Tech Support Team
#1 - dfj4541 (Newcomer, joined Feb 2008) - 2nd February 2008, 07:59 PM
[SOLVED] a.doginhispen Removal Verification

Attached is the HJT log for verification that a.doginhispen has been removed.

Background
My PC's Internet Explorer (IE) had been running very slow since 1/30/2008. Once when trying to reach my router, IE instead went to a link at a.doginhispen.com I found a file named abc123.pid in the temp directory and deleted it. McAfee's site says that is an indication of Downloader-BEW, but I didn't have the registry keys they mentioned. Perhaps they were removed when I ran a full scan with Norton 360 which didn't say what it found or corrected.

I followed your Whataboutadog etc removal instructions for running FindAWF. It fixed 21 bak directories created on 1/30/2008. The HJT log is attached for review. My PC seems to be running fine now. THANK YOU SO MUCH! You are the best!

#2 - Howard (TST Master, joined Dec 2007) - 2nd February 2008, 08:34 PM
Hello and welcome to

Please do the following.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following by placing a tick in the little box next to it (if there).

O4 - S-1-5-18 Startup: Windows Task Manager.lnk = C:\WINDOWS\SYSTEM32\TASKMGR.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Windows Task Manager.lnk = C:\WINDOWS\SYSTEM32\TASKMGR.EXE (User 'Default user')

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://166.82.128.235/controls/prntpro2.CAB

Click on the fix checked button, close HJT and reboot your computer.

We need you to rename HijackThis.exe as some malware can hide from that file name.

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.


Post the Combofix and awf.txt logs as well as a fresh HJT log.

Regards Howard

This thread is for the use of only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum.

Last edited by Howard; 2nd February 2008 at 08:46 PM.
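As an added example (it is not code from the thread or from HijackThis, and the rules it applies are this example's own heuristics, chosen to match the entries Howard asked to fix), a Python helper that triages the five log lines listed above: it flags entries whose target file is missing, O16 ActiveX downloads served from a bare IP address, and O4 startup items that sit under the SYSTEM/.DEFAULT profile rather than a real user's.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: not code from the thread or from HijackThis itself. The
three rules below (missing target file, O16 ActiveX download from a bare
IP address, O4 startup item under the SYSTEM/.DEFAULT profile) are this
example's own heuristics, chosen to match the entries Howard asked to fix.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# The five lines quoted in post #2 of the thread.
HJT_LINES = r"""
O4 - S-1-5-18 Startup: Windows Task Manager.lnk = C:\WINDOWS\SYSTEM32\TASKMGR.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Windows Task Manager.lnk = C:\WINDOWS\SYSTEM32\TASKMGR.EXE (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://166.82.128.235/controls/prntpro2.CAB
""".strip().splitlines()

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Split an HJT line into its section code (O4, O9, ...) and body."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    section, body = match.groups()
    url = URL_RE.search(body)
    return {
        "section": section,
        "body": body,
        "url": url.group(0) if url else None,
        "missing": any(marker in body for marker in MISSING_MARKERS),
    }


def host_is_bare_ip(url):
    """True when the URL's host is an IP literal rather than a hostname."""
    try:
        ip_address(urlparse(url).hostname)
        return True
    except ValueError:
        return False


def triage(line):
    """Return the list of reasons an entry deserves attention (empty = none)."""
    entry = parse_line(line)
    if entry is None:
        return []
    reasons = []
    if entry["missing"]:
        reasons.append("target file missing: dead entry, safe to remove")
    if entry["section"] == "O16" and entry["url"] and host_is_bare_ip(entry["url"]):
        reasons.append("ActiveX control downloaded from a bare IP address")
    if entry["section"] == "O4" and ("S-1-5-18" in entry["body"] or ".DEFAULT" in entry["body"]):
        reasons.append("startup item under the SYSTEM/.DEFAULT profile, not a user's own")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in lines:
        reasons = triage(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(HJT_LINES).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

All five lines come back flagged, each for exactly one of the three reasons; an entry that matches none of them (a normal O4 item for the logged-in user pointing at an existing file, say) returns an empty list and is left for manual review.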

#3 - dfj4541 (Newcomer, joined Feb 2008) - 2nd February 2008, 09:55 PM
Results after Combofix.exe

Attached are the three logfiles from Combofix, FindAWF and HJT.

Summary
I renamed HijackThis.exe to Crusty.exe then used it to fix the 5 listed files. At first, combofix.exe gave the following Windows error dialog:
"Windows cannot find 'kmd.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."
When I started it again, it ran okay taking 14 minutes to finish. Then I ran FindAWF and finally ran HJT again. My PC would not connect to the Internet until I rebooted.

Thanks for the help!

#4 - Howard (TST Master, joined Dec 2007) - 2nd February 2008, 10:17 PM
Your log files are clean.

Click Start/Run and type combofix /u into the run box and press the enter key. This will uninstall ComboFix and all its folders etc. You can also delete the AWF tool.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

If you have no further questions, could you please mark this topic Solved by going to the top of this thread and clicking Thread Tools, then selecting "Mark this thread as solved", as seen in the image below:

If you need this thread re-opened please contact a moderator or PM me.

Regards Howard

#5 - dfj4541 (Newcomer, joined Feb 2008) - 3rd February 2008, 12:41 AM
ComboFix Uninstall

When trying to uninstall ComboFix, I get the following error:
"You cannot rename ComboFix as ComboFix
Please use another name"
Any ideas?

#6 - Howard (TST Master, joined Dec 2007) - 3rd February 2008, 12:54 AM
Just delete it and all its folders manually.

Regards Howard

#7 - dfj4541 (Newcomer, joined Feb 2008) - 6th February 2008, 01:35 AM
a.doginhispen Reinfection

In a previous post, I followed the instructions for removing a.doginhispen and we verified that it was gone. However, this morning (two days later), it came back and replaced the same 21 executables and created the same 21 bak directories. I've again followed your Whataboutadog etc removal instructions for running FindAWF. Attached is a new HJT log for verification that a.doginhispen has been removed. Where else can it be hiding? Thanks for the help.
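The reinfection recreated the same bak directories, which is the pattern FindAWF's option 1 scans for. The Python scanner below is an added example, not the FindAWF tool and not code from the thread; the folder layout it assumes (the original executable parked in a subfolder named bak beside a same-named replacement) is this example's own reading of the symptom described above, and the sample tree it builds is constructed. It hashes each live file against its bak twin so that a benign backup with identical content is not reported.

```python
"""Find the 'bak' folder pattern described in the thread.

Added example: not the FindAWF tool and not code from the thread. The
layout it assumes is this example's own reading of the reported symptom:
the infection keeps the original executable in a subfolder named 'bak'
beside it and drops a replacement under the original name. A finding is
therefore a file whose directory has a 'bak' subfolder holding a
same-named file with different content.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_bak(root):
    """Walk root and report live files that have a same-named twin in ./bak."""
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        if "bak" not in dirnames:
            continue
        bak_dir = Path(dirpath) / "bak"
        for backed_up in sorted(bak_dir.iterdir()):
            live = Path(dirpath) / backed_up.name
            if not (backed_up.is_file() and live.is_file()):
                continue
            findings.append({
                "live": str(live),
                "original": str(backed_up),
                "same_content": sha256_of(live) == sha256_of(backed_up),
                "live_size": live.stat().st_size,
                "original_size": backed_up.stat().st_size,
            })
    return findings


def replaced_files(root):
    """Only the findings where the live file differs from its bak twin."""
    return [f for f in scan_for_bak(root) if not f["same_content"]]


def build_sample_tree(base):
    """Constructed sample data, not taken from the thread.

    app1: replaced executable with the original parked in bak (the pattern).
    app2: untouched program, no bak folder.
    app3: bak folder whose copy still matches the live file (benign backup).
    """
    layout = {
        "app1/app1.exe": b"MZ replacement stub",
        "app1/bak/app1.exe": b"MZ original program code",
        "app2/app2.exe": b"MZ untouched program",
        "app3/app3.exe": b"MZ identical backup",
        "app3/bak/app3.exe": b"MZ identical backup",
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return replaced_files(base)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['live']} differs from {f['original']} "
              f"({f['live_size']} vs {f['original_size']} bytes)")
```

On the constructed tree only app1 is reported: app2 has no bak folder and app3's bak copy is byte-identical to the live file. On a real machine you would point scan_for_bak at the drive root and review every hit's live file before restoring the bak copy over it.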

#8 - Howard (TST Master, joined Dec 2007) - 6th February 2008, 02:09 AM
Original thread re-opened and new thread merged.

Please post an awf.txt after running option 1 of the FindAWF tool.

Regards Howard

#9 - dfj4541 (Newcomer, joined Feb 2008) - 6th February 2008, 03:20 AM
FindAWF Results

The attached awf.txt file shows that it's clean. As a precaution, I added the following entries to the HOSTS file in C:\WINDOWS\SYSTEM32\DRIVERS\ETC:
127.0.0.1 a.doginhispen.com #[Downloader-BEW]
127.0.0.1 b.skitodayplease.com #[Downloader-BEW]
127.0.0.1 88.80.7.66 #[Downloader-BEW]
127.0.0.1 85.17.221.28 #[Downloader-BEW]
My Internet Explorer history shows that I had both a.doginhispen.com and a variant b.skitodayplease.com
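Two caveats a defender would add to the HOSTS edit above: a HOSTS file matches only hostnames during name resolution, so the two lines whose name field is an IP address (88.80.7.66 and 85.17.221.28) never block anything, and the same file should be checked for names mapped to a non-loopback address, which is what a HOSTS-based hijack looks like. The Python audit below is an added example, not code from the thread; its input is the four posted lines plus a constructed comment line and a constructed non-loopback mapping (update.example.com to 203.0.113.5) so that all three cases appear.

```python
"""Audit a Windows HOSTS file: which entries sinkhole, which do nothing.

Added example: not code from the thread. It parses the entries dfj4541
posted and reports three things: hostnames sinkholed to a loopback address,
entries whose name field is an IP literal (HOSTS only matches hostnames,
so such a line never blocks anything), and names mapped to a non-loopback
address, which is what a HOSTS-file hijack looks like and is worth review.
"""
from ipaddress import ip_address

# The four lines posted in the thread, plus two constructed lines: a
# comment and a non-loopback mapping to exercise the third bucket.
HOSTS_TEXT = """\
# constructed comment line
127.0.0.1 a.doginhispen.com #[Downloader-BEW]
127.0.0.1 b.skitodayplease.com #[Downloader-BEW]
127.0.0.1 88.80.7.66 #[Downloader-BEW]
127.0.0.1 85.17.221.28 #[Downloader-BEW]
203.0.113.5 update.example.com # constructed: non-loopback mapping
"""

# Addresses that make a HOSTS entry a sinkhole rather than a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line number, address, [names]) for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed, nothing to resolve
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_ip_literal(name):
    """True when the name field is an IPv4/IPv6 address, not a hostname."""
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def audit_hosts(text):
    """Sort every name in the file into sinkholed / ineffective / redirects."""
    report = {"sinkholed": [], "ineffective": [], "redirects": []}
    for lineno, address, names in parse_hosts(text):
        for name in names:
            if is_ip_literal(name):
                report["ineffective"].append((lineno, name))
            elif address in LOOPBACK:
                report["sinkholed"].append(name)
            else:
                report["redirects"].append((lineno, name, address))
    return report


def is_sinkholed(text, hostname):
    """Check that a specific hostname is actually blocked by the file."""
    blocked = {n.lower() for n in audit_hosts(text)["sinkholed"]}
    return hostname.lower() in blocked


if __name__ == "__main__":
    result = audit_hosts(HOSTS_TEXT)
    print("sinkholed:  ", result["sinkholed"])
    print("ineffective:", result["ineffective"])
    print("redirects:  ", result["redirects"])
```

Run against the real file, the "ineffective" bucket tells you which lines to delete or replace with a firewall rule (the place an IP block actually belongs), and anything in "redirects" that you did not add yourself deserves a look.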

#10 - Howard (TST Master, joined Dec 2007) - 6th February 2008, 03:29 AM
All clean mate.

Unless you're still having problems, you should be good to go.

Regards Howard

#11 - dfj4541 (Newcomer, joined Feb 2008) - 6th February 2008, 03:44 AM
Source of reinfection?

Thanks. Any idea where I could have picked up the reinfection? The bak directories were created at 10:47 PM last night. The last thing I did was edit a document in Microsoft Publisher. Earlier I had checked some mainstream news websites, nothing seedy.

I assume I should stop and restart System Restore. Any other suggested precautions? I'm planning to get McAfee. My Norton 360 expires this month. Norton didn't prevent this trojan or even detect it.

#12 - Howard (TST Master, joined Dec 2007) - 6th February 2008, 03:50 AM
I don't think there are very many AV programmes, if any, that would prevent that particular infection. It must be down to something you're doing, though I have no idea what that may be.

Turning system restore off and on may well be a good idea.

Maybe you'd like to take a look at this thread HERE.

Regards Howard