Help: Possible doginhispen, whataboutadog Trojan

Status
Not open for further replies.

lessthan

Hello TechSpot. Earlier today I encountered a problem while online: while downloading a program I was told that the service had been reset. I then could not go into My Computer when clicking the icon. Windows also didn't shut down. I powered off the computer and then powered it back on and ran an anti-spyware (AVG) and anti-virus check with AVG...it said that user32.dll, kernel32.dll, shell32.dll, ntoskrnl.exe had been changed though no updates took place (I have automatic updates off). My browser is slow and I ran HijackThis...doginhispen and whataboutadog are showing up in my trusted sites. I would really appreciate some help. Lots of thanks in advance.

Here is my HijackThis File:
And AWF File:
 
First of all don't use internet explorer unless you have to.

That means you need to get firefox if you don't already have it from HERE
--------------------------------------------------------------------------------------------------------------
Next
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
-------------------------------------------------------------------------------------------------------------
Open Internet Explorer

click tools -> internet options.

Click the Security tab
Click on the Trusted sites icon.
Click the sites button and remove all sites from the trusted zone by selecting
them and clicking the remove button.
Once done, click ok.

Warning! Do not click the links below in the quote box.
Then, click the privacy tab and click the sites button. In the address bar type

removed and click the Block button. Do this for
removed and removed and removed as well.
***Links removed after reply

Click ok, then ok again and close IE. reboot your system.
-------------------------------------------------------------------------------------------------------
Post back here when you are done, I am reviewing your logs right now
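The Trusted Sites entries the helper is removing above (the O15 entries that DelO15Domains.inf deletes) live in the ZoneMap part of the registry. The following read-only PowerShell script is an added example, not from this thread or from any of the tools named in it: it lists every host the current user's (and the machine-wide) ZoneMap assigns to zone 2, Trusted sites, so the entries can be verified before and after the clean-up.

```powershell
# Added example: enumerate Internet Explorer ZoneMap entries and report those
# placed in the Trusted Sites zone (zone 2). Read-only; it changes nothing.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    # Each key under Domains is a registered domain; an optional subkey is a host
    # label (for example "www"); each value name is a scheme ("http", "https", "*")
    # and its DWORD data is the zone number.
    foreach ($domainKey in Get-ChildItem -Path $Root) {
        $keys = @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)
        foreach ($key in $keys) {
            if ($key.PSPath -eq $domainKey.PSPath) {
                $label = $domainKey.PSChildName
            } else {
                $label = '{0}.{1}' -f $key.PSChildName, $domainKey.PSChildName
            }
            foreach ($scheme in $key.GetValueNames()) {
                $zone = $key.GetValue($scheme)
                if ($null -eq $zone) { continue }
                [pscustomobject]@{
                    Host     = $label
                    Scheme   = $scheme
                    Zone     = [int]$zone
                    ZoneName = $zoneNames[[int]$zone]
                    Source   = $Root
                }
            }
        }
    }
}

$entries = $roots | ForEach-Object { Get-ZoneMapEntries -Root $_ }
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })
if ($trusted.Count -gt 0) {
    "Hosts mapped to the Trusted Sites zone:"
    $trusted | Format-Table Host, Scheme, Source -AutoSize
} else {
    "No hosts are mapped to the Trusted Sites zone."
}
```

Any host listed that the user did not add deliberately is what the DelO15Domains.inf step and the Trusted sites dialog above are meant to clear.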
 
Thank you for the quick reply. I've followed your instructions so far and am now using FireFox.
Maybe I should also mention the last few problems I have had before this involved AVG guard finding: SHeur.AVT(? wrote it down, but can't read my handwriting), Obfustat.ETU, Generic 8.DHG and ProRat.256. I don't remember any of them being a problem -- they were quickly detected and removed before anything happened. But, in case it helps, I've listed them for you. Thank You.
 
I noticed you have AVG from your log but I didn't see a Firewall

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm
 
I've installed a firewall. I had problems shutting down and restarting from Safe Mode. AVG detected that hosts had been changed (windows/system32/drivers/etc), though there is a backup in the same folder. The hosts file contains a bunch of sites that it says Spybot has added. doginhispen and whataboutadog no longer show up in my trusted sites though...guard32.dll is a new find in HijackThis however.
Here is the new log:
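For the hosts file change AVG reported in the post above, the following PowerShell script is an added example, not from this thread: it classifies each hosts entry as a block entry (the Spybot immunisation style, where an unwanted site is pointed at a loopback or unspecified address) or a redirect (a real site pointed somewhere else, the hijack pattern) and prints the redirects for review. The default path assumes the standard Windows location.

```powershell
# Added example: triage the Windows hosts file. Block entries point names at
# 127.0.0.1 / 0.0.0.0 / ::1; anything else mapped to a non-default name is a
# redirect and deserves a look (security vendors, update sites, banks).
function Get-HostsFileReport {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    $blackholes = @('127.0.0.1', '0.0.0.0', '::1')
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()      # drop trailing comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }         # address with no names
        $address = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -eq 'localhost' -or $name -eq 'localhost.localdomain') {
                $kind = 'default'
            } elseif ($blackholes -contains $address) {
                $kind = 'block'
            } else {
                $kind = 'REDIRECT'
            }
            [pscustomobject]@{ Line = $lineNo; Address = $address; Host = $name; Kind = $kind }
        }
    }
}

$report = @(Get-HostsFileReport)
$blocks    = @($report | Where-Object { $_.Kind -eq 'block' })
$redirects = @($report | Where-Object { $_.Kind -eq 'REDIRECT' })
"{0} block entries, {1} redirect entries" -f $blocks.Count, $redirects.Count
$redirects | Format-Table Line, Address, Host -AutoSize
```

A long list of block entries alone is consistent with the immunisation the user mentions; it is the redirect rows, if any, that indicate tampering.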
 
We haven't repaired the damage from the infection yet.

Also I noticed that you posted your logs on a different forum under the name O0000O . Please don't receive help from 2 different sites at once. It can cause conflicts because we don't know what they are suggesting and they don't know what we suggest. So you need to pick one or the other.

Please let me know if you would like to continue receiving advice here, or if you would prefer the other forum.
 
Hello, again. I would definitely like to continue receiving advice from this forum. Yeah, I posted on both sites, though I was only planning on following the advice of one (whichever happened to be the quickest, of course).
A few things...
Comodo is showing many different connections being made through FireFox, while I only have two windows open. Svchost is also listening and making connections, though I tried looking some info up and it doesn't seem to be anything bad.
More importantly, I ran CCleaner, SmitFraudFix, VundoFix, VirtumundoBeGone, Panda Antirootkit. Then, I ran AVG AntiVirus, Spybot S&D (both in Safe Mode) and they found nothing.
Yet, I'm running Kaspersky Online Scanner right now and it has apparently found 13 Viruses. Wow, I think I need more help than I thought. I can post the details when it is completed if you want. What should I do?
 
Absolutely attach the Kaspersky log here

Also Go ahead
Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Documents and Settings\Richard\My Documents\Deamon Tools\DAEMON Tools\bak\daemon.exe"
"C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs.ini"
"C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs20.exe"
"C:\Documents and Settings\Richard\My Documents\SystemClean\iISystem Wiper\bak\SystemWiper.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach AWF.txt file in your next reply along with a fresh HJT log
 
Hey. Thanks.
The viruses that Kaspersky Online Scanner detected were actually adware associated with two specific files. I downloaded the trial version of Kaspersky AntiVirus 7, ran a system scan, and removed them. So, I don't think that is a problem anymore.

I went to follow your last instruction and TrojanHunter detected ProRat.256 when I opened FindAWF. It removed it, but when I redownloaded FindAWF I got the same warning. I ignored it, but while I was running FindAWF, TrojanHunter repeatedly kept alerting me that ProRat.256 is in memory. Is this a false positive? I finally just disabled TrojanHunter.

Then, I recognized that these files you asked me to restore were once detected by AVG AntiVirus to have been infected. I'm almost positive that these files were put in quarantine by AVG and deleted a while ago:
"C:\Documents and Settings\Richard\My Documents\Deamon Tools\DAEMON Tools\bak\daemon.exe"
"C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs.ini"
"C:\Documents and Settings\Richard\My Documents\EMS Free Surfer\Free Surfer\bak\fs20.exe"
"C:\Documents and Settings\Richard\My Documents\SystemClean\iISystem Wiper\bak\SystemWiper.exe"

Is there any danger that restoring these files will come with infection? I didn't restore them.

I also had to uninstall Comodo to put Kaspersky on my system (temporary).

Here are new logs:
 
Well, daemon.exe is not an infection.
The 2 freesurfer files were known to cause false positives.
System wiper is a program to clear the history of your activities from your computer.

If you don't use any of these programs, we can remove them and the bak folders also

What made you think you were infected with doginhispen whataboutadog in the first place?
 
Yea, whatever is left of them can be removed.
I noticed something was wrong when I had connection issues and problems shutting down Windows. Then I found that whataboutadog and doginhispen were listed in my trusted internet sites.
Is there nothing wrong with the logs?
If it isn't whataboutadog or doginhispen trojan, could it be a firewall issue? How did they get into my trusted sites?
 
Ok, do you want to keep Erunt? It is a program used to back up the registry. I would not recommend it. Doesn't look like you have used it in years.

Go to Start -> Control Panel -> Add/remove programs
Select Deamon Tools Then Remove if there
Select EMS Free Surfer Then Remove if there
Select System Clean Then Remove if there
Select Xen Then Remove if there
Select Erunt Then Remove if there
----------------------------------------------------------------------------------------------------------

Next
Avenger by Swandog

  • Download Avenger by Swandog and unzip it to your Desktop.

    Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the program.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Folders to delete:
C:\Program Files\Daemon Tools
C:\Program Files\EMS Free Surfer or C:\Program Files\Free Surfer
C:\Program Files\System Clean
C:\Program Files\Xen
C:\Program Files\Erunt
C:\Backup\_Backup\XP\RegBak
C:\Documents and Settings\Richard\My Documents\Xen
C:\Documents and Settings\Richard\My Documents\Deamon Tools
C:\Documents and Settings\Richard\My Documents\EMS Free Surfer
C:\Documents and Settings\Richard\My Documents\SystemClean

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
-----------------------------------------------------------------------------------------------------
Clear the cache, use this method:

  • Open an Explorer folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
  • If desired, reset the folder options you changed in step 1.

------------------------------------------------------------------------------------------------------
Open Internet Explorer

click tools -> internet options.

Click the Security tab
Click on the Trusted sites icon.
Click the sites button and remove all sites from the trusted zone by selecting
them and clicking the remove button.
Once done, click ok.


Warning! Do not click the links below in the quote box.
Then, click the privacy tab and click the sites button. In the address bar type

www.whataboutadog.com and click the Block button. Do this for

www.whataboutarabbit.com and www.doginhispen.com and www.b.skitodayplease.com as well.

Click ok, then ok again and close IE. reboot your system.

After your reply I will remove the above links.
--------------------------------------------------------------------------------------------------------------------------------------------------

Crap Cleaner
  • Download from HERE
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs, Also check All Advanced tabs(except for the Old prefetch Data option, this should be unticked)
  • Click the run cleaner button. Do this several times
  • Click on the registry Icon on the left panel
  • Scan for registry problems and have it fix what it finds.
------------------------------------------------------------------------------------------------------------------------------------------------------------------
So in your next reply post the log from avenger and let me know if any of the above mentioned sites show up in the browsing history
 
Ok. No, I don't see the sites in my browser history, though my history is cleared everyday.

Also, are svchost.exe.mdmp and svchost.exe.hdmp normal files to have? A bunch of these two files are located in the TEMP directory under 18 different folders starting with the WER (ex: WER0e97.dir0).

Here is the avenger log:
 
The .mdmp files are an extension added to files to be sent to Microsoft. This is a compressed version of an .HDMP file. Basically when an error happens and it says would you like to send a report to Microsoft "Send" or "Don't Send" it creates these files; because they are attached to svchost it is from a svchost error. You can safely delete the contents of the temp folder.

Same with WER = Windows Error Reporting

Both of these are not necessary and in fact take up quite a lot of space as you may have noticed. I am listing the path to where I think you should be able to check the size, but you would have to change the name if you have other user accounts than just Richard. There should be one for each user.

C:\Users\Richard\AppData\Local\Microsoft\Windows\WER\ReportQueue

This makes me wonder though. Did you run CCleaner? I figured it would have removed those anyways.

Oh yea, and what programs out of those were you able to uninstall through add/remove programs?

can you run Findawf again and attach the new log
 
Hey. I can't find that path you just gave me.

I had run CCleaner a few times over the past two days. If it is supposed to clean those directories then I don't know why it hasn't.

I didn't remove any of them. They were already uninstalled. I think I deleted them after AVG found infections on those specific programs' executable files. Maybe FindAWF picks up those files because AVG deleted them (the executables) before I could uninstall the programs? I'm pretty sure I just ended up deleting the folders.

FindAWF doesn't show anything anymore, but here is the AWF log anyway:
 
I was playing around on Vista and found it another way. Start-> Run-> type cleanmgr when disk cleanup pops up select All users. Under the disk clean up tab at the bottom are 3 lines that can be checked.

-Per user archived windows error reports
-System archived windows error reports
-System queued windows error reports

I wasn't expecting anything to be in FindAWF but just wanted to be sure.

I think we got everything. Check your browsing history and trusted sites and see if the websites show back up.

Run Hijackthis again and attach the log
 
I don't see an active Firewall.

Other than that the logs look good. See my above post for recommendations on firewalls
 