
Doginhispen, skitodayplease problems

By intex2
Mar 10, 2008
  1. The following entries keep showing up in my browser history: 88.80.7.66; a.doginhispen.com; and b.skitodayplease.com. I know these are problems, but I have no idea how to get rid of them. I have run a HijackThis log and have attached it for review. If someone could walk me through getting this cleaned up I would greatly appreciate it.
     
  2. kritius

    kritius TS Guru Posts: 2,084

    FindAWF

    Click here to download FindAWF and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Open Internet Explorer

    Click Tools -> Internet Options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.
    Then, click the privacy tab and click the sites button.
    In the address bar type the addresses of the offending websites

    Click OK, then OK again and close IE. Reboot your system.
     
  3. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    Thanks Kritius - attached is the AWF Logfile. I have followed your other directions as well.
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Double-click FindAWF.exe to start the tool. Then, do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Just make sure to paste it below the line.
    It may take a few minutes to complete, so please be patient.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    This thread is for the use of intex2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    Here is the resulting file
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Ok then,

    Please double-click the FindAWF icon once again.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed: Again scroll down the file to where it says START HERE.


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log. Post that log back here.

     
  7. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    the results...
     
  8. kritius

    kritius TS Guru Posts: 2,084

    This one's being sticky so we'll try it again,

    Double-click FindAWF.exe to start the tool. Then, do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text below the line from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

     
  9. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    here it is
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Please double-click the FindAWF icon once again.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed: Again scroll down the file to where it says START HERE.


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log. Post that log back here.

    Hopefully we're nearly there.

     
  11. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    thanks for your persistence! The log is attached
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Good, that got it,

    Run Fix AWF one more time and press 4, then press Enter.

    Then run HijackThis and post a log.
     
  13. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    Here is the Hijackthis log
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Go to add/remove programs and remove,
    PartyPoker

    Boot into safe mode and show hidden files and folders,
    do a search and delete all instances of party poker that you find.

    Boot back into normal mode and rehide your hidden files and folders.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Do another scan with HJT and post the log. How is the computer running now?

    Have there been any occurrences of adoginhispen?
     
  15. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    Sorry for the delay - that took me a while. Attached is the Hijackthis log. So far, I have had no other problems with the computer and a look at the browser history does not show evidence of dog or ski.
     
  16. kritius

    kritius TS Guru Posts: 2,084

    ok then,

    Have HJT fix these entries by doing a system scan only, placing a check beside them and selecting Fix checked:
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


    Do you know this file ok?
    http://onlinedesigner.hgtv.com

    Run Ccleaner and make sure that all the options are picked in the advanced tab except for the prefetch data, close all browsers and windows and run it through a couple of times until there are no more errors and then do the same for the registry.

    Do another HJT scan and post a log back.

    Hopefully we're nearly there.
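
Added example, not part of the original thread or of kritius's post: a Python sketch that parses HijackThis O9 lines like the two quoted above and groups the ones marked `(file missing)` by CLSID, which is how leftover toolbar button and menu registrations from an uninstalled program appear in a log. The third sample line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the two O9 lines quoted in the post above, plus one
# constructed line (last) whose target file is still present.
SAMPLE_LOG = r"""
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Example Tool - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\tool.exe
"""

# O9 = extra IE toolbar buttons / Tools menu items: label, CLSID, target path.
O9_RE = re.compile(
    r"^O9 - Extra (?P<kind>button|'Tools' menuitem): "
    r"(?P<label>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_o9(log_text):
    """Return one dict per O9 line; other log lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O9_RE.match(line.strip())
        if m:
            entries.append({
                "kind": m["kind"],
                "label": m["label"],
                "clsid": m["clsid"].upper(),   # CLSIDs are case-insensitive
                "path": m["path"],
                "missing": m["missing"] is not None,
            })
    return entries

def orphaned_by_clsid(entries):
    """Group entries whose target file is gone, keyed by CLSID."""
    groups = defaultdict(list)
    for e in entries:
        if e["missing"]:
            groups[e["clsid"]].append(e["kind"])
    return dict(groups)

if __name__ == "__main__":
    for clsid, kinds in orphaned_by_clsid(parse_o9(SAMPLE_LOG)).items():
        print(clsid, "orphaned:", ", ".join(kinds))
```

Both PartyPoker lines share one CLSID, so they collapse into a single orphaned registration with two UI hooks, which matches the pair of entries kritius asks to have fixed together.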
     
  17. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    I performed all your instructions and the latest HJT log is attached. Checked my browser history again and doginhispen has shown up again! I'm familiar with the onlinedesigner file - but it's not something I use - I downloaded it a long time ago and never deleted it.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    Dam, sorry it took so long to get back, had to sleep.

    What browser are you using?

    Download the ATF cleaner programme and save it to your desktop.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Reboot into normal mode.
    -------------------------------------------------------------------------------------------------------

    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad.

    Post the log file created in your next post.


     
  19. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    Good Morning - for my browser I use IE. Attached is the log from AWF. Checked my browser history and dog and ski are both on there this morning. Thanks again for all your help!
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Did you run ATF cleaner?

    You may want to consider changing your browser to Firefox; it's more secure than IE. This is pretty much a necessary step, I'm afraid.

    Download SmitFraudFix.

    Search:
    • Double-click smitfraudfix.exe
    • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Clean:
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click smitfraudfix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
    • To restore Trusted and Restricted site zone, select 3 and hit Enter.
    • You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

    Post back with the logs and a fresh HJT.


     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Don't mean to interrupt you kritius, but you may want to manually clear cookies through IE. Then try to remove all sites from the trusted zone again.

    So 1) Clear cookies through Tools -> Options

    2) Open Internet Explorer

    Click Tools -> Internet Options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.


    Links removed after reply.

    Click OK, then OK again and close IE. Reboot your system.

    Check if it's still there
     
  22. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    OK - I followed the instructions - during cleaning, it did not prompt me to replace the infected file. During the process, the disk cleanup box (from ms utilities I guess) popped up and then disappeared. I don't know if that's relevant, but I want to give you the whole picture. Also, per my browser history, dog has been revisited and 88.80.7.66 has also appeared. I'm entirely open to using the firefox browser. Logs from smitfraud and HJT are attached.
     
  23. kritius

    kritius TS Guru Posts: 2,084

    It's never an interruption with you Blind.

    I always welcome the input.

    EDIT ||||||

    Blind would you have a look and see what you think?
     
  24. intex2

    intex2 TS Rookie Topic Starter Posts: 22

    I have followed Blind's instructions, rebooted and the sites are still listed on my privacy tab.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    They should be on your privacy tab under blocked sites. Do you mean they are still in your browser history?
     
Topic Status:
Not open for further replies.
