Subject: whataboutadog sucks

Original Message
Name: benbob
Date: October 26, 2007 at 18:31:20 Pacific
Subject: whataboutadog sucks
OS: Win XP
CPU/Ram: 2.4Mhz / 1.2G
Model/Manufacturer: self
Comment:
I'm being attacked by the whataboutadog and doginhispen $&!# too. I have the HijackThis and FindAWF reports, if anyone can help me out. I'm not sure how you know what to edit, so any help is greatly appreciated.

Don't know if it's related to the whataboutadog infection, but if I try to install the free AVG, or the purchased Zone Alarm Pro software, my computer shuts down when I run IE. Blue screen of death, and then it takes it several tries to reboot. When it finally reboots, it's fine unless I run IE. New one on me.



Response Number 1
Name: benbob
Date: October 26, 2007 at 18:34:33 Pacific
Subject: whataboutadog sucks
Reply:
And, I evidently don't know the difference between Mhz and Ghz (if anyone noticed my CPU callout). Just noticed it after I posted. I'm an idiot.


Response Number 2
Name: jabuck
Date: October 26, 2007 at 19:04:16 Pacific
Subject: whataboutadog sucks
Reply:
Please post the HijackThis log and the FindAWF log.


Response Number 3
Name: benbob
Date: October 26, 2007 at 19:19:33 Pacific
Subject: whataboutadog sucks
Reply:
Here you go. Thanks for taking a look.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:10 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Ben Murphy\My Documents\Downloaded Setups\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=7brC1TiMlQ...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/fjcruiser/features.html
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/de...
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/bingame/pppp/de...
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://sympatico.zone.msn.com/binga...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/amun/de...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUn...
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/de...
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUn...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcapl...
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7356 bytes


****FindAWF Log****


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 10/26/2007
The current time is: 20:05:09.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

03/18/2006 07:04 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

11/15/2005 01:28 PM 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 05:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/04/2005 12:42 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\MICROS~2\KEYBOARD\BAK

03/21/2002 11:41 PM 94,208 type32.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/10/2007 02:27 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

09/25/2004 02:37 AM 1,691,648 DrgToDsc.exe
1 File(s) 1,691,648 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Mar 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
94208 Mar 21 2002 "C:\Program Files\Microsoft Hardware\Keyboard\bak\type32.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
28672 May 24 2004 "C:\Program Files\Autodesk\Inventor Professional 9\Stress Analysis\AISOL\CAD Integration\ReaderHostU.exe"
185896 Mar 10 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
1691648 Sep 25 2004 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report


benbob



Response Number 4
Name: jabuck
Date: October 26, 2007 at 19:33:15 Pacific
Subject: whataboutadog sucks
Reply:

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Microsoft Hardware\Keyboard\bak\type32.exe"
"C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.


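A check for the restore step jabuck describes above, as an added example that is not part of the thread or of FindAWF itself: it parses the "Duplicate files of bak directory contents" section of a FindAWF log and reports, for each file in a bak folder, whether the parent folder holds a copy of the same size and date (already restored) or not (the rogue file is still in place and Option 2 has to put the original back). Entries outside any bak folder that have no bak counterpart are listed separately for manual review. The sample log lines are constructed, abridged from the log benbob posted.

```python
"""Triage the duplicate-files section of a FindAWF log (added example)."""
import re
from pathlib import PureWindowsPath

# One entry line: <bytes> <Mon> <day> <year> "<full path>"
ENTRY_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

# Constructed sample, abridged from the first FindAWF log in the thread.
SAMPLE_BEFORE = r'''Find AWF report by noahdfear (c)2006
Version 1.40

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Mar 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
28672 May 24 2004 "C:\Program Files\Autodesk\Inventor Professional 9\ReaderHostU.exe"


end of report
'''


def parse_duplicates(log_text):
    """Return {lowercased path: (size, date, path as printed)} for the
    'Duplicate files of bak directory contents' section only."""
    entries = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if in_section and line == "end of report":
            break
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:  # separator and blank lines do not match and are skipped
            size, date, path = int(m.group(1)), m.group(2), m.group(3)
            entries[path.lower()] = (size, date, path)
    return entries


def triage(log_text):
    """Classify every listed file.

    restored:       bak copy has an identical-size, identical-date twin in
                    the parent folder (Option 2 already done, or never needed)
    still_replaced: bak copy has no such twin, so whatever sits in the parent
                    folder under that name is not the original
    unpaired:       listed outside any bak folder with no bak counterpart;
                    FindAWF flagged it on size alone, judge it by hand
    """
    entries = parse_duplicates(log_text)
    restored, still_replaced, unpaired = [], [], []
    for size, date, path in entries.values():
        p = PureWindowsPath(path)
        if p.parent.name.lower() == "bak":
            original = str(p.parent.parent / p.name)
            twin = entries.get(original.lower())
            if twin and twin[:2] == (size, date):
                restored.append(original)
            else:
                still_replaced.append(original)
        else:
            bak_copy = str(p.parent / "bak" / p.name)
            if bak_copy.lower() not in entries:
                unpaired.append(path)
    return {"restored": sorted(restored),
            "still_replaced": sorted(still_replaced),
            "unpaired": sorted(unpaired)}


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_BEFORE).items():
        print(label)
        for path in paths:
            print("   ", path)
```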

Response Number 5
Name: benbob
Date: October 26, 2007 at 19:48:46 Pacific
Subject: whataboutadog sucks
Reply:
FindAWF Report:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 10/26/2007
The current time is: 21:45:04.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

03/18/2006 07:04 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

11/15/2005 01:28 PM 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 05:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/04/2005 12:42 PM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\MICROS~2\KEYBOARD\BAK

03/21/2002 11:41 PM 94,208 type32.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/10/2007 02:27 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

09/25/2004 02:37 AM 1,691,648 DrgToDsc.exe
1 File(s) 1,691,648 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Mar 18 2006 "C:\Program Files\QuickTime\qttask.exe"
98304 Mar 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
94208 Mar 21 2002 "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
94208 Mar 21 2002 "C:\Program Files\Microsoft Hardware\Keyboard\bak\type32.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
28672 May 24 2004 "C:\Program Files\Autodesk\Inventor Professional 9\Stress Analysis\AISOL\CAD Integration\ReaderHostU.exe"
185896 Mar 10 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Mar 10 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
1691648 Sep 25 2004 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
1691648 Sep 25 2004 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report

****ComboFix Report****

ComboFix 07-10-26.4 - Ben Murphy 2007-10-26 21:41:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.693 [GMT -5:00]
Running from: C:\Documents and Settings\Ben Murphy\My Documents\Downloaded Setups\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 21:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 19:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-26 19:09 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-26 19:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-10-25 20:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-25 20:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-25 19:56 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-16 20:12 <DIR> d-------- C:\Documents and Settings\Ben Murphy\Application Data\PlayFirst
2007-10-03 21:34 <DIR> d-------- C:\WINDOWS\system32\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 02:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-27 02:38 --------- d-----w C:\Program Files\QuickTime
2007-10-27 02:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 03:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 03:10 --------- d-----w C:\Program Files\Google
2007-10-26 02:13 49,152 ----a-w C:\WINDOWS\system32\niSvcLoc.exe
2007-10-04 22:47 --------- d-----w C:\Documents and Settings\Ben Murphy\Application Data\Canon
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 02:31 92,064 ----a-w C:\Documents and Settings\Ben Murphy\mqdmmdm.sys
2007-08-19 02:31 9,232 ----a-w C:\Documents and Settings\Ben Murphy\mqdmmdfl.sys
2007-08-19 02:31 79,328 ----a-w C:\Documents and Settings\Ben Murphy\mqdmserd.sys
2007-08-19 02:31 66,656 ----a-w C:\Documents and Settings\Ben Murphy\mqdmbus.sys
2007-08-19 02:31 6,208 ----a-w C:\Documents and Settings\Ben Murphy\mqdmcmnt.sys
2007-08-19 02:31 5,936 ----a-w C:\Documents and Settings\Ben Murphy\mqdmwhnt.sys
2007-08-19 02:31 4,048 ----a-w C:\Documents and Settings\Ben Murphy\mqdmcr.sys
2007-08-19 02:31 25,600 ----a-w C:\Documents and Settings\Ben Murphy\usbsermptxp.sys
2007-08-19 02:31 22,768 ----a-w C:\Documents and Settings\Ben Murphy\usbsermpt.sys
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 63,712 2007-03-09 16:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
----a-w 63,712 2007-03-09 16:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

----a-w 40,048 2007-05-11 08:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 08:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

----a-w 185,896 2007-03-10 19:27:08 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-03-10 19:27:08 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 48,752 2005-10-04 17:42:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,752 2005-10-04 17:42:40 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 94,208 2002-03-22 04:41:56 C:\Program Files\Microsoft Hardware\Keyboard\bak\type32.exe
----a-w 94,208 2002-03-22 04:41:56 C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

----a-w 98,304 2006-03-19 00:04:13 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 98,304 2006-03-19 00:04:13 C:\Program Files\QuickTime\qttask.exe

----a-w 1,691,648 2004-09-25 07:37:42 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe
----a-w 1,691,648 2004-09-25 07:37:42 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

----a-w 49,152 2003-05-08 16:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe
----a-w 49,152 2003-05-08 16:00:58 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

----a-w 85,744 2005-11-15 18:28:04 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 85,744 2005-11-15 18:28:04 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 59,392 2004-08-10 10:04:42 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 59,392 2004-08-10 10:04:42 C:\WINDOWS\ehome\ehtray.exe

----a-w 15,360 2004-08-10 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 12:00:00 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 C:\WINDOWS\SOUNDMAN.EXE]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2004-08-10 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Shockwave Updater"=C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020022 -iexplore.exe7.0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 09:00:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 21:42:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 21:43:24
.
--- E O F ---

benbob



Response Number 6
Name: jabuck
Date: October 26, 2007 at 20:36:08 Pacific
Subject: whataboutadog sucks
Reply:
Option 3:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Microsoft Hardware\Keyboard\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Next, Option 4.


Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Post a new Combofix log please.


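A dry run of what merging fixme.reg does, as an added example that is not from the thread or from any tool named in it: it applies the two REGEDIT4 key-line forms the file uses ([-KEY] deletes a key with all its subkeys, [KEY] recreates it empty) to a model of the IE ZoneMap registry built from the "O15 - Trusted Zone" lines of a HijackThis log, and lists which trusted-zone domains the merge clears. The model assumes IE's layout of one subkey per domain under ZoneMap\Domains with a "*" value holding the zone number (2 is Trusted sites); the HijackThis lines are constructed from the log in the thread.

```python
"""Simulate fixme.reg against a model of IE's ZoneMap keys (added example)."""
import re

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
TRUSTED_SITES_ZONE = 2   # IE URL security zone number for "Trusted sites"

# Constructed sample, modelled on the HijackThis log posted in the thread.
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
"""

# The fixme.reg jabuck gives above, as text.
FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
"""


def trusted_zone_domains(hjt_log):
    """Domains from 'O15 - Trusted Zone:' lines, leading '*.' stripped."""
    hits = re.findall(r"^O15 - Trusted Zone: (\S+)\s*$", hjt_log, re.MULTILINE)
    return [h[2:] if h.startswith("*.") else h for h in hits]


def zonemap_model(domains, hive="HKEY_CURRENT_USER"):
    """Model registry {key: {value name: data}} with one subkey per domain.

    Assumed IE layout: ZoneMap\\Domains\\<domain> holds a '*' value (any
    scheme) whose data is the zone number; 2 means Trusted sites.
    """
    base = hive + "\\" + ZONEMAP + "\\Domains"
    reg = {base: {}}
    for d in domains:
        reg[base + "\\" + d] = {"*": TRUSTED_SITES_ZONE}
    return reg


def apply_reg(reg_text, registry):
    """Apply the key lines of a REGEDIT4 file to a copy of `registry`.

    '[-KEY]' removes KEY and every subkey (case-insensitively, as the
    registry is); '[KEY]' creates KEY empty if it is missing.  Value lines
    are not needed for fixme.reg and are rejected so that a file this
    function does not fully understand is never half-applied.
    """
    lines = [l.strip() for l in reg_text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    reg = {k: dict(v) for k, v in registry.items()}
    for line in lines[1:]:
        if not (line.startswith("[") and line.endswith("]")):
            raise ValueError("unsupported line: " + line)
        key = line[1:-1]
        if key.startswith("-"):
            target = key[1:].lower()
            for existing in list(reg):
                e = existing.lower()
                if e == target or e.startswith(target + "\\"):
                    del reg[existing]
        else:
            reg.setdefault(key, {})
    return reg


def domains_cleared_by_fix(hjt_log, reg_text=FIXME_REG):
    """Return (cleared, still_trusted) domain lists after merging reg_text."""
    domains = trusted_zone_domains(hjt_log)
    after = apply_reg(reg_text, zonemap_model(domains))
    base = "HKEY_CURRENT_USER\\" + ZONEMAP + "\\Domains"
    still = [d for d in domains if base + "\\" + d in after]
    cleared = [d for d in domains if d not in still]
    return cleared, still


if __name__ == "__main__":
    cleared, still = domains_cleared_by_fix(HJT_SAMPLE)
    print("cleared by fixme.reg:", cleared)
    print("still trusted:", still)
```

The same wipe also empties the Restricted-sites lists that SpywareBlaster, Spybot's Immunize and IE-SpyAd write under ZoneMap\Domains, which is why the post says to re-enable them afterwards.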

Response Number 7
Name: benbob
Date: October 26, 2007 at 21:02:43 Pacific
Subject: whataboutadog sucks
Reply:
This is my last post tonight. I'll check back in tomorrow. Thanks for the help.

FindAWF report:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 10/26/2007
The current time is: 22:52:07.23


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report


****Combofix report****

ComboFix 07-10-26.4 - Ben Murphy 2007-10-26 22:58:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.700 [GMT -5:00]
Running from: C:\Documents and Settings\Ben Murphy\My Documents\Downloaded Setups\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-26 21:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-26 19:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-26 19:09 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-26 19:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-10-25 20:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-25 20:47 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-25 19:56 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-16 20:12 <DIR> d-------- C:\Documents and Settings\Ben Murphy\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 03:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-27 03:52 --------- d-----w C:\Program Files\QuickTime
2007-10-27 03:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-26 03:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-26 03:10 --------- d-----w C:\Program Files\Google
2007-10-26 02:13 49,152 ----a-w C:\WINDOWS\system32\niSvcLoc.exe
2007-10-04 22:47 --------- d-----w C:\Documents and Settings\Ben Murphy\Application Data\Canon
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 02:31 92,064 ----a-w C:\Documents and Settings\Ben Murphy\mqdmmdm.sys
2007-08-19 02:31 9,232 ----a-w C:\Documents and Settings\Ben Murphy\mqdmmdfl.sys
2007-08-19 02:31 79,328 ----a-w C:\Documents and Settings\Ben Murphy\mqdmserd.sys
2007-08-19 02:31 66,656 ----a-w C:\Documents and Settings\Ben Murphy\mqdmbus.sys
2007-08-19 02:31 6,208 ----a-w C:\Documents and Settings\Ben Murphy\mqdmcmnt.sys
2007-08-19 02:31 5,936 ----a-w C:\Documents and Settings\Ben Murphy\mqdmwhnt.sys
2007-08-19 02:31 4,048 ----a-w C:\Documents and Settings\Ben Murphy\mqdmcr.sys
2007-08-19 02:31 25,600 ----a-w C:\Documents and Settings\Ben Murphy\usbsermptxp.sys
2007-08-19 02:31 22,768 ----a-w C:\Documents and Settings\Ben Murphy\usbsermpt.sys
2007-07-31 00:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-31 00:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-31 00:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-31 00:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-31 00:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-31 00:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-31 00:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-31 00:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 02:47 C:\WINDOWS\SOUNDMAN.EXE]
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2004-08-10 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 09:00:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 22:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 22:59:35
C:\ComboFix2.txt ... 2007-10-26 21:43
.
--- E O F ---

benbob



Response Number 8
Name: jabuck
Date: October 26, 2007 at 21:10:35 Pacific
Subject: whataboutadog sucks
Reply:
Your log is clean.

You should add "SpywareBlaster" to your arsenal of antispyware tools; just do a Google search for SpywareBlaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.



Response Number 9
Name: benbob
Date: October 27, 2007 at 04:52:56 Pacific
Subject: whataboutadog sucks
Reply:
THANKS! You're my hero. If I see any more problems, I'll be back.


Response Number 10
Name: jabuck
Date: October 27, 2007 at 05:11:06 Pacific
Subject: whataboutadog sucks
Reply:
Glad we could help.

All content ©1996-2007 Computing.Net, LLC