Another aboutadog, and adoginhispen

Status
Not open for further replies.

whosurpopi

Hi, I am new to this forum, and not what you would call a "computer guy".
When the Cowboys played the Packers on the NFL Network, which I don't have, I panicked and found a website that provided free streaming video of the game from Denmark. Needless to say, that turned out to be a poor decision on my part, but a couple of days later I noticed aboutadog and adoginhispen in my history. I did a quick search and found this site that detailed what it is. I promptly downloaded avast security and ZoneAlarm firewall that you suggested to somebody else, and they both have stopped showing up in my history. My computer seems fine, but my eBay email account was hacked, so now I am very nervous about what else they might have gotten, and whether they are done getting anything else. Any help would be appreciated.
Steve
 
Hi whosurpopi and welcome to techspot. =)

I suggest you do the following before doing anything else

Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and ComboFix logs as attachments into this thread.
Do not copy and paste your logs; otherwise they will be removed.

Our experts here will tend to your queries thereafter.

Also, please provide the results of the Antirootkit scan.


Regards,
momok =)

This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Scans are attached.

I had two logs from ComboFix, one regular and one for quarantined.
The Panda antirootkit scan found nothing, and I am having no symptoms.
 

Attachments

  • ComboFix.txt (16.4 KB)
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: (no name) - ~00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - Global Startup: VersionTrackerPro.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: *.doginhispen.com

    Close HJT.

  4. Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\Installer\{C1EDC38F-2760-4A4E-9CED-95B53024134C}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe

  5. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread. Do not copy and paste the logs.


Regards,
momok =)

This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Have HijackThis fix the following entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Apart from that, your logs look fine to me. Are there any malware related issues you are facing?

Regards,
momok
 
Newest log

I only have one issue with the CPU that started after getting the logs yesterday, but I doubt it's malware. Every time I open Explorer, I get a message for TotalAccess core applications, and when I click to continue, it tells me "The path is not found", and I have to cancel out.
 
That log looks clean to me. I'm not quite sure why you are facing that error message. I do know that it is related to your Earthlink TotalAccess software so you should probably contact your ISP for help on that.
 
Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and pressing Enter.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

This thread is for the use of whosurpopi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Why start over?

I have been told by momok that everything looked good, so why redo the scans when I have no symptoms and nothing in my other logs?
 
Of course it's completely up to you, but the appearance of the O15 - Trusted Zone: *.doginhispen.com entry in your HJT log is a dead giveaway of the Downloader.Agent.awf infection. Unless you run and post the requested log file, there's no way that anyone can say the infection is gone. This is due to the fact that the infection uses legit file names and therefore just looking won't help.

Believe me, I have a lot of experience with this particular infection and only the FindAWF programme will reveal its existence fully.
 
Yes mate, you're quite right, but that doesn't mean the infection isn't still there. Look at his ComboFix log in post #3, particularly under the AWF heading, and you'll see lots of bak entries, as below.

----a-w 49,152 2004-05-25 13:16:56 C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe

----a-w 851,968 2004-07-20 13:34:28 C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe

----a-w 180,269 2005-03-16 19:59:35 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 155,648 2003-10-14 14:22:30 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 58,992 2005-03-23 20:34:32 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 32,768 2003-11-01 03:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 942,080 2005-09-01 19:24:56 C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe

----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 75,520 2006-12-15 08:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

----a-w 57,344 2004-01-16 10:04:08 C:\Program Files\Lexmark 4200 Series\bak\lxbmbmgr.exe

----a-w 151,552 2004-01-22 15:59:10 C:\Program Files\Lexmark 4200 Series\Fax\bak\fm3032.exe

----a-w 200,704 2003-06-18 20:00:00 C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe

----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe

----a-w 40,960 2004-04-14 19:04:12 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

----a-w 57,393 2004-04-14 18:46:50 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

----a-w 100,056 2006-01-31 01:16:26 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 111,840 2007-12-02 22:19:32 C:\Program Files\SymNetDrv\SNDMon.exe

----a-w 212,992 2002-09-13 20:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe

----a-w 118,784 2004-08-20 23:51:14 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-08-20 23:55:14 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

That is the AWF infection. BTW: my name is Howard :)
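The pattern Howard describes above (originals parked in a bak folder next to a replaced live copy) can be pulled mechanically out of a ComboFix-style listing. The Python below is an added example, not a tool from this thread or from FindAWF: it parses constructed sample lines in the same format as the log quoted above, pairs each parked original with its live sibling (case-insensitively, as NTFS does), reports how the two differ, and emits the two lists the later posts paste into FindAWF.

```python
import re
from collections import namedtuple
Entry = namedtuple("Entry", "size mtime path")  # bytes, log timestamp, path as printed
# Constructed sample in the ComboFix "AWF" listing format quoted in the thread
# (not taken from the original poster's machine).
SAMPLE_LOG = r"""
----a-w 267,064 2007-09-26 18:42:04 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe
----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 100,056 2006-01-31 01:16:26 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 111,840 2007-12-02 22:19:32 C:\Program Files\SymNetDrv\SNDMon.exe
"""
# attribute flags, comma-grouped size, timestamp, then a path that may contain spaces
LINE_RE = re.compile(r"^\S+\s+([\d,]+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.+?)\s*$")

def parse_listing(text):
    """Index listing lines by lower-cased path (NTFS paths are case-insensitive)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, mtime, path = m.groups()
            entries[path.lower()] = Entry(int(size.replace(",", "")), mtime, path)
    return entries

def find_awf_pairs(entries):
    """Pair each file parked in a 'bak' folder with the live copy one level up (or None)."""
    pairs = []
    for key, bak in entries.items():
        folder, _, name = key.rpartition("\\")
        if folder.endswith("\\bak"):
            pairs.append((bak, entries.get(folder[:-3] + name)))
    return sorted(pairs, key=lambda p: p[0].path.lower())

def findawf_lists(pairs):
    """Quoted bak paths as pasted for FindAWF option 2, and distinct bak folders for option 3."""
    restore = [f'"{bak.path}"' for bak, _ in pairs]
    folders = sorted({bak.path.rpartition("\\")[0] for bak, _ in pairs}, key=str.lower)
    return restore, folders

def report(pairs):  # one line per parked original: is a live copy present, and how does it differ?
    return [f"{b.path}: no live copy listed" if l is None else f"{b.path}: live copy "
            f"{l.size - b.size:+d} bytes, mtime {l.mtime} vs {b.mtime}" for b, l in pairs]

if __name__ == "__main__":
    pairs = find_awf_pairs(parse_listing(SAMPLE_LOG))
    restore, folders = findawf_lists(pairs)
    print("\n".join(report(pairs) + ["-- restore --"] + restore + ["-- remove --"] + folders))
```

A parked original with no live sibling in the listing (ctfmon.exe in the sample) still belongs on the restore list; the live copy may simply sit outside the sections ComboFix prints.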
 
Yes, you definitely have the AWF infection just as I said. Please do the following.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
"C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Lexmark 4200 Series\bak\lxbmbmgr.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Brother\Brmfl04a\bak\BrStDvPt.exe"
"C:\Program Files\Brother\ControlCenter2\bak\brctrcen.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\Lexmark 4200 Series\Fax\bak\fm3032.exe"
"C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.

Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\Java\jre1.5.0_11\bin\bak
C:\Program Files\EarthLink TotalAccess\bak
C:\Program Files\iTunes\bak
C:\Program Files\Lexmark 4200 Series\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\Program Files\Brother\Brmfl04a\bak
C:\Program Files\Brother\ControlCenter2\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Lexmark 4200 Series\Fax\bak
C:\Program Files\Microsoft Money\System\ba
C:\Program Files\ScanSoft\PaperPort\bak
Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.
 
Thanks for helping. I wouldn't have found out about this peculiarity of this infection otherwise because I've been away from malware fixing for so many months. =)
 
There are still three entries left to do.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Microsoft Money\System\bak
C:\Program Files\ScanSoft\PaperPort\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.
 