Help Please - 88.80.7.66, A.doginhispen.com, b.skitodayplease.com

Status
Not open for further replies.

Shayna1976

I have followed the instructions in this thread techspot.com/vb/topic58138

Here are the requested logs.

I thought I had gotten rid of it but apparently not as it showed up again today.

Please help

Thank you.
 

Attachments: ComboFix.txt (19.8 KB), Report-Scan-20080228-234135.txt (2 KB), hijackthis.log (12.1 KB)

Are you really attached to the Yahoo! Toolbar? Does it do that much for you?

Also fix these entries,
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


O17 - HKLM\System\CCS\Services\Tcpip\..\{742E073D-F7C2-499C-93C1-874EAF0AAA60}: Domain = domain.invalid

The above has to do with Lop.com/domain hijacks. The next few steps are courtesy of Blind Dragon; see if they apply to you.

Do you have any of the following in your add/remove programs?

Netpumper
BitRoll
Browser Enhancer
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger Plus
Ultimate Browser Enhance
Window Search
Window Searching
Zone Media

If yes then,

1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, highlight each one and select Remove.

Netpumper
BitRoll
Browser Enhancer
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger Plus
Ultimate Browser Enhance
Window Search
Window Searching
Zone Media

2) "Setup" is now displayed. Click on the Uninstall button. Note: options
displayed on the first screen are not related to the sponsor program.

3) The sponsor screen is now displayed (if you don't see it, search for it
in your Task Bar). To prove that someone is currently reading the screen,
you have to type the code that is displayed. Once you enter the code,
press Uninstall.

4) If you entered the code properly, the program will ask you to confirm that
you want to uninstall. You must answer "Yes" to this question,
else, you won't have another chance of uninstalling.

5) Reboot your computer.

6) Run another scan with HijackThis and attach a new log.
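As an added example (not from the thread and not part of HijackThis), a small Python filter over the kind of entries quoted in this post: it parses the "Oxx - ..." lines, flags the orphaned BHO/toolbar/button entries that end in "(no file)" or "(file missing)", and surfaces O17 entries that force a DNS domain on an interface. The sample log is the entries quoted above plus one constructed healthy BHO line so the filter has something to leave alone.

```python
import re

# Constructed sample: the entries quoted in this post plus one made-up
# healthy BHO line (the {1111...} CLSID is a placeholder) that must pass.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {A93A3CC9-BA23-4d0d-9440-6A0148362B7E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{742E073D-F7C2-499C-93C1-874EAF0AAA60}: Domain = domain.invalid
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Turn each 'Oxx - ...' line into a dict; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        domain = None
        if code == "O17" and "Domain = " in body:
            domain = body.split("Domain = ", 1)[1].strip()
        entries.append({
            "code": code,
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            # HijackThis marks a registered component whose file is gone;
            # these dead registrations are what the helper says to fix.
            "orphan": body.endswith("(no file)") or body.endswith("(file missing)"),
            "domain": domain,
        })
    return entries


def needs_fixing(entries):
    """Entries a helper would ask the user to fix: orphaned components and
    O17 entries that set a DNS domain/suffix on a network interface."""
    return [e for e in entries if e["orphan"] or e["domain"] is not None]
```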
 
I am not attached to the Yahoo bar. Is it bad? My spouse actually downloaded it. I hated it but finally gave in and started using it.

I didn't have any of those programs listed. I am pretty good about keeping things off of the computer but this one slipped by.

I have attached a new HJT log.

Just recently Spy Hunter has started saying "Your DNS settings have been modified. Do you want to accept the changes or restore your previous settings?" (I attached a screen shot in PDF.) What should I do?

Thank you for all of your help.
 

Attachments: Screen Shot.pdf (23.4 KB)

Have a look at what your DNS settings are; if you didn't change them, then I wouldn't move to the new ones.

In regards to Spy Hunter 3, did you know that it used to be considered a rogue antispyware application? In my opinion, I would never use something that is/was a rogue. There are better ones out there, SUPERAntiSpyware for instance.

In regards to the Yahoo bar, in most of the logs that have come through here almost all the infected ones have had the Yahoo bar or Google Desktop installed; it's up to you though.

Your log looks better now, are you still having problems?
 
How do I check my DNS?

I am still seeing them in my history.

I came across something weird. I had, in Task Manager, 5 sessions of svchost running and I have never seen that before. One was over 25000 KB and the others were 5000 KB or just under. I also saw one that said services as well.

I uninstalled Spy Hunter and Yahoo toolbar.

I ran a new HJT and attached it.

Thank you again for your help.
 
To check DNS settings,

Click the "Start" button and select "Control Panel".
Double-click "Network Connections".
Right click the Local Area connection line or icon and select "Properties".
Click the "Internet Protocol (TCP/IP)" line.
Click the "Properties" button.
Select "Obtain an IP address automatically" and "Obtain DNS server address automatically".
Click "OK" and then click "OK" again and restart your computer.

The svchost is OK, as is services.

Have HJT fix this entry
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

You could also use the advanced settings of Spybot to see about your startup programs, as there seem to be a lot.

Have you considered using Firefox?

Your log is looking a lot better; I'll post later on if I can think of anything new.

EDIT: Can you download FindAWF?

Double-click on FindAWF.exe to start.
If a "Security Alert" shows, allow the program to run.
Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
Attach the awf.txt file in your next reply.

We're hopefully nearly there.
 
This will repair the damage that it has done

FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
Open Internet Explorer.

Click Tools -> Internet Options.

Click the Security tab
Click on the Trusted sites icon.
Click the sites button and remove all sites from the trusted zone by selecting
them and clicking the remove button.
Once done, click ok.


Warning! Do not click the links below in the quote box.
Then, click the privacy tab and click the sites button. In the address bar type

[ and click the Block button. Do this for

[ and [l] and [ as well.
********Links removed after reply*****************

Click OK, then OK again and close IE. Reboot your system.
 
I blocked those sites through IE as directed.

I checked my DNS and the settings were already as instructed.

I deleted the requested file.

I have attached the requested AWF and a new HJT file.

Thank you both for your continued help.

What are the advantages of Firefox?
 

Attachments: awf.txt (9 KB)

Cheers Blind Dragon,

OK then, Shayna1976,

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.


"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\Dell Photo AIO Printer 962\bak\dlbxmon.exe"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
"C:\Program Files\AWS\WeatherBug\bak\Weather.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\McAfee\MBK\bak\LogOnHook.exe"
"C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
"C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.


With regards to Firefox, I think that many people would agree with me in saying that it's a far better and more secure browser than IE; you can download it HERE.

This thread is for the use of Shayna1976 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I ran AWF as requested and attached the log.

I think I am going to give Firefox a chance.

Thank you again for your help.
 

Attachments: new awf.txt (9.2 KB)

Ok then,

Please double-click the FindAWF icon once again.

Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed: Again scroll down the file to where it says START HERE.

C:\WINDOWS\bak
C:\Program Files\AIM6\bak
C:\Program Files\Dell Photo AIO Printer 962\bak
C:\Program Files\DellSupport\bak
C:\Program Files\iTunes\bak
C:\Program Files\Messenger\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\Program Files\REGSHAVE\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\AWS\WeatherBug\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\McAfee\MBK\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Common Files\Adobe\Updater5\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log.

 
This one's being sticky, so we'll try it again.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text below the line from the quote box (all except the word QUOTE) into the text file.

C:\Program Files\Messenger\bak\msmsgs.exe

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Hopefully just 2 more steps. How's the computer running?

 
The computer is running slow. I'm not sure if it is from all of the programs I've downloaded or if it's related to this problem. I tried opening my Outlook earlier and it locks up my computer every time.

I attached the new AWF file.

Thanks for your help.
 
Almost: when you fix the files you leave the quote marks on; when you delete the folders you don't have quote marks.

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply along with a fresh HJT log.




Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\PROGRA~1\MESSEN~1\BAK

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.

Run Fix AWF one more time and press 4, then press Enter.
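As an added example, not code from the thread and not part of FindAWF, the Python below does the defender's side of what this post describes: it walks a directory tree for "bak" folders, pairs each backed-up file with the same-named live file in the parent folder and hashes both (a differing pair is the AWF pattern of a moved original with a stand-in in its place, a matching pair is just a backup), then emits the two paste lists in the form the post insists on: quoted file paths for option 2 and unquoted folder paths for option 3. The sample tree is constructed in a temporary directory, and the "C:" drive prefix is an assumed parameter, since the tree scanned is not a real Windows drive.

```python
import hashlib
import os
import tempfile


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan_bak_folders(root):
    """Walk root and report every 'bak' directory, roughly what FindAWF option 1
    lists.  For each file in a bak folder that also exists under the same name
    in the parent directory, record whether the two copies differ: in an AWF
    infection the bak copy is the real program and the parent copy is the
    trojan's stand-in.  Paths come back relative to root, '/'-joined, sorted."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        rel_bak = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in filenames:
            live = os.path.join(parent, name)
            if os.path.isfile(live):
                differs = sha256(live) != sha256(os.path.join(dirpath, name))
                records.append((rel_bak, name, differs))
    return sorted(records)


def findawf_lists(records, drive="C:"):
    """Build the two paste lists used in this thread: option 2 (restore) wants
    each file as a QUOTED full path, option 3 (remove) wants the bak folders
    UNQUOTED.  The drive prefix is an assumption; the scanned tree only mirrors
    a Windows layout."""
    restore, folders = [], []
    for rel_bak, name, _differs in records:
        win_bak = drive + "\\" + rel_bak.replace("/", "\\")
        restore.append('"' + win_bak + "\\" + name + '"')
        if win_bak not in folders:
            folders.append(win_bak)
    return restore, folders


def build_sample_tree():
    """Constructed sample, not a real infection: one program whose real binary
    sits in bak with a different file in its place, plus one bak folder that is
    only an identical backup.  File contents are placeholder bytes."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("Program Files/Messenger/msmsgs.exe", b"STAND-IN")          # replacement
    put("Program Files/Messenger/bak/msmsgs.exe", b"REAL-MSMSGS")   # moved original
    put("Program Files/QuickTime/qttask.exe", b"REAL-QTTASK")
    put("Program Files/QuickTime/bak/qttask.exe", b"REAL-QTTASK")   # plain backup
    return root
```

Only the Messenger pair comes back flagged as differing; the QuickTime pair is listed because it is in a bak folder, but its matching hash tells you it is not the AWF pattern.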
 
I ran AWF as instructed as well as HJT and attached the logs.

I have noticed that over the last two days 88.80.7.66, A.doginhispen.com, and b.skitodayplease.com have not shown up in my browser history.

I hope that means it's gone.

Thank you both for your help.
 
Ok, we just need to manually get rid of some files.

Could you please do the following?

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

Double click on the following service (if there) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK to disable.

Messenger

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end process for (if there):

Messenger

Locate and delete the following bold folders (if there).

C:\Program Files\Messenger\bak

Reboot into normal mode and rehide your protected OS files.

Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Please post a fresh HJT log as well.

Your log is looking a lot better, once this has gone it should be all good.
 
When I went into safe mode, messenger was already disabled and not in task manager. I deleted the Bak folder as requested.

I have attached a new AWF and HJT log.

I still haven't seen it in my history so hopefully we've gotten rid of it.

Thank you so much for all of your help.
 
That seems to have gotten rid of it,

The latest Java update just came out.
Update your Java Runtime Environment

* First try going to Start -> Control Panel -> double click Java
* Select the Update tab at the top
* Click the Check for Updates button at the bottom
* If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
* After it installs the newest version Go back to Control Panel -> Add/remove programs
* Uninstall any older versions of Java


If for some reason you couldn't update through the above instructions.

* Click the following link
Java Runtime Environment 6 Update 5
* The 4th option down is the one you want (click Download)
* Check the box to agree to terms of service
* Check the box for your operating system and click 'Download selected' at the bottom
* After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
* Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

-------------------------------------------------------------------------------------------------------


Hopefully after you reboot, you should be ok.

Now to create a clean restore point,

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

That seems to be you all clean now, but if anything does come back then you know where we are.

Good luck.
 
I updated my Java and deleted the old stuff.

I also took care of the system restore as well.

So far everything looks good.

Thank you both again for all of your help.
 