TechSpot

Another aboutadog, and adoginhispen

By whosurpopi
Dec 11, 2007
  1. Hi, I am new to this forum, and not what you would call a "computer guy".
    When the Cowboys played the Packers on the NFL Network, which I don't have, I panicked and found a website that provided free streaming video of the game from Denmark. Needless to say, that turned out to be a poor decision on my part, but a couple of days later I noticed aboutadog and adoginhispen in my history. I did a quick search and found this site, which detailed what it is. I promptly downloaded the Avast security and ZoneAlarm firewall that you suggested to somebody else, and they have both stopped showing up in my history. My computer seems fine, but my eBay email account was hacked, so now I am very nervous about what else they might have gotten, and whether they are done getting anything else. Any help would be appreciated.
    Steve
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi whosurpopi and welcome to techspot. =)

    I suggest you do the following before doing anything else.

    Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

    Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
    Follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Anti-Spyware and ComboFix logs as attachments in this thread.
    Do not copy and paste your logs; if you do, they will be removed.

    Our experts here will tend to your queries thereafter.

    Also, please provide the results of the anti-rootkit scan.


    Regards,
    momok =)

    This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  3. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Scans are attached

    I had two logs from ComboFix, one regular and one for quarantined items.
    The Panda anti-rootkit scan found nothing, and I am having no symptoms.
     


  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions into Notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
      R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
      O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
      O4 - Global Startup: VersionTrackerPro.lnk = ?
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O15 - Trusted Zone: *.doginhispen.com

      Close HJT.

    4. Navigate in Windows Explorer and delete the following file:

      C:\WINDOWS\Installer\{C1EDC38F-2760-4A4E-9CED-95B53024134C}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe

    5. Reboot into normal mode and re-hide your protected OS files.
    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments in this thread. Do not copy and paste the logs.


    Regards,
    momok =)

    This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
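    As an added example (not part of this thread, of HijackThis, or of anything the helpers posted), here is a small Python parser that reads HijackThis entries like the ones listed in the step above and flags the patterns being fixed: orphaned "(no file)" registrations, unnamed BHOs, startup items with an unresolvable target, the IE policy key, and Trusted Zone additions. The sample log is constructed from the lines quoted above plus one benign "Example Helper" BHO line whose GUID and path are placeholders, included only to show an entry that is not flagged.

```python
import re

# Constructed sample: the HijackThis entries quoted in the post above, plus one
# constructed benign BHO line (placeholder name, GUID and path) that should not be flagged.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - Global Startup: VersionTrackerPro.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.doginhispen.com
"""

# One HijackThis entry: a section code (R3, O2, O15, ...), " - ", then the detail text.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<detail>.+)$")


def parse_hjt(text):
    """Return one {'section', 'detail', 'raw'} dict per recognised log line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m["section"], "detail": m["detail"], "raw": line})
    return entries


def review_entry(entry):
    """Return the reasons this entry deserves a look (an empty list means nothing noted)."""
    section, detail = entry["section"], entry["detail"]
    reasons = []
    if detail.endswith("(no file)"):
        reasons.append("registered component whose file no longer exists (orphaned registration)")
    if section == "O2" and detail.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if section == "O4" and detail.endswith("= ?"):
        reasons.append("startup item whose target cannot be resolved")
    if section == "O6":
        reasons.append("Internet Explorer policy restriction key is present")
    if section == "O15":
        reasons.append("domain placed in the IE Trusted Zone, which relaxes security settings for it")
    return reasons


def review_hjt(text):
    """Map each flagged raw line to its reasons; lines with nothing noted are omitted."""
    findings = {}
    for entry in parse_hjt(text):
        reasons = review_entry(entry)
        if reasons:
            findings[entry["raw"]] = reasons
    return findings


if __name__ == "__main__":
    for raw, reasons in review_hjt(SAMPLE_HJT_LOG).items():
        print(raw)
        for reason in reasons:
            print("    -", reason)
```

    The flags are only hints for a human reviewer: an orphaned "(no file)" entry is harmless clutter on its own, while an O15 Trusted Zone entry for a domain the user never added is the line that actually points at the infection discussed in this thread.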
     
  5. whosurpopi

    whosurpopi TS Rookie Topic Starter

    New scans

    Here is the latest. I tried to use ComboFix again, but I wasn't able to, so I used Deckard.
     
  6. momok

    momok TS Rookie Posts: 2,265

    Have HijackThis fix the following entries:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    Apart from that, your logs look fine to me. Are there any malware related issues you are facing?

    Regards,
    momok
     
  7. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Newest log

    I only have one issue with the computer that started after getting the logs yesterday, but I doubt it's malware. Every time I open Explorer, I get a message for TotalAccess core applications, and when I click to continue, it tells me "The path is not found", and I have to cancel out.
     
  8. momok

    momok TS Rookie Posts: 2,265

    That log looks clean to me. I'm not quite sure why you are facing that error message. I do know that it is related to your Earthlink TotalAccess software so you should probably contact your ISP for help on that.
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  10. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Thank you for all your help, I think I am done here now.
     
  11. baros1954

    baros1954 Banned Posts: 37

    Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  12. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Why start over?

    I have been told by momok that everything looked good, so why redo the scans when I have no symptoms and nothing in my other logs?
     
  13. baros1954

    baros1954 Banned Posts: 37

    Of course it's completely up to you, but the appearance of the O15 - Trusted Zone: *.doginhispen.com entry in your HJT log is a dead giveaway of the Downloader.Agent.awf infection. Unless you run and post the requested log file, there's no way that anyone can say the infection is gone. This is due to the fact that the infection uses legit file names and therefore just looking won't help.

    Believe me, I have a lot of experience with this particular infection and only the FindAWF programme will reveal its existence fully.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That entry isn't in his final clean log. I'm no expert though.
     
  15. baros1954

    baros1954 Banned Posts: 37

    Yes mate, you're quite right, but that doesn't mean the infection isn't still there. Look at his ComboFix log in post #3, particularly under the AWF heading, and you'll see lots of bak entries, as below.

    ----a-w 49,152 2004-05-25 13:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe
    ----a-w 851,968 2004-07-20 13:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe
    ----a-w 180,269 2005-03-16 19:59:35 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 155,648 2003-10-14 14:22:30 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
    ----a-w 58,992 2005-03-23 20:34:32 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
    ----a-w 32,768 2003-11-01 03:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
    ----a-w 942,080 2005-09-01 19:24:56 C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe
    ----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\bak\iTunesHelper.exe
    ----a-w 267,048 2007-11-02 23:36:42 C:\Program Files\iTunes\iTunesHelper.exe
    ----a-w 75,520 2006-12-15 08:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe
    ----a-w 57,344 2004-01-16 10:04:08 C:\Program Files\Lexmark 4200 Series\bak\lxbmbmgr.exe
    ----a-w 151,552 2004-01-22 15:59:10 C:\Program Files\Lexmark 4200 Series\Fax\bak\fm3032.exe
    ----a-w 200,704 2003-06-18 20:00:00 C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe
    ----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe
    ----a-w 40,960 2004-04-14 19:04:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe
    ----a-w 57,393 2004-04-14 18:46:50 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe
    ----a-w 100,056 2006-01-31 01:16:26 C:\Program Files\SymNetDrv\bak\SNDMon.exe
    ----a-w 111,840 2007-12-02 22:19:32 C:\Program Files\SymNetDrv\SNDMon.exe
    ----a-w 212,992 2002-09-13 20:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
    ----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 118,784 2004-08-20 23:51:14 C:\WINDOWS\system32\bak\hkcmd.exe
    ----a-w 155,648 2004-08-20 23:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
    ----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

    That is the AWF infection. BTW: my name is Howard :)
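    As an added example (not part of this thread and not FindAWF's own code), here is a Python script that reads ComboFix lines in the format shown above and pairs each file under a bak folder with the same-named file one level up, the pattern Howard describes: the bak copy is the displaced original, and the live copy beside it is the replacement. The sample input is a constructed subset of the lines quoted in this post; the pairing folds case so that qttask.exe and QTTask.exe match, and a bak entry with no live twin in the excerpt is reported rather than dropped.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the ComboFix "AWF" section lines quoted in the post above.
SAMPLE_COMBOFIX_LINES = r"""
----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe
----a-w 100,056 2006-01-31 01:16:26 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 111,840 2007-12-02 22:19:32 C:\Program Files\SymNetDrv\SNDMon.exe
----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
"""

# attribute flags, byte size with thousands separators, date, time, full Windows path
LINE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)


def parse_combofix(text):
    """Return one {'size', 'stamp', 'path'} dict per file line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "size": int(m["size"].replace(",", "")),
                "stamp": f"{m['date']} {m['time']}",
                "path": PureWindowsPath(m["path"]),
            })
    return entries


def pair_bak_entries(entries):
    """Match each file inside a 'bak' folder with the same-named file in the parent folder.

    Keys are lower-cased because NTFS paths are case-insensitive (qttask.exe == QTTask.exe).
    """
    bak, live = {}, {}
    for e in entries:
        p = e["path"]
        if p.parent.name.lower() == "bak":
            bak[(str(p.parent.parent).lower(), p.name.lower())] = e
        else:
            live[(str(p.parent).lower(), p.name.lower())] = e

    report = []
    for key, original in bak.items():
        replacement = live.get(key)
        if replacement is None:
            status = "bak copy present; live copy not in this excerpt"
        elif replacement["size"] != original["size"]:
            status = "live copy differs in size from the backed-up original"
        else:
            status = "same size; compare hashes on disk before trusting it"
        report.append({
            "original": str(original["path"]),
            "live": str(replacement["path"]) if replacement else None,
            "status": status,
        })
    return sorted(report, key=lambda r: r["original"].lower())


if __name__ == "__main__":
    for row in pair_bak_entries(parse_combofix(SAMPLE_COMBOFIX_LINES)):
        print(f"{row['original']}\n    live: {row['live']}\n    {row['status']}")
```

    A size mismatch (iTunesHelper.exe, SNDMon.exe) is the easy case; the QuickTime pair shows why size alone is not enough, since the replacement can be the same length as the original, and only a hash comparison of the two files on disk settles it.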
     
  16. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Newest bak logs

    Do you see anything here that would concern you?
     
  17. baros1954

    baros1954 Banned Posts: 37

    Yes, you definitely have the AWF infection just as I said. Please do the following.

    Double-click FindAWF.exe to start the tool. Then, do the following.
    Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
     
  18. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Here is the next one

    Let's try this.
     
  19. baros1954

    baros1954 Banned Posts: 37

    Please double-click the FindAWF icon once again.
    This time we are going to remove some folders.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:
    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log.
     
  20. momok

    momok TS Rookie Posts: 2,265

    Thanks for helping. I wouldn't have found out about this peculiarity of this infection otherwise because I've been away from malware fixing for so many months. =)
     
  21. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Another log

    How are we looking now?
     
  22. baros1954

    baros1954 Banned Posts: 37

    There are still three entries left to do.

    Double-click FindAWF.exe to start the tool. Then, do the following.
    Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
     
  23. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Here is the next one

    Let me know.
     
  24. baros1954

    baros1954 Banned Posts: 37

    Please double-click the FindAWF icon once again.
    This time we are going to remove some folders.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log.
     
  25. whosurpopi

    whosurpopi TS Rookie Topic Starter

    Here it is

    Here is the latest.
     