A.doginhispen.com

#1 dz4920

Posted 13 February 2008 - 09:46 PM

I have these 3 websites continually appearing in my browser history: "a.doginhispen.com", "b.skitodayplease.com" and "88.80.7.66". This happened on Feb 04, 2008. Since then I have run many virus and spyware scans, etc., and deleted the temp internet files and cookies, but they still come back about every 2 hours. I have Windows XP Home and Trend Micro Internet Security, which indicates that it is blocking the websites "a.doginhispen.com/favicon.ico" and "a.doginhispen.com/150/in/htmlg". About the time this happened I could not sign in to AOL Instant Messenger, so I downloaded a new version and it appears to work. I also got error messages about Adobe and Omniscan, and the JAVA icon disappeared from the bottom bar of my computer. I have read some of the other posts about this and it seems very difficult to fix. I am relatively new at this troubleshooting, so I need help. I did run Find AWF and I noticed 5 duplicate files with the same number 14860 and date of Feb 4 2008. Please help, and thanks.

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 02/13/2008
The current time is: 18:32:54.24


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

04/27/2007 03:17 PM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/11/2007 07:29 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


08/01/2002 12:14 AM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50528 Jan 3 2008 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 May 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14860 Feb 4 2008 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14860 Feb 4 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
14860 Feb 4 2008 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Aug 1 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
14860 Feb 4 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report
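Added example, not code from the thread or from FindAWF: a small Python parser for the "Duplicate files of bak directory contents" section of the report above. It pairs each file in a bak folder with the live file in its parent folder, flags live files whose size no longer matches their backup, clusters the flagged files by size (the 14860-byte pattern noticed above), and emits the quoted bak paths in the form FindAWF's restore option expects. The sample lines are copied from the report above; the name RESTORE_SIZE_CLUSTER and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the FindAWF report above.
SAMPLE_REPORT = r'''
50528 Jan 3 2008 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 May 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14860 Feb 4 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
'''

# size, "Mon D YYYY", quoted full path
LINE_RE = re.compile(r'^\s*(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text):
    """Return (size, date, path) tuples for each well-formed report line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def pair_with_bak(entries):
    """Pair each <dir>\\bak\\<name> entry with the live <dir>\\<name> entry."""
    by_path = {p.lower(): (s, d, p) for s, d, p in entries}
    pairs = []
    for size, date, path in entries:
        directory, _, name = path.rpartition('\\')
        parent_dir, _, last = directory.rpartition('\\')
        if last.lower() != 'bak':
            continue
        live = by_path.get((parent_dir + '\\' + name).lower())
        if live:
            pairs.append((live, (size, date, path)))
    return pairs


def find_replaced(entries):
    """Live files whose size differs from the bak copy. A size mismatch alone is
    only a hint (a legitimate update also changes size, as aim6.exe shows);
    the same size recurring across unrelated vendors is the stronger tell."""
    return [{'path': l[2], 'size': l[0], 'date': l[1], 'original': b[2]}
            for l, b in pair_with_bak(entries) if l[0] != b[0]]


def common_sizes(replaced):
    """Sizes shared by more than one flagged file, with the files."""
    groups = defaultdict(list)
    for r in replaced:
        groups[r['size']].append(r['path'])
    return {s: paths for s, paths in groups.items() if len(paths) > 1}


def restore_list(replaced):
    """Quoted bak paths, one per line, as pasted into FindAWF's files.txt."""
    return ['"%s"' % r['original'] for r in replaced]


if __name__ == '__main__':
    found = find_replaced(parse_report(SAMPLE_REPORT))
    for r in found:
        print('replaced: %(path)s (%(size)d bytes, %(date)s) <- %(original)s' % r)
    print('sizes shared by several flagged files:', common_sizes(found))
    print('\n'.join(restore_list(found)))
```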


#2 quietman7 (Global Moderator)

Posted 14 February 2008 - 11:16 AM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 2 then 'Enter' to restore files from bak folders
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 dz4920 (Topic Starter)

Posted 14 February 2008 - 07:21 PM

Thank you for your help. The results are below.

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 02/14/2008
The current time is: 18:12:04.91


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

04/27/2007 03:17 PM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/11/2007 07:29 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


08/01/2002 12:14 AM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Apr 27 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Apr 27 2007 "C:\Program Files\AIM6\bak\aim6.exe"
282624 May 11 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 May 11 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
684032 Aug 1 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Aug 1 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

Can I still use the computer while I wait?

#4 dz4920 (Topic Starter)

Posted 14 February 2008 - 10:27 PM

Quietman7

I wanted to add something to the previous post. Those three ("dog", "ski", "88") were reappearing in the web browser history about every two hours; the last one was at 1634. I ran the program in the previous post and they did not appear for about 5 hours. Then Trend Micro ran a scan and quarantined 6 viruses identified as "TROJ_KILLAV.NX" at 1953. At 2104 the websites reappeared. Is this related? Also, should I keep deleting these sites?
Thank you for your help!!!

dz4920

#5 quietman7 (Global Moderator)

Posted 14 February 2008 - 10:38 PM

This infection is persistent and has been known to return even after completing all the steps with this fix tool. You have to be just as persistent with removing it. Where did Trend find these files and did it provide a specific file name associated with the threat?

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 3 then 'Enter' to remove bak folders.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\AIM6\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#6 dz4920 (Topic Starter)

Posted 14 February 2008 - 11:12 PM

This is the result of the FindAWF.

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 02/14/2008
The current time is: 22:03:44.90


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Trend Micro identified it as TROJ_KILLAV.NX and infected file as A0000082.exe and location as C:\System Volume Information\_restore (bunch of numbers). Actually there were only 5 viruses.

Thanks again.
dz4920

#7 quietman7 (Global Moderator)

Posted 15 February 2008 - 08:57 AM

The infected RP***\A00*****.exe file(s) identified by Trend Micro are in the System Volume Information folder (SVI), which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access, and it is hidden by default unless you have reconfigured Windows to show it. System Restore will back up the good as well as the bad files, so when malware is present on the system it gets included in any restore points as an A00***** file. We will be cleaning out this folder before we are done.

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 4 then 'Enter' to reset domain zones.
  • You will receive a warning to reset domain zones.
  • Press 1 then 'Enter'.
  • When done, you will receive a message: "Done! Zones have been reset".
  • After resetting the domain zones, the program will return to the main menu.
  • Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#8 dz4920 (Topic Starter)

Posted 15 February 2008 - 06:11 PM

Hi quietman,

I followed your instructions and everything worked OK. There has been no further appearance of "dog, ski, or 88" for 20 hours, but I am monitoring it. Thank you so very much - I was at a loss and had struggled with this for over a week. I found this site by doing a search for these website problems and I am so glad I did.

I have many antispyware programs on my desktop now due to other suggestions before I came to this site: SuperAntiSpyware, 2 versions of Spybot Search and Destroy, TrojanHunter, Smitfraud fix, Del Domains, ComboFix, CCleaner, HijackThis, VundoFix, FindAWF, ATF Cleaner. I will leave the last two, but is there a problem with having all those on the computer? The TrojanHunter program was a 30-day trial, so I will have to remove it. If they won't interfere with each other and cause no problems, should I leave them? What would you suggest? I also have Trend Micro Internet Security (my paid program). I also have JAVA 6 Update 2 and Update 3. How do I remove the ones not listed in Add/Remove Programs? Just delete from the Desktop?

Can the computer be rebooted without those sites reappearing? Hopefully, they are completely off the computer. So the computer should be able to be restarted, correct? All the programs should be back to what they were before Feb 4th? What can I do so this does not happen again? I think this happened when I clicked a picture of a little white dog; then all the problems started. I will not make that mistake again. I thought Trend Micro would stop this; it did block the websites, but not the changes. Any suggestions you might have would be great.

Your instructions were great and I certainly could not have done this without you. I will continue to watch BleepingComputer.com. If you could just answer the questions above, I would really appreciate it.

Again, THANK YOU!!! THANK YOU!!! THANK YOU!!!

dz4920

#9 quietman7 (Global Moderator)

Posted 16 February 2008 - 09:10 AM

If there are no more signs of infection you should be OK, but this infection is persistent and has been known to return even after completing all the steps with this fix tool.

You can delete VundoFix, FindAWF, SmitfraudFix, Del Domains and ComboFix. Some of these tools may at times be detected by anti-virus programs as riskware, malware or potentially unwanted programs when that is not the case. Also, several of these tools are regularly updated, so if you need to use any again, it's best to download the latest version. If you're using Spybot S&D you should be using v1.5.2.20.

Removing older versions of JAVA
JAVA uninstallation instructions

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".