Help needed with 88.80.7.66/doginhispen/skitodayplease

Status
Not open for further replies.

evh5150

I'm a bit confused with previous posts on this subject and was wondering if anyone could lend me a hand with these viruses. I have gotten a log from hijackthis and am posting it. Thank you.
 
DELDOMAINS

Download Deldomains.
  • Save it to your desktop.
  • Right-click DelDomains.inf and select: Install (no need to restart)
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

ATF Cleaner

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    If you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    If you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

Open Internet Explorer

Click Tools -> Internet Options.

Click the Security tab
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the Trusted zone by selecting them and clicking the Remove button.
Once done, click ok.

Warning! Do not click the links below in the quote box.

sites removed after reply

FindAWF

Download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach the AWF.txt file in your next reply.

I'll look over it in the morning for you.
 
AWF file

I've attached my AWF file. Can't thank you enough for the help. I won't be available tomorrow till about noon Atlanta time (about 5 hours behind you, I believe). Hope this isn't a problem.
 
No problem at all, that's where my sister lives, so I understand the time difference.

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\EarthLink TotalAccess\bak\TaskPanl.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\WINNT\system32\bak\ctfmon.exe"
"C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPClient.exe"
"C:\Program Files\EarthLink TotalAccess\FastLane2\bak\IPMon32.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
 
Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\EarthLink TotalAccess\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft IntelliType Pro\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\WINNT\system32\bak
C:\Program Files\EarthLink TotalAccess\FastLane2\bak
C:\Program Files\Yahoo!\Search Protection\bak
C:\Program Files\Common Files\AOL\Launch\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.

Have there been any instances of adoginhispen etc?
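As an added example (not the FindAWF tool or anything posted in this thread), the Python below does the comparison the restore steps above depend on: it finds "bak" folders, pairs each file inside with the same-named file one level up, and reports whether the two copies differ. The directory tree it builds under a temp folder is constructed for the demonstration and only borrows names from the list above.

```python
"""Added example (not the FindAWF tool): pair every file in a "bak" folder with the
same-named file in the parent folder and report whether the two copies differ.
The directory tree built in demo() is constructed for the demonstration."""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_bak_pairs(root: Path) -> list:
    """Walk root; for each directory named 'bak', compare each file it holds with
    the file of the same name one level up (the slot the backup came from)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        for name in filenames:
            backup = Path(dirpath) / name
            live = backup.parent.parent / name
            entry = {"backup": str(backup), "live": str(live),
                     "live_present": live.is_file(), "differs": None}
            if live.is_file():
                # Different content means the live file is not the backed-up original.
                entry["differs"] = sha256_of(live) != sha256_of(backup)
            findings.append(entry)
    return findings

def demo() -> list:
    """Constructed tree mirroring two of the paths listed in the thread."""
    root = Path(tempfile.mkdtemp())
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak").mkdir(parents=True)
    (qt / "bak" / "QTTask.exe").write_bytes(b"constructed: original bytes")
    (qt / "QTTask.exe").write_bytes(b"constructed: replacement bytes")  # differs
    sys32 = root / "WINNT" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"constructed: same bytes")
    (sys32 / "ctfmon.exe").write_bytes(b"constructed: same bytes")  # identical
    return find_bak_pairs(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A pair that differs is the case FindAWF's option 2 restores; an identical pair or a backup with no live counterpart is left for a human to judge.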
 
Here you go. And I'm happy to say that for the first time in about a month, no dihp/stp at all in the history this morning. Again, thanks a lot.
 
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\EarthLink TotalAccess\FastLane2\bak
    C:\Program Files\Spybot - Search & Destroy\bak
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After this, run FindAWF option 1 again and attach the log back here.
 
Here is the OldTimer results. Hope I did it right.
C:\Program Files\EarthLink TotalAccess\FastLane2\bak moved successfully.
C:\Program Files\Spybot - Search & Destroy\bak moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04062008_140420

And here's the AWF log.
 
Use FindAWF and use option 4 again.

Post a fresh HijackThis log and we'll see how the rest is looking. By the way, this is my 1000th post.
 
Go to Add/Remove Programs and uninstall anything to do with SurfMonkey.

If you have turned off your antivirus or firewall, turn them on; if you have none, then please let me know.

Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4AAE457A-BF4D-78C6-D423-615578F4224E} - C:\WINNT\System32\lnibnkpw.dll (file missing)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Java Virtual Machine] msvmjava.exe (User 'Default user')
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [7C690661] C:\WINNT\System32\lbfmlmkckjwigr.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft WinUpdate] bnvkscuu.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Updates] msupdate.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O24 - Desktop Component 0: (no name) - http://images.kodakgallery.com/photos1797/1/58/6/41/53/3/353410658106_0_ALB.jpg
O24 - Desktop Component 2: Intelligent Explorer[ieplugin.com] OnScreen Portal - http://active.ieplugin.com/active/?16213272

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Delete Files and Folders
  • Right-click on the Start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them (if still present)
C:\WINNT\System32\lnibnkpw.dll <--- this file
C:\WINNT\System32\lbfmlmkckjwigr.exe <--- this file
C:\Program Files\eSoftware <--- this folder

  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

Find and Delete Suspect File
Using Start > Search > All Files and Folders
Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
Enter bnvkscuu.exe and msvmjava.exe in the 'All or part of file name' box
Select C: in the 'Look in' dropdown box
Click Search Now
Right-click on bnvkscuu.exe and msvmjava.exe and select Delete
Repeat for each copy of the file
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Go here and scroll to find the orange bar Remove CoolWebSearch. Click on it and save cwshredder.exe on your desktop and have it ready to use.
Don't use it yet.
------------------------------------------------------------------------------
Now run cwshredder.
Click Scan only, fix whatever it finds, and click Exit.

Run HJT again and post a fresh log.
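An added example, not HijackThis code or anything the helper posted: a small triage pass over the O4 startup entries quoted in the fix list above. The five sample lines are copied from that log; the heuristics (bare filename, random-looking names, vendor-sounding value name without a full path) are this example's own rule of thumb, not HijackThis logic.

```python
"""Added example (not part of HijackThis): parse the O4 startup entries quoted in
the thread and flag the properties a reviewer checks first. The heuristics are
this example's own rule of thumb; the sample lines are copied from the log."""
import re

# O4 - <hive>\..\<key>: [<value name>] <command> (User '<user>')   (user part optional)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")

SAMPLE_O4 = [
    r"O4 - HKUS\.DEFAULT\..\Run: [Microsoft Java Virtual Machine] msvmjava.exe (User 'Default user')",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\RunServices: [7C690661] C:\WINNT\System32\lbfmlmkckjwigr.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Microsoft WinUpdate] bnvkscuu.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Updates] msupdate.exe (User 'Default user')",
]

def looks_random(stem: str) -> bool:
    """Crude check: all-hex names of 8+ chars, or long names with almost no vowels."""
    if re.fullmatch(r"[0-9A-Fa-f]{8,}", stem):
        return True
    vowels = sum(c in "aeiou" for c in stem.lower())
    return len(stem) >= 8 and vowels / len(stem) < 0.2

def triage_o4(line: str):
    """Return the parsed fields plus the reasons the entry deserves a closer look."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    exe = cmd.split()[0]                      # unquoted paths with spaces not handled
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    flags = []
    if "\\" not in exe:
        flags.append("bare filename: located by PATH search, so its origin is unknown")
    if looks_random(m.group("name")) or looks_random(stem):
        flags.append("random-looking value name or executable name")
    if m.group("name").lower().startswith("microsoft") and "\\" not in exe:
        flags.append("vendor-sounding name but not launched from a full path")
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "exe": exe, "user": m.group("user"), "flags": flags}

def triage_all(lines=SAMPLE_O4):
    return [r for r in map(triage_o4, lines) if r]

if __name__ == "__main__":
    for r in triage_all():
        print(r["key"], r["name"], r["exe"], r["flags"])
```

The KernelFaultCheck entry comes out with no flags: its command is a full path under %systemroot%, which is why a reviewer reads flags as prompts for a look, not as a verdict.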
 
Few things I should let you know about:

1) I wasn't able to find SurfMonkey in the Add/Remove Programs. I did a Search and found four matches for it. I was able to easily delete three applications of the files, but access was denied to a folder named surfmonkey. I went in and found six files in the folder. I was able to delete three of them, but for the other three, access was still denied. Hope this isn't a problem.

2) I wasn't able to find TeaTimer in the System Tray, but I did disable it in the Spybot S&D main page and rebooted my system.

3) I didn't find any of the files listed in the Hidden Files and Folders, though I enabled myself to access these files.

4) I didn't find bnvkscuu.exe or msvmjava.exe in the Search.

Here's the log.
 
Also, there is a strange new problem. In the address bar, I am only able to access sites if I type in the WWW signage (ex: www.yahoo.com works, but yahoo.com does not).
 