Solved

Annoying pest on my PC

Posted on 2004-08-30
Last Modified: 2008-02-01
A couple weeks ago I started working on a computer to remove all the spyware/viruses on it.  During this process I started to get a green flashing sign that pops up in the bottom right corner of the screen reading 'Take coffee break' (note, shows a crude pixel art shape of a coffee cup instead of the word coffee).  The person who had the computer didn't know what it was, and I've never seen anything like it before.  Every once in a while it will stop briefly before starting up again.  It kind of looks like something based out of DOS instead of Windows; it's just one solid dark green color and doesn't interact with the mouse or anything else.  I won't be back on the PC until this evening, but does this sound familiar to anyone?  Any help would be appreciated, this is driving me nuts.
0
Question by:memerot
21 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Hello memerot =)

It seems that u have run most of the tools already,,,,, so from my side, there is a tool which u have to download, run and Save the LOG file,,, then paste its contents here :)

HijackThis >> http://tools.radiosplace.com/HijackThis.exe
0
 
LVL 2

Author Comment

by:memerot
Will do.  I figured that would be the first thing I need to do.  Will do so this evening.  What I had done so far was first to run AdAware, then to go to PestPatrol and scan, then manually remove any of the listed programs.  Will post my HijackThis log here this evening.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
no problem..... i'll remain in touch :)
0
 
LVL 23

Expert Comment

by:gecko_au2003
just outta curiosity, what operating system are you using? Also is there anything that starts up with windows?

to check that go to Start--> Run --> and type "msconfig" without quotes.

Also if you have windows xp then go to the following URL to see how to disable programs starting up with windows using the registry editor :

http://www.jsiinc.com/SUBL/tip5500/rh5550.htm

Also check the startup folder which is in start-->all programs -->startup

Other than that I would highly recommend getting AVG, whether you get the free version or the Pro version is entirely up to you !!

I personally prefer the professional version that way I have peace of mind that nothing was left out !! This can be downloaded from :

http://www.grisoft.com/us/us_dwnl7.php


as for getting rid of spy ware and adaware:

www.webroot.com and get a program called spy sweeper , there is also spyware blaster which you can get from www.spywareblaster.net i think, if not just search for it on www.google.com. There is also a program called adaware which can be downloaded from :

http://www.lavasoftusa.com/support/download/

I am not sure if this will help much but if you clear out all your temp files:

for windows 98 if you just right click on your C drive and go to properties, click on disk cleanup and check all the check boxes that show there is stuff to delete. Then Click on ok.

For windows ME you do the same as far as I am aware.

Windows 2000 and xp both have Temp folders as well as doing the disk cleanup. I am not familiar with 2000 but I know for xp you can type "prefetch" ,"cookies" and "%Temp%" (without quotes) and clear out all of the stuff in them folders. Typing %Temp% in the run dialog box will take you to "C:\windows\prefetch" as far as I know.

Also you could check your add / remove programs to see if you have any program that are installed that would do something like that ?

I hope this helps !!


0
 
LVL 7

Expert Comment

by:crazijoe
Make sure you turn off system restore before you run any spyware remover or anti virus software.
0
 
LVL 1

Expert Comment

by:rayok123
I remember a little gimmicky bit of software that did this (windows 3.1 days) you could also get eyes that followed the mouse around the screen

The coffee cup thing told you to take a break every so often and the "hilarious" thing was that the mouse would knock the cup over and it would spill coffee.  If this is the same thing it was completely harmless - it was called coffee cup something or other - I've probably still got it in my collection of floppies !!!
0
 
LVL 23

Expert Comment

by:gecko_au2003
hey rayok123, any chance you can send me that coffee break thing from the floppy disk to my email address which you can find in my profile. Any other stuff that isn't a virus that is funny that you can send me would be very much appreciated !!

thanks !!
0
 
LVL 2

Author Comment

by:memerot
My Hijack This log is below.  I also still have a problem with some crap called seekseek.com that I thought I was rid of, I'll open a new question and give 300 points to anyone who can help me with that too.  The computer is running Windows XP and zonealarm.

Logfile of HijackThis v1.98.2
Scan saved at 7:43:05 PM, on 8/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\jawa32.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bsqfvbcj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UsbD] C:\Documents and Settings\Salvation PC\Local Settings\Temp\Temporary Directory 1 for p_usb[1].zip\usb_d2.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [VYB] C:\WINDOWS\VYB.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

0
 
LVL 65

Accepted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 250 total points
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [VYB] C:\WINDOWS\VYB.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
=============================================

Check these lines and click on Fix Checked !!!!!
Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine, Boot into safemode and Login as Administrator
2. Delete this file if present in ur C:\Windows folder >> jawa32.exe
3. Run ur AntiVirus tool and delete all viruses it found
4. Run ur Spyware Removal tools and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.
0
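An added example, not from the thread or from HijackThis itself: a small Python triage script for HijackThis-style log lines that flags the same kinds of entries the accepted answer picked out by hand (an unnamed BHO, a missing URLSearchHook, entries whose file is missing, and autorun executables sitting directly in the Windows directory rather than under Program Files). The sample lines are constructed from the log posted above, and KNOWN_SYSTEM_EXES is an assumed allowlist; a flag is a prompt to verify the entry, not a verdict that it is malware.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the HijackThis v1.98 line format, modelled on the log posted above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
"""

# Assumption: a short allowlist of files that legitimately sit directly in the Windows
# directories; extend it for the machine being examined.
KNOWN_SYSTEM_EXES = {"ctfmon.exe", "shdocvw.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A quoted path, or an unquoted drive-letter path ending in a binary extension.
PATH_RE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>[A-Za-z]:\\.*?\.(?:exe|dll|ocx|scr|com))\b', re.I)
# A file directly in C:\WINDOWS or C:\WINDOWS\System32, with no deeper subfolder.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows\\(system32\\)?[^\\]+$", re.I)


class Finding(NamedTuple):
    line: str
    reasons: tuple


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis entry deserves a second look (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("dead entry: referenced file is missing")
    if kind == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    if kind == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook missing")
    p = PATH_RE.search(body)
    path = (p.group("q") or p.group("u")) if p else None
    if path and WINDIR_RE.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM_EXES:
        reasons.append("unrecognised executable directly in the Windows directory")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Keep only the entries that raised at least one reason, in log order."""
    findings = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line, "->", "; ".join(f.reasons))
```

Run against the full log in the thread it also flags hpzisn12.exe, which wileya below points out may be an HP printer component: that is exactly the kind of entry the allowlist exists for once it has been verified.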
 
LVL 2

Author Comment

by:memerot
These lines:
http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
are for the lame ass and unhelpful comcast support agent, useless in my experience but not spyware.

Thanks for the tip on jawa32.exe
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
no they are not spyware,,, but the original files are missing so they are useless and just taking up space in IE buttons :)
0
 
LVL 13

Assisted Solution

by:WillHudson
WillHudson earned 250 total points
tgcmd.exe is also a type of spyware, so get rid of it.
www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/
0
 
LVL 5

Expert Comment

by:Hammadian2
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleaning utility
I recommend Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
goto:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
0
 
LVL 55

Expert Comment

by:andyalder
What on earth is C:\WINDOWS\System32\bsqfvbcj.exe that you have running? I'd get rid of that unless it's some process you wrote yourself.
0
 
LVL 4

Expert Comment

by:wileya
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
are we sure this isn't a printer? HP maybe? i don't know just thought it might be

i would also like to add a word of caution here - from a guy that can crash any box

protect that registry - back it up before you start punching that delete key -
you can always delete - and delete one item at a time and if you backup the registry each time between deletes,
you always have several working copies to fall back on if one of the deletes screws something up

do the regedit and export a copy - many times it saved my butt and also serves as proof
of your starting point if needed for clients or just today as a matter of fact,
i had to prove to a DFEU 'self-proclaimed power-user' non-tech, nosy, narcissistic warehouse manager'
just how many damn trojans & dialer prgs i cleaned off his
"i can handle it, there's too many high level confidential files that you could see"  XP laptop - (translation - porn)
(he gave in after i created a form for his signature verifying that he refused me access to maintenance the laptop,
just for my records, ah.. its a warranty thing, yea... oh damn, it seems i still have a copy of that registry)
sorry, bad day

www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame

i've located nasty trojans -  by left window, left click, terminate -
and then watching the unknown pgm rename & restart themselves -
but i knew the what, the where and the how the trojan was called -
then did a search in the registry for each file and bada boom bada boom

click on the program or whatever that's running in the left hand window
and in the lower right hand box will show you what command called the program, what file was called,  version, etc.

left hand window also shows how much ram, both phy & vir it uses, its run priority, number of threads,
and more than you need, lot more info than i have ever needed,

it's simple, it's one of the first clean up programs i put on all PCs that i work on for several years now,
as far as i'm concerned, it's equal to the WRKACTJOB (*ALL) screen on an AS400

eh, sorry... i'll get off my horse now and take my medication
0
 
LVL 2

Expert Comment

by:kganjei
Hey Wileya... Completely unrelated, but have you tested the taskinfo software on an HT processor, or a multiCPU machine.  I was thinking of writing something like this myself, as typically above the standard single processor these things don't know what to do.

Thanks
K
0
 
LVL 17

Expert Comment

by:RDAdams
Hi Wileya taskinfo is not a free program it is shareware.  If you are going to use it you should pay for it.

>www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame
0
 
LVL 4

Expert Comment

by:wileya
kganjei
no, haven't tried it on a multi-processor box

RDAdams
yea, i know it's shareware, i paid for my version, for your information the older versions were shareware with unlimited use, i don't know if the newer versions are unlimited
0
 
LVL 2

Author Comment

by:memerot
I don't know how to end this question.  The blinking sign disappeared before I did any of the above, and I don't know that it's related to any of them.  But I got a couple of good tips on processes I hadn't noticed.

SheharyaarSaahil and WillHudson I'd like to split this between you two.  Do you know how one does that?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Yes u can do that..... u can see a Split Points link above the box u type ur comments,,, hit it and then assign points for the experts according to ur wish :)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5
0
 

Expert Comment

by:zoltankis
A Belinea monitor has a "coffee break" function in its own push-button menu :)
0
