TechSpot

Help please

By campingmom4
Mar 22, 2008
  1. I am running XP Home Edition, IE7. I have been infected with adoginhispen, askittodayplease, etc. I think it's getting in and moving files or something. All of a sudden today, the CD-ROM on the puter won't read anything. In the history file there was a bunch of stuff we didn't recognize, like "my computer" - have no idea why that would even be in the history file online.
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hi campingmom4,

    Download the ATF cleaner programme and save it to your desktop.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Reboot into normal mode.
    -------------------------------------------------------------------------------------------------------
    FindAWF

    Click here to download FindAWF and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.
    -------------------------------------------------------------------------------------------------------

    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.



    Warning! Do not click the links below in the quote box.



    Click OK, then OK again and close IE. Reboot your system.

    This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
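The "remove all sites from the Trusted zone" step above edits per-user zone assignments that Internet Explorer keeps in the registry. What follows is an added example for this thread, not code from TechSpot, kritius or Microsoft: it reads those assignments on a Windows machine with Python's standard winreg module and groups them by zone, so a reader can confirm what the Trusted and Restricted lists actually hold before and after the cleanup. Assumptions: the entries live under the HKCU ZoneMap\Domains subtree (and ZoneMap\EscDomains for the Enhanced Security Configuration zones), one subkey per domain with an optional second level for a host label such as "www", the value name being the scheme ("http", "https" or "*") and the DWORD data the zone id (2 = Trusted sites, 4 = Restricted sites); machine-wide HKLM entries and IP ranges are not covered; the snapshot used when winreg is unavailable is constructed with placeholder hostnames.

```python
r"""Audit the Internet Explorer security-zone assignments behind the "Trusted sites" list.

Added example for this thread; not TechSpot's, kritius's or Microsoft's code.
Assumption: per-user assignments are DWORD values under HKCU ZoneMap\Domains
(value name = scheme or "*", data = zone id); HKLM policy entries are not read.
"""
try:
    import winreg  # Windows only
except ImportError:  # assumption: non-Windows host, e.g. running the offline demo below
    winreg = None

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ZONEMAP_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def _subkeys(key):
    """Yield the names of a registry key's subkeys."""
    index = 0
    while True:
        try:
            yield winreg.EnumKey(key, index)
        except OSError:  # no more subkeys
            return
        index += 1


def _collect(key, host, entries):
    """Copy a key's DWORD values (scheme -> zone id) into entries[host]."""
    index = 0
    while True:
        try:
            name, data, value_type = winreg.EnumValue(key, index)
        except OSError:  # no more values
            return
        if value_type == winreg.REG_DWORD:
            entries.setdefault(host, {})[name] = data
        index += 1


def read_zone_map(subtree="Domains"):
    """Read the Domains (or EscDomains) subtree of HKCU ZoneMap into {host: {scheme: zone_id}}."""
    if winreg is None:
        raise RuntimeError("winreg is unavailable; pass a snapshot to classify_zone_map instead")
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONEMAP_PATH + "\\" + subtree) as root:
        for domain in _subkeys(root):
            with winreg.OpenKey(root, domain) as domain_key:
                _collect(domain_key, domain, entries)          # values directly on the domain
                for label in _subkeys(domain_key):             # e.g. "www" under "example.test"
                    with winreg.OpenKey(domain_key, label) as label_key:
                        _collect(label_key, label + "." + domain, entries)
    return entries


def classify_zone_map(entries):
    """Group scheme://host strings by zone name; Trusted and Restricted are the lists to review."""
    by_zone = {name: [] for name in ZONE_NAMES.values()}
    for host, schemes in sorted(entries.items()):
        for scheme, zone_id in sorted(schemes.items()):
            zone = ZONE_NAMES.get(zone_id, "unknown(%d)" % zone_id)
            by_zone.setdefault(zone, []).append("%s://%s" % (scheme, host))
    return by_zone


# Constructed snapshot (placeholder hostnames, not read from any real machine) so the
# classification can be exercised offline.
CONSTRUCTED_SNAPSHOT = {
    "example-bank.test": {"https": 2},      # placed in Trusted sites
    "www.example-adware.test": {"*": 4},    # placed in Restricted sites
    "intranet.test": {"http": 1},           # Local intranet
}

if __name__ == "__main__":
    snapshot = read_zone_map() if winreg is not None else CONSTRUCTED_SNAPSHOT
    for zone, hosts in classify_zone_map(snapshot).items():
        if hosts:
            print(zone + ":")
            for entry in hosts:
                print("  " + entry)
```

Run it on the affected machine as the account being cleaned: the key is per-user, so an empty Trusted list for one account says nothing about another account's zones, which is one reason the instructions above are careful about which user name to boot into.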
     
  3. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Here's the AWF file. Also, the other things are done.

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sun 03/23/2008
    The current time is: 11:43:48.12


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  4. kritius

    kritius TS Guru Posts: 2,084

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments:
    • AVG antispyware
    • ComboFix
    • HijackThis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.


    This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Wow - OK, finally done! Here are the logs from the 3 you asked for.
     
  6. kritius

    kritius TS Guru Posts: 2,084

    This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer.


    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    Fix entries with HijackThis


    Fix the following entries with HijackThis
    • Open HijackThis
    • Select Do a System Scan Only
    • Put a check next to the following entries (if still present)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    • Close all browser windows and select Fix checked.


    Reboot and run HijackThis again and post a fresh log.

    How is the computer running now?


    This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    OK, here is the new HJT log. I clicked on the puter and looked at the history file and the 3 popped up again. I don't know, after all the stuff I've run, that they could still be in here! I went in and checked to see if they are still blocked and they were. Do I need to go in and type them word for word as they are in the history file and then block again? I do some online bill paying, etc. and I just don't want my system at risk with this stuff. Sorry for rambling, it's just got me frustrated is all. Let me know what I need to do next. Thanks bunches!
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Right lets see if we can get this.

    Boot into safe mode by tapping F8 as soon as the computer boots up

    View hidden files and Folders

    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.
    Click OK.

    Search for and delete this file
    C:\WINDOWS\ALCXMNTR.EXE

    Boot into Normal mode and re-hide the hidden files.

    Fix entries with HijackThis

    Fix the following entries with HijackThis
    • Open HijackThis
    • Select Do a System Scan Only
    • Put a check next to the following entries (if still present)

    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/18620be.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab

    • Close all browser windows and select Fix checked.

    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.



    Warning! Do not click the links below in the quote box.


    Click OK, then OK again and close IE. Reboot your system.

    Check if it's still there

    FindAWF

    Download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach the AWF.txt file in your next reply.


    This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
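Both the O9 entries in the earlier reply and the O16 (DPF, downloaded ActiveX) entries in this one are HijackThis log lines with a fixed shape: section, CLSID, an optional friendly name, and a local path or download URL. The following is an added example for this thread, not HijackThis's own code or TechSpot's: a parser that turns those lines into records and a small triage step that lists orphaned O9 entries ("file missing"), the hosts each O16 control was fetched from, the controls fetched over plain HTTP, and the controls from hosts not on a reviewer-supplied allow-list. The sample lines are the ones quoted in the replies; the allow-list passed in the usage is an assumption for the demonstration.

```python
r"""Parse HijackThis O9 and O16 lines into records for review.

Added example for this thread, not HijackThis's own code or TechSpot's. The sample
lines are the ones quoted in the replies above; the host allow-list given to
summarize() is an assumption the reviewer supplies.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlparse

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

O9_RE = re.compile(
    r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.+?) - "
    r"(?P<clsid>" + CLSID + r") - (?P<target>.+?)(?P<missing> \(file missing\))?$"
)
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<target>\S.*)$"
)


@dataclass
class HjtEntry:
    section: str          # "O9" or "O16"
    clsid: str
    name: Optional[str]
    target: str           # local path (O9) or download URL (O16)
    host: Optional[str]   # URL host for O16 entries
    file_missing: bool    # O9 entries whose target no longer exists on disk


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for an O9/O16 line, or None for lines of other sections."""
    line = line.strip()
    m = O9_RE.match(line)
    if m:
        return HjtEntry("O9", m.group("clsid").upper(), m.group("name"), m.group("target"),
                        None, m.group("missing") is not None)
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("target")).hostname
        return HjtEntry("O16", m.group("clsid").upper(), m.group("name"), m.group("target"),
                        host, False)
    return None


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every recognised line of a log; other sections are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def summarize(entries: Sequence[HjtEntry], allowed_hosts: Sequence[str] = ()) -> dict:
    """Flag orphaned O9 entries, plain-HTTP downloads and O16 hosts outside the allow-list."""
    allowed = tuple(h.lower() for h in allowed_hosts)

    def host_allowed(host: Optional[str]) -> bool:
        return host is not None and any(host == a or host.endswith("." + a) for a in allowed)

    o16 = [e for e in entries if e.section == "O16"]
    return {
        "orphaned_o9": [e.clsid for e in entries if e.section == "O9" and e.file_missing],
        "o16_hosts": [e.host for e in o16],
        "o16_plain_http": [e.clsid for e in o16 if e.target.lower().startswith("http://")],
        "o16_unreviewed": [e.clsid for e in o16 if not host_allowed(e.host)],
    }


# Sample input: the O9 and O16 lines quoted in this thread (the "..." in one URL is as posted).
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/18620be.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
"""

if __name__ == "__main__":
    # Assumed allow-list for the demonstration: the ISP's own domains.
    for key, value in summarize(parse_log(SAMPLE_LOG), ("comcast.net", "comcastonline.com")).items():
        print(key, value)
```

The allow-list is deliberately the reviewer's input, not something derived from the log: the point of the O16 section is that each CLSID was installed from a URL, and whether that origin is acceptable is a judgement the helper only organises, not makes.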
     
  9. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    OK. Here is the AWF file. When I went into the Trusted sites icon, there was nothing there. Don't know if there is something else I needed to click or not. Went in and clicked the sites to block, though.


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Tue 03/25/2008
    The current time is: 12:55:32.35


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
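The two AWF.txt reports posted in this thread (the first one earlier and this one) both have empty "bak folders found" and "Duplicate files of bak directory contents" sections, which is what the next reply reads them for. As an added example, not FindAWF's own code or TechSpot's, here is a parser for that report layout that extracts the date and time stamps and whatever is listed under each section header, so the "nothing listed" reading can be checked mechanically rather than by eye. The clean report embedded below is the one posted above; the second sample is constructed with placeholder paths purely to exercise the non-empty case, and its one-entry-per-line layout under each header is an assumption.

```python
r"""Read a FindAWF report (AWF.txt) and report what its two sections list.

Added example for this thread; not FindAWF's own code or TechSpot's. The clean
report is the one posted above; the "infected" one is constructed with placeholder
paths, and its layout (one entry per line under each header) is an assumption.
"""
import re
from typing import Dict

BAK_HEADER = "bak folders found"
DUP_HEADER = "Duplicate files of bak directory contents"
END_MARKER = "end of report"


def parse_findawf_report(text: str) -> Dict[str, object]:
    """Return the date/time stamps and the entries listed under each section."""
    report = {"date": None, "time": None, "bak_folders": [], "duplicates": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"~"}:      # blank lines and the ~~~ underlines
            continue
        stamp = re.match(r"The current (date|time) is:\s*(.+)$", line)
        if stamp:
            report[stamp.group(1)] = stamp.group(2).strip()
            continue
        if line == BAK_HEADER:
            section = "bak_folders"
            continue
        if line == DUP_HEADER:
            section = "duplicates"
            continue
        if line == END_MARKER:
            section = None
            continue
        if section is not None:                 # banner lines before any header are ignored
            report[section].append(line)
    return report


def is_clean(report: Dict[str, object]) -> bool:
    """True when neither section lists anything, as in the reports posted in this thread."""
    return not report["bak_folders"] and not report["duplicates"]


# The report posted above, verbatim.
CLEAN_REPORT = r"""
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 03/25/2008
The current time is: 12:55:32.35


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
"""

# Constructed sample: placeholder paths, not output from any real machine.
CONSTRUCTED_INFECTED_REPORT = r"""
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 03/25/2008
The current time is: 12:55:32.35

bak folders found
~~~~~~~~~~~
C:\Program Files\ExampleApp\bak

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\ExampleApp\bak\exampleapp.exe

end of report
"""

if __name__ == "__main__":
    for label, text in (("posted report", CLEAN_REPORT),
                        ("constructed sample", CONSTRUCTED_INFECTED_REPORT)):
        parsed = parse_findawf_report(text)
        print(label, "->", "clean" if is_clean(parsed) else "bak entries present", parsed)
```

A clean result from this parser means only that FindAWF found nothing to list; as the rest of the thread shows, it does not by itself rule out the symptoms the user keeps seeing.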
     
  10. kritius

    kritius TS Guru Posts: 2,084

    I'm not sure why they're still showing up; there are no bak folders on your system, which is the sign that you have a problem with adoginhispen.

    Are they still showing in your history?
     
  11. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Hey kritius! Been navigating on here for about a half hour now and nothing has popped up! Whoo hoo! Went to the usual sites that I/family visit on a normal day, and nothing yet - so I'm keeping fingers crossed. Now, over the next couple of days, I'm going to keep monitoring it. After a few days I should be OK. What do I need to do, if everything is going well, to clean up the puter of all the stuff I've downloaded? What should I keep, and what should I get rid of? Here is the list-

    ccleaner
    atf cleaner
    spywareblaster
    deldomain
    hjt
    awf file
    antiroot kit
    vundofix
    drweb cure-it
    combo fix
    superanti spyware
    avg anti spyware

    I think that is all that there is - let me know which ones! Thanks - if anything else goes on, I'll repost to you.
     
  12. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Never mind about the last post - :dead: after the 4th time of getting online, as soon as I clicked to get on, they were there. Now I'm sad again. This is soooo frustrating. Any other recourse here? Thanks!
     
  13. kritius

    kritius TS Guru Posts: 2,084

    I'll have to have a think and see what I can come up with, I must admit I am quite stumped!!
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Can you run ComboFix for me please?
     
  15. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Yeah, here is the log file for that, kritius. Yeah, this has us stumped too. Here's what I know. When I got done on here the other night after the run, there was nothing. I got offline and back on 3 times, nothing. Then later that evening, I got on and the home page (Comcast) was loading. How I know when it gets in there is there is a little hesitation when the page loads up. Then I knew to check it and there it was in the history. Did it again when I just got on. Not having to go to any sites for it to show up. Don't know if maybe the home page is corrupt or what? But something is causing it. Checked again, and they are still blocked in Privacy. Anyways - here is the log - didn't see anything unusual in it.
     
  16. kritius

    kritius TS Guru Posts: 2,084

    I don't know, there's no bak files showing in that either.

    Create an uninstall list
    • Launch Hijackthis
    • Click the Open the Misc Tools section button
    • Click the Open Uninstall Manager button.
    • Click the Save list button.
    • attach this log into your next reply

    do that and then run a fresh HijackThis scan for me.
     
  17. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    OK, here are the scans. Didn't see anything unusual in the uninstall either - quite baffled!
     
  18. kritius

    kritius TS Guru Posts: 2,084

    You could start by uninstalling LimeWire 4.16.6; although it itself is not malicious, the stuff that you download may be.

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.

    This won't fix anything but will let me know if there are any nasties lurking about.

    I'll look over your log now.
     
  19. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    Here is the file from the Kaspersky run.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Do you know what this is?
    D:\I386\Apps\APP19578\src\HPSummer2005.exe
     
  21. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    No, I don't. Was looking at pics and seeing if I named a file or something like that. I'm not sure what it is. On my puter, the D drive is designated as my HP recovery, so I'm not sure what it would be having a D:// in front. Where did you see this? I need to find out what exactly it is in case something renamed itself in all this, because that is the year my son graduated, and had open house, etc., so I don't want to prematurely get rid of it. But if something is hidden on that puter, you could be on to something here! I'll go look around on it. I'm on the laptop, so as not to get online on the infected one and cause any more damage, OK?
     
  22. kritius

    kritius TS Guru Posts: 2,084

    If you go looking, go looking in safe mode.

    These two files are infected,

    C:\Documents and Settings\HP_Owner\My Documents\My Music\Rare Recording.wma
    D:\I386\Apps\APP19578\src\HPSummer2005.exe


    Would suggest deleting them.

    If you can't by the normal methods then let me know.
     
  23. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    I won't touch any of them yet. Which program would you suggest that I use and is going to be the most effective to get rid of them? Still not sure what that Summer 2005 thing is, but I can check out the music one pretty easily. What do you suggest I do with the Kaspersky report on the viruses? Mostly looked like cookies. Want me to go back, run another scan and get rid of what it says is infecting the puter? Thanks so much. PS to this message - I just went and looked at the music file. Didn't open it, though. I had AVG run a scan on just it and found nothing, but here's the kicker - when I run the pointer over it, it says it's protected! The rest of my music is not set up like that. I run the pointer over any of them and they say Protected: No, but this one here says
    Protected: Yes. So I wonder what am I going to have to use to get that out of here? I don't even know what it is anyway. OK, thanks again-
     
  24. kritius

    kritius TS Guru Posts: 2,084

    Delete Files and Folders
    • Right-click on the Start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them(if still present)
    C:\Documents and Settings\HP_Owner\My Documents\My Music\Rare Recording.wma<---------This File
    D:\I386\Apps\APP19578\src\HPSummer2005.exe<---------This File


    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

    If that doesn't get rid of them then we can use HijackThis to delete them or the Pocket Killbox.
     
  25. campingmom4

    campingmom4 TS Rookie Topic Starter Posts: 29

    kritius, I found the Rare Recording file and deleted it, but I've searched all over and can't find that HPSummer2005 file. How do I go about finding it? I did a file search and didn't come up with anything. Thanks-

    Did another search for that file. Everything I type in to find it says that it refers to a location that is unavailable, that it could be on a hard drive or network, check to make sure the disk is properly inserted or that you are connected to the network and try again, or that it may have been moved to a different location.
     