Annoying pest on my PC

A couple weeks ago I started working on a computer to remove all the spyware/viruses on it.  During this process I started to get a green flashing sign that pops up in the bottom right corner of the screen reading 'Take coffee break' (note, shows a crude pixel art shape of a coffee cup instead of the word coffee).  The person who had the computer didn't know what it was, and I've never seen anything like it before.  Every once in a while it will stop briefly before starting up again.  It kind of looks like something based out of DOS instead of Windows, it's just one solid dark green color and doesn't interact with the mouse or anything else.  I won't be back on the PC until this evening, but does this sound familiar to anyone?  Any help would be appreciated, this is driving me nuts.
Asked by: memerot
 
SheharyaarSaahil Commented:
Hello memerot =)

It seems that u have run most of the tools already,,,,, so from my side, there is a tool which u have to download, run and Save the LOG file,,, then paste its contents here :)

HijackThis >> http://tools.radiosplace.com/HijackThis.exe
 
memerot (Author) Commented:
Will do.  I figured that would be the first thing I need to do.  Will do so this evening.  What I had done so far was first to run AdAware, then to go to PestPatrol and scan, then manually remove any of the listed programs.  Will post my HijackThis log here this evening.
 
SheharyaarSaahil Commented:
no problem..... i'll remain in touch :)
 
gecko_au2003 Commented:
just outta curiosity, what operating system are you using? Also is there anything that starts up with windows?

to check that go to Start--> Run --> and type "msconfig" without quotes.

Also if you have windows xp then go to the following URL to see how to disable programs starting up with windows using the registry editor :

http://www.jsiinc.com/SUBL/tip5500/rh5550.htm

Also check the startup folder which is in start-->all programs -->startup

Other than that I would highly recommend getting AVG, whether you get the free version or the Pro version is entirely up to you !!

I personally prefer the professional version that way I have peace of mind that nothing was left out !! This can be downloaded from :

http://www.grisoft.com/us/us_dwnl7.php


as for getting rid of spy ware and adaware:

www.webroot.com and get a program called spy sweeper , there is also spyware blaster which you can get from www.spywareblaster.net i think, if not just search for it on www.google.com. There is also a program called adaware which can be downloaded from :

http://www.lavasoftusa.com/support/download/

I am not sure if this will help much but if you clear out all your temp files:

for windows 98 if you just right click on your C drive and go to properties, click on disk cleanup and check all the check boxes that show there is stuff to delete. Then Click on ok.

For windows ME you do the same as far as I am aware.

Windows 2000 and xp both have Temp folders as well as doing the disk cleanup. I am not familiar with 2000 but I know for xp you can type "prefetch" ,"cookies" and "%Temp%" (without quotes) and clear out all of the stuff in them folders. Typing %Temp% in the run dialog box will take you to "C:\windows\prefetch" as far as I know.

Also you could check your add / remove programs to see if you have any programs that are installed that would do something like that ?

I hope this helps !!


 
crazijoe Commented:
Make sure you turn off system restore before you run any spyware remover or anti virus software.
 
rayok123 Commented:
I remember a little gimmicky bit of software that did this (windows 3.1 days) you could also get eyes that followed the mouse around the screen

The coffee cup thing told you to take a break every so often and the "hilarious" thing was that the mouse would knock the cup over and it would spill coffee.  If this is the same thing it was completely harmless - it was called coffee cup something or other - I've probably still got it in my collection of floppies !!!
 
gecko_au2003 Commented:
hey rayok123, any chance you can send me that coffee break thing from the floppy disk to my email address which you can find in my profile. Any other stuff that isn't a virus that is funny that you can send me would be very much appreciated !!

thanks !!
 
memerot (Author) Commented:
My Hijack This log is below.  I also still have a problem with some crap called seekseek.com that I thought I was rid of, I'll open a new question and give 300 points to anyone who can help me with that too.  The computer is running Windows XP and zonealarm.

Logfile of HijackThis v1.98.2
Scan saved at 7:43:05 PM, on 8/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\jawa32.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bsqfvbcj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UsbD] C:\Documents and Settings\Salvation PC\Local Settings\Temp\Temporary Directory 1 for p_usb[1].zip\usb_d2.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [VYB] C:\WINDOWS\VYB.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

 
SheharyaarSaahil Commented:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3C8D460D-9446-5E97-8756-64550DA77D41} - C:\WINDOWS\System32\qrlty.dll
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [VYB] C:\WINDOWS\VYB.exe
O4 - HKLM\..\Run: [WkTGu] C:\WINDOWS\sfbvcj.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
=============================================

Check these lines and click on Fix Checked !!!!!
Then Disable ur Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine, Boot into Safe Mode and Login as Administrator
2. Delete this file if present in ur C:\Windows folder >> jawa32.exe
3. Run ur AntiVirus tool and delete all viruses it found
4. Run ur Spyware Removal tools and delete everything they detect
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.
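
Added example, not part of the original thread: a Python pass over an excerpt of the HijackThis log posted above that lists O4 Run-key autostarts whose image sits directly in C:\WINDOWS or System32, or runs from a Temp directory, and marks which of them are currently running. The function names and the KNOWN_GOOD allowlist are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, normcase

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\jawa32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bsqfvbcj.exe

O4 - HKLM\..\Run: [UsbD] C:\Documents and Settings\Salvation PC\Local Settings\Temp\Temporary Directory 1 for p_usb[1].zip\usb_d2.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
O4 - HKCU\..\Run: [Ygsbfc] C:\WINDOWS\System32\bsqfvbcj.exe
"""

# Groups: hive, value name, image path (quoted or unquoted, up to the first ".exe").
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] "?([^"]*?\.exe)', re.I)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: a tiny illustrative allowlist; a real one would be built per OS image.
KNOWN_GOOD = {"ctfmon.exe"}

def running_processes(log):
    """Return the normalised image paths listed under 'Running processes:'."""
    procs, in_section = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
        elif in_section and not line.strip():
            break  # a blank line ends the section
        elif in_section:
            procs.add(normcase(line.strip()))
    return procs

def triage_run_entries(log):
    """Return Run-key autostarts that deserve a closer look, with reasons."""
    running, leads = running_processes(log), []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, value, image = m.group(1), m.group(2), normcase(m.group(3))
        reasons = []
        if dirname(image) in SYSTEM_DIRS and basename(image) not in KNOWN_GOOD:
            reasons.append("image sits directly in the Windows or System32 directory")
        if "\\temp\\" in image:
            reasons.append("image runs from a Temp directory")
        if reasons:
            leads.append({"hive": hive, "value": value, "image": image,
                          "running": image in running, "reasons": reasons})
    return leads
```

The result is a list of leads to check by hand, not verdicts: file location alone does not make an entry malicious.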
 
memerot (Author) Commented:
These lines:
http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
are for the lame ass and unhelpful comcast support agent, useless in my experience but not spyware.

Thanks for the tip on jawa32.exe
 
SheharyaarSaahil Commented:
no they are not spyware,,, but the original files are missing so they are useless and just taking up space in IE buttons :)
 
WillHudson Commented:
tgcmd.exe is also a type of spyware, so get rid of it.
www.liutilities.com/products/wintaskspro/processlibrary/tgcmd/
 
Hammadian2 Commented:
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleaning utility
I recommend Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
goto:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
 
andyalder (Saggar makers bottom knocker) Commented:
What on earth is C:\WINDOWS\System32\bsqfvbcj.exe that you have running? I'd get rid of that unless it's some process you wrote yourself.
 
wileya Commented:
O4 - HKCU\..\Run: [hpzisn12] C:\WINDOWS\System32\hpzisn12.exe
are we sure this isn't a printer? HP maybe? i don't know just thought it might be

i would also like to add a word of caution here - from a guy that can crash any box

protect that registry - back it up before you start punching that delete key -
you can always delete - and delete one item at a time and if you back up the registry each time between deletes,
you always have several working copies to fall back on if one of the deletes screws something up

do the regedit and export a copy - many times it saved my butt and also serves as proof
of your starting point if needed for clients or just today as a matter of fact,
i had to prove to a DFEU 'self-proclaimed power-user' non-tech, nosy, narcissistic warehouse manager'
just how many damn trojans & dialer prgs i cleaned off his
"i can handle it, there's too many high level confidential files that you could see"  XP laptop - (translation - porn)
(he gave in after i created a form for his signature verifying that he refused me access to maintenance the laptop,
just for my records, ah.. it's a warranty thing, yea... oh damn, it seems i still have a copy of that registry)
sorry, bad day

www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame

i've located nasty trojans -  by left window, left click, terminate -
and then watching the unknown pgm rename & restart themselves -
but i knew the what, the where and the how the trojan was called -
then did a search in the registry for each file and bada boom bada boom

click on the program or whatever that's running in the left hand window
and in the lower right hand box will show you what command called the program, what file was called,  version, etc.

left hand window also shows how much ram, both phy & vir it uses, its run priority, number of threads,
and more than you need, lot more info than i have ever needed,

it's simple, it's one of the first clean up programs i put on all PCs that i work on for several years now,
as far as i'm concerned, its equal to the WRKACTJOB (*ALL) screen on an AS400

eh, sorry... i'll get off my horse now and take my medication




 
kganjei Commented:
Hey Wileya... Completely unrelated, but have you tested the taskinfo software on an HT processor, or a multiCPU machine.  I was thinking of writing something like this myself, as typically above the standard single processor these things don't know what to do.

Thanks
K
 
RDAdams Commented:
Hi Wileya taskinfo is not a free program it is shareware.  If you are going to use it you should pay for it.

>www.iarsn.com has a free program called taskinfo - it puts windows task manager to shame
 
wileya Commented:
kganjei
no, haven't tried it on a multi-processor box

RDAdams
yea, i know it's shareware, i paid for my version, for your information the older versions were shareware with unlimited use, i don't know if the newer versions are unlimited
 
memerot (Author) Commented:
I don't know how to end this question.  The blinking sign disappeared before I did any of the above, and I don't know that it's related to any of them.  But I got a couple of good tips on processes I hadn't noticed.

SheharyaarSaahil and WillHudson I'd like to split this between you two.  Do you know how one does that?
 
SheharyaarSaahil Commented:
Yes u can do that..... u can see a Split Points link above the box u type ur comments,,, hit it and then assign points for the experts according to ur wish :)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5
 
zoltankis Commented:
A Belinea monitor has a "coffee break" function in its own push-button menu :)