Help: Possible doginhispen, whataboutadog Trojan

By lessthan
Mar 11, 2008
  1. Hello TechSpot. Earlier today I encountered a problem while online: while downloading a program I was told that the service had been reset. I then could not go into My Computer when clicking the icon. Windows also didn't shut down. I powered off the computer and then powered it back on and ran an anti-spyware (AVG) and anti-virus check which said that user32.dll, kernel32.dll, shell32.dll, ntoskrnl.exe had been changed though no updates took place (I have automatic updates off). My browser is slow and I ran HijackThis... doginhispen and whataboutadog are showing up in my trusted sites. I would really appreciate some help. Lots of thanks in advance.

    Here is my HijackThis File:
    And AWF File:
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First of all don't use internet explorer unless you have to.

    That means you need to get firefox if you don't already have it from HERE
    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.

    Warning! Do not click the links below in the quote box.
    ***Links removed after reply

    Click ok, then ok again and close IE. reboot your system.
    Post back here when you are done, I am reviewing your logs right now
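Added example (not from either poster): the Trusted Sites list that the steps above clear by hand lives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, one subkey per domain with a DWORD per scheme whose value is the zone number (2 = Trusted sites). The script below parses a `reg export` of that key and lists any domain assigned to the trusted zone that is not on an allowlist, which is a quicker way to spot entries you never added. The sample export and the .example domain names are constructed for the demo; a real export is UTF-16 with a BOM, so read the file with encoding="utf-16".

```python
import re

# Zone numbers used by the ZoneMap\Domains registry values (IE security zones).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
TRUSTED_ZONE = 2

# Key that holds per-domain zone assignments for the current user.
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample in .reg format, standing in for the output of
#   reg export "HKCU\...\ZoneMap\Domains" zonemap.reg
# The domain names are reserved .example names, not real sites.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected-site.example]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\partner.example\www]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad.example]
"http"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return a list of (host, scheme, zone) tuples from a .reg export.

    A subkey Domains\\example.com\\www stores the mapping for www.example.com,
    so the subkey components are reversed and joined with dots.
    """
    entries = []
    host = None
    prefix = DOMAINS_KEY + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.startswith(prefix):
                parts = key[len(prefix):].split("\\")
                host = ".".join(reversed(parts)).lower()
            else:
                host = None  # the Domains key itself or an unrelated key
            continue
        value_match = VALUE_RE.match(line)
        if value_match and host is not None:
            scheme, zone_hex = value_match.groups()
            entries.append((host, scheme, int(zone_hex, 16)))
    return entries


def unexpected_trusted_sites(reg_text, allowlist=()):
    """Hosts assigned to the Trusted sites zone that are not on the allowlist."""
    allowed = {h.lower() for h in allowlist}
    found = []
    for host, _scheme, zone in parse_zonemap(reg_text):
        if zone == TRUSTED_ZONE and host not in allowed and host not in found:
            found.append(host)
    return found


if __name__ == "__main__":
    for host, scheme, zone in parse_zonemap(SAMPLE_REG):
        print(f"{host:28} {scheme:6} {ZONE_NAMES.get(zone, zone)}")
    print("Unexpected trusted sites:",
          unexpected_trusted_sites(SAMPLE_REG, allowlist=["www.partner.example"]))
```

Run it against your own export by replacing SAMPLE_REG with the contents of the exported file. Anything it reports in the trusted zone that you did not put there is worth removing, since a trusted-zone site gets looser security settings in Internet Explorer than an ordinary Internet site. Machine-wide assignments can also exist under the same path in HKEY_LOCAL_MACHINE; export and check that key the same way.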
  3. lessthan

    lessthan TS Rookie Topic Starter

    Thank you for the quick reply. I've followed your instructions so far and am now using FireFox.
    Maybe I should also mention the last few problems I have had before this involved AVG guard finding: SHeur.AVT (? wrote it down, but can't read my handwriting), Obfustat.ETU, Generic 8.DHG and ProRat.256. I don't remember any of them being a problem -- they were quickly detected and removed before anything happened. But, in case it helps, I've listed them for you. Thank You.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I noticed you have AVG from your log but I didn't see a Firewall

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Online Armor
  5. lessthan

    lessthan TS Rookie Topic Starter

    I've installed a firewall. I had problems shutting down and restarting from Safe Mode. AVG detected that hosts had been changed (windows/system32/drivers/etc), though there is a backup in the same folder. The hosts file contains a bunch of sites that it says Spybot has added. doginhispen and whataboutadog no longer show up in my trusted sites anymore though... guard32.dll is a new find in HijackThis however.
    Here is the new log:
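Added example (not from either poster): a hosts file modified by a block-list tool like Spybot and one modified by malware look superficially similar, since both add many lines. The difference is the target address. Spybot points unwanted names at 127.0.0.1 or 0.0.0.0, which only makes them unreachable; an infection typically sends names such as security-vendor or update hosts to some other address so they resolve somewhere the attacker controls. The script below parses a hosts file and separates those two cases, reporting any redirect and any outside address that several names share. The sample file, its .example hostnames and the 203.0.113.9 address are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not the poster's real file). It mixes the
# default localhost line, a Spybot-style block list, and two entries that
# redirect well-known-looking names to a single outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.ad-network.example
0.0.0.0   tracker.example   # sinkholed
# End of entries inserted by Spybot - Search & Destroy

203.0.113.9 update.security-vendor.example
203.0.113.9 www.search-engine.example
"""

# Targets that make a hostname unreachable rather than sending it elsewhere.
SINKHOLES = {ipaddress.ip_address("127.0.0.1"),
             ipaddress.ip_address("0.0.0.0"),
             ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, skipping comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def classify_hosts(text):
    """Split hosts entries into benign sinkholes and suspicious redirects.

    Returns a dict with the sinkholed names, each redirect (host, target
    address, line number), and the targets that more than one name shares.
    """
    sinkholes, redirects = [], []
    targets = defaultdict(list)
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue  # the normal default entry
        if ip in SINKHOLES:
            sinkholes.append(name)
        else:
            redirects.append({"host": name, "target": str(ip), "line": line_no})
            targets[str(ip)].append(name)
    shared = {ip: names for ip, names in targets.items() if len(names) > 1}
    return {"sinkholes": sinkholes, "redirects": redirects, "shared_targets": shared}


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholes'])} sinkholed names (block list, benign)")
    for r in report["redirects"]:
        print(f"line {r['line']}: {r['host']} -> {r['target']}  REDIRECT, review")
    for ip, names in report["shared_targets"].items():
        print(f"{ip} receives {len(names)} names: {', '.join(names)}")
```

On Windows the file to feed in is C:\Windows\System32\drivers\etc\hosts (the path the poster mentions). A long list of sinkholed names inside the Spybot markers is expected after immunization; a handful of redirects to one outside address is the pattern that deserves a closer look, and restoring the backup in the same folder is the usual fix once the infection itself is gone.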
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    We haven't repaired the damage from the infection yet.

    Also I noticed that you posted your logs on a different forum under the name O0000O. Please don't receive help from 2 different sites at once. It can cause conflicts because we don't know what they are suggesting and they don't know what we suggest. So you need to pick one or the other.

    Please let me know if you would like to continue receiving advice here, or if you would prefer the other forum.
  7. lessthan

    lessthan TS Rookie Topic Starter

    Hello, again. I would definitely like to continue receiving advice from this forum. Yeah, I posted on both sites, though I was only planning on following the advice of one (which ever happened to be the quickest, of course).
    A few things...
    Comodo is showing many different connections being made through FireFox, while I only have two windows open. Svchost is also listening and making connections, though I tried looking some info up and it doesn't seem to be anything bad.
    More importantly, I ran CCleaner, SmitFraudFix, VundoFix, VirtumundoBeGone, Panda Antirootkit. Then, I ran AVG AntiVirus, Spybot S&D (both in safe mode) and they found nothing.
    Yet, I'm running Kaspersky Online Scanner right now and it has apparently found 13 Viruses. Wow, I think I need more help than I thought. I can post the details when it is completed if you want. What should I do?
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Absolutely attach the Kaspersky log here

    Also Go ahead
    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply along with a fresh HJT log
  9. lessthan

    lessthan TS Rookie Topic Starter

    Hey. Thanks.
    The viruses that Kaspersky Online Scanner detected were actually adware associated with two specific files. I downloaded the trial version of Kaspersky AntiVirus 7, ran a system scan, and removed them. So, I don't think that is a problem anymore.

    I went to follow your last instruction and TrojanHunter detected ProRat.256 when I opened FindAWF. It removed it, but when I redownloaded FindAWF I got the same warning. I ignored it, but while I was running FindAWF, TrojanHunter repeatedly kept alerting me that ProRat.256 is in memory. Is this a false positive? I finally just disabled TrojanHunter.

    Then, I recognized that these files you asked me to restore were once detected by AVG AntiVirus to have been infected. I'm almost positive that these files were put in quarantine by AVG and deleted a while ago:
    "C:\Documents and Settings\Richard\My Documents\Deamon Tools\DAEMON Tools\bak\daemon.exe"
    "C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs.ini"
    "C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs20.exe"
    "C:\Documents and Settings\Richard\My Documents\SystemClean\iISystem Wiper\bak\SystemWiper.exe"

    Is there any danger that restoring these files will come with infection? I didn't restore them.

    I also had to uninstall Comodo to put Kaspersky on my system (temporary).

    Here are new logs:
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    well daemon.exe is not an infection
    The 2 freesurfer files were known to cause false positives
    System Wiper is a program to clear the history of your activities from your computer.

    If you don't use any of these programs, we can remove them and the bak folders also

    What made you think you were infected with doginhispen whataboutadog in the first place?
  11. lessthan

    lessthan TS Rookie Topic Starter

    Yea, whatever is left of them can be removed.
    I noticed something was wrong when I had connection issues and problems shutting down Windows. Then I found that whataboutadog and doginhispen were listed in my trusted internet sites.
    Is there nothing wrong with the logs?
    If it isn't whataboutadog or doginhispen trojan, could it be a firewall issue? How did they get into my trusted sites?
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok do you want to keep Erunt - it is a program used to back up the registry. I would not recommend it. Doesn't look like you have used it in years

    Go to Start -> Control Panel -> Add/remove programs
    Select Deamon Tools Then Remove if there
    Select EMS Free Surfer Then Remove if there
    Select System Clean Then Remove if there
    Select Xen Then Remove if there
    Select Erunt Then Remove if there

    Avenger by Swandog

    • Download Avenger by Swandog and unzip it to your Desktop.

      Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the program.
    • Copy the text in the code box below and Paste it into the Input script here: box.
    Folders to delete:
    C:\Program Files\Daemon Tools
    C:\Program Files\EMS Free Surfer or C:\Program Files\Free Surfer
    C:\Program Files\System Clean
    C:\Program Files\Xen
    C:\Program Files\Erunt
    C:\Documents and Settings\Richard\My Documents\Xen
    C:\Documents and Settings\Richard\My Documents\Deamon Tools
    C:\Documents and Settings\Richard\My Documents\EMS Free Surfer
    C:\Documents and Settings\Richard\My Documents\SystemClean
    • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Attach the log back here please. (it can also be found at C:\avenger.txt)
    Clear the cache, use this method:

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
    • If desired, reset the folder options you changed in step 1.

    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.

    Warning! Do not click the links below in the quote box.
    Click ok, then ok again and close IE. reboot your system.

    After your reply I will remove the above links.

    Crap Cleaner
    • Download from HERE
    • Close all browsers.
    • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs, Also check All Advanced tabs(except for the Old prefetch Data option, this should be unticked)
    • Click the run cleaner button. Do this several times
    • Click on the registry Icon on the left panel
    • Scan for registry problems and have it fix what it finds.
    So in your next reply post the log from avenger and let me know if any of the above mentioned sites show up in the browsing history
  13. lessthan

    lessthan TS Rookie Topic Starter

    Ok. No, I don't see the sites in my browser history, though my history is cleared everyday.

    Also, are svchost.exe.mdmp and svchost.exe.hdmp normal files to have? A bunch of these two files are located in the TEMP directory under 18 different folders starting with the WER (ex: WER0e97.dir0).

    Here is the avenger log:
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The .mdmp files are an extension added to files to be sent to Microsoft. This is a compressed version of an .HDMP file. Basically when an error happens and it says would you like to send a report to Microsoft "Send" or "Dont Send" it creates these files, because they are attached to svchost it is from a svchost error. You can safely delete the contents of the temp folder.

    Same with WER = Windows Error Reporting

    Both of these are not necessary and in fact take up quite a lot of space as you may have noticed. I am listing the path to where I think you should be able to check the size, but you would have to change the name if you have other user accounts than just Richard. There should be one for each user.

    This makes me wonder though. Did you run CCleaner? I figured it would have removed those anyways.

    Oh yea, and what programs out of those were you able to uninstall through add/remove programs

    can you run Findawf again and attach the new log
  15. lessthan

    lessthan TS Rookie Topic Starter

    Hey. I can't find that path you just gave me.

    I had run CCleaner a few times over the past two days. If it is supposed to clean those directories then I don't know why it hasn't.

    I didn't remove any of them. They were already uninstalled. I think I deleted them after AVG found infections on those specific programs' executable files. Maybe FindAWF picks up those files because AVG deleted them (the executables) before I could uninstall the programs? I'm pretty sure I just ended up deleting the folders.

    FindAWF doesn't show anything anymore, but here is the AWF log anyway:
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I was playing around on Vista and found it another way. Start-> Run-> type cleanmgr when disk cleanup pops up select All users. Under the disk clean up tab at the bottom are 3 lines that can be checked.

    -Per user archived windows error reports
    -System archived windows error reports
    -System queued windows error reports

    I wasn't expecting anything to be in FindAWF but just wanted to be sure.

    I think we got everything. Check your browsing history and trusted sites and see if the websites show back up.

    Run Hijackthis again and attach the log
  17. lessthan

    lessthan TS Rookie Topic Starter

    Hey. Here is the HijackThis log:
    Hope everything looks good.
    Thank you very much for your time and help.
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I don't see an active Firewall.

    Other than that the logs look good. See my above post for recommendations on firewalls
Topic Status:
Not open for further replies.
