2nd March 2008, 08:55 PM
Newcomer | Join Date: Mar 2008, 17 posts
[Solved] adoginhispen help?
I noticed the adoginhispen in my browsing history, and have been trying to get rid of it. I followed the "Steps 1 through 4" at this page: Whataboutadog/Whataboutarabbit/Adoginhispen removal instructions
...and after Step 4, noticed that there were still some files that hadn't been fixed. My hijackthis log is attached. If someone could help and walk me through this, I'd really appreciate it.
This is the awf file I got after going through the first step again.
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Sun 03/02/2008
The current time is: 16:49:54.20
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\APOINT2K\BAK
07/02/2004 06:48 AM 163,840 Apoint.exe
1 File(s) 163,840 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\SVREMOTE\BAK
02/13/2006 08:59 PM 24,576 USB20Remote.exe
1 File(s) 24,576 bytes
Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK
10/23/2006 07:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
163840 Jul 2 2004 "C:\Program Files\Apoint2K\Apoint.exe"
163840 Jul 2 2004 "C:\Program Files\Apoint2K\bak\Apoint.exe"
24576 Feb 13 2006 "C:\Program Files\SVRemote\USB20Remote.exe"
24576 Feb 13 2006 "C:\Program Files\SVRemote\bak\USB20Remote.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
end of report
2nd March 2008, 09:05 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Hello and welcome to
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file. Quote:
"C:\Program Files\Apoint2K\bak\Apoint.exe"
"C:\Program Files\SVRemote\bak\USB20Remote.exe"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
Regards Howard
This thread is for the use of mastermind42691 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.
2nd March 2008, 09:09 PM
Newcomer | Join Date: Mar 2008, 17 posts
OK, here it is. Thank you very much.
2nd March 2008, 09:12 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Please double-click the FindAWF icon once again
This time we are going to remove some folders.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed: Quote:
C:\Program Files\Apoint2K\bak
C:\Program Files\SVRemote\bak
C:\Program Files\Common Files\AOL\ACS\bak
Next, close and click Yes to save the changes.
When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log
Regards Howard
2nd March 2008, 09:14 PM
Newcomer | Join Date: Mar 2008, 17 posts
Here it is.
2nd March 2008, 09:31 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Ok, we need to manually remove some files. Please do the following.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Click start/run and type services.msc into the run box and press the enter key.
When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
Viewpoint Manager Service
Close the services window.
Go to add remove programmes in your control panel and uninstall anything to do with (if there).
Viewpoint
SpyDefender Pro
WinBudget
Apoint2K
SVRemote
Close control panel.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there).
Apoint.exe
USB20Remote.exe
AOLDial.exe
ViewpointService.exe
SpyDefender.exe
Close task manager.
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).
O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\_matrix.dll
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or folders (if there).
C:\Program Files\Viewpoint < Delete the entire folder.
C:\Program Files\SpyDefender Pro < Delete the entire folder.
C:\Program Files\WinBudget < Delete the entire folder.
C:\Program Files\Apoint2K < Delete the entire folder.
C:\Program Files\SVRemote < Delete the entire folder.
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\ACS\bak
Reboot into normal mode and rehide your protected OS files.
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.
Please post a fresh HJT log as well.
Regards Howard
2nd March 2008, 10:28 PM
Newcomer | Join Date: Mar 2008, 17 posts
OK, here are the files.
I still see the adoginhispen and bskitodayplease when I type "a" and "b" into my address bar. Does this mean they are still there?
2nd March 2008, 10:37 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Your log files are now clean.
Your system is infected with a new variant and it has so far proved very difficult to get rid of.
Please try the following.
Run Smitfaudfix as per the instructions on the page.
Download and run the ATF cleaner programme from HERE and save it to your desktop.
Boot into safe mode.
Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.
If my instructions above don't help, go and read THIS and follow the manual removal instructions exactly.
Let me know if any of the above helps.
Regards Howard
2nd March 2008, 11:19 PM
Newcomer | Join Date: Mar 2008, 17 posts
I did all of the steps in the above.
It seems to have gotten rid of the bskitodayplease. However, when I go to my address bar and type "a" I still get the following:
a.doginhispen.com/153/in/htmlg771589442.html?cid=48826446&aid=10374&time=77 1589442&fw=6208&v=153&m=0
When I click on it, I get a blank page with the number 14400 on it.
Is the virus still there?
Last edited by Daveskater; 3rd March 2008 at 04:02 PM.
Reason: Broke link
2nd March 2008, 11:25 PM
TST Master | Join Date: Dec 2007, 3,366 posts
First, do not click on it.
I can't see any infection in your log files. However, that doesn't necessarily mean it isn't there.
Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Combofix will automatically save the log file to C:\combofix.txt
Please post the Combofix log as an attachment.
Regards Howard
2nd March 2008, 11:29 PM
Newcomer | Join Date: Mar 2008, 17 posts
Before I do anything, let me ask. This warning says only 1 in 100 machines make it through this process unharmed. Could this hurt my computer?
2nd March 2008, 11:41 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Your system was and maybe still is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.
See HERE for a full description of the infection.
In this thread HERE, the situation was only solved by the OP using a different browser, rather than IE. In his case Opera.
Regards Howard
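The pattern described in the post above (a same-named file left in place while the original sits in a bak subfolder) can be checked read-only. The following is an added example, not part of the thread and not FindAWF's code; the function names, the .exe/.dll filter and the sample tree are assumptions constructed for illustration. It hashes both copies because matching size and date, which is what the FindAWF report lists, does not show that the contents match.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".dll"}  # assumption: only these file types are of interest


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_pairs(root):
    """Return (live, backup, status) for every executable found in a 'bak' folder."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            backup, live = os.path.join(dirpath, name), os.path.join(parent, name)
            if not os.path.isfile(live):
                status = "live-missing"   # original moved away, nothing in its place
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"      # plain duplicate, e.g. after a restore
            else:
                status = "differs"        # live file is not the one that was moved: review it
            findings.append((live, backup, status))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data (not real binaries) mimicking the layout in the report."""
    samples = {"Apoint2K/Apoint.exe": (b"replacement", b"original"),
               "SVRemote/USB20Remote.exe": (b"same", b"same")}
    for rel, (live_bytes, bak_bytes) in samples.items():
        folder, name = os.path.split(os.path.join(root, *rel.split("/")))
        os.makedirs(os.path.join(folder, "bak"))
        for path, data in ((os.path.join(folder, name), live_bytes),
                           (os.path.join(folder, "bak", name), bak_bytes)):
            with open(path, "wb") as fh:
                fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for live, backup, status in find_bak_pairs(tmp):
            print(status, live, "<->", backup)
```

A "differs" result only says the two copies are not the same file; which of them is the legitimate one still has to be established separately, for example against a known-good copy from the vendor.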
2nd March 2008, 11:44 PM
Newcomer | Join Date: Mar 2008, 17 posts
Well, I'd like to continue using IE7 if I can.
So, should I go ahead and run that scan? The one you recently suggested, with the scary warning? It did say that 99 out of 100 computers are harmed, so I was just nervous. Was that warning normal? Should I go ahead and try it anyway?
2nd March 2008, 11:46 PM
TST Master | Join Date: Dec 2007, 3,366 posts
Yes, please run the Combofix scan and post the log file.
Regards Howard
3rd March 2008, 12:00 AM
Newcomer | Join Date: Mar 2008, 17 posts
I did the scan. Here is the log file, and the HJT log.
Thank you for all of your help.
3rd March 2008, 12:11 AM
TST Master | Join Date: Dec 2007, 3,366 posts
Please do the following.
Open notepad and copy/paste the text in the quote box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code: Quote:
File::
C:\CF1990.exe
C:\CF31029.exe
C:\WINDOWS\ns.dll
C:\info.exe
C:\WINDOWS\1197-AC57-15DC-74A8.dat
Folder::
C:\97feaf1225122b1acd42091799654ee8
C:\Documents and Settings\Craig\Application Data\Viewpoint
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
Save this as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your reply.
Then, go HERE and install an Antivirus and a firewall programme.
Run the AV updates and run a complete system scan.
Regards Howard
3rd March 2008, 12:29 AM
Newcomer | Join Date: Mar 2008, 17 posts
OK, I am currently downloading the AntiVirus program, but attached is the log from the scan.
3rd March 2008, 12:34 AM
TST Master | Join Date: Dec 2007, 3,366 posts
Ok, that's clean now.
Click start/run and type combofix /u into the run box and hit the enter key. Note the space between combofix and forward slash. This will uninstall Combofix and all its folders etc.
Please let me know the results of the antivirus scan.
Regards Howard
3rd March 2008, 12:37 AM
Newcomer | Join Date: Mar 2008, 17 posts
Combofix is uninstalled. I'm about 60% done downloading the anti-virus software. Can I delete all the old log files, and some of the other things on my desktop? Or should I wait?
Again, thank you for your help.
3rd March 2008, 12:38 AM
TST Master | Join Date: Dec 2007, 3,366 posts
Yes, you can delete those.
Regards Howard