
Doginhispen, Skitodayplease


9 replies to this topic

#1 forpetesake

forpetesake

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 04 March 2008 - 10:16 PM

Hello, I'm new here and like many other posters I seem to be having issues with a doginhispen and skitodayplease. I noticed my computer getting slower about a week ago. I have tried the avast scan, superantispyware, and spyhunter to no avail. None of the scans or the searches that I have performed have found the file. However, when I first log on (using IE) a doginhispen comes up and the files show up in my history. I went ahead and did what I believe is the first step and ran the findawf.exe. The findings can be found below. I thank anyone who can help me in advance! :thumbsup:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 03/04/2008
The current time is: 19:12:32.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/22/2007 10:07 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

06/21/2007 02:06 PM 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

12/04/2007 05:00 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\BELLSO~1\HELPCE~1\BAK

12/07/2007 02:56 PM 884,736 ssGet.exe
1 File(s) 884,736 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

01/18/2008 10:39 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 Jul 22 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Feb 26 2008 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
14348 Feb 26 2008 "C:\Program Files\Bellsouth\HelpCenter\ssGet.exe"
884736 Dec 7 2007 "C:\Program Files\Bellsouth\HelpCenter\bak\ssGet.exe"
14348 Feb 26 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
52272 Jan 18 2008 "C:\Program Files\Google\googletoolbar1user.exe"
138168 Jan 18 2008 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
14348 Feb 26 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
171448 Jan 18 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,344 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:46 PM

Posted 06 March 2008 - 12:57 AM

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Bellsouth\HelpCenter\bak\ssGet.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
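The replacement pattern described in post #2 can be read straight out of the "Duplicate files of bak directory contents" section of the FindAWF report. The following is an added example, not part of the original thread and not FindAWF's own code; the function names are assumptions. It pairs each file in a bak folder with the same-named file one level up, flags pairs whose size or date differ, and then checks whether several flagged files share one size:

```python
import re
from collections import Counter
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: a subset of lines from the "Duplicate files of bak
# directory contents" section of the first report in this thread.
REPORT = r'''
14348 Feb 26 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 Jul 22 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
52272 Jan 18 2008 "C:\Program Files\Google\googletoolbar1user.exe"
14348 Feb 26 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
'''

LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

def parse(report):
    """Map lowercased path -> (size, date, path as written)."""
    entries = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2), m.group(3))
    return entries

def find_replaced(report):
    """Pair each <dir>\\bak\\<name> with <dir>\\<name>; return pairs that differ."""
    entries = parse(report)
    flagged = []
    for key, (bak_size, bak_date, bak_path) in entries.items():
        folder = dirname(key)
        if basename(folder) != "bak":
            continue
        live = entries.get(dirname(folder) + "\\" + basename(key))
        if live and live[:2] != (bak_size, bak_date):
            flagged.append((live[2], live[0], bak_path, bak_size))
    return flagged

def shared_sizes(flagged):
    """Sizes shared by several flagged live files: one stub under many names."""
    counts = Counter(live_size for _, live_size, _, _ in flagged)
    return {size: n for size, n in counts.items() if n > 1}

if __name__ == "__main__":
    hits = find_replaced(REPORT)
    for live_path, live_size, bak_path, bak_size in hits:
        print(f"{live_path} ({live_size}) differs from {bak_path} ({bak_size})")
    print("shared sizes:", shared_sizes(hits))
```

Equal size and date is only the heuristic this report exposes; comparing hashes or digital signatures of the two files is a stronger check.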

#3 forpetesake


Posted 06 March 2008 - 10:07 AM

You have no idea of the amount of gratitude I have for your help! I did as you instructed and here is what it came up with.

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 03/06/2008
The current time is: 7:01:51.85


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/22/2007 10:07 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

06/21/2007 02:06 PM 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

12/04/2007 05:00 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\BELLSO~1\HELPCE~1\BAK

12/07/2007 02:56 PM 884,736 ssGet.exe
1 File(s) 884,736 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

01/18/2008 10:39 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

77824 Jul 22 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Jul 22 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
884736 Dec 7 2007 "C:\Program Files\Bellsouth\HelpCenter\ssGet.exe"
884736 Dec 7 2007 "C:\Program Files\Bellsouth\HelpCenter\bak\ssGet.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
52272 Jan 18 2008 "C:\Program Files\Google\googletoolbar1user.exe"
138168 Jan 18 2008 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Jan 18 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
171448 Jan 18 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#4 boopme


Posted 06 March 2008 - 11:40 AM

You're quite welcome and let's hope we get this in one shot..

Copy the paths in the quote below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

C:\Program Files\QuickTime\bak
C:\Program Files\SUPERAntiSpyware\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Bellsouth\HelpCenter\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#5 forpetesake


Posted 06 March 2008 - 02:48 PM

Okay, done. Here is what it came up with.

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/06/2008
The current time is: 11:45:39.16


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#6 boopme


Posted 06 March 2008 - 02:58 PM

Looks good !! Now do these and you should be done.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Press 4, then press Enter.
Press 1 then Enter to continue.
When done, you will receive a message similar to this: Done! Zones have been reset
Press E then Enter to exit.

Then:
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

#7 forpetesake


Posted 06 March 2008 - 03:11 PM

:thumbsup: YOU ARE A ROCKSTAR!!!! Thank you so much. I was able to reply to an email without it taking 5 minutes!
When this all started I had adware and avast running and it didn't catch it. Is there something else that I should have done to prevent this?

#8 boopme


Posted 06 March 2008 - 08:47 PM

You're welcome and thank you for your kind words. This is a Trojan virus, which, as its name implies (Trojan Horse), came bearing surprises. You may have gotten this from peer-to-peer sites, video codecs, or gaming downloads. So you must be more careful in what you do. Those 3 areas can carry a lot of malware. Anything you download should be scanned before opening with your antivirus and/or a program such as SUPERAntispyware.

Was this an XP system?
Please read through these

How did I get infected?

Best Practices - Internet Safety For 2008

#9 forpetesake


Posted 06 March 2008 - 10:35 PM

I read through the sites and took the suggestions. I am thinking that my problem may have stemmed from my children ~ imagine that :thumbsup: We are going to go over the rules again and add some new ones. As stated before, you have been a tremendous help!

#10 boopme


Posted 06 March 2008 - 10:47 PM

Thanks for using Bleeping Computer and happy to have been a help.

Safety Tips - Keeping Children Safe On The Internet

If this was an XP machine, then...

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.




