# TechSpot

By cristawool · 26 replies
Mar 24, 2008
1. My computer is acting funny. Cannot get anything but blanks on IE. I saw these on my history and have deleted them but they keep showing up. I have followed instructions and have HijackThis info on a notepad and also AWF on the notepad. Please let me know what to do now. I am sorry to be lost, this is all new to me and it took me a while to get this far. I appreciate any and all help! Thank you!

2. ### kritius · TS Guru · Posts: 2,084

Hi cristawool,

DELDOMAINS

• Save it to your desktop.
• Right-click DelDomains.inf and select: Install (no need to restart)
• You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Open Internet Explorer

click tools -> internet options.

Click the Security tab
Click on the Trusted sites icon.
Click the Sites button and remove all sites from the Trusted zone by selecting them and clicking the Remove button.
Once done, click ok.

Warning! Do not click the links below in the quote box.

Click OK, then OK again and close IE. Reboot your system.

Check if it's still there

FindAWF

• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to Press any key to continue.
• Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
• Post the AWF.txt file in your next reply as an attachment.

3. ### cristawool · TS Rookie · Topic Starter

Thank you for your help so far. I do not see doginhispen now, but still have something that says 88.80.7.66 that seems to be a problem, and still have skitodayplease. I am also getting a pop up about my virus protection being out of date. I have attached my awf.txt also. Please advise about what else I can do. Thank you so much!

4. ### kritius · TS Guru · Posts: 2,084

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Press 2 then Enter
• Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
• Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
• The program will proceed to move the legit files and will perform another scan for bak folders.
• It may take a few minutes to complete, so please be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.

5. ### cristawool · TS Rookie · Topic Starter

I have followed your instructions and attached the awf.txt file. Thank you again for your help. Please continue to advise on what to do!

6. ### kritius · TS Guru · Posts: 2,084

Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Select Option 3 from the menu and press Enter.
• Press any key to continue.
• A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
• Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
• The program will proceed to remove the folders and will perform another scan for bak folders.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
Press E to close FindAWF.

7. ### cristawool · TS Rookie · Topic Starter

Here are the results from option 3:
Thank you again for your help. Please let me know if I need to do more.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 03/24/2008
The current time is: 17:04:55.24

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\acs\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\acs\bak\AOLDial.exe"

end of report
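
An added example, not part of the thread and not part of FindAWF itself: a small Python parser for the AWF.txt report format shown above. It pulls out the bak folders the scan listed, the files inside them and the "Duplicate files" pairs, then records whether each copy inside a bak folder has the same byte size as the same-named file outside it. The sample report embedded in the code is the one from this post. Deciding which copies are the legitimate files, and which folders go into the option-3 list, remains the helper's call; the script only structures the report so that call is easier to make.

```python
import re

# Layout of a FindAWF report as it appears in the post above (assumption:
# the layout is the same for other reports of version 1.40).
DIR_RE = re.compile(r"^Directory of (.+?)\s*$")
# "10/23/2006 08:50 AM 71,216 AOLDial.exe"
FILE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S.*?)\s*$")
# 71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\acs\AOLDial.exe"
DUP_RE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')


def parse_findawf(text):
    """Return (bak_dirs, duplicates).

    bak_dirs:   dict  bak folder (8.3 path as printed) -> [(file name, size)]
    duplicates: list  (size in bytes, full path) from the duplicates section
    """
    bak_dirs, duplicates = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("bak folders found"):
            section = "dirs"
        elif line.startswith("Duplicate files of bak directory contents"):
            section, current = "dups", None
        elif line == "end of report":
            break
        elif section == "dirs":
            m = DIR_RE.match(line)
            if m:
                current = m.group(1)
                bak_dirs[current] = []
                continue
            m = FILE_RE.match(line)
            if m and current is not None:
                size = int(m.group(1).replace(",", ""))
                bak_dirs[current].append((m.group(2), size))
        elif section == "dups":
            m = DUP_RE.match(line)
            if m:
                duplicates.append((int(m.group(1)), m.group(2)))
    return bak_dirs, duplicates


def pair_duplicates(duplicates):
    """Match each copy inside a \\bak\\ folder with the same-named file outside
    it. Equal sizes are a first hint (not proof) that the two are the same
    file; a size mismatch means the file outside bak deserves a closer look."""
    groups = {}
    for size, path in duplicates:
        name = path.rsplit("\\", 1)[-1].lower()
        groups.setdefault(name, []).append((size, path))
    pairs = []
    for name, entries in sorted(groups.items()):
        backups = [e for e in entries if "\\bak\\" in e[1].lower()]
        originals = [e for e in entries if "\\bak\\" not in e[1].lower()]
        for bsize, bpath in backups:
            for osize, opath in originals:
                pairs.append({"name": name, "original": opath, "backup": bpath,
                              "same_size": bsize == osize})
    return pairs


def option3_candidates(bak_dirs):
    """Every bak folder the scan listed, empty ones included, in the 8.3 form
    FindAWF printed. The helper trims this before it is pasted into option 3."""
    return sorted(bak_dirs)


# The report posted above, embedded so the example runs offline.
SAMPLE_REPORT = r"""Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 03/24/2008
The current time is: 17:04:55.24

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\acs\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\acs\bak\AOLDial.exe"

end of report
"""

if __name__ == "__main__":
    dirs, dups = parse_findawf(SAMPLE_REPORT)
    for folder in option3_candidates(dirs):
        print(folder, dirs[folder])
    for pair in pair_duplicates(dups):
        print(pair)
```

Run it against a real AWF.txt by reading the file into `parse_findawf` instead of `SAMPLE_REPORT`; the 8.3 folder names come back exactly as FindAWF printed them, which is the form its option-3 input expects.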

8. ### kritius · TS Guru · Posts: 2,084

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Press 2 then Enter
• Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
• Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
• The program will proceed to move the legit files and will perform another scan for bak folders.
• It may take a few minutes to complete, so please be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.

Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Double-click on the FindAWF.exe file to run it.
• It will open a command prompt and ask you to "Press any key to continue".
• Select Option 3 from the menu and press Enter.
• Press any key to continue.
• A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
• Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
• The program will proceed to remove the folders and will perform another scan for bak folders.
• It may take a few minutes to complete so be patient.
• When it is complete, it will open a text file in Notepad called AWF.txt.
Before you close FindAWF, Select Option 4 from the menu and press Enter.
Press E to close FindAWF.

If it doesn't work again, we'll get it another way.

9. ### cristawool · TS Rookie · Topic Starter

I have performed steps 2 and 3 again. I have attached the notepad files. Sorry about not responding yesterday. I see no sign of the earlier problems anymore, so please let me know what I need to do now. Thank you!

10. ### kritius · TS Guru · Posts: 2,084

Boot into safe mode by tapping F8 as soon as the computer starts

Show all hidden files and folders,

C:\Program Files\Common Files\AOL\acs\bak<----------------Delete this file

Boot back into normal mode and rehide your protected files.

Run FindAWF option 1 again and post the log back here.

Run HijackThis again and post the log back too.

11. ### cristawool · TS Rookie · Topic Starter

I apologize again for taking so long to respond. I have followed the most recent instructions and have attached the logs. Thank you for your continued help.

12. ### kritius · TS Guru · Posts: 2,084

Run FindAWF option 4.

Have there been any problems?

Next please follow these instructions. Your version of HijackThis is out of date and installed in the wrong folder.

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

HijackThis Instructions
• Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
• After installing, the program launches automatically, select Scan now and save a log

Are you running McAfee and AVG?

If so remove one.

I'll post back more instructions when I see a fresh log.

13. ### cristawool · TS Rookie · Topic Starter

I did FindAWF option 4.
The only problem I seem to have lately is getting common notices that mim.exe has to close and that it seems to have some memory problem. I am guessing this is not due to any of the original issues, right?
I uninstalled Hijackthis and installed a new one in program files. I have attached a log.
I deleted mcafee as it has annoying pop ups. But, it said I would be losing virus scan, firewall, spam killer, privacy service, and security center. Does AVG cover all of this or do I need better protection?

14. ### kritius · TS Guru · Posts: 2,084

Looking over now.

15. ### kritius · TS Guru · Posts: 2,084

I would advise uninstalling this: SpyHunter. The company behind it doesn't have the best reputation, and it was formerly on SpywareWarrior's rogue program list.

O24 - Desktop Component 0: (no name) - http://www.buildabear.com/email/2006/images/081506_Mid-August_US_03.gif
O24 - Desktop Component 1: (no name) - http://www.cityguideny.com/listingscoupons/buildabear0906.jpg

Fix entries using HiJackThis
• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

You should get a firewall as well, either, these firewalls are all free,

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
o Extended (If available, otherwise use standard)
o Scan Options:
o Scan Archives
o Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button

• In the Save as... prompt, select Desktop
• In the File name box, name the file
• In the Save as type prompt, select Text file

• Attach the report in your next post.

• Download this file from either of the two below listed places :

HERE or HERE
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Attach that log in your next reply as well as a fresh HijackThis scan
WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

1) Kaspersky Scan
2) ComboFix log
3) Fresh HijackThis scan

16. ### cristawool · TS Rookie · Topic Starter

I feel like I got the Spyhunter suggestion from a reputable site, maybe even here. I think I even paid for it. It seems to get more spyware than adaware or spybot. Should I just get rid of it?
I may have added those two items you mentioned, but went ahead and got rid of them.
I have attached those 3 logs you wanted. Kaspersky seemed to think there were problems though I could not determine how to get rid of them.
I really do appreciate the help. Please let me know what to do next.

17. ### kritius · TS Guru · Posts: 2,084

If you paid for it then leave it. As I said, they used to be a rogue program but have apparently cleaned their act up; the problem they had was reporting lots of false positives.

These two files have infections and should be deleted

Move ComboFix to the desktop, then we'll do the next bit.

EDIT:

Once you have moved ComboFix to the desktop, and only after you have done this you can move onto these instructions,

Disable your resident AV and disconnect from the internet,

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
```
File::
c:\program files\mcafee.com\vso\mcmnhdlr.exe

Folder::
c:\program files\mcafee.com
C:\Documents and Settings\All Users\Application Data\McAfee
```


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Drag CFScript.txt onto ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Attach the log in your next reply along with a fresh HijackThis log.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Make sure that all browser windows are closed.

• Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
• Click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you use Opera browser
• Click Opera at the top and choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Manually clear cache
• Open an Explorer folder window (for example, double-click My Computer).
• From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
• Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
• IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
• You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
• If desired, reset the folder options you changed in step 1.

We are so nearly done.

Also to help us understand the infection that you had if you have the time would you reply to this thread?

https://www.techspot.com/vb/topic102515.html

Thank you.

18. ### cristawool · TS Rookie · Topic Starter

Before I move on, I tried to figure this out last night and could not. How do I disable the AV? Thanks!

19. ### cristawool · TS Rookie · Topic Starter

Reading on with what you wrote, not sure I know how to disable the AV, script blocking or anti-malware real-time protection. Can you walk me through how to do this? Thanks!

20. ### kritius · TS Guru · Posts: 2,084

The CastleCops list is quite comprehensive.

See HERE

For AVG free just right click on the icon beside the clock and select quit avg free control centre, do the same for Comodo.

Just make sure you're not online when you do it.

Did you get ComboFix moved to the desktop?

21. ### cristawool · TS Rookie · Topic Starter

I think I have a handle on everything you asked. However, I did not do so well with the last thing, the manually clear cache. I cleared the whole temporary internet files I think. I did not see anything that resembled what you mentioned. Hope that does not cause problems. I deleted the files you mentioned. I have attached the logs.
I will do that questionnaire that you directed me to also. Thanks for your help!

22. ### kritius · TS Guru · Posts: 2,084

They look good,

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
o Extended (If available, otherwise use standard)
o Scan Options:
o Scan Archives
o Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button

• In the Save as... prompt, select Desktop
• In the File name box, name the file
• In the Save as type prompt, select Text file

• Attach the report in your next post.

How is the computer running now? It may be a bit slow, but that could be because of the tools we're using; we delete those at the end.

23. ### cristawool · TS Rookie · Topic Starter

The Kaspersky scan looks like there are still problems. I have attached it. However, the computer seems much better, though it does seem to run quite slow now. Just let me know what the next step should be. Thanks!

24. ### kritius · TS Guru · Posts: 2,084

Actually you're all good; the infected points were in System Restore. How is the computer running?

• Double-click OTMoveIt2.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide

or

Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with anti-virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D

• Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
• <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
• <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected in the First Place?
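
An added example, not from the thread: the MVPS HOSTS file works by mapping ad and malware hostnames to 127.0.0.1 (or 0.0.0.0), so an entry that points a hostname anywhere else is worth a look, because malware uses the same file to redirect Windows Update and antivirus vendors to servers it controls. The Python below parses a HOSTS file and separates sinkhole entries from suspected hijacks. The sample file is constructed, and the list of watched vendor domains is an illustrative assumption built from the products named in this thread, not a list from MVPS or any vendor.

```python
import ipaddress

# Addresses that make a HOSTS entry a block rather than a redirect.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: an illustrative watchlist built from vendors named in this
# thread; any of these pointed at a non-sinkhole address is suspicious.
WATCHLIST = (
    "windowsupdate.com", "microsoft.com", "avg.com", "kaspersky.com",
    "mcafee.com", "trendmicro.com", "safer-networking.org",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a HOSTS file.
    Comments (# to end of line) and blank lines are skipped; a line whose
    first field is not an IP address is ignored rather than guessed at."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), n


def in_watchlist(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Split HOSTS entries into blocked (sinkholed), hijacked (a watchlist
    name sent to a real address) and other (custom mappings worth a glance)."""
    report = {"blocked": [], "hijacked": [], "other": []}
    for ip, host, n in parse_hosts(text):
        if host == "localhost" and ip in SINKHOLES:
            continue  # the one entry every HOSTS file has
        if ip in SINKHOLES:
            report["blocked"].append(host)
        elif in_watchlist(host):
            report["hijacked"].append((host, ip, n))
        else:
            report["other"].append((host, ip, n))
    return report


# Constructed sample, not taken from any real machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# MVPS-style block entries
0.0.0.0         ads.example.net
127.0.0.1       banners.example-ads.net   # trailing comment
# a hijack: Windows Update pointed at an attacker-controlled host
203.0.113.7     www.windowsupdate.com windowsupdate.microsoft.com
203.0.113.7     update.avg.com
# legitimate local mapping
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(len(result["blocked"]), "blocked entries")
    for host, ip, n in result["hijacked"]:
        print(f"line {n}: {host} -> {ip}  SUSPECTED HIJACK")
    for host, ip, n in result["other"]:
        print(f"line {n}: {host} -> {ip}  custom mapping, review")
```

On the machine in this thread the file to read is C:\WINDOWS\system32\drivers\etc\hosts; a file that has only "blocked" entries plus localhost is what an intact MVPS install looks like, and anything under "hijacked" should be removed before trusting Windows Update or an antivirus update again.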

25. ### cristawool · TS Rookie · Topic Starter

Sorry I am just getting to this now. I have looked through my computer and do not seem to have OTMoveit2.exe. That was not a link in your note so I assumed it was something I had. Am I missing it somehow?

Topic Status:
Not open for further replies.