A.doginhispen.com and his brothers

kingsbishop

Hello from Italy! About a.doginhispen.com, can anyone help me delete this problem? I’ve attached the AWF file. Thanks a lot!
 
Hi kingsbishop and welcome to techspot. =)

I suggest you do the following before doing anything else.

Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and ComboFix logs as attachments into this thread.
Do not copy and paste your logs; if you do, they will be removed.

Our experts here will tend to your queries thereafter.

Also, please provide the results of the Antirootkit scan.

After that, please do the following.

Run FindAWF again.

  1. Press 2 then Enter. A text file named files.txt will open.

  2. Copy and paste the following text from the quote box below into the text file.
    C:\WINDOWS\bak\CameraFixer.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAPONN.EXE
    C:\WINDOWS\system32\dla\bak\tfswctrl.exe
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\WINDOWS\bak\vsnpstd3.exe
    C:\WINDOWS\bak\tsnpstd3.exe
    C:\WINDOWS\bak\CameraFixer.exe
    C:\Programmi\Toshiba\Windows Utilities\bak\Hotkey.exe
    C:\Programmi\Toshiba\Touch and Launch\bak\PadExe.exe
    C:\Programmi\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe
    C:\Programmi\Toshiba\TOSCDSPD\bak\toscdspd.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe
    C:\Programmi\QuickTime\bak\qttask.exe
    C:\Programmi\Nero\Nero8\Nero BackItUp\bak\NBKeyScan.exe
    C:\Programmi\Lexmark X1100 Series\bak\lxbkbmgr.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\bak\kav.exe
    C:\Programmi\iTunes\bak\iTunesHelper.exe
    C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe
    C:\Programmi\File comuni\Nero\Lib\bak\NeroCheck.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
    C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
    Next, close and click Yes to save the changes.

  3. Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply, along with the requested logs from the above instructions.
Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
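The files.txt procedure above relies on a fact about this family of infection: the legitimate program is moved into a `bak` subfolder and a substitute with the same name is left in the parent folder, so FindAWF restores the `bak` copy over it. The following Python is an added example, not code from the thread or from FindAWF: it parses a list in the same `...\bak\name.exe` format, derives each parent path, and reports, by comparing SHA-256 hashes, whether the parent still holds a file that differs from the backed-up original. It only reports and never deletes or restores anything. To run offline it builds a constructed directory tree under a temporary root that mirrors the drive layout (the three sample paths are copied from the list above; the file contents and status labels are assumptions of this example).

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample in the format FindAWF's files.txt uses; three lines
# taken from the longer list in the thread.
SAMPLE_FILES_TXT = """\
C:\\WINDOWS\\bak\\CameraFixer.exe
C:\\WINDOWS\\system32\\bak\\ctfmon.exe
C:\\Programmi\\QuickTime\\bak\\qttask.exe
"""


def parse_bak_entries(text):
    """Map each '<dir>\\bak\\<name>' line to the path the original lived at.
    Lines that are not inside a 'bak' folder are skipped, because the
    bak/parent pairing is the whole point of the check."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bak = PureWindowsPath(line)
        if bak.parent.name.lower() != "bak":
            continue
        parent = bak.parent.parent / bak.name
        pairs.append((bak, parent))
    return pairs


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_pair(parent_file, bak_file):
    """Compare the file in the parent folder with the backed-up original.
    The status labels are this example's own, not FindAWF's."""
    parent_file, bak_file = Path(parent_file), Path(bak_file)
    if not bak_file.is_file():
        return "no-bak-copy"        # nothing to compare against or restore from
    if not parent_file.is_file():
        return "original-missing"   # substitute already gone, original not put back
    if sha256_of(parent_file) == sha256_of(bak_file):
        return "restored"           # parent matches the backup: clean state
    return "substituted"            # parent differs from the backup: needs attention


def scan(root, files_txt):
    """Run the comparison under a local root that mirrors the drive layout.
    Returns {original path as a Windows path string: status}."""
    root = Path(root)
    results = {}
    for bak, parent in parse_bak_entries(files_txt):
        # Drop the drive part ('C:\\') and re-root the rest under `root`.
        bak_local = root.joinpath(*bak.parts[1:])
        parent_local = root.joinpath(*parent.parts[1:])
        results[str(parent)] = classify_pair(parent_local, bak_local)
    return results


def build_demo_tree(root):
    """Constructed fixture: one substituted program, one restored, one missing."""
    root = Path(root)
    legit = b"MZ constructed stand-in for the legitimate program"
    substitute = b"MZ constructed stand-in for the file left in the parent folder"
    layout = {
        "WINDOWS/bak/CameraFixer.exe": legit,
        "WINDOWS/CameraFixer.exe": substitute,         # differs from bak copy
        "WINDOWS/system32/bak/ctfmon.exe": legit,
        "WINDOWS/system32/ctfmon.exe": legit,          # identical to bak copy
        "Programmi/QuickTime/bak/qttask.exe": legit,   # no file in parent folder
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the constructed tree and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan(tmp, SAMPLE_FILES_TXT)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:17s} {path}")
```

On a real machine the same `scan` would be pointed at the drive root instead of a temporary directory; a `substituted` result is the condition the files.txt step is meant to undo, and `original-missing` is what a log would show if the substitute was removed but the copy in `bak` was never put back.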
 
Hi,

You have not followed the instructions for the preliminary removal thread. Your system is not just infected with doginhispen; I would need you to continue with the removal thread instructions and post the logs.

Run FindAWF

  1. Press 3 then Enter. A text file named folders.txt will open.

  2. Copy and paste the following text from the quote box below into the text file.
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
    C:\WINDOWS\system32\dla\bak
    C:\WINDOWS\system32\bak
    C:\WINDOWS\bak
    C:\Programmi\Toshiba\Windows Utilities\bak
    C:\Programmi\Toshiba\Touch and Launch\bak
    C:\Programmi\Toshiba\TOSHIBA Zooming Utility\bak
    C:\Programmi\Toshiba\TOSCDSPD\bak
    C:\Programmi\Synaptics\SynTP\bak
    C:\Programmi\QuickTime\bak
    C:\Programmi\Nero\Nero8\Nero BackItUp\bak
    C:\Programmi\Lexmark X1100 Series\bak
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\bak
    C:\Programmi\iTunes\bak
    C:\Programmi\Google\GoogleToolbarNotifier\bak
    C:\Programmi\File comuni\Real\Update_OB\bak
    C:\Programmi\File comuni\Nero\Lib\bak
    C:\Programmi\ATI Technologies\ATI Control Panel\bak
    C:\Programmi\Adobe\Reader 8.0\Reader\bak
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
    Next, close and click Yes to save the changes.

  3. Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply, as well as the other required logs.


Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hello Momok and excuse me for my misunderstanding!
Here are the new files; I hope it would be all right this time :)

Regards, kingsbishop
 
Hi,

Your system has been reinfected with the whole thing all over again. That was because you did not post your logs earlier and allow me to fix the root of the problem.

Also, I do not know what language that is, but I cannot read your AVG log. I suspect it says no action taken. Please run AVG again properly by setting all actions to quarantine; read through the instructions carefully and follow them exactly.

You may wish to copy and paste these instructions into Notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [CameraFixer] C:\WINDOWS\CameraFixer.exe
    O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
    O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

    Close HJT.

  4. Open Notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\CameraFixer.exe
    C:\WINDOWS\vsnpstd3.exe
    C:\WINDOWS\tsnpstd3.exe
    C:\WINDOWS\system32\drivers\sptd8365.sys
    C:\WINDOWS\GPInstall.exe
    C:\WINDOWS\bak\vsnpstd3.exe
    C:\WINDOWS\bak\tsnpstd3.exe
    C:\WINDOWS\bak\CameraFixer.exe
    Folder::
    C:\WINDOWS\bak
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    (image: CFScript.gif)

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
--------------------------------------------------------------
Run FindAWF again.

  1. Press 2 then Enter. A text file named files.txt will open.

  2. Copy and paste the following text from the quote box below into the text file.
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAPONN.EXE
    C:\WINDOWS\system32\dla\bak\tfswctrl.exe
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\Programmi\Toshiba\Windows Utilities\bak\Hotkey.exe
    C:\Programmi\Toshiba\Touch and Launch\bak\PadExe.exe
    C:\Programmi\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe
    C:\Programmi\Toshiba\TOSCDSPD\bak\toscdspd.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe
    C:\Programmi\QuickTime\bak\qttask.exe
    C:\Programmi\Nero\Nero8\Nero BackItUp\bak\NBKeyScan.exe
    C:\Programmi\Lexmark X1100 Series\bak\lxbkbmgr.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\bak\kav.exe
    C:\Programmi\iTunes\bak\iTunesHelper.exe
    C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe
    C:\Programmi\File comuni\Nero\Lib\bak\NeroCheck.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
    C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
    Next, close and click Yes to save the changes.

  3. Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log and AWF log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hello Momok,
I have another problem. I’ve followed your instructions, but when I tried to run FindAWF again (press 2 and copy/paste the text), the program runs and shows me on the screen:

Error: Cannot find a process with an image named CAPONN.exe

After this, this message appears:

Killing PID 560 ‘tfswctrl.exe’

I’m sure I’ve done anything wrong, but where is the error?

Thanks again, KsB
 
Hi,

Let's try this all over again. Remove AWF completely from your system.

Please download FindAWF from HERE. Save the file to the Desktop and then complete the following instructions:
  1. Open the FindAWF program. If a Security Alert shows, allow the program to run.
  2. Press 1 then Enter. The scan may take a while, please be patient. When done, a text file, Find AWF report will be produced.
  3. Please remember to attach this report file in your reply along with all other required logs (ComboFix from before?).

Regards,
momok
 
Hi,

Run FindAWF again.

  1. Press 2 then Enter. A text file named files.txt will open.

  2. Copy and paste the following text from the quote box below into the text file.
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\CAPONN.EXE
    C:\WINDOWS\system32\dla\bak\tfswctrl.exe
    C:\WINDOWS\system32\bak\ctfmon.exe
    C:\Programmi\Toshiba\Windows Utilities\bak\Hotkey.exe
    C:\Programmi\Toshiba\Touch and Launch\bak\PadExe.exe
    C:\Programmi\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe
    C:\Programmi\Toshiba\TOSCDSPD\bak\toscdspd.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe
    C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe
    C:\Programmi\QuickTime\bak\qttask.exe
    C:\Programmi\Nero\Nero8\Nero BackItUp\bak\NBKeyScan.exe
    C:\Programmi\Lexmark X1100 Series\bak\lxbkbmgr.exe
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\bak\kav.exe
    C:\Programmi\iTunes\bak\iTunesHelper.exe
    C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
    C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe
    C:\Programmi\File comuni\Nero\Lib\bak\NeroCheck.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
    C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe
    Next, close and click Yes to save the changes.

  3. Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply.

Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hello Momok,
Nothing to do... same problem with the new FindAWF too.

Error: Cannot find a process with an image named CAPONN.exe

Killing PID 560 ‘tfswctrl.exe’

Regards, KsB :eek:
 
Hi,

Run FindAWF again in safe mode.

  1. Press 3 then Enter. A text file named folders.txt will open.

  2. Copy and paste the following text from the quote box below into the text file.
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
    C:\WINDOWS\system32\dla\bak
    C:\WINDOWS\system32\bak
    C:\Programmi\Toshiba\Windows Utilities\bak
    C:\Programmi\Toshiba\Touch and Launch\bak
    C:\Programmi\Toshiba\TOSHIBA Zooming Utility\bak
    C:\Programmi\Toshiba\TOSCDSPD\bak
    C:\Programmi\Synaptics\SynTP\bak
    C:\Programmi\Synaptics\SynTP\bak
    C:\Programmi\QuickTime\bak
    C:\Programmi\Nero\Nero8\Nero BackItUp\bak
    C:\Programmi\Lexmark X1100 Series\bak
    C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus Personal\bak
    C:\Programmi\iTunes\bak
    C:\Programmi\Google\GoogleToolbarNotifier\bak
    C:\Programmi\File comuni\Real\Update_OB\bak
    C:\Programmi\File comuni\Nero\Lib\bak
    C:\Programmi\ATI Technologies\ATI Control Panel\bak
    C:\Programmi\Adobe\Reader 8.0\Reader\bak
    C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
    Next, close and click Yes to save the changes.

  3. Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach this new FindAWF log in your reply.

Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hi,

Run FindAWF

Press 4 then Enter.

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Delete the following folder:
C:\QooBox\Quarantine\C\WINDOWS

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hello Momok,
It seems I am not able to send you the requested files! When I try to attach the ComboFix log, a message tells me "You have already attached this file in thread: A.doginhispen.com and his brothers..."; also, when I try to attach the HJT log, this is the message: "hijackthis_1.log: Attachment in Progress. Can be deleted here.", but I cannot do it!

I don't know what I can do :-(

Regards, KsB
 
Hi,

I've removed your old logs. Try reposting the logs please. Thanks.

Regards,
momok
 
Hello Momok,
Here are the files. I am not able to generate a report for AVG; in the last scan, AVG found and quarantined “Heuristic.Win32.Dialer”, located in C:\Documents and Settings\Mario\Impostazioni locali\Temp\860680202.exe.

Hope this can help you, thanks a lot for your patience!
Regards, KsB
 
Hi,

It appears that the ComboFix log is an old log. I need you to run a new scan and post a new log. Also, please run the AVG Anti-Spyware scan again, and try saving the report once more. Let me know the results. Your system is close to clean.

Regards,
momok
 
Hi,

Your logs look clean now.

  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Gosh. Did you follow my instructions in the previous post? Which sites did you visit or which programs did you install that caused the reinfection?

  1. Open the FindAWF program. If a Security Alert shows, allow the program to run.
  2. Press 1 then Enter. The scan may take a while, please be patient. When done, a text file, Find AWF report will be produced.
  3. Please remember to attach this report file in your reply along with all other required logs.

Regards,
momok =)

This thread is for the use of kingsbishop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.