TechSpot

Help Please - 88.80.7.66, A.doginhispen.com, b.skitodayplease.com

By Shayna1976
Mar 1, 2008
  1. I have followed the instructions in this thread techspot.com/vb/topic58138

    Here are the requested logs.

    I thought I had gotten rid of it but apparently not as it showed up again today.

    Please help

    Thank you.
     


  2. kritius

    kritius TS Guru Posts: 2,084

    Are you really attached to the Yahoo! Toolbar? Does it do that much for you?

    Also fix these entries,
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    O17 - HKLM\System\CCS\Services\Tcpip\..\{742E073D-F7C2-499C-93C1-874EAF0AAA60}: Domain = domain.invalid

    The above has to do with Lop.com/Domain Hijacks, the next few steps are courtesy of Blind Dragon, see if they apply to you.

    Do you have any of the following in your add/remove programs?

    Netpumper
    BitRoll
    Browser Enhancer
    CiD Help
    CiD Manager
    Download Plugin for Internet Explorer
    Lop.com
    LOP SEARCH
    Messenger Plus
    Ultimate Browser Enhance
    Window Search
    Window Searching
    Zone Media

    If yes then,

    1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, highlight each one and select Remove.

    Netpumper
    BitRoll
    Browser Enhancer
    CiD Help
    CiD Manager
    Download Plugin for Internet Explorer
    Lop.com
    LOP SEARCH
    Messenger Plus
    Ultimate Browser Enhance
    Window Search
    Window Searching
    Zone Media

    2) "Setup" is now displayed. Click on the Uninstall button. Note: options
    displayed on the first screen are not related to the sponsor program.

    3) The sponsor screen is now displayed (if you don't see it, search for it
    in your Task Bar). To prove that someone is currently reading the screen,
    you have to type the code that is displayed. Once you enter the code,
    press Uninstall.

    4) If you entered the code properly, the program will ask you to confirm that
    you want to uninstall. You must answer "Yes" to this question,
    else you won't have another chance of uninstalling.

    5) Reboot your computer.

    6) Run another scan with HijackThis and attach a new log.
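The entries kritius asks to have fixed share two patterns: registry references whose target reads "(no file)" or "(file missing)", and an O17 line that rewrites the TCP/IP domain settings. The script below is an added example for this thread, not something posted by kritius or part of HijackThis; it triages HJT-style log lines the same way a helper does, using the lines quoted above as sample input plus one constructed benign O4 line and one constructed NameServer line (192.0.2.53 is a documentation address, not a real resolver).

```python
import re
from typing import Dict, List

# Sample HijackThis log lines. The O2, O3, O9 and O17 "Domain" lines are the ones quoted
# in this thread; the O4 line and the O17 "NameServer" line are constructed for the demo.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{742E073D-F7C2-499C-93C1-874EAF0AAA60}: Domain = domain.invalid
O17 - HKLM\System\CCS\Services\Tcpip\..\{742E073D-F7C2-499C-93C1-874EAF0AAA60}: NameServer = 192.0.2.53
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                      # "O<n> - <body>"
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")      # dangling registry reference
O17_RE = re.compile(r":\s*(Domain|NameServer|SearchList)\s*=\s*(.+)$")


def triage(log_text: str, trusted_domains=(), trusted_dns=()) -> List[Dict[str, str]]:
    """Return the log entries a helper would flag, each with the reason.

    trusted_domains / trusted_dns are the values the owner knows to be legitimate
    (e.g. the ISP's domain suffix or the home router's address); anything else in an
    O17 line is reported as a possible hijack.
    """
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if ORPHAN_RE.search(body):
            findings.append({"section": section, "line": raw.strip(),
                             "reason": "orphaned entry: points at a file that no longer exists"})
            continue
        if section == "O17":
            kv = O17_RE.search(body)
            if not kv:
                continue
            key, value = kv.group(1), kv.group(2).strip()
            allowed = {a.lower() for a in (trusted_domains if key != "NameServer" else trusted_dns)}
            bad = [v for v in re.split(r"[,\s]+", value) if v and v.lower() not in allowed]
            if bad:
                findings.append({"section": section, "line": raw.strip(),
                                 "reason": f"possible domain/DNS hijack: {key} = {', '.join(bad)}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}\n     {f['line']}")
```

The O4 entry is left alone because it points at a file that exists, which is the same distinction kritius draws when picking which lines to fix.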
     
  3. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I am not attached to the Yahoo bar. Is it bad? My spouse actually downloaded it. I hated it but finally gave in and started using it.

    I didn't have any of those programs listed. I am pretty good about keeping things off of the computer but this one slipped by.

    I have attached a new HJT log.

    Just recently Spy Hunter has started saying "Your DNS settings have been modified. Do you want to accept the changes or restore your previous settings?" ( I attached a screen shot in PDF) What should I do?

    Thank you for all of your help.
     


  4. kritius

    kritius TS Guru Posts: 2,084

    Have a look at what your DNS settings are; if you didn't change them, then I wouldn't move to the new ones.

    In regards to Spy Hunter 3, did you know that it used to be considered a rogue antispyware application? In my opinion, I would never use something that is/was a rogue. There are better ones out there, SUPERAntiSpyware for instance.

    In regards to the Yahoo bar, in most of the logs that have come through here almost all the infected ones have had the Yahoo bar or Google Desktop installed; it's up to you, though.

    Your log looks better now, are you still having problems?
     
  5. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    How do I check my DNS?

    I am still seeing them in my history.

    I came across something weird. I had, in task manager, 5 sessions of svchost running and I have never seen that before. One was over 25000kb and the others were 5000kb or just under. I also saw one that said services as well.

    I uninstalled Spy Hunter and Yahoo toolbar.

    I ran a new HJT and attached it.

    Thank you again for your help.
     
  6. kritius

    kritius TS Guru Posts: 2,084

    To check DNS settings,

    Click the "Start" button and select "Control Panel".
    Double-click "Network Connections".
    Right click the Local Area connection line or icon and select "Properties".
    Click the "Internet Protocol(TCP/IP)" line.
    Click the "Properties" button.
    Select "Obtain an IP address automatically" and "Obtain DNS server address automatically".
    Click "OK" and then click "OK" again and restart your computer.

    The svchost is ok as is services.

    Have HJT fix this entry
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    You could also use the advanced settings of Spybot to see about your startup programs as there seems to be a lot.

    Have you considered using Firefox?

    Your log is looking a lot better; I'll post later on if I can think of anything new.

    EDIT: Can you download FindAWF.

    Double-click on FindAWF.exe to start.
    If a "Security Alert" shows, allow the program to run.
    Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
    When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
    Attach the awf.txt file in your next reply.

    We're hopefully nearly there.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This will repair the damage that it has done

    FindAWF

    Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.


    Warning! Do not click the links below in the quote box.
    ********Links removed after reply*****************

    Click OK, then OK again and close IE. Reboot your system.
     
  8. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I blocked those sites through IE as directed.

    I checked my DNS and the settings were already as instructed.

    I deleted the requested file.

    I have attached the requested AWF and a new HJT file.

    Thank you both for your continued help.

    What are the advantages of Firefox?
     


  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I think kritius wanted to do the instructions for this so I will just keep an eye on the thread.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Cheers Blind Dragon,

    ok then Shayna1976,

    Double-click FindAWF.exe to start the tool. Then, do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.



    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.


    With regards to Firefox, I think that many people would agree with me in saying that it's a far better and more secure browser than IE; you can download it HERE.

    This thread is for the use of Shayna1976 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just make sure to paste it below the line.
    It may take a few minutes to complete, so please be patient.
     
  12. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I ran AWF as requested and attached the log.

    I think I am going to give Firefox a chance.

    Thank you again for your help.
     


  13. kritius

    kritius TS Guru Posts: 2,084

    Ok then,

    Please double-click the FindAWF icon once again.

    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed: Again scroll down the file to where it says START HERE.


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log.

     
  14. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I ran option 3 and attached the log.

    Thank you.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    This one's being sticky, so we'll try it again.

    Double-click FindAWF.exe to start the tool. Then, do the following:
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text below the line from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Hopefully just 2 more steps. How's the computer running?

     
  16. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    The computer is running slow. I'm not sure if it is from all of the programs I've downloaded or if it's related to this problem. I tried opening my Outlook earlier and it locks up my computer every time.

    I attached the new AWF file.

    Thanks for your help.
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Almost: when you fix the files, you leave the quote marks on; when you delete the folders, you don't have quote marks.

    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply along with a fresh HJT log




    Fix AWF Folders
    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.

    Run Fix AWF one more time and press 4, then press Enter.
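Both FindAWF walk-throughs above turn on one idea: the infection leaves a folder literally named bak next to the files it touched (C:\Program Files\Messenger\bak in kritius's later post), and the cleanup restores the stashed copies. The script below is an added example written for this thread, not FindAWF's own code: it walks a tree, pairs every file inside a bak folder with its same-named sibling in the parent folder, and reports whether the live copy still matches the stashed one. The sample tree it builds is constructed to mirror the Messenger path quoted here; the file contents are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_replacements(root: Path) -> List[Dict[str, str]]:
    """For every folder named 'bak' under root, compare each stashed file with the
    same-named file one level up and report the relationship between the two."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            backup = bak_dir / name
            live = bak_dir.parent / name
            if not live.exists():
                status = "live copy missing"       # stashed file with nothing in its place
            elif sha256_of(live) == sha256_of(backup):
                status = "identical"              # plain duplicate, nothing to restore
            else:
                status = "replaced"               # what runs now is not the stashed original
            findings.append({"live": str(live), "backup": str(backup), "status": status})
    return findings


def build_sample_tree(base: Path) -> Path:
    # Constructed layout mirroring the C:\Program Files\Messenger\bak path quoted in this
    # thread. Contents are placeholders, not real binaries.
    msg = base / "Program Files" / "Messenger"
    (msg / "bak").mkdir(parents=True)
    (msg / "bak" / "msmsgs.exe").write_bytes(b"PLACEHOLDER-ORIGINAL-MESSENGER")   # stashed original
    (msg / "msmsgs.exe").write_bytes(b"PLACEHOLDER-DIFFERENT-FILE-IN-PLACE")      # live copy differs
    (msg / "bak" / "readme.txt").write_bytes(b"same text")                        # benign duplicate
    (msg / "readme.txt").write_bytes(b"same text")
    return base


def demo() -> List[Dict[str, str]]:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_bak_replacements(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:18} {f['live']}")
```

Only the "replaced" pairs are candidates for a restore; an identical pair is just a spare copy, and a stashed file with no live counterpart needs a closer look rather than an automatic move.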
     
  18. kritius

    kritius TS Guru Posts: 2,084

    Cheers Blind Dragon, that was an error on my part.
     
  19. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I ran AWF as instructed as well as HJT and attached the logs.

    I have noticed that over the last two days 88.80.7.66, A.doginhispen.com, and b.skitodayplease.com have not shown up in my browser history.

    I hope that means it's gone.

    Thank you both for your help.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Ok, we just need to manually get rid of some files.

    Could you please do the following?

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    Double-click on the following service (if there) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK to disable.

    Messenger

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and End Process for (if there):

    Messenger

    Locate and delete the following bold folder (if there):

    C:\Program Files\Messenger\bak

    Reboot into normal mode and rehide your protected OS files.

    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Please post a fresh HJT log as well.

    Your log is looking a lot better, once this has gone it should be all good.
     
  21. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    When I went into safe mode, messenger was already disabled and not in task manager. I deleted the Bak folder as requested.

    I have attached a new AWF and HJT log.

    I still haven't seen it in my history so hopefully we've gotten rid of it.

    Thank you so much for all of your help.
     
  22. kritius

    kritius TS Guru Posts: 2,084

    That seems to have gotten rid of it,

    The latest Java update just came out.
    Update your Java Runtime Environment

    * First try going to Start -> Control Panel -> double-click Java
    * Select the Update tab at the top
    * Click the Check for Updates button at the bottom
    * If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    * After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    * Uninstall any older versions of Java


    If for some reason you couldn't update through the above instructions:

    * Click the following link
    Java Runtime Environment 6 Update 5
    * The 4th option down is the one you want (click Download)
    * Check the box to agree to terms of service
    * Check the box for your operating system and click 'Download selected' at the bottom
    * After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    * Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    -------------------------------------------------------------------------------------------------------


    Hopefully after you reboot, you should be ok.

    Now to create a clean restore point,

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    That seems to be you all clean now, but if anything does come back then you know where we are.

    Good luck.
     
  23. Shayna1976

    Shayna1976 TS Rookie Topic Starter

    I updated my Java and deleted the old stuff.

    I also took care of the system restore as well.

    So far everything looks good.

    Thank you both again for all of your help.
     
  24. kritius

    kritius TS Guru Posts: 2,084

    You are very welcome indeed.
     
Topic Status:
Not open for further replies.
