TechSpot

Dog in his pen removal help

By Coolball
May 6, 2008
Topic Status:
Not open for further replies.
  1. I've noticed some additions to my trusted sites zone, 3 in total, including cisering, what about dog, and dog in his pen. I've moved the sites to the denied zones plus added a few more found in association with this malware after reading in the forums. Noticed an unknown device MAC address on the home network a few days ago via Windows notification and Kaspersky and blocked it. Could it be someone was jacked in remotely to my private network trying to capture information?

    Next step, remove any infected files with a little help from the forum. What's the next step?

    Thanks!
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    FindAWF

    Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.

    -----------------------------------------------------------------------------

    Download the ATF cleaner program from HERE and save it to your desktop.

    *Run it after the next step while still in safe mode
    ---------------------------------------------------------------------------------

    *Copy and paste the next 2 section into notepad and save it to your desktop to have while in safe mode*

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
    ---------------------------------------------------------------------------------------
    While still in Safe Mode
    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    You can now boot into Normal Mode

    ------------------------------------------------------------------------

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    -------------------------------------------------------------------------

    Open Internet Explorer
    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.

    Warning! Do not click the links below in the quote box.
    Click OK, then OK again and close IE. Reboot your system.


    Attach back here FindAwf.log / Rapport.txt
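The DelO15Domains.inf script linked above wipes every Trusted Sites entry without showing what it found, and the manual Internet Options route only covers the current user. The following PowerShell script is an added example, not code from this thread or from the DelO15Domains.inf script, that lists the per-domain zone assignments IE keeps in the registry and only deletes them when asked. It assumes the documented ZoneMap layout (one subkey per domain, optional host subkeys, and a DWORD per scheme whose data is the zone number); the script name and its -Remove/-Zones parameters are this example's own.

```powershell
<#
Added example, not code from the TechSpot thread or from the DelO15Domains.inf
script it links. Lists, and with -Remove deletes, the per-domain Internet Explorer
zone assignments (the "O15" entries in HijackThis terms) that the thread has the
poster clear by hand in Tools > Internet Options > Security > Trusted sites.

IE keeps these under ...\Internet Settings\ZoneMap\Domains: one subkey per domain,
optional nested subkeys per host, and in each a DWORD named after the scheme
("http", "https" or "*") whose data is the zone number:
  1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
Anything a trojan drops into zone 2 runs with the relaxed Trusted-sites ActiveX
and scripting settings, which is why entries like "what about dog" landing there
is a red flag. On Windows Server the Enhanced Security Configuration lists live
under ZoneMap\EscDomains instead; they are not covered here.

Usage (from an elevated prompt so the HKLM branch is writable; the script name is
this example's own):
  .\Get-ZoneMapEntries.ps1                 # report only, Trusted sites
  .\Get-ZoneMapEntries.ps1 -Zones 2,4      # also show Restricted sites
  .\Get-ZoneMapEntries.ps1 -Remove         # delete the reported entries
#>
param(
    [switch]$Remove,
    [int[]]$Zones = @(2)
)

# Per-user and machine-wide maps; IE honours both, so audit both.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries {
    param([string]$Root, [int[]]$WantedZones)
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($key in Get-ChildItem -Path $Root -Recurse) {
        # Key path Domains\example.com\www describes host www.example.com:
        # take the components after "Domains" and reverse them.
        $parts     = $key.Name -split '\\'
        $idx       = [array]::IndexOf($parts, 'Domains')
        $hostParts = @($parts[($idx + 1)..($parts.Length - 1)])
        [array]::Reverse($hostParts)
        $hostName  = $hostParts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            if ($WantedZones -contains $zone) {
                [pscustomobject]@{
                    Hive   = $Root.Split(':')[0]
                    Host   = $hostName
                    Scheme = $scheme
                    Zone   = $zone
                    Key    = $key.PSPath
                }
            }
        }
    }
}

$found = foreach ($root in $roots) { Get-ZoneMapEntries -Root $root -WantedZones $Zones }
if (-not $found) { Write-Host 'No matching zone-map entries.'; return }
$found | Format-Table Hive, Host, Scheme, Zone -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # Delete the scheme value; a host mapped for several schemes is cleared value by value.
        Remove-ItemProperty -Path $entry.Key -Name $entry.Scheme -ErrorAction Stop
        Write-Host ("Removed {0} {1} from zone {2}" -f $entry.Scheme, $entry.Host, $entry.Zone)
    }
    # Prune domain keys left with no values and no subkeys, deepest first, so the
    # Trusted Sites dialog does not keep showing empty leftovers.
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse |
            Sort-Object { $_.Name.Length } -Descending |
            ForEach-Object {
                if ($_.ValueCount -eq 0 -and $_.SubKeyCount -eq 0) {
                    Remove-Item -Path $_.PSPath
                }
            }
    }
}
```

Run it without -Remove first and keep the listing with the other logs you attach; that way the sites you added on purpose are not lost, which is the caveat the .inf approach carries.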
  3. Coolball

    Coolball TS Rookie Topic Starter

    so far so good

    A couple of oddities: Kaspersky said the Smitfraud app contained riskware, and in the AWF-Cleaner the Prefetch check box was disabled.

    Should this be?

    Second thing, the original AWF.txt didn't save to my desktop? Did a search and couldn't find it either. It read no .bak files and had what looked like two IP addresses under the next line

    127.0.0.1 maybe? and 0.0.?


    Re-ran AWF and attached the second log
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Looks like you may have got off easy. Couple of things I wanted to bring up though.

    While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize (1). Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.
    Source = http://spywarewarrior.com/viewtopic.php?t=5015

    I recommend either malwarebytes anti-malware or SUPERAntiSpyware

    Malwarebytes' Anti-Malware

    SUPERAntiSpyware
    ---------------------------------------------------------------------------------------

    I also recommend you don't use internet explorer unless you have to:
    Here are 2 more secure browsers to choose from
    1)Firefox -> http://www.mozilla.com/en-US/firefox/
    2)Opera -> http://www.opera.com/

    ------------------------------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    --------------------------------------------------------

    We should run an online scan for a 2nd opinion
    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  5. Coolball

    Coolball TS Rookie Topic Starter

    thanks for your reply

    I'll definitely look into a spyware addition, thanks for the tip
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Kaspersky was also obviously clean.

    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.


    I also recommend

    Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Guide to Using Winpatrol to protect your computer from malicious software
  7. Coolball

    Coolball TS Rookie Topic Starter

    Thnx Guru

    Finished all of the steps listed. I appreciate you taking the time to help me with this. The entire process has made me much more aware of the importance of having security measures set up!

    Unless there's anything else you recommend further in the process, I'll leave this one as finished with cheers!

    Thnx