TechSpot

A.doginhispen.com and his brothers

By kingsbishop
Jan 8, 2008
  1. Hello from Italy! About a.doginhispen.com, can anyone help me to delete this problem? I’ve attached the AWF file. Thanks a lot!
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi kingsbishop and welcome to techspot. =)

    I suggest you do the following before doing anything else

    Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

    Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.
    Do not copy and paste your logs, otherwise they will be removed.

    Our experts here will tend to your queries thereafter.

    Also, please provide the results of the Antirootkit scan

    After that, please do the following.

    Run FindAWF again.

    1. Press 2 then Enter. A text file named files.txt will open:

    2. Copy and paste the following text from the quote box below into the text file.
      Next, close and click Yes to save the changes.

    3. Once files.txt is saved, FindAWF does the following:
      -It attempts to terminate the process represented by each filename on the list, if running
      -Deletes the rogue file from the parent folder, if present
      -Copies the original file to the parent folder

      When done with the above, it automatically runs a new scan and opens a new log.
      Please attach this new FindAWF log in your reply, along with the requested logs from the above instructions.
    Regards,
    momok =)

    This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  3. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Thanks Momok for your help! :) Here is the new file.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You have not followed the instructions for the preliminary removal thread. Your system is not just infected with doginhispen; I would need you to continue with the removal thread instructions and post the logs.

    Run FindAWF

    1. Press 3 then Enter. A text file named folders.txt will open.

    2. Copy and paste the following text from the quote box below into the text file.
      Next, close and click Yes to save the changes.

    3. Once folders.txt is saved, FindAWF does the following:
      -It deletes the contents of the bak folders
      -Removes the bak folders

      When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply, as well as the other required logs


    Regards,
    momok =)

     
  5. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok and excuse me for my misunderstanding!
    Here are the new files: I hope it would be all right this time :)

    Regards, kingsbishop
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your system has been reinfected with the whole thing all over again. That was because you did not post your logs earlier and allow me to fix the root of the problem.

    Also, I do not know what language that is, but I cannot read your AVG log. I suspect it says no action taken. Please run AVG again properly by setting all actions to quarantine; read through the instructions carefully and follow them exactly.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
      O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
      O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [​IMG]
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    8. Reboot into normal mode and rehide your protected OS files.
    --------------------------------------------------------------
    Run FindAWF again.

    1. Press 2 then Enter. A text file named files.txt will open:

    2. Copy and paste the following text from the quote box below into the text file.
      Next, close and click Yes to save the changes.

    3. Once files.txt is saved, FindAWF does the following:
      -It attempts to terminate the process represented by each filename on the list, if running
      -Deletes the rogue file from the parent folder, if present
      -Copies the original file to the parent folder

      When done with the above, it automatically runs a new scan and opens a new log.
      Please attach this new FindAWF log in your reply.

    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log and AWF log from the above instructions as attachments into this thread.


    Regards,
    momok =)

     
  7. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    I’ve another problem. I’ve followed your instructions, but when I tried to run FindAWF again (Press 2 and copy/paste the text), the program runs and shows me on the screen:

    Error: Cannot find a process with an image named CAPONN.exe

    After this, this message appears:

    Killing PID 560 ‘tfswctrl.exe’

    I’m sure I’ve done something wrong, but where is the error?

    Thanks again, KsB
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Let's try this all over again. Remove AWF completely from your system.

    Please download FindAWF from HERE. Save the file to the Desktop and then complete the following instructions:
    1. Open the FindAWF program. If a Security Alert shows, allow the program to run.
    2. Press 1 then Enter. The scan may take a while, please be patient. When done, a text file, Find AWF report will be produced.
    3. Please remember to attach this report file in your reply along with all other required logs (ComboFix from before?).

    Regards,
    momok
     
  9. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello,
    I've downloaded FindAWF. Here is the file.


    Regards :) KsB
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Run FindAWF again.

    1. Press 2 then Enter. A text file named files.txt will open:

    2. Copy and paste the following text from the quote box below into the text file.
      Next, close and click Yes to save the changes.

    3. Once files.txt is saved, FindAWF does the following:
      -It attempts to terminate the process represented by each filename on the list, if running
      -Deletes the rogue file from the parent folder, if present
      -Copies the original file to the parent folder

      When done with the above, it automatically runs a new scan and opens a new log.
      Please attach this new FindAWF log in your reply.

    Regards,
    momok =)

     
  11. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    nothing to do...same problem with new FindAWF too.

    Error: Cannot find a process with an image named CAPONN.exe

    Killing PID 560 ‘tfswctrl.exe’

    Regards, KsB :eek:
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Are you able to run the program in safe mode?

    Regards,
    momok
     
  13. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    Done, it seems it works! Here is the file

    Regards, KsB
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Run FindAWF again in safe mode.

    1. Press 3 then Enter. A text file named folders.txt will open.

    2. Copy and paste the following text from the quote box below into the text file.
      Next, close and click Yes to save the changes.

    3. Once folders.txt is saved, FindAWF does the following:
      -It deletes the contents of the bak folders
      -Removes the bak folders

      When done with the above, it automatically runs a new scan and opens a new log.
      Please attach this new FindAWF log in your reply.

    Regards,
    momok =)

     
  15. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    here is the file

    Thanks :) KsB
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Run FindAWF

    Press 4 then Enter.

    This removes all entries from the domain zones.
    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT

    Delete the following folder:
    C:\QooBox\Quarantine\C\WINDOWS

    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

     
  17. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    it seems I am not able to send you the requested files! When I try to attach the ComboFix log, a message tells me that "You have already attached this file in thread : A.doginhispen.com and his brothers..."; also, when I try to attach the HJT log, this is the message: "hijackthis_1.log: Attachment in Progress. Can be deleted here.", but I cannot do it!


    I don't know what I can do :-(

    Regards, KsB
     
  18. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I've removed your old logs. Try reposting the logs please. Thanks.

    Regards,
    momok
     
  19. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    here are the files. I am not able to generate a report for AVG; about the last scan, AVG finds and puts in quarantine “Heuristic.Win32.Dialer” located in C:\Documents and Settings\Mario\Impostazioni locali\Temp\860680202.exe.

    Hope this can help you, thanks a lot for your patience!
    Regards, KsB
     
  20. momok

    momok TS Rookie Posts: 2,265

    Hi,

    It appears that the ComboFix log is an old log. I need you to run a new scan and post a new log. Also, please run AVG anti spyware scan again, and try saving the report once more. Let me know the results. Your system is close to clean.

    Regards,
    momok
     
  21. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Hello Momok,
    here are the files you have requested!

    Regards :) KsB
     
  22. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    1. Please download and run CCleaner via step 9 of the instructions HERE.

    2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    3. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    4. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    5. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you to read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    momok =)

     
  23. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Thanks a lot for your help and your patience Momok!
    Seems to be all right :)

    Best regards! KsB
     
  24. kingsbishop

    kingsbishop TS Rookie Topic Starter Posts: 24

    Seems I've spoken a little bit too early...
    A.doginhispen is again here...

    Regards, KsB :-(
     
  25. momok

    momok TS Rookie Posts: 2,265

    Gosh. Did you follow my instructions in the previous post? Which sites did you visit or programs did you install which caused the reinfection?

    1. Open the FindAWF program. If a Security Alert shows, allow the program to run.
    2. Press 1 then Enter. The scan may take a while, please be patient. When done, a text file, Find AWF report will be produced.
    3. Please remember to attach this report file in your reply along with all other required logs.

    Regards,
    momok =)

     
Topic Status:
Not open for further replies.
