Help please

campingmom4

I am running XP Home Edition, IE7. I have been infected with adoginhispen, askittodayplease, etc. I think it's getting in and moving files or something. All of a sudden today, the CD-ROM on puter won't read anything. In history file, there were a bunch of stuff we didn't recognize like "my computer" - have no idea why that would even be in history file online.
 
Hi campingmom4,

Download the ATF cleaner programme and save it to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Reboot into normal mode.
-------------------------------------------------------------------------------------------------------
FindAWF

Click here to download FindAWF and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab.
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button.
Once done, click OK.



Warning! Do not click the links below in the quote box.

sites removed after reply

Click OK, then OK again and close IE. Reboot your system.

This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here's the AWF file. Also, other things are done.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 03/23/2008
The current time is: 11:43:48.12


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
I need you to follow all the steps HERE and then post back with the three requested logs as attachments:
  • AVG Anti-Spyware
  • ComboFix
  • HijackThis (step 15)

Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the antirootkit scan.


This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer.

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'


Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Fix entries with HijackThis


Fix the following entries with HijackThis
  • Open HijackThis
  • Select Do a System Scan Only
  • Put a check next to the following entries (if still present)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


  • Close all browser windows and select Fix checked.


Reboot and run HijackThis again and post a fresh log.

How is the computer running now?


This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
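The two O9 entries above are the kind of HijackThis lines a helper has to eyeball one at a time. As an added example (not part of this thread, and not code from the HijackThis project), the parser below reads O9 (extra IE button/menu item) and O16 (DPF, i.e. ActiveX download) lines, pulls out the CLSID, the local path or download URL, and tags what a reviewer would want to look at: a referenced file that is missing, a control fetched over plain HTTP, or a URL the log has elided with "...". The sample log is constructed from the O9 lines above, the O16 lines quoted later in this thread, and one made-up O4 line to show that unrelated sections are skipped.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# CLSID in the braces-and-hyphens form HijackThis prints
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

O9_RE = re.compile(
    r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.*?) - "
    rf"(?P<clsid>{CLSID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O16_RE = re.compile(
    rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<url>\S.*)$"
)


@dataclass
class Entry:
    section: str               # "O9" or "O16"
    kind: str                  # button / menu item / DPF
    name: str                  # display name, may be empty for O16
    clsid: str                 # normalised to upper case
    target: str                # local path (O9) or download URL (O16)
    host: str = ""             # hostname of the URL for O16 entries
    flags: list = field(default_factory=list)


def parse_hjt_line(line: str):
    """Return an Entry for an O9/O16 line, or None for any other line."""
    line = line.strip()
    m = O9_RE.match(line)
    if m:
        flags = ["file-missing"] if m.group("missing") else []
        return Entry("O9", m.group("kind"), m.group("name"),
                     m.group("clsid").upper(), m.group("path"), flags=flags)
    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        flags = []
        if not url.lower().startswith("https://"):
            flags.append("plain-http")     # control fetched without transport integrity
        if "..." in url:
            flags.append("truncated-url")  # log elided part of the URL; source unverifiable
        host = urlsplit(url).hostname or ""
        return Entry("O16", "DPF", m.group("name") or "",
                     m.group("clsid").upper(), url, host, flags)
    return None


def parse_hjt_log(text: str) -> list:
    """Parse every O9/O16 line of a HijackThis log; other sections are ignored."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def review_items(entries) -> list:
    """Entries a reviewer should look at: anything carrying at least one flag."""
    return [e for e in entries if e.flags]


# Constructed sample: O9/O16 lines from this thread plus one made-up O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/18620be.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
"""

if __name__ == "__main__":
    for e in review_items(parse_hjt_log(SAMPLE_LOG)):
        print(f"{e.section} {e.clsid} {e.host or e.target} -> {', '.join(e.flags)}")
```

Flags are hints for a human, not a verdict: the O9 entries are harmless Windows Messenger leftovers that point at a missing file, and an O16 control served over HTTP may be a legitimate game or activation component. The value of the parser is that it turns a log of free-form lines into records (CLSID, host, path) that can be cross-checked against what is actually installed.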
 
OK, here is the new HJT log. I clicked on puter and looked at history file and the 3 popped up again. I don't know, after all the stuff I've run, that they could be still in here! I went in and checked to see if they are still blocked and they were. Do I need to go in and type them word for word that is in history file and then block again? I do some online bill paying, etc., and I just don't want my system at risk with this stuff. Sorry for rambling, it's just got me frustrated is all. Let me know what I need to do next. Thanks bunches!
 
Right, let's see if we can get this.

Boot into safe mode by tapping F8 as soon as the computer boots up

View hidden files and Folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.
Click OK.

Search for and delete this file
C:\WINDOWS\ALCXMNTR.EXE

Boot into Normal mode and rehide the hidden files.

Fix entries with HijackThis

Fix the following entries with HijackThis
  • Open HijackThis
  • Select Do a System Scan Only
  • Put a check next to the following entries (if still present)

O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://software-dl.real.com/18620be.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - http://playgames.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab

  • Close all browser windows and select Fix checked.

DELDOMAINS

Download Deldomains.
  • Save it to your desktop.
  • Right-click DelDomains.inf and select: Install (no need to restart)
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab.
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button.
Once done, click OK.



Warning! Do not click the links below in the quote box.

sites removed after reply

Click OK, then OK again and close IE. Reboot your system.

Check if it's still there

FindAWF

Download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach the AWF.txt file in your next reply.


This thread is for the use of campingmom4 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
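FindAWF is run twice in this thread and both reports come back with empty "bak folders found" and "Duplicate files of bak directory contents" sections. As an added example (not the FindAWF tool's own code, and not part of this thread), the script below performs the same two checks on any directory tree: it lists every folder named `bak`, and for each file inside one it compares a SHA-256 hash against the same-named file in the parent folder. A `bak` copy whose live counterpart has different contents is the pattern the thread is worried about (original kept in `bak`, something else sitting in its place); an identical pair is just a backup, and a file with no counterpart is reported separately. The demo tree (paths like `Program Files/ExampleApp`) is constructed in a temporary directory so the script runs offline on any platform.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: Path) -> list:
    """Every directory under root whose name is 'bak' (case-insensitive), sorted."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                found.append(Path(dirpath) / d)
    return sorted(found)


def compare_bak_contents(bak_dir: Path) -> list:
    """Compare each file in a bak folder with the same-named file one level up."""
    findings = []
    live_dir = bak_dir.parent
    for backup in sorted(p for p in bak_dir.iterdir() if p.is_file()):
        live = live_dir / backup.name
        if not live.is_file():
            status = "no-counterpart"            # backup of something no longer there
        elif sha256_of(live) == sha256_of(backup):
            status = "identical"                 # ordinary backup copy
        else:
            status = "differs"                   # live file is not the one in bak: review it
        findings.append({"bak_file": backup, "live_file": live, "status": status})
    return findings


def awf_style_report(root: Path) -> dict:
    """Report in the two sections FindAWF prints: bak folders, then duplicate files."""
    folders = find_bak_folders(root)
    findings = []
    for folder in folders:
        findings.extend(compare_bak_contents(folder))
    return {
        "bak_folders": [str(f.relative_to(root)) for f in folders],
        "findings": [{"file": str(x["bak_file"].relative_to(root)),
                      "status": x["status"]} for x in findings],
    }


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree: one swapped file, one plain backup, one clean dir."""
    app = root / "Program Files" / "ExampleApp"
    (app / "bak").mkdir(parents=True)
    (app / "app.exe").write_bytes(b"REPLACED-CONTENT")          # live file differs
    (app / "bak" / "app.exe").write_bytes(b"ORIGINAL-CONTENT")  # original kept in bak
    (app / "bak" / "readme.txt").write_bytes(b"notes")          # nothing to compare with
    other = root / "Program Files" / "OtherTool"
    (other / "bak").mkdir(parents=True)
    (other / "tool.exe").write_bytes(b"SAME")
    (other / "bak" / "tool.exe").write_bytes(b"SAME")           # genuine backup
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(b"clean")    # no bak folder at all


def run_demo() -> dict:
    """Build the sample tree in a temp dir, report on it, and clean up."""
    tmp = Path(tempfile.mkdtemp(prefix="awfdemo_"))
    try:
        build_demo_tree(tmp)
        return awf_style_report(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import json
    import sys
    # Usage: python awf_check.py [directory]; with no argument the demo tree is used.
    report = awf_style_report(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo()
    print(json.dumps(report, indent=2))
```

Pointing the script at a real `C:\Program Files` tree gives the same empty-or-not answer the two FindAWF reports gave, with the added detail of which pairs actually differ; an empty `bak_folders` list is consistent with what this thread found, namely that whatever is writing to the history file is not the bak-folder infection FindAWF looks for.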
 
OK. Here is the AWF file. When I went into the Trusted sites icon, there was nothing there. Don't know if there is something else I needed to click or not. Went in and clicked the sites to block though.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 03/25/2008
The current time is: 12:55:32.35


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
I'm not sure why they're still showing up; there are no bak folders on your system, which is the sign that you have a problem with adoginhispen.

Are they still showing in your history?
 
Hey kritius! Been navigating on here for about a half hour now and nothing has popped up! Whoo hoo! Went to usual sites that I/family visit on a normal day, and nothing yet, so I'm keeping fingers crossed. Now, over the next couple days, I'm going to keep monitoring it. After a few days I should be ok. What do I need to do, if everything is going well, to clean up puter of all the stuff I've downloaded? What should I keep, and what should I get rid of? Here is the list:

ccleaner
atf cleaner
spywareblaster
deldomain
hjt
awf file
antiroot kit
vundofix
drweb cure-it
combo fix
superanti spyware
avg anti spyware

I think that is all that there is. Let me know which ones! Thanks. If anything else goes on, I'll repost to you.
 
Never mind about last post. :dead: After the 4th time of getting online, as soon as I click to get on, they were there. Now I'm sad again. This is soooo frustrating. Any other recourse here? Thanks!
 
I'll have to have a think and see what I can come up with. I must admit I am quite stumped!!
 
Yeah, here is the log file for that, kritius. Yeah, this has us stumped too. Here's what I know. When I got done on here the other night after the run, there was nothing. I got offline and back on 3 times, nothing. Then later that evening, I got on and the home page (Comcast) was loading. How I know when it gets in there is there is a little hesitation when the page loads up. Then I knew to check it, and there it was in the history. Did it again when I just got on. Not having to go to any sites for it to show up. Don't know if maybe the home page is corrupt or what? But something is causing it. Checked again, and they are blocked still in privacy. Anyways, here is the log. Didn't see anything unusual in it.
 
I don't know, there are no bak files showing in that either.

Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Attach this log to your next reply.

do that and then run a fresh HijackThis scan for me.
 
You could start by uninstalling LimeWire 4.16.6; although it itself is not malicious, the stuff that you download may be.

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [image: Kas-SaveReport-1.gif]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    [image: Kas-Savetxt.gif]

  • Include the report in your next post.

This won't fix anything but will let me know if there are any nasties lurking about.

I'll look over your log now.
 
No, I don't. Was looking at pics and seeing if I named a file or something like that. I'm not sure what it is. On my puter, the D drive is designated as my HP recovery. So I'm not sure what it would be having a d:// in front. Where did you see this at? I need to find out what exactly it is in case something renamed itself in all this, because that is the year my son graduated, and had open house, etc. So I don't want to prematurely get rid of it. But if something is hidden on that puter, you could be on to something here! I'll go look around on it. I'm on the laptop, so as not to get online on the infected one and cause any more damage, ok?
 
If you go looking, go looking in safe mode,

These two files are infected,

C:\Documents and Settings\HP_Owner\My Documents\My Music\Rare Recording.wma
D:\I386\Apps\APP19578\src\HPSummer2005.exe


Would suggest deleting them.

If you can't by the normal methods then let me know.
 
I won't touch any of them yet. Which program would you suggest that I use and is going to be the most effective to get rid of them? Still not sure what that summer 2005 thing is, but I can check out the music one pretty easy. What do you suggest I do with the Kaspersky report on the viruses? Mostly looked like cookies. Want me to go back, run another scan and get rid of what it says is infecting the puter? Thanks so much. PS to this message: I just went and looked at the music file. Didn't open it though. I had AVG run a scan on just it and found nothing, but here's the kicker: when I run the pointer over it, it says it's protected! The rest of my music is not set up like that. I run the pointer over any of them and they say protected: no, but this one here says protected: yes. So I wonder what am I going to have to use to get that out of here? I don't even know what it is anyway. OK, thanks again.
 
Delete Files and Folders
  • Right-click on the Start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them (if still present)
C:\Documents and Settings\HP_Owner\My Documents\My Music\Rare Recording.wma<---------This File
D:\I386\Apps\APP19578\src\HPSummer2005.exe<---------This File


  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

If that doesn't get rid of them then we can use HijackThis to delete them or the Pocket Killbox.
 
kritius, I found the Rare Recording file and deleted it, but I've searched all over and can't find that HPSummer2005 file. How do I go about finding it? I did a file search and didn't come up with anything. Thanks.

Did another search for that file. Everything I type in to find it says that it refers to a location that is unavailable, that it could be on a hard drive or network; check to make sure the disk is properly inserted or that you are connected to the network and try again, or that it may have been moved to a different location.
 