
Doginhispen Trojan


25 replies to this topic

#1 Kanii (Members, 14 posts)

Posted 29 February 2008 - 02:56 PM

Hello~ I'm kind of new here but I found this site because I Googled the search word "doginhispen" and it showed an earlier incident where someone else had posted regarding an infection. I only recently noticed it when I start my computer (Win XP) and IE takes about 2 minutes to fully load. When I browsed the History after opening a new browser, it said I already visited 4 sites: 88.80.7.66, b.skitodayplease.com, doginhispen and rad.msn.com when I had just loaded a blank homepage. This had been ongoing for several weeks so I just installed Mozilla Firefox to use as a new browser. Now, my IE is opening up by itself, except the URL address is "C:\WINDOWS\system32\@#$#.htm" which really scares me and there is a "Remote Assistance" icon on my startup menu. I already ran several virus scans with AVG 7.5 and Ad-Aware but it came up with no results. If you can provide any technical support as soon as possible, it would be gladly appreciated. Thank you for your time.

Edited by Kanii, 29 February 2008 - 02:57 PM.




#2 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 29 February 2008 - 04:40 PM

Hello and welcome. Please run this program and see what you get back.

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Kanii (Topic Starter, Members, 14 posts)

Posted 29 February 2008 - 07:51 PM

Thank you for your help :D Here is the AWF report.


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 02/29/2008
The current time is: 19:40:40.73


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 06:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\CREATOR\BAK

02/09/2006 11:52 AM 643,072 Remind_XP.exe
1 File(s) 643,072 bytes

Directory of C:\WINDOWS\SMINST\BAK

10/11/2005 12:23 PM 1,187,840 RecGuard.exe
1 File(s) 1,187,840 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/13/2005 11:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/13/2007 07:48 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/08/2007 03:24 PM 54,840 HPWuSchd2.exe
1 File(s) 54,840 bytes

Directory of C:\PROGRA~1\HP\QUICKP~1\BAK

12/12/2005 01:39 PM 94,208 QPService.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

02/17/2005 04:01 PM 233,534 cpqset.exe
1 File(s) 233,534 bytes

Directory of C:\PROGRA~1\HPQ\HPWIRE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

12/22/2005 10:57 AM 405,504 EabServr.exe
1 File(s) 405,504 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

02/02/2005 07:11 AM 692,316 SynTPEnh.exe
02/02/2005 07:12 AM 102,492 SynTPLpr.exe
2 File(s) 794,808 bytes

Directory of C:\WINDOWS\PIXART\PAC7311\BAK

11/03/2006 10:01 AM 319,488 Monitor.exe
1 File(s) 319,488 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/16/2006 01:56 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14348 Feb 26 2008 "C:\WINDOWS\CREATOR\Remind_XP.exe"
643072 Feb 9 2006 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
14348 Feb 26 2008 "C:\WINDOWS\SMINST\RecGuard.exe"
1187840 Oct 11 2005 "C:\WINDOWS\SMINST\bak\RecGuard.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 Feb 26 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Jul 13 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
52272 Aug 12 2007 "C:\Program Files\Google\googletoolbar1user.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
583696 Nov 16 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Aug 12 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Aug 13 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
14348 Feb 26 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
54840 May 8 2007 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
14348 Feb 26 2008 "C:\Program Files\HP\QuickPlay\QPService.exe"
94208 Dec 12 2005 "C:\Program Files\HP\QuickPlay\bak\QPService.exe"
14348 Feb 26 2008 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
233534 Feb 17 2005 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
14348 Feb 26 2008 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
405504 Dec 22 2005 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
692316 Feb 2 2005 "C:\SWSetup\Touchpad\SynTPEnh.exe"
14348 Feb 26 2008 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
102492 Feb 2 2005 "C:\SWSetup\Touchpad\SynTPLpr.exe"
14348 Feb 26 2008 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
102492 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
102492 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
319488 Nov 3 2006 "C:\Program Files\Common Files\PAC7311\Monitor.exe"
14348 Feb 26 2008 "C:\WINDOWS\PixArt\PAC7311\Monitor.exe"
319488 Nov 3 2006 "C:\WINDOWS\PixArt\PAC7311\bak\Monitor.exe"
14348 Feb 26 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Nov 16 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#4 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 29 February 2008 - 09:32 PM

You're welcome, let's do the next step.
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HP\QuickPlay\bak\QPService.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\WINDOWS\PixArt\PAC7311\bak\Monitor.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
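The replace-and-park pattern boopme describes is visible in the report Kanii posted: every live executable listed directly above its bak twin has a different size and date (14348 bytes, Feb 26 2008), while ctfmon.exe still matches its backup. The Python script below is an added example for this thread, not part of the original posts and not part of the FindAWF tool. It parses a constructed excerpt of that report section, pairs each bak copy with the live file one folder up, flags the mismatches, and emits the quoted path list that the restore step (option 2) asks for. The function names and the excerpt are this example's own assumptions.

```python
"""Parse the "Duplicate files of bak directory contents" section of a FindAWF
report and flag every live executable whose size or date no longer matches the
original copy the trojan moved into the adjacent "bak" folder.

Added example for this thread; it is not part of FindAWF. The report text
below is a constructed excerpt modelled on the one posted above.
"""
import re
from collections import Counter

# Constructed excerpt of a FindAWF report: <size> <Mon> <day> <year> "<path>".
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
692316 Feb 2 2005 "C:\SWSetup\Touchpad\SynTPEnh.exe"
14348 Feb 26 2008 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"


end of report
"""

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_duplicates(report):
    """Return (size, date, path) for each line of the duplicates section."""
    entries, in_section = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif line == "end of report":
            break
        elif in_section:
            m = LINE_RE.match(line)
            if m:
                entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def compare_with_bak(entries):
    """Pair each bak copy with the live file one folder up; compare size and date."""
    by_path = {p.lower(): (s, d, p) for s, d, p in entries}
    findings = []
    for size, date, path in entries:
        folder, name = path.rsplit("\\", 1)
        if not folder.lower().endswith("\\bak"):
            continue                                  # only bak copies drive the pairing
        live_path = folder[:-4] + "\\" + name         # drop the trailing "\bak"
        live = by_path.get(live_path.lower())
        if live is None:
            findings.append({"name": name, "status": "no live copy", "bak_path": path})
            continue
        live_size, live_date, live_full = live
        status = "match" if (live_size, live_date) == (size, date) else "replaced"
        findings.append({"name": name, "status": status,
                         "live_size": live_size, "live_date": live_date, "live_path": live_full,
                         "bak_size": size, "bak_date": date, "bak_path": path})
    return findings


def replaced_signature(findings):
    """Size/date shared by the replaced live files. One dropped payload copied
    over every victim shows up as identical size and date (14348 bytes,
    Feb 26 2008 in the thread's report), regardless of which vendor's file it
    overwrote."""
    return Counter((f["live_size"], f["live_date"])
                   for f in findings if f["status"] == "replaced")


def restore_list(findings):
    """Quoted bak paths of the replaced files: the input FindAWF option 2 expects."""
    return ['"%s"' % f["bak_path"] for f in findings if f["status"] == "replaced"]


if __name__ == "__main__":
    found = compare_with_bak(parse_duplicates(SAMPLE_REPORT))
    for f in found:
        print("%-13s %s" % (f["status"], f["name"]))
    print("payload signature:", dict(replaced_signature(found)))
    print("\n".join(restore_list(found)))
```

Run as a script it prints the three verdicts (replaced, match, replaced), the shared payload size/date, and the two quoted bak paths. The counter is the useful part for triage: one identical size and date across executables from unrelated vendors is a stronger signal than any single file's timestamp, and a bak copy with no live counterpart (the empty HPWIRE~1\BAK folder in the report) is reported rather than silently skipped.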

#5 Kanii (Topic Starter, Members, 14 posts)

Posted 29 February 2008 - 09:54 PM

Here is the second AWF file that you requested. :thumbsup:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 02/29/2008
The current time is: 21:44:26.51


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 06:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\CREATOR\BAK

02/09/2006 11:52 AM 643,072 Remind_XP.exe
1 File(s) 643,072 bytes

Directory of C:\WINDOWS\SMINST\BAK

10/11/2005 12:23 PM 1,187,840 RecGuard.exe
1 File(s) 1,187,840 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/13/2005 11:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

08/13/2007 07:48 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/08/2007 03:24 PM 54,840 HPWuSchd2.exe
1 File(s) 54,840 bytes

Directory of C:\PROGRA~1\HP\QUICKP~1\BAK

12/12/2005 01:39 PM 94,208 QPService.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

02/17/2005 04:01 PM 233,534 cpqset.exe
1 File(s) 233,534 bytes

Directory of C:\PROGRA~1\HPQ\HPWIRE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

12/22/2005 10:57 AM 405,504 EabServr.exe
1 File(s) 405,504 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

02/02/2005 07:11 AM 692,316 SynTPEnh.exe
02/02/2005 07:12 AM 102,492 SynTPLpr.exe
2 File(s) 794,808 bytes

Directory of C:\WINDOWS\PIXART\PAC7311\BAK

11/03/2006 10:01 AM 319,488 Monitor.exe
1 File(s) 319,488 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/16/2006 01:56 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14348 Feb 26 2008 "C:\WINDOWS\CREATOR\Remind_XP.exe"
643072 Feb 9 2006 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
14348 Feb 26 2008 "C:\WINDOWS\SMINST\RecGuard.exe"
1187840 Oct 11 2005 "C:\WINDOWS\SMINST\bak\RecGuard.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Jul 13 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Jul 13 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
52272 Aug 12 2007 "C:\Program Files\Google\googletoolbar1user.exe"
68856 Aug 13 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
583696 Nov 16 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Aug 12 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Aug 13 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
54840 May 8 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
54840 May 8 2007 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
94208 Dec 12 2005 "C:\Program Files\HP\QuickPlay\QPService.exe"
94208 Dec 12 2005 "C:\Program Files\HP\QuickPlay\bak\QPService.exe"
233534 Feb 17 2005 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
233534 Feb 17 2005 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
405504 Dec 22 2005 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
405504 Dec 22 2005 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
692316 Feb 2 2005 "C:\SWSetup\Touchpad\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
692316 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
102492 Feb 2 2005 "C:\SWSetup\Touchpad\SynTPLpr.exe"
102492 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
102492 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
102492 Feb 2 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
319488 Nov 3 2006 "C:\Program Files\Common Files\PAC7311\Monitor.exe"
319488 Nov 3 2006 "C:\WINDOWS\PixArt\PAC7311\Monitor.exe"
319488 Nov 3 2006 "C:\WINDOWS\PixArt\PAC7311\bak\Monitor.exe"
185896 Nov 16 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Nov 16 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#6 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 29 February 2008 - 10:47 PM

Copy the paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\Program Files\Windows Defender\bak
C:\WINDOWS\CREATOR\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\HP\QuickPlay\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\PixArt\PAC7311\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#7 Kanii (Topic Starter, Members, 14 posts)

Posted 29 February 2008 - 11:08 PM

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Fri 02/29/2008
The current time is: 23:06:50.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\HPQ\HPWIRE~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 29 February 2008 - 11:17 PM

Good work !!!
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Press 4, then press Enter.
Press 1 then Enter to continue.
When done, you will receive a message similar to this: Done! Zones have been reset
Press E then Enter to exit.

Next:
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#9 Kanii (Topic Starter, Members, 14 posts)

Posted 29 February 2008 - 11:33 PM

Is this the final step? Or do we have to check in tomorrow to see the results? Thank you for all your help, btw.

#10 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 01 March 2008 - 12:02 AM

Yep, all done, was waiting to see if you brought anything back. But you're good to go !! :thumbsup:

#11 Kanii (Topic Starter, Members, 14 posts)

Posted 01 March 2008 - 12:08 AM

I rebooted my computer and I don't have that doginhispen & co. URL addresses anymore but I still have that popup of "C:\WINDOWS\system32\@#$#.htm." I don't know if they're related, and is "Remote Assistance Control" a plausible program? It's not spyware, is it?

#12 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 01 March 2008 - 11:18 AM

Does the icon look like this one?
http://www.windowsnetworking.com/articles_...s/wxprmass.html

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post log and let us know how the PC is running now.

#13 Kanii (Topic Starter, Members, 14 posts)

Posted 04 March 2008 - 09:48 PM

I am really sorry for the lack of reply :flowers: I had a lot of papers and exams this past weekend and I couldn't run a virus scan because it consumes too much time especially since safe mode prohibited me from using the internet. Here is the SUPER AntiSpyware log. If you can resume helping me, I would appreciate it a lot. If you can't, I'll understand too :thumbsup: Thank you for your time and sorry for the inconvenience I've caused.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2008 at 09:17 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 03:31:01

Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 4912
Registry threats detected : 22
File items scanned : 73786
File threats detected : 1

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}#AppID
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32#ThreadingModel
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\Programmable
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID
C:\PROGRAM FILES\WINBUDGET\BIN\MATRIX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}

Trojan.VideoCach/Gen
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version

#14 Kanii (Topic Starter, Members, 14 posts)

Posted 04 March 2008 - 10:00 PM

Btw, does running the log only provide information on what was infected or does it actually remove things? Because I am still getting that popup from "C:\WINDOWS\system32\@#$#.htm." but I saw the information loading onto that page from a URL called "u.7town.com/fjelajrlkearje etc. stuff" and I did a google for the "u.7town.com" page but I couldn't find any connection with it to a Trojan unfortunately.

#15 boopme (Global Moderator, 73,528 posts, NJ USA)

Posted 04 March 2008 - 10:11 PM

What the SAS scan log shows is what it has removed. I know it is tough sometimes, but the more malware there is to be removed the longer it takes. Plus a complete scan will be the longest, as we wanted it to look at every file on the PC it can.
Safe mode is an important factor in a scan, especially if you know it is infected, as in SM only the minimal amount of files are running on the PC. The malware is easier to remove and correct in that condition.
You have removed some pretty bad stuff there. Looks like one is from a video codec, perhaps installed or packaged with something that was viewed.
How's the PC now? I'm looking at the other thing yet..

Edited by boopme, 04 March 2008 - 10:11 PM.

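To make boopme's point concrete (the SAS log is a record of what was removed, and each detection groups registry keys together with the file they point at), the Python script below is an added example for this thread, not part of the original posts and not part of SUPERAntiSpyware. It parses a constructed copy of the log Kanii posted in #13, groups the items by detection name, checks that the listed registry and file items agree with the header totals, and ties the Browser Helper Objects registration to the CLSID and the DLL listed alongside it, which is the link between the registry entries and the file that Internet Explorer would have loaded. The function names are this example's own assumptions; the keys and paths are the ones in the posted log.

```python
"""Summarise a SUPERAntiSpyware scan log: group removed items by detection
name, check the item counts against the header totals, and tie each Browser
Helper Objects registration to its CLSID and the DLL listed with it.
Added example for this thread; not part of SUPERAntiSpyware. The log below
is a constructed copy of the one posted above, trimmed to the lines needed.
"""
import re

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC)\\", re.IGNORECASE)
FILE_RE = re.compile(r"^[A-Za-z]:\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")

SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Memory threats detected : 0
Registry threats detected : 22
File threats detected : 1

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}#AppID
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\InprocServer32#ThreadingModel
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\Programmable
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\TypeLib
HKCR\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\VersionIndependentProgID
C:\PROGRAM FILES\WINBUDGET\BIN\MATRIX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}

Trojan.VideoCach/Gen
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS
HKCR\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
HKCR\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib#Version
"""


def is_item(line):
    """True for a registry path or a file path, the two kinds of removed item."""
    return bool(HIVE_RE.match(line) or FILE_RE.match(line))


def parse_sas_log(text):
    """Map each detection name to the items listed beneath it. A line is a
    detection name when it is not an item but the next non-blank line is."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    detections, current = {}, None
    for i, line in enumerate(lines):
        if is_item(line):
            if current is not None:
                detections[current].append(line)
        elif i + 1 < len(lines) and is_item(lines[i + 1]):
            current = line
            detections.setdefault(current, [])
    return detections


def declared_counts(text):
    """Totals from the log header, keyed 'memory' / 'registry' / 'file'."""
    return {m.group(1).lower(): int(m.group(2))
            for m in (COUNT_RE.match(ln.strip()) for ln in text.splitlines()) if m}


def observed_counts(detections):
    """Registry and file items actually listed, to cross-check the header."""
    items = [it for group in detections.values() for it in group]
    return {"registry": sum(1 for it in items if HIVE_RE.match(it)),
            "file": sum(1 for it in items if FILE_RE.match(it))}


def bho_registrations(detections):
    """(detection, CLSID, DLL) for each Browser Helper Objects key; the DLL is
    the file item listed in the same detection group, if there is one."""
    out = []
    for name, items in detections.items():
        dlls = [it for it in items if FILE_RE.match(it)]
        for it in items:
            if "\\browser helper objects\\" in it.lower():
                m = CLSID_RE.search(it)
                out.append((name, m.group(0) if m else None, dlls[0] if dlls else None))
    return out


if __name__ == "__main__":
    groups = parse_sas_log(SAMPLE_LOG)
    for name, items in groups.items():
        print("%s: %d item(s)" % (name, len(items)))
    print("header:", declared_counts(SAMPLE_LOG), "listed:", observed_counts(groups))
    for name, clsid, dll in bho_registrations(groups):
        print("BHO %s -> %s (%s)" % (clsid, dll, name))
```

The count cross-check is what answers the question in #14: the 22 registry and 1 file entries in the body are exactly the totals the header reports as detected, so the body is the removal record, not a separate "found but left alone" list. The BHO line is the one to read first in any such log, because a CLSID registered under Browser Helper Objects is loaded by Internet Explorer at start-up, which fits the slow IE start described in the opening post.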



