Stupid Dog! (doginhispen and aboutadog problem)

Status
Not open for further replies.
Delete the cyberrape.com and doggystyle.com entries and any other entries which are obviously bad.

In fact, do the following.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Regards Howard :)
 
If you browse thru the registry, you'll find many domain names -- some real and necessary (like your ISP) and some as blacklist entries (like those created by Spywareblaster).

The big issue is "Under which registry key(s) do you find them?" (that's a rhetorical question!)

Stay with the HJT process for now ....
 
OK, here are the AWF and HJT logs from after the last fixes in HJT and deleting the dog entries in the registry.

I'm downloading and saving the Del015 program to a disc so I can open it on my other computer.
 
Your HJT log is clean.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft ActiveSync\bak\Wcescomm.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\support.com\bin\bak\tgcmd.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Also, please post a fresh HJT log.

Regards Howard :)

This thread is for the use of Mpls21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
When I ran the AWF as instructed, it ran through that "killing 3964" whatever it said. I ran AWF again and then it worked fine. I've attached the latest AWF and HJT files.

One other question. I'm using Norton System for my internet protection/firewall etc, and running Spybot regularly. Is there something else I should be using (either instead of Norton or in addition to Norton) and Spybot that would have better protected me from getting this? I never open email attachments from unknown senders, and am concerned about getting something again. Thanks.

(After seeing that registry, I think I'm going to have a little chat with my 15 year old son about the places he's been visiting on mom's office computer!! I have a feeling he's not going to be seeing a computer for a while... ah gee, what will his friends on that darn Warcraft game do without him? )
 
Your HJT log is still clean.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Media Player\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\support.com\bin\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Reboot your system and see if you can post from it.

Let me know what problems you're having.

Regards Howard :)

 
I am posting this from my home computer! I've attached the AWF file.

Thank you so very much for all the help! You certainly invested a great deal of time in assisting me with this! I can't tell you how grateful I am.

:grinthumb
 
That's looking much better.

Just one bak file left to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft ActiveSync\bak\Wcescomm.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)
 
Hopefully, this'll be the last time you need to run FindAWF.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Microsoft ActiveSync\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

 
That's now clean.

Now, in the interests of making sure your system is really clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

I know it's a pain, but after all the hard work you've put in, it'd be a shame if there was still some malware lurking on your system. So better safe than sorry.

Regards Howard :)

 
I'll have to do these steps tomorrow. I'll shut down my computer for the night, and get on this in the morning.

You're certainly right about this being a "pain," and a lot of hard work! Now I know why I stick to sales and not the technical aspects!

Thank you again. I'll post results tomorrow.
 
You surely are having to keep busy with all the 'dog' infections Howard. I'll refrain from entering into the conversations- just saying hello.
 
Hiya mate.

Yeah, this infection is sure doing the rounds at the moment.

It's a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

Regards Howard :)

This thread is for the use of Mpls21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
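The layout described in the post above (a replaced executable with the legitimate file moved into a bak folder beside it) can be checked for mechanically. This is an added example, not part of the original thread and not FindAWF's code; the function names and sample files are constructed, and it assumes a hit means "same file name one level above a bak folder, different content".

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_displaced_originals(root):
    """List files in 'bak' folders whose name also exists one level up with different content."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = Path(dirpath).parent
        # Case-insensitive lookup, since Windows file names ignore case.
        siblings = {p.name.lower(): p for p in parent.iterdir() if p.is_file()}
        for name in filenames:
            live = siblings.get(name.lower())
            if live is None:
                continue  # backup with no file in its place: nothing to compare
            backup = Path(dirpath) / name
            # Assumption: differing content marks the live file as the suspect.
            if sha256_of(live) != sha256_of(backup):
                findings.append({"suspect": str(live), "backup": str(backup)})
    return sorted(findings, key=lambda f: f["suspect"])


def build_sample_tree(root):
    """Constructed sample layout: a swapped file beside its displaced original."""
    app = Path(root) / "Program Files" / "QuickTime"
    (app / "bak").mkdir(parents=True)
    (app / "qttask.exe").write_bytes(b"constructed replacement bytes")
    (app / "bak" / "qttask.exe").write_bytes(b"constructed original bytes")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in find_displaced_originals(tmp):
            print(f["suspect"], "<- original kept at", f["backup"])
```

The script only reports pairs; it changes nothing on disk, so the output can be reviewed before any restore or removal is done.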
 