TechSpot

Help needed with 88.80.7.66/doginhispen/skitodayplease

By evh5150
Apr 5, 2008
  1. I'm a bit confused with previous posts on this subject and was wondering if anyone could lend me a hand with these viruses. I have gotten a log from hijackthis and am posting it. Thank you.
     
  2. kritius

    kritius TS Guru Posts: 2,084

    DELDOMAINS

    Download Deldomains.
    • Save it to your desktop.
    • Right-click DelDomains.inf and select: Install (no need to restart)
    • You may not see any noticeable changes or prompts; this is normal.
    Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      if you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
      if you use Opera:

      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.


    Warning! Do not click the links below in the quote box.

    FindAWF

    Download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach the AWF.txt file in your next reply.

    I'll look over it in the morning for you.
     
  3. evh5150

    evh5150 TS Rookie Topic Starter

    AWF file

    I've attached my AWF file. Can't thank you enough for the help. I won't be available tomorrow till about noon Atlanta time (about 5 hours behind you, I believe). Hope this isn't a problem.
     
  4. kritius

    kritius TS Guru Posts: 2,084

    No problem at all, that's where my sister lives so I understand the time difference.

    Fix AWF Infection Step 2
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.
     
  5. evh5150

    evh5150 TS Rookie Topic Starter

    Awf2

    Ok, here you go
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Fix AWF Infection Step 3

    Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Select Option 3 from the menu and press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the folders and will perform another scan for bak folders.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.
    Before you close FindAWF, Select Option 4 from the menu and press Enter.
    When it's finished the tool will return to the main menu.
    Press E to close FindAWF.

    Have there been any instances of adoginhispen etc?
     
  7. evh5150

    evh5150 TS Rookie Topic Starter

    Here you go. And I'm happy to say that for the first time in about a month, no dihp/stp at all in the history this morning. Again, thanks a lot.
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Program Files\EarthLink TotalAccess\FastLane2\bak
      C:\Program Files\Spybot - Search & Destroy\bak
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    After this, run FindAWF option 1 again and attach the log back here.
     
  9. evh5150

    evh5150 TS Rookie Topic Starter

    Here is the OldTimer results. Hope I did it right.
    C:\Program Files\EarthLink TotalAccess\FastLane2\bak moved successfully.
    C:\Program Files\Spybot - Search & Destroy\bak moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04062008_140420

    And here's the AWF log.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Use Find AWF and use option 4 again.

    Post a fresh HijackThis log and we'll see how the rest is looking. By the way, this is my 1000th post.
     
  11. evh5150

    evh5150 TS Rookie Topic Starter

    Congratulations, my friend. Glad you were helping me out for it.

    Here's my HJT log.
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Go to add/remove programs and uninstall anything to do with
    SurfMonkey

    If you have turned off your antivirus or firewall turn them on, if you have none then please let me know.

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {4AAE457A-BF4D-78C6-D423-615578F4224E} - C:\WINNT\System32\lnibnkpw.dll (file missing)
    O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Java Virtual Machine] msvmjava.exe (User 'Default user')
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [7C690661] C:\WINNT\System32\lbfmlmkckjwigr.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft WinUpdate] bnvkscuu.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Updates] msupdate.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O24 - Desktop Component 0: (no name) - http://images.kodakgallery.com/photos1797/1/58/6/41/53/3/353410658106_0_ALB.jpg
    O24 - Desktop Component 2: Intelligent Explorer[ieplugin.com] OnScreen Portal - http://active.ieplugin.com/active/?16213272

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Delete Files and Folders
    • Right Click on the start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them (if still present)
    C:\WINNT\System32\lnibnkpw.dll<---------This File
    C:\WINNT\System32\lbfmlmkckjwigr.exe<---------This File
    C:\Program Files\eSoftware<---------This Folder

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

    Find and Delete Suspect File
    Using Start > Search > All Files and Folders
    Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
    Enter bnvkscuu.exe and msvmjava.exe in the 'All or part of file name' box
    Select C: in the 'Look in' dropdown box
    Click Search Now
    Right-click on bnvkscuu.exe and msvmjava.exe and select Delete
    Repeat for each copy of the file
    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

    Go here and scroll to find the orange bar Remove CoolWebSearch. Click on it and save cwshredder.exe on your desktop and have it ready to use.
    Don't use it yet.
    ------------------------------------------------------------------------------
    Now run cwshredder.
    Click Scan only and fix whatever it finds and click exit.

    Run HJT again and post a fresh log.
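As an added example (not from this thread and not part of HijackThis itself), here is a small Python triage script that parses log entries in the format shown in the fix list above and flags the patterns a helper looks for: orphaned hooks marked (no file)/(file missing), autoruns that reference a bare filename resolved via PATH, Microsoft-sounding names that do not point into a system path, and the legacy RunServices key. The sample entries are copied from the log above; the heuristics and their names are my own assumptions.

```python
import re

# Constructed sample: entries copied from the HijackThis log kritius asked to fix above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {4AAE457A-BF4D-78C6-D423-615578F4224E} - C:\WINNT\System32\lnibnkpw.dll (file missing)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [7C690661] C:\WINNT\System32\lbfmlmkckjwigr.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft WinUpdate] bnvkscuu.exe (User 'SYSTEM')
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body layout: "<hive\..\Key>: [<display name>] <command>[ (User '<account>')]"
O4_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

def parse_line(line):
    """Split a HijackThis line into section code and body; O4 autorun lines also get key/name/cmd."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"section": m["section"], "body": m["body"]}
    if rec["section"] == "O4" and (o4 := O4_RE.match(rec["body"])):
        rec.update(o4.groupdict())
    return rec

def flag_entry(rec):
    """Defender heuristics (assumed, not HijackThis's own) for one entry; returns reasons, empty = none."""
    flags = []
    if "(no file)" in rec["body"] or "(file missing)" in rec["body"]:
        flags.append("orphan")  # hook points at a file that is already gone; safe to remove
    if "cmd" in rec:  # parsed O4 autorun
        exe = rec["cmd"].split()[0]
        if "\\" not in exe and not exe.startswith("%"):
            flags.append("bare-filename")  # resolved via PATH at logon; legitimate autoruns use full paths
            if rec["name"].startswith("Microsoft"):
                flags.append("vendor-masquerade")  # Microsoft-sounding name, but no system path
        if rec["key"].endswith("RunServices"):
            flags.append("runservices")  # Win9x-era key, rarely populated by software on NT-family Windows
    return flags

def triage(log_text):
    """Return [(record, flags)] for every parsable line that raised at least one flag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (flags := flag_entry(rec)):
            hits.append((rec, flags))
    return hits
```

Entries such as the KernelFaultCheck dumprep line and the O16 game download parse cleanly but raise no flag, which is the point: the script narrows a long log down to the lines worth a human look.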
     
  13. evh5150

    evh5150 TS Rookie Topic Starter

    Few things I should let you know about:

    1) I wasn't able to find SurfMonkey in the Add/Remove Programs. I did a Search and found four matches for it. I was able to easily delete three applications of the files, but access was denied to a folder named surfmonkey. I went in and found six files in the folder. I was able to delete three of them, but the other three access was still denied. Hope this isn't a problem.

    2) I wasn't able to find TeaTimer in the System Tray, but I did disable it in the Spybot S&D main page and rebooted my system.

    3) I didn't find any of the files listed in the Hidden Files and Folders, though I enabled myself to access these files.

    4) I didn't find bnvkscuu.exe or msvmjava.exe in the Search.

    Here's the log.
     
  14. evh5150

    evh5150 TS Rookie Topic Starter

    Also, there is a strange new problem. In the address bar, I am only able to access sites if I type in the WWW signage (ex: www.yahoo.com works, but yahoo.com does not).
     