 Reader_sl.exe
               1 File(s)         40,048 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

10/08/2007  03:06 PM            24,592 mcupdate.exe
               1 File(s)         24,592 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006  03:05 PM           212,992 mcupdate.exe
               1 File(s)        212,992 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Jan 28 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
24592 Jan 28 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Jun 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
24592 Jan 28 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
24592 Jan 28 2008 "C:\Program Files\Iomega\DriveIcons\deskup.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
24592 Jan 28 2008 "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
86016 Aug 13 2002 "C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
122880 Sep 22 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
163840 Aug 17 2003 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
24592 Jan 28 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
24592 Sep 11 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Jan 28 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"

end of report
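What the FindAWF report above actually shows is a pairing exercise: every folder named bak under Program Files is listed, and each file in it is matched against the same-named file one level up. The pattern that falls out is the infection signature: every live autostart executable has become a 24,592-byte file dated the day of infection, while the original sits in bak (and for mcupdate.exe the hijack happened three times, so each bak level holds the previous replacement). The script below is an added example, not part of this thread and not FindAWF's own code. It reproduces that pairing in Python so it can be run over any directory tree, compares content rather than only size, emulates Windows' case-insensitive file names (McUpdate.exe vs mcupdate.exe), and reports when the mismatched live files cluster on one size. The SAMPLE_FILES tree is a constructed miniature of the one in the report: the paths and sizes are taken from the log, the file contents are filler, and the Reader_sl.exe pair is written as it would look after a restore so one clean match is present.

```python
import hashlib
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Size of the replacement binary in the FindAWF report above: every hijacked
# executable in a parent folder was exactly 24,592 bytes.
AWF_DROPPER_SIZE = 24592


@dataclass
class BakPair:
    """One file found inside a bak folder, paired with its namesake one level up."""
    bak_path: str
    bak_size: int
    bak_sha1: str
    parent_path: Optional[str]      # None when the parent folder has no such file
    parent_size: Optional[int]
    parent_sha1: Optional[str]

    @property
    def mismatch(self) -> bool:
        # Compare content, not just size: in the report Agent\mcupdate.exe and
        # Agent\bak\McUpdate.exe are both 24,592 bytes yet are different files.
        return self.parent_sha1 != self.bak_sha1


def _sha1(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _find_case_insensitive(directory: str, name: str) -> Optional[str]:
    """Windows names are case-insensitive (McUpdate.exe == mcupdate.exe); emulate
    that so the pairing is right even when the tree is examined from a Linux host."""
    wanted = name.lower()
    for entry in os.listdir(directory):
        candidate = os.path.join(directory, entry)
        if entry.lower() == wanted and os.path.isfile(candidate):
            return candidate
    return None


def find_bak_pairs(root: str) -> List[BakPair]:
    """Walk `root`; for every folder named 'bak' pair each file in it with the
    same-named file in the folder above. Nested bak\\bak\\bak folders work the
    same way: the parent of Agent\\bak\\bak is Agent\\bak."""
    pairs: List[BakPair] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent_dir = os.path.dirname(dirpath)
        for name in filenames:
            bak_file = os.path.join(dirpath, name)
            parent_file = _find_case_insensitive(parent_dir, name)
            pairs.append(BakPair(
                bak_path=bak_file,
                bak_size=os.path.getsize(bak_file),
                bak_sha1=_sha1(bak_file),
                parent_path=parent_file,
                parent_size=os.path.getsize(parent_file) if parent_file else None,
                parent_sha1=_sha1(parent_file) if parent_file else None,
            ))
    return sorted(pairs, key=lambda p: p.bak_path.lower())


def suspicious_pairs(pairs: List[BakPair]) -> List[BakPair]:
    """Pairs whose live file is missing or differs from the bak copy."""
    return [p for p in pairs if p.mismatch]


def dropper_size(pairs: List[BakPair]) -> Optional[int]:
    """AWF writes one binary over every hijacked executable, so the mismatched
    live files cluster on a single size. Return that size when a clear majority
    (more than half, at least two files) share it, else None."""
    sizes = Counter(p.parent_size for p in suspicious_pairs(pairs)
                    if p.parent_size is not None)
    if not sizes:
        return None
    size, count = sizes.most_common(1)[0]
    return size if count >= 2 and 2 * count > sum(sizes.values()) else None


# Constructed miniature of the tree in the report: (path under Program Files,
# size in bytes, content tag). Sizes are the ones FindAWF printed; contents are
# filler, with a distinct tag wherever the real files would differ.
SAMPLE_FILES = [
    ("iTunes/iTunesHelper.exe",                   24592,  "DROPPER"),
    ("iTunes/bak/iTunesHelper.exe",               278528, "itunes-original"),
    ("QuickTime/qttask.exe",                      24592,  "DROPPER"),
    ("QuickTime/bak/qttask.exe",                  282624, "quicktime-original"),
    ("McAfee.com/Agent/mcagent.exe",              24592,  "DROPPER"),
    ("McAfee.com/Agent/bak/mcagent.exe",          303104, "mcagent-original"),
    # mcupdate.exe was hijacked three times; each bak level holds the previous one.
    ("McAfee.com/Agent/mcupdate.exe",             24592,  "DROPPER-2007-09-11"),
    ("McAfee.com/Agent/bak/McUpdate.exe",         24592,  "DROPPER-2008-01-28"),
    ("McAfee.com/Agent/bak/bak/mcupdate.exe",     24592,  "DROPPER-2007-10-08"),
    ("McAfee.com/Agent/bak/bak/bak/mcupdate.exe", 212992, "mcupdate-original"),
    # One pair as it looks after a successful restore: live file == bak copy.
    ("Adobe/Reader 8.0/Reader/Reader_sl.exe",     40048,  "reader-original"),
    ("Adobe/Reader 8.0/Reader/bak/Reader_sl.exe", 40048,  "reader-original"),
]


def build_sample_tree(root: str) -> None:
    for rel, size, tag in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        filler = tag.encode()
        with open(path, "wb") as f:
            f.write((filler * (size // len(filler) + 1))[:size])


def scan_sample() -> List[BakPair]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_bak_pairs(tmp)


if __name__ == "__main__":
    pairs = scan_sample()
    for p in pairs:
        status = "MISMATCH" if p.mismatch else "ok"
        print(f"{status:8} live={p.parent_size} bak={p.bak_size}  {p.bak_path}")
    print("probable dropper size:", dropper_size(pairs),
          "(matches report)" if dropper_size(pairs) == AWF_DROPPER_SIZE else "")
```

Run it as is to see the constructed tree scanned, or call find_bak_pairs() on a real Program Files path. Hashing rather than size comparison is the point: a size-only check would have passed the Agent\mcupdate.exe pair in the first report, where live file and bak copy are both 24,592 bytes and both droppers.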
Response Number 1
Name: jabuck
Date: February 2, 2008 at 18:04:16 Pacific
Reply: Go to this link: Disable Realtime Protection
Follow their directions to disable any realtime protection that you have, as it will interfere with the fix by reinstalling the corrupt files.

Double-click the FindAWF icon once again. If a Security Alert shows, allow the program to run. As instructed, press any key to continue.

Use the following option: Press 2 then Enter to restore files from bak folders.

A text file opens called: files.txt

Copy/paste the following list of bolded files to be restored:

"C:\Program Files\iTunes\iTunesHelper.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\Program Files\Iomega\DriveIcons\deskup.exe"
"C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
"C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
"C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
"C:\Program Files\McAfee.com\Agent\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
"C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log. Please provide the new FindAWF log in your reply.

Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 2
Name: oddware
Date: February 4, 2008 at 14:36:56 Pacific
Reply: thanks- here's the latest findAWF:

Find AWF report by noahdfear ©2006
Version 1.40

Option 2 run successfully

The current date is: Mon 02/04/2008
The current time is: 17:26:11.38

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006  06:45 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\MESSEN~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

06/11/2006  03:45 PM           282,624 qttask.exe
               1 File(s)        282,624 bytes

 Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007  04:46 PM         1,460,560 TeaTimer.exe
               1 File(s)      1,460,560 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK

07/16/2002  01:55 PM            32,768 deskup.exe
08/13/2002  05:30 PM            86,016 ImgIcon.exe
               2 File(s)        118,784 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005  09:29 PM           303,104 mcagent.exe
01/11/2006  03:05 PM           212,992 mcupdate.exe
               2 File(s)        516,096 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

09/22/2005  02:19 PM           122,880 mcmnhdlr.exe
08/17/2003  11:50 PM           163,840 mcvsshld.exe
               2 File(s)        286,720 bytes

 Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007  02:06 AM            40,048 Reader_sl.exe
               1 File(s)         40,048 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

10/08/2007  03:06 PM            24,592 mcupdate.exe
               1 File(s)         24,592 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006  03:05 PM           212,992 mcupdate.exe
               1 File(s)        212,992 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Jun 11 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Jun 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\deskup.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
86016 Aug 13 2002 "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
86016 Aug 13 2002 "C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
122880 Sep 22 2005 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
122880 Sep 22 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
163840 Aug 17 2003 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
163840 Aug 17 2003 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"

end of report
Response Number 3
Name: oddware
Date: February 4, 2008 at 14:40:22 Pacific
Reply: Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:47 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [s3nj3Fi] imm4dmod.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/...
O16 - DPF: {2513AB48-1AEF-4E55-8329-927FF97C9DCE} (ExpressView Class) - http://216.142.118.75:9999/plugin/M...
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pc...
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

--
End of file - 5529 bytes
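Reading the O4 section of a HijackThis log by hand, the entries worth a second look are the ones that do not look like the rest: a Run value whose target sits inside a bak folder (the MCUpdateExe line above, pointing at the AWF backup location), a bare file name with no directory that Windows will locate through its search order (tp4mon.exe and imm4dmod.exe), a value name that looks generated rather than chosen (s3nj3Fi), and a startup shortcut HijackThis could not resolve (the "= ?" line). The script below is an added example, not HijackThis code and not something jabuck posted: it parses O4 lines, with the lines copied from the log above as its sample input, and attaches those four heuristics as flags. The heuristics and the looks_random rule are this example's own, and a flag is a prompt to look, not a verdict; the TrackPoint entry is a bare name and is the normal ThinkPad pointing-stick utility.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# O4 lines copied from the HijackThis log above; sample input for this example.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [s3nj3Fi] imm4dmod.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
""".strip().splitlines()

# "O4 - HKLM\..\Run: [Name] command"  and  "O4 - Global Startup: Name.lnk = path"
REG_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
STARTUP = re.compile(r'^O4 - (?P<where>(?:\w+ )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')


@dataclass
class O4Entry:
    source: str                    # e.g. "HKLM\Run" or "Global Startup"
    name: str                      # registry value name or shortcut name
    target: str                    # executable the command resolves to
    flags: Set[str] = field(default_factory=set)


def extract_target(cmd: str) -> str:
    """Pull the executable out of a Run-key command line: a quoted path, an
    unquoted path up to '.exe' (paths with spaces are common), or a bare token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def looks_random(name: str) -> bool:
    """Heuristic (this example's own) for machine-generated value names: a single
    word, mixed case, with a digit somewhere other than the first or last position."""
    if " " in name or len(name) < 6:
        return False
    has_lower = any(c.islower() for c in name)
    has_upper = any(c.isupper() for c in name)
    inner_digit = any(c.isdigit() for c in name[1:-1])
    return has_lower and has_upper and inner_digit


def parse_o4(line: str) -> O4Entry:
    m = REG_RUN.match(line)
    if m:
        return O4Entry(f"{m['hive']}\\{m['key']}", m["name"], extract_target(m["cmd"]))
    m = STARTUP.match(line)
    if m:
        return O4Entry(m["where"], m["name"], extract_target(m["cmd"]))
    raise ValueError(f"not an O4 line: {line!r}")


def triage_o4(lines: List[str]) -> List[O4Entry]:
    """Parse every O4 line and attach the flags a human should look at.
    A flag is a prompt, not a verdict: tp4mon.exe is a bare name and legitimate."""
    entries: List[O4Entry] = []
    for line in lines:
        if not line.startswith("O4 - "):
            continue
        e = parse_o4(line)
        t = e.target.lower()
        if e.target == "?":
            e.flags.add("unresolved")          # HijackThis could not resolve the shortcut
        elif "\\" not in t and "/" not in t:
            e.flags.add("no_path")             # bare name, located via the PATH search order
        if "\\bak\\" in t:
            e.flags.add("in_bak")              # autostart pointing into an AWF bak folder
        if looks_random(e.name):
            e.flags.add("random_name")
        entries.append(e)
    return entries


if __name__ == "__main__":
    for e in triage_o4(SAMPLE_O4_LINES):
        mark = ", ".join(sorted(e.flags)) or "-"
        print(f"{mark:24} [{e.name}] -> {e.target}")
```

On the sample lines this flags exactly four entries: s3nj3Fi (no_path, random_name), MCUpdateExe (in_bak), TrackPointSrv (no_path) and the unresolved MA521 shortcut; every other line comes out clean. The no_path rule is deliberately noisy: a bare name in a Run value is how both legitimate system32 utilities and droppers are commonly registered, so the point of the flag is to make a human check where the name actually resolves.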
Response Number 4
Name: jabuck
Date: February 4, 2008 at 14:58:44 Pacific
Reply: Double-click the FindAWF icon once again. If a Security Alert shows, allow the program to run. As instructed, press any key to continue.

Use the following option: Press 2 then Enter to restore files from bak folders.

A text file opens called: files.txt

Copy/paste the following list of bolded files to be restored:

C:\PROGRA~1\MESSEN~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\McAfee.com\VSO\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\Agent\bak\bak
C:\Program Files\McAfee.com\Agent\bak\bak\bak

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log. Please provide the new FindAWF log in your reply.

Please download ComboFix to the desktop from one of the following links: Link 1, Link 2, Link 3
Double-click combofix.exe and follow the prompts. (Don't click on the window while the program is running; it may cause your system to hang.)
Please post the log it produces.
Response Number 5
Name: oddware
Date: February 4, 2008 at 18:40:00 Pacific
Reply: Here's the FindAWF log:

Find AWF report by noahdfear ©2006
Version 1.40

Option 2 run successfully

The current date is: Mon 02/04/2008
The current time is: 18:39:43.27

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006  06:45 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\MESSEN~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

06/11/2006  03:45 PM           282,624 qttask.exe
               1 File(s)        282,624 bytes

 Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007  04:46 PM         1,460,560 TeaTimer.exe
               1 File(s)      1,460,560 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK

07/16/2002  01:55 PM            32,768 deskup.exe
08/13/2002  05:30 PM            86,016 ImgIcon.exe
               2 File(s)        118,784 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005  09:29 PM           303,104 mcagent.exe
01/11/2006  03:05 PM           212,992 mcupdate.exe
               2 File(s)        516,096 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

09/22/2005  02:19 PM           122,880 mcmnhdlr.exe
08/17/2003  11:50 PM           163,840 mcvsshld.exe
               2 File(s)        286,720 bytes

 Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007  02:06 AM            40,048 Reader_sl.exe
               1 File(s)         40,048 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

10/08/2007  03:06 PM            24,592 mcupdate.exe
               1 File(s)         24,592 bytes

 Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006  03:05 PM           212,992 mcupdate.exe
               1 File(s)        212,992 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Jun 11 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Jun 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\deskup.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
86016 Aug 13 2002 "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
86016 Aug 13 2002 "C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
122880 Sep 22 2005 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
122880 Sep 22 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
163840 Aug 17 2003 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
163840 Aug 17 2003 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
24592 Oct 8 2007 "C:\Program Files\McAfee.com\Agent\bak\bak\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\mcupdate.exe"

end of report

ComboFix would not run. I keep getting this error message: Windows cannot find "C:\WINDOWS\system32\kmd.exe"
Response Number 7
Name: oddware
Date: February 5, 2008 at 14:47:41 Pacific
Reply: Here's the latest: I downloaded Combofix again from site #3 this time, and it ran fine (some stack overflow messages, but it kept running). Here's the log file. Thanks for putting up with me.

ComboFix 08-02.05.3 - Brian 2008-02-05 17:02:12.1 - NTFSx86
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\aZ001.exe
C:\temp\iee
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache(2).dsk
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-01-27 19:53 . 2008-01-27 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 13:37 . 2008-01-27 13:37 <DIR> d-------- C:\Documents and Settings\Emily\Application Data\RegClean
2008-01-27 08:51 . 2008-01-28 16:22 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 15:13 . 2008-01-25 15:19 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\RegClean
2008-01-25 15:12 . 2008-01-28 16:21 <DIR> d-------- C:\Program Files\RegClean
2008-01-05 22:49 . 2008-01-05 22:49 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 22:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-04 22:26 --------- d-----w C:\Program Files\QuickTime
2008-02-04 22:26 --------- d-----w C:\Program Files\iTunes
2008-02-04 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 23:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-07-10 02:42 6,369 --sh--w C:\WINDOWS\system32\xwvwa.bak1
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 02:56 82432 C:\WINDOWS\system32\tp4mon.exe]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 17:30 86016]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 13:55 32768]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-09-22 14:19 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 23:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 21:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 15:05 212992]
"s3nj3Fi"="imm4dmod.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 18:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 15:45 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
C:\Documents and Settings\Emily\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-02-12 11:37:48 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-09 17:47:47 113664]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-01-01 19:42:29 86016]
MA521 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2003-11-23 23:59:48 380928]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
Script execution time was exceeded on script "C:\ComboFix\lnkread.vbs".
Script execution was terminated.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-04-14 21:36 77824]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
R3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;C:\WINDOWS\system32\DRIVERS\MA521nd5.SYS [2003-05-21 19:44]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 11:57]
*Newly Created Service* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 21:17:08 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 17:10:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-05 17:41:51
ComboFix-quarantined-files.txt 2008-02-05 22:41:44

Response Number 8
Name: jabuck
Date: February 5, 2008 at 18:38:10 Pacific

Reply: Go to this link: Disable Realtime Protection. Follow their directions to disable any realtime protection that you have, as it will interfere with the fix by reinstalling the corrupt files.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\xwvwa.bak1

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"s3nj3Fi"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "Run".

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Download ATF Cleaner from this link: ATF Cleaner
Run ATF-Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded, click on Next.
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database: Extended
Scan Options: Scan Archives, Scan Mail Base
Click OK and, under "Select a target to scan", select My Computer.
When the scan is done, in the "Scan is completed" window (below), any infection is displayed. There is no option to clean/disinfect; however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save As prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Post a new ComboFix log.

Response Number 9
Name: oddware
Date: February 6, 2008 at 13:57:26 Pacific

Reply:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 6:21:05 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/02/2008
Kaspersky Anti-Virus database records: 550471
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 37907
Number of viruses found: 5
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:53:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\Brian\Application Data\InterMute\SpySubtract\tmp\3 Object is locked skipped
C:\Documents and Settings\Brian\Application Data\InterMute\SpySubtract\tmp\3.ldb Object is locked skipped
C:\Documents and Settings\Brian\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temp\JETBD7A.tmp Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brian\ntuser.dat Object is locked skipped
C:\Documents and Settings\Brian\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir/data0002/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir/data0003 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir/data0004 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir/data0005 Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\QooBox\Quarantine\C\Temp\aZ001.exe.vir NSIS: infected - 5 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1479AA47-CD3D-4942-BE5D-731AA30751B3}\RP847\change.log Object is locked skipped
C:\WINDOWS\cfgmgr52.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

********************************

Combofix log:

ComboFix 08-02.05.3 - Brian 2008-02-06 6:36:18.3 - NTFSx86
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.
2008-02-05 22:25 . 2008-02-05 22:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-05 22:25 . 2008-02-05 22:25 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-05 22:25 . 2008-02-05 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-05 21:56 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-05 19:53 . 2008-02-05 19:53 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-27 19:53 . 2008-01-27 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-27 13:37 . 2008-01-27 13:37 <DIR> d-------- C:\Documents and Settings\Emily\Application Data\RegClean
2008-01-27 08:51 . 2008-01-28 16:22 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 15:13 . 2008-01-25 15:19 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\RegClean
2008-01-25 15:12 . 2008-01-28 16:21 <DIR> d-------- C:\Program Files\RegClean
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 00:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-04 22:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-04 22:26 --------- d-----w C:\Program Files\QuickTime
2008-02-04 22:26 --------- d-----w C:\Program Files\iTunes
2008-02-04 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 23:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-06 03:49 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 02:56 82432 C:\WINDOWS\system32\tp4mon.exe]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 17:30 86016]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 13:55 32768]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2005-09-22 14:19 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 23:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 21:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 15:05 212992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 18:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 15:45 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
C:\Documents and Settings\Emily\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-02-12 11:37:48 225280]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-01-09 17:47:47 113664]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-01-01 19:42:29 86016]
MA521 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe [2003-11-23 23:59:48 380928]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2005-04-14 21:36:40 1187840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2005-04-14 21:36 77824]
R3 rtl8180;NETGEAR MA521 802.11b Wireless PC Card;C:\WINDOWS\system32\DRIVERS\MA521nd5.SYS [2003-05-21 19:44]
*Newly Created Service* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 08:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 06:41:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-06 15:52:33
ComboFix-quarantined-files.txt 2008-02-06 20:52:27
ComboFix2.txt 2008-02-06 03:14:45
ComboFix3.txt 2008-02-05 22:41:53

Response Number 10
Name: jabuck
Date: February 6, 2008 at 15:22:48 Pacific

Reply: Looks much better.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\cfgmgr52.dll

Folder::
C:\Qoobox
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "Run".

Your Java is out of date and can be exploited. Download the latest version of Java from this link: Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Let us know how the computer is operating please.
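As an added example (not code from this thread, from ComboFix, or from jabuck), here is how the two CFScripts in responses 8 and 10 can be derived from the log instead of typed by hand. The script parses the "Reg Loading Points" section of a ComboFix log, flags Run values that ComboFix could not resolve to a file on disk (the empty [ ] after "s3nj3Fi"="imm4dmod.exe" in the first log), and emits a CFScript in the File::/Folder::/Registry:: layout used in the thread, where "name"=- deletes a value. The sample log lines are copied from the first ComboFix log above and trimmed; the three heuristics and the "two signals before deleting" threshold are my assumptions about how to read such a log, not rules that ComboFix itself applies.

```python
import re

# Constructed sample: Run-key lines copied from the first ComboFix log in
# this thread and trimmed to the entries the parser needs.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 02:56 82432 C:\WINDOWS\system32\tp4mon.exe]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 15:05 212992]
"s3nj3Fi"="imm4dmod.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 18:45 278528]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\')
MIXED_RE = re.compile(r'[a-z]\d[a-z]', re.I)   # digits wedged between letters


def parse_run_entries(log_text):
    """Return (key, value_name, target, meta) for each Run-key value line.

    ComboFix prints the value, then in brackets the file's timestamp, size
    and, when the value was a bare name it had to look up, the resolved
    path.  An empty bracket means it could not find the file at all.
    """
    entries, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group('name'), m.group('target'),
                            m.group('meta').strip()))
    return entries


def triage(entries):
    """Heuristic triage (my assumptions, not ComboFix's own verdicts).

    Each finding carries its reasons so the analyst can weigh them: one
    reason alone (a stale entry for an uninstalled toolbar, say) is not
    proof of malware.
    """
    findings = []
    for key, name, target, meta in entries:
        reasons = []
        if not meta:
            reasons.append('file not found on disk (empty [ ])')
        bare = '\\' not in target and ':' not in target
        if bare and not DRIVE_PATH_RE.search(meta):
            reasons.append('bare file name, no resolved path (PATH lookup)')
        if MIXED_RE.search(name):
            reasons.append('random-looking value name')
        if reasons:
            findings.append({'key': key, 'name': name,
                             'target': target, 'reasons': reasons})
    return findings


def build_cfscript(registry_findings, files=(), folders=()):
    """Render a CFScript in the layout used in this thread: File:: first,
    then Folder::, then Registry:: with "name"=- to delete each value."""
    out = []
    if files:
        out += ['File::', *files, '']
    if folders:
        out += ['Folder::', *folders, '']
    if registry_findings:
        out.append('Registry::')
        by_key = {}
        for f in registry_findings:
            by_key.setdefault(f['key'], []).append(f['name'])
        for key, names in by_key.items():
            out.append('[%s]' % key)
            out += ['"%s"=-' % n for n in names]
    return '\n'.join(out).rstrip('\n') + '\n'


def run_triage(log_text=SAMPLE_LOG):
    return triage(parse_run_entries(log_text))


def example_script():
    """Delete only entries with two or more independent signals, and add the
    hidden .bak1 file from the Find3M section, as in response 8's script."""
    confirmed = [f for f in run_triage() if len(f['reasons']) >= 2]
    return build_cfscript(confirmed, files=[r'C:\WINDOWS\system32\xwvwa.bak1'])


if __name__ == '__main__':
    for f in run_triage():
        print('%s\\%s = %s' % (f['key'], f['name'], f['target']))
        for r in f['reasons']:
            print('    -', r)
    print()
    print(example_script())
```

Run as-is, it lists two findings and then prints a script identical to the one in response 8. The swg entry is reported but not deleted: a missing file on its own is just as consistent with a half-uninstalled toolbar as with malware, whereas s3nj3Fi trips all three signals at once. Point `run_triage` at a full log and the same parser will also pick up the lower-case `[hkey_local_machine\...\shellexecutehooks]` key, so review the findings before dropping the generated CFScript onto ComboFix.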