Doginhispen infection

Status
Not open for further replies.

th1776

I, too, am a victim of this infection. I have run all of the fifteen steps, and have attached my files. I could not get ComboFix to run (something about an illegal instruction in the 16-bit MS-DOS subsystem) so I went the dss route, and Panda Antirootkit did not detect or remove anything.

Symptoms:

Sluggish IE -- it takes almost a minute and a half to open new instances or tabs.

When I boot up and log on, I get a window with Photogallery in the title bar, and in the window a message saying "Preparing to install" and a progress bar. If I do not cancel, it goes on to ask me for the Photogallery disk, with a default browse location of "1". I have no idea what this is or where it came from, and I have no such disk. I have to cancel it three times to get it to go away.

I also get a Crash Recovery window saying "Your last session crashed. Please check and open last URLs." The only URL listed is either a.doginhispen.com, b.skitodayplease.com, or 88.80.7.66, and it can be different with every boot and logon. Sometimes after logon the window just appears out of nowhere whether I have IE open or not. Of course I do not select it.

I have installed and can run SpySweeper, SpyBot, SpyHunter, Windows Defender and AVG, and they all show something different.

Thanks in advance for help with this.
 
Download the ATF cleaner programme and save it to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Reboot into normal mode.
-------------------------------------------------------------------------------------------------------
FindAWF

Click here to download FindAWF and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab
Click on the Trusted sites icon.
Click the sites button and remove all sites from the trusted zone by selecting
them and clicking the remove button.
Once done, click ok.



Warning! Do not click the links below in the quote box.


------------------sites removed after reply-----------------------------------------------------------------------------

Click OK, then OK again and close IE. Reboot your system.

This thread is for the use of th1776 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here is the AWF file.

On the Privacy tab, sites list, there are a whole lot of sites listed that I did not put there. Did the ATF cleaner do that?

All of the sites you listed were already there because I had put them there before.
 
I just noticed that all of the zones on my IE Security tab are set to custom settings. That is new, and I did not do it myself. Could any of the diagnostic programs I ran have done this? I have temporarily disconnected the infected machine from the network and Internet while working from another machine.
 
Probably a good idea for now; we'll worry about that once we get this sorted.

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\Apoint2K\bak\Apoint.exe"
"C:\Program Files\ltmoh\bak\Ltmoh.exe"
"C:\Program Files\Protector Suite QL\bak\launcher.exe"
"C:\WINDOWS\system32\bak\00THotkey.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Intel\AMT\bak\atchk.exe"
"C:\Program Files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe"
"C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe"
"C:\Program Files\Toshiba\DualPointUtility\bak\TEDTray.exe"
"C:\Program Files\Toshiba\TAudEffect\bak\TAudEff.exe"
"C:\Program Files\Toshiba\TME3\bak\TMERzCtl.EXE"
"C:\Program Files\Toshiba\TME3\bak\TMESRV31.EXE"
"C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe"
"C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
"C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\bak\ddwmon.exe"
"C:\Program Files\Toshiba\Wireless Hotkey\bak\TosHKCW.exe"
"C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\Deckard\System Scanner\backup\DOCUME~1\Terry\LOCALS~1\Temp\bak\mcinfo_1191890596.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right-click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
    It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply along with a fresh HJT log.

This thread is for the use of th1776 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Apoint2K\bak
C:\Program Files\ltmoh\bak
C:\Program Files\Protector Suite QL\bak
C:\WINDOWS\system32\bak
C:\Program Files\CA\eTrust Antivirus\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Intel\AMT\bak
C:\Program Files\Intel\Intel Matrix Storage Manager\bak
C:\Program Files\Microsoft Office\Office12\bak
C:\Program Files\Toshiba\DualPointUtility\bak
C:\Program Files\Toshiba\TAudEffect\bak
C:\Program Files\Toshiba\TME3\bak
C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak
C:\Program Files\Toshiba\TOSCDSPD\bak
C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\bak
C:\Program Files\Toshiba\Wireless Hotkey\bak
C:\TOSHIBA\IVP\ISM\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\Deckard\System Scanner\backup\DOCUME~1\Terry\LOCALS~1\Temp\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
Run Fix AWF one more time and press 4, then press Enter.

There are also quite a few nasties in your HJT log that we will sort out when this is done.

I have to head to sleep now, I'll get back to you as soon as possible.

This thread is for the use of th1776 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
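The Fix AWF steps above work on the layout FindAWF reports: a `bak` subfolder holding the original program beside a replacement left in the parent folder. The script below is an added example, not FindAWF's code, that looks for that layout in a directory tree and reports each pair whose two copies differ by SHA-256; the sample tree it builds is constructed for demonstration, and the function names are its own.

```python
"""Scan a directory tree for the AWF layout: a folder literally named ``bak``
holding a copy of a file that also exists, with different content, one level
up.  Added example for this thread, not FindAWF's own code.  The sample tree
built below is constructed purely for demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Pair every file inside a ``bak`` folder with the same-named file in the
    parent folder.  A pair whose hashes differ matches the pattern the thread
    describes: original moved into bak, replacement left in its place."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            backup, active = d / name, d.parent / name
            if not active.is_file():
                # A backup with no active twin: worth a look, but not the AWF layout.
                hits.append({"active": None, "backup": str(backup), "differs": None})
                continue
            h_backup, h_active = sha256_of(backup), sha256_of(active)
            hits.append({"active": str(active), "backup": str(backup),
                         "active_sha256": h_active, "backup_sha256": h_backup,
                         "differs": h_backup != h_active})
    return hits


def build_sample_tree(base):
    """Constructed sample: one folder with the AWF layout, one clean folder."""
    base = Path(base)
    app = base / "Program Files" / "SomeVendor"
    (app / "bak").mkdir(parents=True)
    (app / "bak" / "tool.exe").write_bytes(b"MZ original vendor binary")
    (app / "tool.exe").write_bytes(b"MZ replaced binary")
    clean = base / "Program Files" / "Clean"
    clean.mkdir(parents=True)
    (clean / "ok.exe").write_bytes(b"MZ untouched")
    return base


def scan_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_bak_pairs(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in scan_sample():
        if hit["differs"] is None:
            label = "no active copy"
        else:
            label = "SUSPECT pair" if hit["differs"] else "same content"
        print(f"{label}: {hit['active']} <- {hit['backup']}")
```

On a real machine you would point `find_bak_pairs` at each drive root and review the `SUSPECT pair` lines before restoring anything; the differing hash is what separates a real AWF pair from an ordinary backup copy.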
 
For when you wake up. Thanks.

It is 6:40 pm or so my time (PDT). I won't be back on until around 8 am PDT.
 
Need to know what primarily this computer is used for? Is it a personal computer or a work one?

Disable the TeaTimer; you can re-enable it when we're done if you wish.
  • Run Spybot-S&D in Advanced Mode.
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer. <-- You need to do this for it to take effect.

Run Spybot and navigate to the advanced settings, where you will find Tools and Startups; disable any of the non-essential ones and then reboot again. After doing that, run Spybot again and clean whatever it finds, then run HJT again and post a log back.

Thanks

This thread is for the use of th1776 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
The computer is for work. I am a contractor who specializes in Data Architecture, Data Warehousing, and Data Modeling. I use this computer for my work. It might sound odd, but it is not easily reconfigured to its current software state.

I am still going through the System Startup settings in SpyBot, and I discovered an entry I wanted to tell you about right away.

The entry is for NvCplDaemon, RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup. The Spybot description has three different entries, the first two deal with a utility from nVidia. The description for the first entry tells me to disable the NVIDIA Driver Helper Service because it can re-enable this entry on reboot. I have done that.

Now, the third entry is the important one.

Database Status: Not required - virus, spyware, malware or other resource hog.
Value: NvCplDaemon
Filename: msmsgrs.exe

Description: Added by DLOADER-YI TROJAN!
I am turning off anything that has to do with nVidia.

Also found a description for msmmsgr.exe saying it was added by the ANNEW-FAM WORM! Note: this is not the valid MSN Messenger utility.

ctfmon.exe is also corrupted.

While I continue going through these startup entries, maybe you could tell me more about those I have just described.
 
Here is the latest HJT log.

What time zone are you in? If you don't want to answer here, how about a PM? Maybe I can adjust to it.
 

Attachments
  • hijackthis.log (14.6 KB)
I'm GMT, but I do have to work for a living; I try to fit this in around that.

Can you give me the exact file path for the msmsgrs.exe?

Can you go to Add/Remove Programs and see if there is anything there to do with Spy Sweeper?

If you don't think that you need it then get rid of it; it's on the Spyware Warrior rogue spyware list.

I have to head out for a few hours but I'll be back as soon as I can.
 
What the hell is WinBudget? SpySweeper thinks it is a Trojan.

Its files are matrix.dat and matrix.dll.
 
WinBudget is an adware Browser Helper Object. WinBudget installs itself within Internet Explorer and is launched every time you open your Internet browser.

The most common way is to uninstall Adware.WinBudget by using the "Add/Remove Programs" utility. However, as there may still be hidden Adware.WinBudget files, it's possible that Adware.WinBudget will reappear after reboot. Follow the Adware.WinBudget detection and removal methods below.

Use Windows File Search Tool to Find Adware.WinBudget Path
  • Go to Start > Search > All Files or Folders.
  • In the "All or part of the file name" section, type in "Adware.WinBudget" file name(s).
  • To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
  • When Windows finishes your search, hover over the "In Folder" of "Adware.WinBudget", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Adware.WinBudget in the following manual removal steps.

Use Registry Editor to Remove Adware.WinBudget Registry Values

  • To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
  • Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  • To delete "Adware.WinBudget" value, right-click on it and select the "Delete" option.
  • Locate and delete "Adware.WinBudget" registry entries:
Code:
0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2

Use Windows Command Prompt to Unregister Adware.WinBudget DLL Files
  • To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  • Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Adware.WinBudget DLL file is located and press the "Enter" button on your keyboard. If you don't know where Adware.WinBudget DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister "Adware.WinBudget" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, C:\Spyware-folder\> regsvr32 /u Adware.WinBudget.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
  • Search and unregister "Adware.WinBudget" DLL files: i.e. matrix.dll

Detect and Delete Other Adware.WinBudget Files
  • To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
  • Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
  • To change directory, type in "cd name_of_the_folder".
  • Once you have the file you're looking for type in "del name_of_the_file".
  • To delete a file in folder, type in "del name_of_the_file".
  • To delete the entire folder, type in "rmdir /S name_of_the_folder".
  • Select the "Adware.WinBudget" process and click on the "End Process" button to kill it.
  • Remove the "Adware.WinBudget" processes files: i.e. matrix.dll

After that boot into safe mode and do a search to see if there are any stragglers about.

This thread is for the use of th1776 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I can't find any adware.winbudget folders or files on the hard drive -- just the WinBudget folder with the matrix.dll and matrix.dat entries I mentioned, and SpySweeper can't find it anymore. A search of the registry turned up two entries, one for WinBudget and one for Adware.WinBudget. I deleted both. I found no references to any matrix files, so I deleted the WinBudget folder.

I installed a new version of Windows Live, including Windows Live Messenger, and a component called Photo Gallery (don't know if there is any relationship to the window I would see on startup). I rebooted (not necessary for the install, but I wanted to see where I was so far), and the symptoms I reported in my original post have gone away.

I do not know what has changed, but I have included a new HJT log in case there are still some other nasties in there.
 
Is there anybody home? I have posed several questions since your last response to me, and I have received absolutely no response.

Since my symptoms have disappeared, am I now persona non grata?

Let's have a positive resolution to this problem.
 
I'm sorry, I've been stuck doing overtime in work and haven't had a chance to reply.

Close all browser windows and run HJT and have it fix this entry,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Other than that I don't see anything else.

There's also no need to be sarky; I have to make a living and this doesn't pay.
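To read O2 lines like the one fixed above without eyeballing them, here is an added example (not part of HijackThis or of this reply) that parses the O2 format `O2 - BHO: <name> - {<CLSID>} - <file>` and flags orphaned registrations, unnamed BHOs, and a CLSID the thread already tied to WinBudget. The first sample line is the entry quoted above; the other lines, the all-zero placeholder CLSID and the `C:\PLACEHOLDER\...` path are constructed for demonstration.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log.  Added
example for this thread, not HijackThis code.  The first sample line is the
entry quoted in the reply; the rest are constructed, with the WinBudget CLSID
taken from the removal instructions earlier in the thread and a placeholder
path standing in for wherever its DLL actually lived."""
import re

# HJT prints BHOs as: O2 - BHO: <name> - {<CLSID>} - <file or "(no file)">
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<file>.*)$")

# CLSIDs this thread identified as adware, keyed to a short label for the report.
KNOWN_BAD_CLSIDS = {"0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2": "WinBudget adware BHO"}

SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\\PLACEHOLDER\\WinBudget\\matrix.dll
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def parse_o2(text):
    """Yield a dict (name, clsid, file) for each O2 line; other lines are skipped."""
    for raw in text.splitlines():
        m = O2_LINE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["clsid"] = entry["clsid"].upper()  # registry keys are case-insensitive
            yield entry


def assess(entry):
    """Return the reasons an O2 entry deserves attention (empty list = nothing noted)."""
    reasons = []
    if entry["clsid"] in KNOWN_BAD_CLSIDS:
        reasons.append(KNOWN_BAD_CLSIDS[entry["clsid"]])
    if entry["file"] == "(no file)":
        reasons.append("orphaned registration: DLL missing, safe to have HJT remove")
    if entry["name"] == "(no name)":
        reasons.append("unnamed BHO: legitimate add-ons normally register a name")
    return reasons


def triage_log(text):
    """Every O2 entry with its reasons, in log order."""
    return [{**e, "reasons": assess(e)} for e in parse_o2(text)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        status = "; ".join(e["reasons"]) or "no finding"
        print(f"{{{e['clsid']}}} {e['file']}\n    -> {status}")
```

An entry with an empty reasons list is only clean by these three checks; the DLL path still has to be one you recognise.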
 
OK, I used HJT to remove the entry you suggested.

Not trying to be "sarky", but I have to make a living also, and I have to do it with this computer, and I can't bill anyone for fixing it.

You still did not answer my question about AVG's avgas.exe wanting to make changes to my Hosts file. It happens more than once a day. If this is going to continue for no appropriate reason, I want to get rid of it.

If it will take a while for a response, that is OK. All I ask is, please, just let me know.
 
Can you do a print screen of the message that AVG shows you?

If you are concerned about your Hosts file and are worried about any changes that have been made to it that you yourself haven't made then we can reset it.

Please download HostsXpert.
  1. Unzip HostsXpert.zip
  2. Double click on HostsXpert.exe
  3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
  4. Click on Make Hosts Read Only to secure it against further infection.
  5. Close program when complete.
 
The next time it appears, I will do a print screen. The message comes from Spy Sweeper.

My concern is not that I do not know why software like AVG would be making changes to it. My real question is, is it legitimate for AVG to be making changes, or is this some kind of trojan activity I should be concerned about?

I have downloaded HostsXpert, but I have not run it. I am not sure you understand my question. Is it a threat that avgas.exe is wanting to make changes to my Hosts file? Recovering it because I am concerned or worried is a secondary issue. The real issue is whether or not it is expected behavior of AVG to make these changes in the first place.
 
Sometimes it can be legitimate;

for example, it will add known bad sites to your Hosts file like this:

127.0.0.1 hxxp://www.nastysite.com

That way if you were ever to have an infection that wanted you to be redirected to that site then it wouldn't be able to, because your computer would see its IP address as 127.0.0.1, which is your own computer.

Have to head to work now, but I'll edit this post if I have a chance to with something else.

EDIT:
Run Kaspersky Online Scan
Please do an online scan with Kaspersky Online Scanner. Please use Internet Explorer as it uses ActiveX.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, so click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Post the log back here. It won't clean anything but it will give us an idea if anything is lurking.
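Both of the user's questions about the Hosts file come down to telling a blocklist entry from tampering. The script below is an added example, not code from HostsXpert, AVG or Spy Sweeper: it parses a hosts file and labels each mapping as a stock entry, a parked bad name (the benign case the reply describes), an admin override to a private address, a protected update host that has been parked, or a real name sent to a foreign address. One caveat it encodes: a hosts entry carries a bare host name, so the `hxxp://` prefix in the reply is the forum's defanging convention, not something to type into the file. The protected-suffix list and the sample file are constructed; the only foreign address in the sample is the 88.80.7.66 from the poster's crash-recovery list.

```python
"""Triage a Windows hosts file: separate blocklist-style entries (a bad name
parked at the loopback address) from entries that look like tampering.
Added example for this thread, not code from HostsXpert, AVG or Spy Sweeper.
PROTECTED_SUFFIXES and SAMPLE_HOSTS are constructed for demonstration."""
import ipaddress

# Constructed allowlist: names that must resolve through DNS, never through
# hosts.  Parking or redirecting them starves a scanner of its updates.
PROTECTED_SUFFIXES = (".security-vendor.example", ".os-update.example")

# Addresses blocklisting tools use to park a name (the reply's 127.0.0.1 case).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names the stock Windows hosts file maps itself.
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# constructed sample hosts file (not taken from the poster's machine)
127.0.0.1       localhost
127.0.0.1       www.nastysite.com                # parked bad site, as in the reply
0.0.0.0         ads.tracker.example              # parked by an ad blocklist
10.0.0.12       intranet.corp.example            # admin override to a private address
127.0.0.1       update.security-vendor.example   # scanner update host parked: tampering
88.80.7.66      www.bank.example                 # real name sent to a foreign address
127.0.0.1       hxxp://www.defanged.example      # a URL is not a host name
"""


def parse_hosts(text):
    """Yield (lineno, ip, host) for every mapping.  Comments and blank lines are
    skipped; a first field that is not an IP address is not a mapping at all."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield lineno, str(ip), host.lower()


def classify(ip, host):
    """Label one mapping.  Order matters: a protected name is tampering whatever
    the address, and a malformed name is flagged before the address is judged."""
    if host in DEFAULT_NAMES:
        return "default"
    if "://" in host or "/" in host:
        return "malformed"            # schemes and paths never belong in hosts
    if host.endswith(PROTECTED_SUFFIXES):
        return "tampering-protected"  # update host parked or redirected
    if ip in SINK_ADDRESSES:
        return "blocklist"            # the benign case the reply describes
    if ipaddress.ip_address(ip).is_private:
        return "local-override"       # intranet-style admin mapping
    return "redirect"                 # real name sent to a foreign address


def triage(text):
    """One dict per mapping with its category, in file order."""
    return [{"line": n, "ip": ip, "host": host, "category": classify(ip, host)}
            for n, ip, host in parse_hosts(text)]


def hosts_needing_review(text):
    """The mappings a defender should examine before trusting the file."""
    flagged = {"tampering-protected", "redirect", "malformed"}
    return [e for e in triage(text) if e["category"] in flagged]


if __name__ == "__main__":
    for e in triage(SAMPLE_HOSTS):
        print(f"line {e['line']:>2}  {e['category']:<20} {e['ip']:<15} {e['host']}")
```

Run against `C:\WINDOWS\system32\drivers\etc\hosts`, the `blocklist` lines are what a protection tool writes and the three flagged categories are what to ask about; the sample's foreign address is taken from the poster's own report because Python's `ipaddress` counts the documentation ranges as private.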
 
I have heard that Spyhunter is not such a good choice in AV programs... just my unedumacated two cents.
 
Here is the Kaspersky report. The scan said it found 1 virus and 4 infected objects, but it did identify the troublesome objects.

I have not captured any attempts by Spy Sweeper to update the Hosts file yet. I have to be at the computer to do that, because after a minute Spy Sweeper blocks the attempt and the alert goes away. I have to actually catch it in the act, so to speak.
 
The Kaspersky log showed us that the only infections are really in the SmitfraudFix quarantines.

We can get rid of them like this:
Delete the three tools from step 10 by dragging them to the recycle bin.

Empty the recycle bin

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

Run the Kaspersky scan again and we'll see if it works.
 