TechSpot

Skitodayplease adoginhispen and 88.80.7.66

By Raiden528
Apr 3, 2008
  1. I have all three of these on my computer, but there's something strange. I never see the popups open or anything else happen except for this. Whenever I'm playing a game the window will randomly close. And if I alt+tab fast enough I can see that IE opened up to either adoginhispen, b.skitodayplease.com or 88.80.7.66. I looked at my FindAWF and Hijackthis scans and didn't see anything, but I'm not quite sure what to look for. I'll attach both and maybe someone can shed some light on this? :)
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:

    For Internet Explorer 7

    * Click Start, click Control Panel, and then double-click Internet Options.
    * On the General tab, click Delete... under Browsing History.
    * Next to Temporary Internet Files, click Delete files, and then click OK.
    * Next to Cookies, click Delete cookies, and then click OK.
    * Next to History, click Delete history, and then click OK.
    * Click the Close button.
    * Click OK.

    For Mozilla 1.x and Up

    * Click Edit from the Mozilla menubar.
    * Click Preferences... from the Edit menu.
    * Expand the Advanced menu by clicking the plus sign.
    * Click Cache.
    * Click the Clear Cache button.

    For Opera

    * Click File from the Opera menubar.
    * Click Preferences... from the File menu.
    * Click the History and Cache menu.
    * Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
    * Click Ok to close the Preferences menu.

    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    Afterwards attach rapport.txt




    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.


    Fix AWF Folders
    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.

    Run another Hijackthis scan and attach here after.

    So
    1)Report.txt from Smitfraudfix
    2)AWF.txt after completing above
    3)hijackthis after everything else


    This thread is for the use of Raiden528 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    Dude I love you now :haha:

    Ok here's the stuff you asked for
     
  4. kritius

    kritius TS Guru Posts: 2,084

    FindAWF, Select Option 4 from the menu and press Enter.
    When it's finished the tool will return to the main menu.
    Press E to close FindAWF.

    Run HijackThis from Normal mode
     
  5. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    Ok I did

    Here's the latest Hijackthis file
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Do you still have Norton installed? If so, uninstall it.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Run again and attach a fresh log.
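As an added triage example that is not part of the original thread and not HijackThis's own code: a small Python script that scans a HijackThis log for the entry classes kritius picked out above (O2/O9 browser objects whose file is gone, and an O16 DPF entry with no download URL), plus two heuristics of my own: any line that references one of the redirect hosts from the first post, and any O4 autorun launched from a Temp folder. The four entries from the post above are copied as-is; the remaining sample lines (the R1 start page, the Java BHO, the two O4 autoruns and the Java DPF entry) are constructed for the demonstration and are not from the poster's log.

```python
"""Triage a HijackThis log for the entry classes discussed in this thread.

Added example, not part of the original thread. The 'constructed' sample
lines below are made up for the demonstration; the others are copied from
kritius's post. The Temp-folder and host-indicator checks are heuristics of
my own, not HijackThis rules.
"""
import re
from dataclasses import dataclass
from typing import List

# Hosts from the thread: the pages Internet Explorer kept opening.
THREAD_INDICATORS = ("skitodayplease", "adoginhispen", "88.80.7.66")

# "O2 - BHO: ..." / "R1 - HKCU...": a section tag, " - ", then the body.
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
# "DPF: {CLSID} (optional friendly name) - URL"; an empty URL means the
# ActiveX download entry is orphaned.
DPF_LINE = re.compile(r"^DPF: (\{[^}]+\})(?: \([^)]*\))?\s*-\s*(.*)$")
# An autorun (O4) program path that lives under a ...\Temp\ directory.
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample log: the four O2/O9/O16 lines are from the post above,
# the rest are made up so the benign and suspicious cases are both covered.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://88.80.7.66/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return the log lines worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, blank and other non-entry lines
        sec, body = m.group("sec"), m.group("body")
        low = body.lower()

        if any(ind in low for ind in THREAD_INDICATORS):
            findings.append(Finding(sec, "references a redirect host from the thread", line))
        elif sec in ("O2", "O3", "O9") and ("(no file)" in low or "(file missing)" in low):
            # A COM object still registered with IE whose DLL is gone: not
            # malicious by itself, but dead weight HijackThis should remove.
            findings.append(Finding(sec, "orphaned browser object (no backing file)", line))
        elif sec == "O16":
            d = DPF_LINE.match(body)
            if d and not d.group(2).strip():
                findings.append(Finding(sec, "orphaned ActiveX download entry (no URL)", line))
        elif sec == "O4" and TEMP_PATH.search(low):
            # Legitimate software does not normally autorun from a Temp folder.
            findings.append(Finding(sec, "autorun launched from a Temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running it on the sample prints six findings: the R1 start page pointing at 88.80.7.66, the three orphaned O2/O9 objects, the O4 autorun from the Temp folder, and the O16 entry with no URL; the Java BHO, the Avast autorun and the Java DPF entry are left alone. The Temp-folder heuristic only matches a literal `\Temp\` path component, so it will miss an autorun that uses an 8.3 short name; treat it as a first pass over the log, not a verdict.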
     
  7. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    Roger here is the current one
     
  8. kritius

    kritius TS Guru Posts: 2,084

    Here is a tool to help you; follow all the directions on the site:

    Norton Removal Tool

    I have to head to sleep now, so
    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)
    • Attach the report in your next post.
     
  9. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    Ok, I ran it and it found a lot of things. Yes, I do have Norton and I'll get rid of it. Also, what's your opinion of Avast antivirus? That's what I'm using at the moment.

    Ok here is the scan results
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
     
  11. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    I ran it, but I get the feeling it didn't find anything. I'm gonna run a boot-time scan with Avast to see if it will find this stuff.

    Here's the report
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do you know what this is: World Domination on your desktop?

    I ask because the kaspersky scan wasn't that bad, we had a false positive on smitfraud tool, then most of the infections were in your old restore point which we will clear out soon.

    Then 2 other bad entries which I think we can remove easily
     
  13. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    Oh, it's just a folder I named that. Umm, I ran Avast and it found 3 things and moved them to the chest. They were named:

    A7097377.exe, which was in System Volume Information and was identified as Adware-gen

    A0102094.dll, also in System Volume Information, also Adware-gen

    Keygen.exe, located in mydocuments\downloads, which is identified as Trojan-gen

    These are only 3 files and kaspersky found like 32 so I'm beginning to think I should get another anti virus program.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Avenger by Swandog

    • Download Avenger by Swandog and unzip it to your Desktop.

      Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the programme.
    • Copy the text in the code box below and Paste it into the Input script here: box.
    Code:
    Files to delete:
    C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
    C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
    C:\Program Files\mIRC\mirc.exe
    • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Attach the log back here please. (it can also be found at C:\avenger.txt)
     
  15. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    When I do, it says error: A valid script must begin with a command directive.
     
  16. kritius

    kritius TS Guru Posts: 2,084

    Try this,

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe
      C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008
      C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
      C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
      C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
      C:\Program Files\mIRC\mirc.exe
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window and choose Paste.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
     
  17. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe moved successfully.
    < C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008 >

    It said something about an invalid time stamp.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    Is that all it said?

    try it with just this,

    Code:
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
    C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
    C:\Program Files\mIRC\mirc.exe
    
     
  19. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    < C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream >

    Invalid time stamp! [stream] Must be numerical

    It said that this time
     
  20. kritius

    kritius TS Guru Posts: 2,084

    I would leave it for now then till Blind Dragon has another look at it. Have to log off now.
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    *Removed after reply
     
  22. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It worked on most of them, but it appears I added too much to one of them.

    Avenger by Swandog


    • Note: This program must be run from an account with Administrator privileges.

    • Open the Avenger folder and double click Avenger.exe to launch the programme.
    • Copy the text in the code box below and Paste it into the Input script here: box.
    • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
    • Press the Execute key.
    • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
    • Attach the log back here please. (it can also be found at C:\avenger.txt)
     
  24. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    I got that same Windows "no disk" error message.

    And it failed to get it again, but here is the log.

    BTW: I really appreciate your and the other guys' help.
     
  25. Raiden528

    Raiden528 TS Rookie Topic Starter Posts: 18

    I found this in my Mirc folder.. I'm hoping this isn't what is on my computer.
     
Topic Status:
Not open for further replies.
