
Dogsinhispen.com, Skitodayplease.com Infection


10 replies to this topic

#1 Larry5712


Posted 30 March 2008 - 04:45 PM

I recently started seeing "a.dogsinhispen.com", "b.skitodayplease.com", and "88.80.7.6" in my history file immediately upon launching MSN Explorer.

I'm not sure just when this first occurred. I first noticed when looking at a browser page, all of a sudden I couldn't navigate around the page with up or down arrows. If I clicked anywhere on the page, everything again seemed normal. I later found that when this problem existed, if I performed an alt-tab I would see an Internet Explorer symbol in the list of application programs. If I selected this symbol, I would see that one of the above web addresses would appear in the description box. If I selected my original window, then again the navigation arrows would work normally, and the Internet Explorer symbol would disappear if I repeated the alt-tab.

Other than this, I can't really put my finger on anything unusual that has happened.

I am running Windows XP SP2, and it is up to date.

I am running McAfee Virus Scan and McAfee Firewall. I recently ran a full scan and saw nothing unusual.

Yesterday, I ran a full scan with Ad-Aware 2007, and found nothing.

I would appreciate help in getting rid of this virus/malware/trojan or whatever it is.

Edited by Larry5712, 30 March 2008 - 04:46 PM.



#2 boopme


Posted 30 March 2008 - 04:56 PM

Hi Larry5712, welcome. Let's start with this procedure.

First run an Online scan with BitDefender Online Scanner and post back the Scan log.

Next:

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Edited by boopme, 30 March 2008 - 05:00 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Larry5712


Posted 30 March 2008 - 07:18 PM

Thanks boopme for responding.

Following are the log files from BitDefender Online and FindAWF.exe:


_____________________________________________________________________________________

BitDefender Online Scanner

Scan report generated at: Sun, Mar 30, 2008 - 18:45:16

Scan path: C:\;D:\;


Statistics

Time: 01:12:08
Files: 321945
Folders: 5655
Boot Sectors: 2
Archives: 19747
Packed Files: 8935


Results

Identified Viruses: 1
Infected Files: 34
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 33


Engines Info

Virus Definitions: 1061246
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5


Scan Settings

First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions: (none)
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes



Scanned File | Status

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\Program Files\iTunes\iTunesHelper.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Delete failed
C:\Program Files\QuickTime\qttask.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP917\A0035319.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP917\A0035320.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035418.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035421.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035511.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035513.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035514.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035515.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035518.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035519.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035520.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035521.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035522.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP926\A0035523.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP940\A0035657.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP940\A0035658.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP950\A0035727.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP950\A0035729.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP950\A0035761.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP950\A0035786.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP956\A0037189.rbf | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039534.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039535.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039536.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039537.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039538.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP964\A0039539.exe | Infected with: Trojan.Zonebac.D; Disinfection failed; Deleted


_________________________________________________________________________________________________


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 03/30/2008
The current time is: 19:09:41.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06/04/2004 03:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/17/2005 04:29 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

12/22/2004 12:05 AM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

12/03/2004 04:24 PM 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

04/05/2005 02:41 PM 950,272 MpfTray.exe
1 File(s) 950,272 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

11/04/2004 01:38 PM 688,218 SynTPEnh.exe
11/04/2004 01:40 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 04:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
98304 Feb 17 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Dec 22 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
688218 Nov 4 2004 "C:\SWSETUP\SP29294\SynTPEnh.exe"
688218 Nov 4 2004 "C:\SWSETUP\Touchpad\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 Nov 4 2004 "C:\SWSETUP\SP29294\SynTPLpr.exe"
98394 Nov 4 2004 "C:\SWSETUP\Touchpad\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
303104 Apr 16 2004 "C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\AdobeUpdateManager.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
36972 Feb 17 2005 "C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14348 Feb 23 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#4 boopme


Posted 31 March 2008 - 11:07 AM

Hi Larry, are things a bit better? You've removed a lot. But there is still more.
You have an old version and a new version of Java installed. You need to remove the one older than 1.6....
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs .
Check the Show updates box at the top if not checked and remove all older versions of Java. (NOT 1.6)
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Reboot your computer once all Java components are removed.


You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
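The check behind the restore list in the post above, written out as an added example that is not part of this thread and not code from the FindAWF tool: a small Python script that parses the "Duplicate files of bak directory contents" section of a FindAWF report and pairs every bak\<name> entry with the live <name> in its parent folder. A live copy that is absent means the infected replacement was removed by the antivirus scan and the original still has to be restored from bak; a live copy whose size differs from the backup is the replacement itself (jusched.exe in the first report, 14348 bytes live against 132496 in bak); equal sizes mean the folder is consistent. The sample lines are copied from the report in post #3; the status labels and the names parse_report and triage are my own.

```python
import re
from pathlib import PureWindowsPath

# Entries copied from the "Duplicate files of bak directory contents" section
# of the FindAWF report in post #3 above (only a handful of lines are kept).
SAMPLE_REPORT = r"""
286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
14348 Feb 23 2008 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"""

# One report line: <size> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Return a list of (size, date, PureWindowsPath) for each parseable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def triage(text):
    """Pair each bak\\<name> entry with the live <name> one folder up.

    Status per live path (labels are this example's own, not FindAWF's):
      'missing'    - no live copy listed: the replacement was removed by the
                     AV scan, so the original must be restored from bak
      'replaced'   - live copy present but its size differs from the backup,
                     so the live file is not the original
      'consistent' - live copy present with the same size as the backup
    """
    entries = parse_report(text)
    # Index the live (non-bak) files by case-folded full path.
    live = {}
    for size, _date, path in entries:
        if path.parent.name.lower() != "bak":
            live[str(path).lower()] = size
    result = {}
    for size, _date, path in entries:
        if path.parent.name.lower() != "bak":
            continue
        original = path.parent.parent / path.name
        key = str(original).lower()
        if key not in live:
            status = "missing"
        elif live[key] != size:
            status = "replaced"
        else:
            status = "consistent"
        result[str(original)] = {
            "status": status,
            "bak_size": size,
            "live_size": live.get(key),
        }
    return result


if __name__ == "__main__":
    for path, info in triage(SAMPLE_REPORT).items():
        print(f"{info['status']:<10} {path}  (bak={info['bak_size']}, live={info['live_size']})")
```

Copies in unrelated folders (the jre1.6.0_02 jusched.exe above, or the SWSETUP copies in the full report) are keyed by their own directory and so never get matched against a bak folder elsewhere; only the parent of each bak directory counts. Size is the only attribute the report carries, so this is a triage aid, not proof that a same-sized live file is clean.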

#5 Larry5712


Posted 31 March 2008 - 12:21 PM

Hi boopme,

I removed the Java components of version 1.5xx per your instructions. There are a couple updates for v1.6 that I left as is.

Following is the logfile from FindAWF:



Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Mon 03/31/2008
The current time is: 12:01:50.95


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06/04/2004 03:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/17/2005 04:29 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

12/22/2004 12:05 AM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK

12/03/2004 04:24 PM 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

04/05/2005 02:41 PM 950,272 MpfTray.exe
1 File(s) 950,272 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

11/04/2004 01:38 PM 688,218 SynTPEnh.exe
11/04/2004 01:40 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 04:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\iTunesHelper.exe"
286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
98304 Feb 17 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Feb 17 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Dec 22 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
290816 Dec 3 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
950272 Apr 5 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
688218 Nov 4 2004 "C:\SWSETUP\SP29294\SynTPEnh.exe"
688218 Nov 4 2004 "C:\SWSETUP\Touchpad\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 Nov 4 2004 "C:\SWSETUP\SP29294\SynTPLpr.exe"
98394 Nov 4 2004 "C:\SWSETUP\Touchpad\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
303104 Apr 16 2004 "C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\AdobeUpdateManager.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

#6 boopme


Posted 31 March 2008 - 02:21 PM

Forgot to mention that older versions of Java are security risks. That is why Sun updates them. I also hope we get this in one shot, but we'll see.
Next Step:

Copy the paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\Program Files\McAfee.com\Personal Firewall\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

#7 Larry5712


Posted 31 March 2008 - 04:26 PM

Hi again boopme,

It looks like we (you) are making some progress!

A couple of questions:
What in your opinion was the vehicle for this infection getting into my computer?
How do I prevent this (or something similar) from happening again?

Thanks so much for your expert help.





Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 03/31/2008
The current time is: 16:14:44.93


bak folders found
~~~~~~~~~~~



Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
303104 Apr 16 2004 "C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\AdobeUpdateManager.exe"


end of report

#8 Larry5712


Posted 31 March 2008 - 04:30 PM

Oops - I hit Submit twice

Edited by Larry5712, 31 March 2008 - 04:37 PM.


#9 boopme


Posted 31 March 2008 - 09:09 PM

Ok, not bad, you are doing well. Unfortunately the penalty for double submitting is a forum ban before finishing the fix :thumbsup:
There are many ways to pick up malware so it's hard to say exactly. Usually I post this when we're done, but you may as well have a read while you wait. The 1-10 in this link.
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

I also want you to run a different scan and post that log also, after you do AWF #3 again.

Let's try to get it by only running #3 again.

Copy the paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

C:\Program Files\Adobe\Acrobat 7.0\Reader\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

***
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Edited by boopme, 31 March 2008 - 09:30 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 Larry5712 (Topic Starter, Members, 6 posts)

Posted 01 April 2008 - 04:47 PM

Hi boopme,

Some good news: This morning (before doing the scans from your last post), after bootup and launching MSN Explorer, I found that these pesky web sites (a.dogsinhispen.com, b.skitodayplease.com, 88.80.7.66) did NOT show up in the history list for Today. This is the first time I have noted this since this problem first showed its ugly head.

I see that Malwarebytes' Anti-Malware found some infections. Are these related to what we are working on, or are they something else?

Here are the logfiles you requested:


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Tue 04/01/2008
The current time is: 15:59:58.28


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
303104 Apr 16 2004 "C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\AdobeUpdateManager.exe"


end of report




Malwarebytes' Anti-Malware 1.09
Database version: 580

Scan type: Quick Scan
Objects scanned: 33070
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\setup.player.2k2 (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB.1 (Adware.AdMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\WinBudget\bin\matrix.dat (Adware.AdMedia) -> Quarantined and deleted successfully.

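The FindAWF report above lists every "bak" folder it found and then the files elsewhere on disk that are byte-for-byte copies of the bak contents. As an added example (not FindAWF's own code, and not part of the original thread), the script below reproduces that check in Python: it walks a tree, finds folders named "bak", and compares each file in them with the same-named file in the parent folder by size and SHA-256. The directory tree it scans is constructed in a temporary folder with made-up file bytes; the folder names are modelled on the thread's log, and "ExampleApp" is an assumed name.

```python
"""Added example (not FindAWF's own code): walk a directory tree, find every
folder named "bak" and compare each file in it with the same-named file in
the parent folder, reporting size and SHA-256 match, in the spirit of the
FindAWF "Duplicate files of bak directory contents" section."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(live_exists, identical):
    """Label one bak/live pair for the report."""
    if not live_exists:
        return "orphan-bak"      # bak copy with no live counterpart in the parent
    if identical:
        return "identical"       # same bytes: plain backup or already restored
    return "live-differs"        # live file is not the bak original: inspect it


def find_bak_duplicates(root):
    """Return one record per file found inside any folder named 'bak' under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            bak_file = d / name
            live_file = d.parent / name
            live_exists = live_file.is_file()
            identical = live_exists and sha256_of(bak_file) == sha256_of(live_file)
            findings.append({
                "bak": str(bak_file),
                "live": str(live_file),
                "bak_size": bak_file.stat().st_size,
                "live_size": live_file.stat().st_size if live_exists else None,
                "status": classify(live_exists, identical),
            })
    findings.sort(key=lambda f: f["bak"])
    return findings


def build_sample_tree():
    """Constructed sample tree: names modelled on the thread's log, bytes made up."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    reader = root / "Program Files" / "Adobe" / "Acrobat 7.0" / "Reader"
    (reader / "bak").mkdir(parents=True)
    # Case 1: bak copy and live file are byte-identical (what the thread's log shows).
    (reader / "AdobeUpdateManager.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (reader / "bak" / "AdobeUpdateManager.exe").write_bytes(b"MZ" + b"\x00" * 100)
    # Case 2: live file differs from the bak original (the pattern FindAWF hunts for).
    app = root / "Program Files" / "ExampleApp"      # assumed application name
    (app / "bak").mkdir(parents=True)
    (app / "bak" / "example.exe").write_bytes(b"MZ" + b"original" * 10)
    (app / "example.exe").write_bytes(b"MZ" + b"replaced" * 10)
    # Case 3: bak copy with no live counterpart.
    (app / "bak" / "helper.dll").write_bytes(b"MZ" + b"helper")
    # A bak-less folder that must produce no finding.
    (root / "Program Files" / "Clean").mkdir(parents=True)
    (root / "Program Files" / "Clean" / "clean.exe").write_bytes(b"MZ")
    return root


def report(root):
    """Render findings as text: status, size and path for the bak copy and its live twin."""
    lines = []
    for f in find_bak_duplicates(root):
        lines.append(f"{f['status']:<13} {f['bak_size']:>8} {f['bak']}")
        lines.append(f"{'':<13} {str(f['live_size']):>8} {f['live']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_tree()))
```

Run against a real tree you would point `find_bak_duplicates` at a drive root or Program Files instead of the sample; an "identical" pair (as in the log above, where the Reader file and its bak copy are the same 313,472 bytes) is a plain backup or an already-restored original, while a "live-differs" pair is the case worth a closer look.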
#11 boopme (To Insanity and Beyond, Global Moderator, 72,270 posts, NJ USA)

Posted 01 April 2008 - 08:30 PM

Probably, as this is a Downloader trojan. A little info on it here: Info World


Open Windows Explorer, navigate to and delete the following bak folder:
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Press 4, then press Enter.
Press 1 then Enter to continue.
When done, you will receive a message similar to this: Done! Zones have been reset
Press E then Enter to exit.


Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.