Newbie with adoginhispen virus

calbear
Hello All,
I googled adoginhispen, and saw that the only solution is to go to a tech forum and request help. I read some of the others who have the same problem, and noted that the admins require us to create a new thread asking for help with this. Please let me know what I need to do.
It is a Dell Latitude D820 laptop that I have this virus on.

Thank you!
 
Hi calbear,

Download the ATF cleaner programme and save it to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Reboot into normal mode.
-------------------------------------------------------------------------------------------------------
FindAWF

Click here to download FindAWF and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab
Click on the Trusted sites icon.
Click the sites button and remove all sites from the trusted zone by selecting
them and clicking the remove button.
Once done, click ok.



Warning! Do not click the links below in the quote box.


sites removed after reply


Click ok, then ok again and close IE. Reboot your system.

This thread is for the use of calbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\Apoint\bak\Apoint.exe"
"C:\Program Files\BPK\bak\bpk.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
"C:\Program Files\NetWaiting\bak\netWaiting.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SalesLogix\bak\SyncClient.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\QuickSet\bak\quickset.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak\docmgr.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.


 
Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Apoint\bak
C:\Program Files\BPK\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\NetWaiting\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SalesLogix\bak
C:\WINDOWS\system32\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\QuickSet\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.


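The folder layout that Steps 2 and 3 above work through, as an added read-only check (not part of the thread, and not FindAWF's code): it walks a directory tree and reports each file inside a `bak` folder together with the same-named file beside that folder. It assumes the layout the listed paths suggest; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_bak_pairs(root):
    """List (backup, replacement) pairs: <dir>/bak/<name> and <dir>/<name>.

    replacement is None when nothing with that name sits beside the bak folder.
    Read-only: nothing is moved or deleted.
    """
    pairs = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Windows file names are case-insensitive, so compare lowercased.
        siblings = {name.lower(): name for name in filenames}
        for sub in dirnames:
            if sub.lower() != "bak":
                continue
            bak_dir = os.path.join(dirpath, sub)
            for entry in os.listdir(bak_dir):
                backup = os.path.join(bak_dir, entry)
                if not os.path.isfile(backup):
                    continue
                twin = siblings.get(entry.lower())
                replacement = os.path.join(dirpath, twin) if twin else None
                pairs.append((backup, replacement))
    return sorted(pairs, key=lambda pair: pair[0].lower())


def build_sample_tree(root):
    """Constructed sample layout (hypothetical names, harmless contents)."""
    files = {
        "ExampleApp/example.exe": b"replacement",
        "ExampleApp/bak/example.exe": b"original",
        "Other/tool.exe": b"replacement",
        "Other/bak/TOOL.EXE": b"original",
        "Leftover/bak/gone.exe": b"original",
        "Clean/clean.exe": b"untouched",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for backup, replacement in find_bak_pairs(sample_root):
            print(backup, "<-", replacement or "(no same-named file beside bak)")
```

A pair whose second element is `None` corresponds to a `bak` folder left behind after its file was already restored, which is the case Step 3 cleans up.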
 
OK, this one's being a bit sticky; if it doesn't work this time we'll get it manually.

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\Apoint\bak\Apoint.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.

Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Apoint\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.


 
Right,

Boot into safe mode by pressing F8 as soon as the computer starts.

Show all hidden files and folders.

Navigate to here and delete this folder,

C:\Program Files\Apoint\bak

Then Reboot into normal mode and rehide your hidden files and run FindAWF option 1 again.

Post the log back here.


 
Go him, run AWF one more time and select option 4.

Run HijackThis and select Do a system scan and save a log file then post the log back here.

 
I am sorry, but I'm not sure what you mean by "Go him..."
I did run FindAWF option 4 and reset the domains.
Where do I find HijackThis?
 
Sorry meant to say "Got him"

As in got the annoying little blighter!


HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete attach the log in your reply.
Do not attempt to fix any item yet.
Do not add anything to the ignore list.
Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.

Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

If you have any problems or questions then please post back.
 
This may take me some time; that is the longest HJT log I've seen in some time.

That is a lot of running processes!

Spybot Search & Destroy

Spybot S&D is available from here: http://www.safer-networking.org/en/mirrors/index.html

Download and Install Spybot S&D (if you haven't already), accept the Default Settings
In the Menu Bar at the top of the Spybot window you will see Mode.
Make certain that 'Default Mode' has a check mark beside it.
Close ALL windows except Spybot S&D
Click the button to 'Search for Updates' then download and install the updates.
-----------------------------
Next click the button 'Check for Problems'
When Spybot is complete, it will be showing 'RED' entries, bold 'BLACK' entries and 'GREEN' entries in the window.
Make certain there is a check mark beside all of the RED entries ONLY.
Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.

Go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled.

This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer:

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'


Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended" tab.
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check the 2 boxes next to the Box that says "Generate StartupList log"
  • Attach the StartupList in your next post
 
Thank you kritius!
I followed every step as you suggested.
I have attached the startuplist file below.

Thank you!
 
OK, have you disabled some of the startup entries using SpyBot?

Once you have done that, can you post me a fresh log along with an uninstall list?

Create A LIST OF PROGRAMS USING HIJACKTHIS
  • Open HijackThis.
  • Click on Open the Misc Tools section.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please attach this log in your next reply.
 
Right, I'm looking over to what you can get rid of now. Can you post a fresh HijackThis log for me please?
 
That's going to take me a while to get through because it's still enormous!

I'll post back later.
 
Saleslogix is a work CRM (Customer Relationship Management) program. I cannot take this off the computer, as it came with it when my company issued this computer to me.

Thanks.
 