2nd February 2008, 12:26 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | | [SOLVED] a.doginhispen Removal using FindAWF.exe
I would like to first thank Tech Support Team for helping all us peeps who have been infected. You all are most generous for taking the time to assist everyone!
I too was infected with the doginhispen trojan. I utilized FindAWF.exe (Steps 1-4) to remove the infected directories and files. I wanted to post my awf and hijackthis logs for final review to ensure that this nasty little bugger is gone. I look forward to your response!
Cheers!
CriticalOvrload
Last edited by Howard; 11th February 2008 at 07:04 PM.
| 
2nd February 2008, 12:36 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code: C:\PROGRA~1\ZONELA~1\ZONEAL~1\BAK
- Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2
Please post the OTMoveIt log in the next post.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
----------
The HJT log is clean, are you still having any problems?
| 
2nd February 2008, 12:54 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | |
Not having any issues really even when Trojan was on the system. Just happened to notice the a.doginhispen URL in IE history last night and was lucky enough to find TST forums.
Done as suggested and log posted.
Cheers!
Last edited by Howard; 11th February 2008 at 07:05 PM.
| 
2nd February 2008, 01:31 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
The strange thing is that there are no doginhispen or whataboutdog entries in the HJT log so I am puzzled.
Let's take a closer look with a combofix log.
Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
Important! Combofix.exe MUST be saved to and run from the Desktop.
- Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
- Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
- Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
- Double click combofix.exe & follow the prompts.
- From the keyboard select 1 and press Enter
- When finished, it will produce a log for you.
- Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
- If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
- Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
---------- Next post please add Combofix log | 
2nd February 2008, 01:40 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | |
HJ log was run after the FindAWF procedure. If the FindAWF.exe got rid of the issue, would I still expect to see the doginthepen in the HJ log? Thanks!
Cheers!
| 
2nd February 2008, 01:42 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | Quote: |
would I still expect to see the doginthepen in the HJ log?
| Yes, FindAWF is used to repair the damage done by whataboutdog. It doesn't cure the infection.
| 
2nd February 2008, 02:02 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | |
ComboFix log attached. Thanks!
Last edited by Howard; 11th February 2008 at 07:06 PM.
| 
2nd February 2008, 02:30 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Let's get the recovery console installed.
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System. Choose Windows XP Service Pack 2 (SP2).
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Thanks to Bleeping Computer for the guide.
----------
Download and install CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
- Click Options...
- Make sure the arrow is set to Standard CleanUp!
- Uncheck the following: (if checked)
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!
If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.
----------
Download SUPERAntispyware Free Edition (SAS)
- Double-click the icon on your desktop to run the installer.
- When asked to Update the program definitions, click Yes
- Next click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure only the following are checked:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantining
- Please leave the others unchecked.
- Click the Close button to leave the control center screen.
- On the main screen click Scan your computer
- On the left check C:\Fixed Drive
- On the right choose Perform Complete Scan
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK
- Make sure everything in the white box has a check next to it, then click Next
- It will quarantine what it found and if it asks if you want to reboot, click Yes
- To retrieve the removal information please do the following:
- After reboot, double-click the SUPERAntiSpyware icon on your desktop.
- Click Preferences. Click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- It will open in your default text editor (such as Notepad/Wordpad).
- Save the notepad file to your desktop by clicking (in notepad) File > Save As...
- Save the log somewhere you can easily find it. (normally the desktop)
- Click close and close again to exit the program.
- Please copy and then paste the log in your post.
---------- Next post please add SuperAntispyware log | 
2nd February 2008, 04:09 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | |
Done as instructed and new log files attached.
Cheers!
Last edited by Howard; 11th February 2008 at 07:06 PM.
| 
2nd February 2008, 04:24 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
I have to say I think you are in the clear.
I would advise to install these two programs in order to help stop the malicious entries like whataboutdog from installing themselves to your browser. They are both free. SpywareBlaster doesn't use any resources whatsoever unless you are updating it and BOClean is lightweight but very effective.
- Comodo BOClean Anti-Malware: Stops identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
- Javacool SpywareBlaster: SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
Time to cleanup and secure the work you have done
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
- The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
Next
1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?) - When finished exit out of OTMoveIt2
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
Another good read is Slow Computer? Check here first; it may not be malware
Let us know how everything is now and if anything else comes up.
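The kill-bit mechanism mentioned in the post above, as an added example that is not part of the original thread and is not SpywareBlaster's own code: this Python script reads a registry export of Internet Explorer's ActiveX Compatibility key and reports which CLSIDs have the kill bit (Compatibility Flags 0x00000400) set. The export text and the CLSIDs in it are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that tells IE not to load the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample of a regedit export; the CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"AlternateCLSID"="{00000000-0000-0000-0000-000000000005}"
"""

KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(export_text):
    """Map each CLSID subkey of the ActiveX Compatibility key to its flags value."""
    flags, current = {}, None
    for line in (raw.strip() for raw in export_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            ok = m and m.group(1).lower() == BASE.lower()
            current = m.group(2).upper() if ok else None
            if current:
                flags.setdefault(current, 0)  # key exists but may carry no flags value
        elif current:
            m = FLAGS_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def killbit_status(export_text, clsids):
    """Return {clsid: True/False}: is the kill bit set for each CLSID of interest?"""
    flags = parse_compat_flags(export_text)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in range(1, 6)]
    for clsid, blocked in killbit_status(SAMPLE_EXPORT, wanted).items():
        print(clsid, "kill bit set" if blocked else "NOT blocked")
```

A real export written by regedit in the Version 5.00 format is UTF-16 encoded, so decode the file before passing its text to `killbit_status`.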
| 
2nd February 2008, 04:32 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | | |
Just a quick question. Are you suggesting that Comodo & JavaCool be run in coordination with SUPERAntiSpyware?
I really do appreciate all your assistance!
Cheers!
| 
2nd February 2008, 04:47 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Yes, they will both be safe. SUPERAntiSpyware is an on-demand scanner. It only runs when you want it to. And SpywareBlaster doesn't actually run. It sets restrictions in the browser to block known malware. BOClean does run and you will see it in the System Tray but it uses little resources so you won't notice it.
My setup at one point included SpywareBlaster, BOClean and SUPERAntiSpyware along with my antivirus and other on-demand scanners.
I still use everything but BOClean, but that's because I now use a licensed (not free) real time malware blocker called MalwareBytes Anti-Malware.
I also use WinPatrol 2007 which is a security monitor and also free. It alerts you to anything trying to install itself to the computer and also has some other handy features.
With all of that said, you only need one real time malware blocker, one antivirus, one firewall and a mix of on-demand spyware/malware scanners to use. SUPERAntiSpyware, Spybot S&D and AD-Aware are among the best and most popular.
| 
2nd February 2008, 04:56 AM
|  | Newcomer | | Join Date: Feb 2008, 10 posts. Location: TN Reputation:  | |
So by adding those tools to my current protection <see below>, will I be able to keep the nasties out? Just looking for any recommendations so I won't have to bother you fine folks again!
Ad-Aware
Spybot S&D
ZoneAlarm
AVG Anti-Virus
SUPERAntiSpyware
| 
2nd February 2008, 05:05 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | |
Yep, those two will fit in nicely with what you are using now. Should round out your security very nicely.
Remember that SpywareBlaster does not autoupdate. I try to remember to open it and check for updates every other week or so.
And the most important thing to know is that no security set up is bullet proof. Safe surfing and safe (clean) downloads are the key to a clean computer.
Here are two download sites that are guaranteed to have malware free downloads.
www.majorgeeks.com <<- A huge variety of "stuff" to download.
www.filehippo.com <<- A smaller selection but they only have the best and they are usually available in older versions also if needed.
No problem on the questions, the more you are prepared the better. | 
2nd February 2008, 07:39 PM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | |
CriticalOvrLoad, if you need this thread reopened, PM me or another moderator.
I am marking this thread as solved.