Skitodayplease adoginhispen and 88.80.7.66


Raiden528
I have all three of these on my computer, but there's something strange. I never see the popups open or anything else happen except for this. Whenever I'm playing a game the window will randomly close. And if I alt+tab fast enough I can see that IE opened up to either adoginhispen, b.skitodayplease.com or 88.80.7.66. I looked at my FindAWF and Hijackthis scans and didn't see anything, but I'm not quite sure what to look for. I'll attach both and maybe someone can shed some light on this? :)
 
Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

For Internet Explorer 7

* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.

For Mozilla 1.x and Up

* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.

For Opera

* Click File from the Opera menubar.
* Click Preferences... from the File menu.
* Click the History and Cache menu.
* Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
* Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Afterwards attach rapport.txt




Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
"C:\Program Files\DNA\bak\btdna.exe"
"C:\Program Files\Napster\bak\napster.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Steam\bak\steam.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Bellsouth\HelpCenter\bin\bak\sprtcmd.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.


Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\Digital Media Reader\bak
C:\Program Files\DNA\bak
C:\Program Files\Napster\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Steam\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Bellsouth\HelpCenter\bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.

Run another Hijackthis scan and attach here after.

So:
1) Report.txt from Smitfraudfix
2) AWF.txt after completing the above
3) Hijackthis log after everything else


This thread is for the use of Raiden528 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
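An added example, not part of the thread and not FindAWF's own code: a Python check that models what the two FindAWF steps above do. It builds a constructed sample tree (paths and file contents are made up) in which legitimate autostart executables have been moved into a bak subfolder, compares each backup with whatever now sits at the original path, and derives the two lists the steps ask for: backups to restore and bak folders to remove afterwards.

```python
import filecmp
import os
import tempfile

# Constructed sample tree (not from the thread) modelling an AWF-style swap:
# the real executable is moved into "bak" and another file dropped under its name.
SAMPLE_TREE = {
    "Program Files/QuickTime/qttask.exe": b"DROPPED-IN-PLACE",
    "Program Files/QuickTime/bak/qttask.exe": b"ORIGINAL-QTTASK",
    "WINDOWS/system32/ctfmon.exe": b"DROPPED-IN-PLACE",
    "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL-CTFMON",
    "WINDOWS/system32/hkcmd.exe": b"SAME-BYTES",
    "WINDOWS/system32/bak/hkcmd.exe": b"SAME-BYTES",        # plain copy, nothing swapped
    "Program Files/Steam/bak/steam.exe": b"ORIGINAL-STEAM",  # moved away, nothing put back
}

def build_sample_tree(root):
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def find_awf_candidates(root):
    """For every file inside a 'bak' folder, report whether a same-named file
    sits in the parent folder and whether its bytes differ from the backup."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup, live = os.path.join(dirpath, name), os.path.join(parent, name)
            if not os.path.exists(live):
                status = "missing"      # original moved away, nothing in its place
            elif filecmp.cmp(live, backup, shallow=False):
                status = "identical"    # genuine backup copy, no swap
            else:
                status = "replaced"     # something else now sits at the original path
            findings.append({"backup": backup, "live": live, "status": status})
    return findings

def restore_plan(findings):
    """The two lists FindAWF asks for: backups to move back over replaced or
    missing originals, then every bak folder to remove afterwards."""
    files = [f["backup"] for f in findings if f["status"] != "identical"]
    folders = sorted({os.path.dirname(f["backup"]) for f in findings})
    return files, folders

def demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    findings = find_awf_candidates(root)
    files, folders = restore_plan(findings)
    statuses = {os.path.basename(f["backup"]): f["status"] for f in findings}
    return statuses, len(files), len(folders)
```

Run demo() to see the three statuses on the sample tree; pointing find_awf_candidates at a real Program Files or system32 root gives the same report for an actual machine.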
 
FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.

Run HijackThis from Normal mode
 
Do you still have Norton installed? If so uninstall it.

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Run again and attach a fresh log.
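An added example, not from the thread and not HijackThis code: a small parser for the entry lines quoted above that flags the ones HijackThis reports as (no file) or (file missing), plus the O16 line whose target is empty. Such entries are registry references whose file is gone, which is why fixing them is low risk. The sample lines are constructed from the thread, with one healthy O4 autostart line added so the filter has something it must leave alone.

```python
import re

# Constructed sample: the four entries quoted in the thread plus one healthy
# O4 autostart line that the filter must keep.
HJT_LINES = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Split one HijackThis line into section, CLSID (if any) and the final
    target field; a trailing ' -' (as in the O16 line) yields an empty target."""
    parts = [p.strip() for p in (line.rstrip() + " ").split(" - ")]
    if len(parts) < 2 or not re.fullmatch(r"O\d+", parts[0]):
        return None
    clsid = CLSID_RE.search(line)
    target = parts[-1]
    orphan = target in ("", "(no file)") or target.endswith("(file missing)")
    return {"section": parts[0], "clsid": clsid.group(0) if clsid else None,
            "target": target, "orphan": orphan}

def orphaned_entries(text):
    """Entries whose referenced file is gone; nothing can load from them,
    so removing the leftover registry reference is safe."""
    parsed = (parse_entry(line) for line in text.splitlines())
    return [entry for entry in parsed if entry and entry["orphan"]]
```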
 
Do you still have Norton installed? If so uninstall it.

Here is a tool to help you; follow all the directions on the site:

Norton Removal Tool

I have to head to sleep now, so
I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file

  • Attach the report in your next post.
 
Ok, I ran it and it found a lot of things. Yes, I do have Norton and I'll get rid of it. Also, what's your opinion of Avast antivirus? That's what I'm using at the moment.

Ok here is the scan results
 
Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
I ran it but I get the feeling it didn't find anything. I'm gonna run a boot-time scan with Avast to see if it will find this stuff.

Here's the report
 
Do you know what this is: World Domination on your desktop?

I ask because the Kaspersky scan wasn't that bad: we had a false positive on the smitfraud tool, then most of the infections were in your old restore points, which we will clear out soon.

Then 2 other bad entries which I think we can remove easily
 
Oh, it's just a folder I named that. Umm, I ran Avast and it found 3 things and moved them to the chest. They were named:

A7097377.exe, which was in System Volume Information and was identified as Adaware-gen

A0102094.dll, also in System Volume Information, also adware-gen

Keygen.exe, located in mydocuments\downloads, identified as Trojan-gen

These are only 3 files and Kaspersky found like 32, so I'm beginning to think I should get another antivirus program.
 
Avenger by Swandog

  • Download Avenger by Swandog and unzip it to your Desktop.

    Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
C:\Program Files\mIRC\mirc.exe

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
 
Try this,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
    C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
    C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
    C:\Program Files\mIRC\mirc.exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
 
C:\Documents and Settings\Owner\Desktop\World Domination\ipscan.exe moved successfully.
< C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream/data0008 >

It said something about an invalid time stamp.
 
Is that all it said?

try it with just this,

Code:
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe
C:\Program Files\APTE Software\SnapShots\xtras\regxtra121.x32
C:\Program Files\mIRC\mirc.exe
 
< C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe/stream >

Invalid time stamp! [stream] Must be numerical

It said that this time
 
I would leave it for now then till Blind Dragon has another look at it. Have to log off now.
 
It worked on most of them, but it appears I added too much to one of them.

Avenger by Swandog


  • Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Files to delete:
C:\Documents and Settings\Owner\Desktop\World Domination\mirc621.exe

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
 
I got that same "Windows - No Disk" error message.

And it failed to get it again but here is the log.

BTW: I really appreciate your and the other guys' help.
 