memerot

Annoying pest on my PC

A couple weeks ago I started working on a computer to remove all the spyware/viruses on it.  During this process I started to get a green flashing sign that pops up in the bottom right corner of the screen reading 'Take coffee break' (note: it shows a crude pixel-art shape of a coffee cup instead of the word coffee).  The person who had the computer didn't know what it was, and I've never seen anything like it before.  Every once in a while it will stop briefly before starting up again.  It kind of looks like something based out of DOS instead of Windows; it's just one solid dark green color and doesn't interact with the mouse or anything else.  I won't be back on the PC until this evening, but does this sound familiar to anyone?  Any help would be appreciated, this is driving me nuts.
SheharyaarSaahil

Hello memerot =)

It seems that u have run most of the tools already,,,,, so from my side, there is a tool which u have to download, run and Save the LOG file,,, then paste its contents here :)

HijackThis >> http://tools.radiosplace.com/HijackThis.exe
memerot

ASKER

Will do.  I figured that would be the first thing I need to do.  Will do so this evening.  What I had done so far was first to run AdAware, then to go to PestPatrol and scan, then manually remove any of the listed programs.  Will post my HijackThis log here this evening.
no problem..... i'll remain in touch :)
just outta curiosity, what operating system are you using? Also is there anything that starts up with windows?

to check that go to Start--> Run --> and type "msconfig" without quotes.

Also if you have windows xp then go to the following URL to see how to disable programs starting up with windows using the registry editor :

http://www.jsiinc.com/SUBL/tip5500/rh5550.htm

Also check the startup folder which is in start-->all programs -->startup

Other than that I would highly recommend getting AVG, whether you get the free version or the Pro version is entirely up to you !!

I personally prefer the professional version that way I have peace of mind that nothing was left out !! This can be downloaded from :

http://www.grisoft.com/us/us_dwnl7.php


as for getting rid of spyware and adware:

www.webroot.com and get a program called spy sweeper , there is also spyware blaster which you can get from www.spywareblaster.net i think, if not just search for it on www.google.com. There is also a program called adaware which can be downloaded from :

http://www.lavasoftusa.com/support/download/

I am not sure if this will help much but if you clear out all your temp files:

for windows 98 if you just right click on your C drive and go to properties, click on disk cleanup and check all the check boxes that show there is stuff to delete. Then Click on ok.

For windows ME you do the same as far as I am aware.

Windows 2000 and xp both have Temp folders as well as doing the disk cleanup. I am not familiar with 2000 but I know for xp you can type "prefetch", "cookies" and "%Temp%" (without quotes) and clear out all of the stuff in those folders. Typing %Temp% in the run dialog box will take you to "C:\windows\prefetch" as far as I know.

Also you could check your add / remove programs to see if you have any programs installed that would do something like that ?

I hope this helps !!


Make sure you turn off system restore before you run any spyware remover or anti virus software.
I remember a little gimmicky bit of software that did this (windows 3.1 days) you could also get eyes that followed the mouse around the screen

The coffee cup thing told you to take a break every so often and the "hilarious" thing was that the mouse would knock the cup over and it would spill coffee.  If this is the same thing it was completely harmless - it was called coffee cup something or other - I've probably still got it in my collection of floppies !!!
hey rayok123, any chance you can send me that coffee break thing from the floppy disk to my email address which you can find in my profile. Any other stuff that isn't a virus that is funny that you can send me would be very much appreciated !!

thanks !!

ASKER

My Hijack This log is below.  I also still have a problem with some crap called seekseek.com that I thought I was rid of, I'll open a new question and give 300 points to anyone who can help me with that too.  The computer is running Windows XP and zonealarm.

Logfile of HijackThis v1.98.2
Scan saved at 7:43:05 PM, on 8/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\jawa32.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bsqfvbcj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UsbD] C:\Documents and Settings\Salvation PC\Local Settings\Temp\Temporary Directory 1 for p_usb[1].zip\usb_d2.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [VYB] C:\WINDOWS\VYB.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
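The startup locations the replies point at (the HKLM and HKCU Run keys and the Startup folder) are exactly what the O4 lines of the log above enumerate. The script below is an added example written for this thread, not code from the thread or from HijackThis: it parses O4 lines and applies a few defender-side triage heuristics (executable launched from a Temp directory, executable dropped directly into the Windows root, a vowel-free random-looking file name, the same binary registered in both HKLM and HKCU, and a target the log reports as missing). The sample input is an excerpt copied from the posted log; the `C:\WINDOWS` root, the signal names and the heuristics themselves are assumptions of the example, and every hit is a pointer for manual verification of that file, not a verdict.

```python
"""Triage HijackThis O4 (autostart) entries with simple defender-side heuristics."""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UsbD] C:\Documents and Settings\Salvation PC\Local Settings\Temp\Temporary Directory 1 for p_usb[1].zip\usb_d2.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
"""

# Assumption: the machine's %SystemRoot% is C:\WINDOWS (true for the posted log).
WINDOWS_ROOT = r"c:\windows"
VOWELS = set("aeiou")

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# First token ending in an executable-ish extension; tolerates unquoted paths with spaces.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|scr|pif|bat|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str       # "HKLM", "HKCU" or "Startup" (the Global Startup folder)
    name: str       # registry value name or .lnk file name
    command: str    # command line exactly as logged
    path: str       # executable path extracted from the command line
    signals: list = field(default_factory=list)


def extract_path(command):
    """Return the executable path: the quoted part if quoted, else up to the first .exe-like token."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group("path") if m else command


def parse_o4(log_text):
    """Parse every O4 line (Run-key values and Startup-folder links) into AutostartEntry objects."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append(AutostartEntry(m["hive"], m["name"], m["cmd"], extract_path(m["cmd"])))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(AutostartEntry("Startup", m["name"], m["cmd"], extract_path(m["cmd"])))
    return entries


def looks_random(stem):
    """Heuristic: alphabetic file names of 5+ letters with no vowels are rarely chosen by humans."""
    return stem.isalpha() and len(stem) >= 5 and not (set(stem.lower()) & VOWELS)


def triage(log_text):
    """Attach triage signals to each entry; an empty signal list means nothing stood out."""
    entries = parse_o4(log_text)
    hives_by_path = {}
    for e in entries:
        hives_by_path.setdefault(e.path.lower(), set()).add(e.hive)
    for e in entries:
        p = e.path.lower()
        parent, _, filename = p.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if e.command.strip() == "?" or "(file missing)" in e.command.lower():
            e.signals.append("file-missing")        # dead entry: harmless but worth cleaning
        if "\\temp\\" in p or "%temp%" in p:
            e.signals.append("temp-directory")      # persistence from a scratch directory
        if parent == WINDOWS_ROOT:
            e.signals.append("windows-root")        # legitimate installers rarely drop exes here
        if looks_random(stem):
            e.signals.append("random-name")
        if {"HKLM", "HKCU"} <= hives_by_path[p]:
            e.signals.append("dual-hive")           # same binary registered in both hives
    return entries


def suspicious(log_text):
    """Map 'hive:name' to its signals for every entry that raised at least one."""
    return {f"{e.hive}:{e.name}": e.signals for e in triage(log_text) if e.signals}


if __name__ == "__main__":
    for key, signals in suspicious(SAMPLE_LOG).items():
        print(f"{key:32s} {', '.join(signals)}")
```

Entries with no signals (here the ZoneAlarm client and ctfmon.exe) are simply omitted from the report; the hits are the ones a responder would check next, for example by confirming the file's publisher and comparing it against a clean install, before touching the Run key.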

ASKER CERTIFIED SOLUTION
SheharyaarSaahil

ASKER

These lines:
http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
are for the lame ass and unhelpful comcast support agent, useless in my experience but not spyware.

Thanks for the tip on jawa32.exe
no they are not spyware,,, but the original files are missing so they are useless and just taking up space in IE buttons :)
SOLUTION
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleaning utility
I recommend Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
go to:
http://windowsupdate.microsoft.com

Then re-scan and everything should be ok
What on earth is C:\WINDOWS\System32\bsqfvbcj.exe that you have running? I'd get rid of that unless it's some process you wrote yourself.
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
are we sure this isn't a printer? HP maybe? i don't know just thought it might be

i would also like to add a word of caution here - from a guy that can crash any box

protect that registry - back it up before you start punching that delete key -
you can always delete - and delete one item at a time and if you back up the registry each time between deletes,
you always have several working copies to fall back on if one of the deletes screws something up

do the regedit and export a copy - many times it saved my butt and also serves as proof
of your starting point if needed for clients or just today as a matter of fact,
i had to prove to a DFEU 'self-proclaimed power-user' non-tech, nosy, narcissistic warehouse manager'
just how many damn trojans & dialer prgs i cleaned off his
"i can handle it, there's too many high level confidential files that you could see"  XP laptop - (translation - porn)
(he gave in after i created a form for his signature verifying that he refused me access to maintain the laptop,
just for my records, ah.. it's a warranty thing, yea... oh damn, it seems i still have a copy of that registry)
sorry, bad day

www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame

i've located nasty trojans -  by left window, left click, terminate -
and then watching the unknown pgm rename & restart themselves -
but i knew the what, the where and the how the trojan was called -
then did a search in the registry for each file and bada boom bada boom

click on the program or whatever that's running in the left hand window
and in the lower right hand box will show you what command called the program, what file was called,  version, etc.

left hand window also shows how much ram, both phy & vir it uses, its run priority, number of threads,
and more than you need, lot more info than i have ever needed,

it's simple, it's one of the first clean up programs i put on all PCs that i work on for several years now,
as far as i'm concerned, it's equal to the WRKACTJOB (*ALL) screen on an AS400

eh, sorry... i'll get off my horse now and take my medication

Hey Wileya... Completely unrelated, but have you tested the taskinfo software on an HT processor, or a multiCPU machine.  I was thinking of writing something like this myself, as typically above the standard single processor these things don't know what to do.

Thanks
K
Hi Wileya, taskinfo is not a free program, it is shareware.  If you are going to use it you should pay for it.

>www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame
kganjei
no, haven't tried it on a multi-processor box

RDAdams
yea, i know it's shareware, i paid for my version, for your information the older versions were shareware with unlimited use, i don't know if the newer versions are unlimited

ASKER

I don't know how to end this question.  The blinking sign disappeared before I did any of the above, and I don't know that it's related to any of them.  But I got a couple of good tips on processes I hadn't noticed.

SheharyaarSaahil and WillHudson I'd like to split this between you two.  Do you know how one does that?
Yes u can do that..... u can see a Split Points link above the box u type ur comments,,, hit it and then assign points for the experts according to ur wish :)
for more info. on how to close a Question, plzz refer here >> https://www.experts-exchange.com/help.jsp#hs5
A Belinea monitor has a "coffee break" function in its own push-button menu :)