Hi. Over the past few days I have developed a problem with Internet Explorer. I am not able to open any sites with Internet Explorer, however I am able to get online using MSN Explorer.

Until yesterday, I was using IE6. When the problem first developed I got an alert from Microsoft stating I needed to upgrade to IE7. I did that, but it did not solve the problem.

I've run spybot, and norton virus scans, then ran HJT and found doginhispen.com and aboutadog.com listed in my trusted sites.

I removed both of these, using HJT and rebooted. This solved the problem for about 24 hours, however today the problem suddenly redeveloped. I ran HJT again, and there they were. They've been removed again, and I went and entered these two sites in my listing of blocked sites, but am still not able to get online using IE. Once I open a window, it locks up and the only way to close it is using task manager to end the task.

Thank you in advance for any assistance anyone is able to offer.

MRD

You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


This thread is for the use of Mpls21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Please ignore the instructions given by rik for now.

Your system is infected with a very nasty virus.

The virus takes legit .exe files and places them in bak(backupfolders) it then calls itself whatever .exe file it has moved.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, post a HJT log as per these instructions.

Once we`ve managed to get rid of that virus, we can then check your system for any other infections that may be present.

Regards Howard

This thread is for the use of Mpls21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Hi Bobbye:

http://www.techspot.com/vb/topic88712.html

The above thread had the same infection. Removal is quite long winded, but can be achieved. Look at post#9 onwards in particular.

Regards Howard

Turning of system restore before cleaning is very risky. If something goes wrong during cleaning, the user won`t have any way to get back and will ultimately have to format.

Far better to be able to restore a system, even if that means restoring some infections, than not being able to restore at all.

Only once a system is clean, is it safe to turn system restore off and back on.

I first saw this virus a few weeks ago, I can`t remember which thread it was, but will try and find it, if I get time.

Found the thread.

http://www.techspot.com/vb/topic86461.html

Regards Howard

immediate setup to bypass these sites:

1) stop access by name
update host file
\windows\system32\drivers\etc\host (note missing extension)
set attrib -r, then edit the file and add

127.0.0.1 prq.se
127.0.0.1 b.whataboutadog.com
127.0.0.1 a.ciscering.com

save the file and set attrib +r

(nslookup 88.80.5.36 & 88.80.5.21 both ips point to prq.se)
b.whataboutadog.com ->8.80.5.21
a.ciscering.com ->209.62.20.154


2) stop access by ip-address
Unless you have fouled-up your firewall OR insist on running without one,
this should not be necessary at all. Otherwise, you can add these rules
near the top of the rule stack (to insure something else does not accidentily
allow traffic)
open your firewall and add rules

DENY out tcp/udp dest-ip 88.80.5.36 log
DENY out tcp/udp dest-ip 88.80.5.21 log
DENY in tcp/udp source-ip 88.80.5.36 log
DENY in tcp/udp source-ip 88.80.5.21 log

DENY out tcp/udp dest-ip 8.80.5.21 log
DENY in tcp/udp source-ip 8.80.5.21 log

DENY out tcp/udp dest-ip 209.62.20.154 log
DENY in tcp/udp source-ip 209.62.20.154 log

Do not add any reference to PORT(s)

Well isn't this just fun!

First of all, thank you all so very much for your assistance with this problem. My technical knowledge is at about the level where I know enough to do damage, so this is all quite intimidating to me... despite spending the last 5 years working (albiet in sales and marketing) for a dotcom and now an SEO firm. I just sell the stuff...

I am going through all the instructions in the thread referenced above by Howard, but am quite worried at the prospect of doing a system restore. I, as well as my boyfriend have both used that computer for both banking and credit card activity and I have some medical information saved on there as well. (In documents only.) I am also terrified at the thought of losing the massive amount of music, photos, old family movies I've transferred to DVD and have spent innumerable hours editing and creating movies with music and interviews of old relatives etc. I had all of this saved to an external hard drive, but about a month ago that froze and I'll have to spend an exorbitant amount of money to recover all of that. I do now have a new external hard drive that I can re-save all of my files to, so I've got that going for me... which is nice... I guess.

I have a couple of questions regarding doing a system restore. My apologies if they're really dumb.

If I do have to do a restore, will I then have to reinstall any programs that have been added "post OEM?"

Will I lose music, data files, photos etc, saved to my documents and if I first save them to an external hard drive, is there a risk of somehow moving the virus or part thereof to the hard drive? (I warned you these might be dumb questions! I've never had to do a restore.)

Thank you all once again for all your help... I hope I can get through this without too much loss!

Hi Mpls21:

The above instructions are what I`d like you to follow.

Just post the two requested log files and we`ll take it from there.

Regards Howard

Howard knows what he is doing with the type of infection you have, follow his instructions and with a little luck your pc should be fine.

issue is RESTORE vs. Restore Point(s)

Normally, we get System Restore Points everytime we do installs (it's the default option but can be disabled.)
Referencing one of these will ONLY change the registry, not your files.

A System Restore can only be done if you perform a System Backup.
Using one of these will overlay massive amounts of files, programs and system data.

on (1) the System Restore Points will track your registry over time --
which is why we typcially disable this option when removing virus/trojans;
if you don't, then you just waste time and reinstall the same problem.
It is possible, however, to pick a restore point which is not containated and
thus delete the offending virus/trojans -- it's just very difficult to find that correct instance.

A System Restore is whatever it is in time; it captures the state of your system at that time and rolls your system to that condition.

on (2) the virus/trojans seldomly attack files per se; they like to attack
the registry, configuration information and programs. *IF* you're careless
enough to click on any email attachments, then you will get some containated file -- typically located in the TEMP directories rather than you personal \Docs & Settings\yourloginId\My Documents\*

I've run HJT, (twice actually, I ran it again after kicking the dog out again.) I've attached both HJT files and the AWF file here.

Thanks.

Thank you for the information Joebeard. I think I'll be backing up the movies etc to the new hard drive and to DVDs... just to be safe. Thanks again!

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

This thread is for the use of Mpls21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

I know all you guys are trying to help.

However this thread is in overkill with advice and it`s just getting confusing.

Anyone who has the same problem and looks at this thread, is gonna wonder what the hells going on.

Let`s at least try and get rid of the infection, then see what else needs to be done, if anything.

Regards Howard

I copied the info, ran the AWF tool as instructed, and am attaching the results from the file here.

Thank goodness I have my laptop to get online and do all of this!

Thank you.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log as well as a fresh HJT log.

Regards Howard

This thread is for the use of Mpls21 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.