88.80.7.66, doginhespen Removal Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by hussell, Feb 28, 2008.

  1. hussell

    hussell Private E-2

    These keep showing up in my browser history (IE7) and occasionally shut down the browser at will. I did all the READ AND RUN ME FIRST for my Windows XP Service Pack 2 machine but Doginhispen, skitodayplease and 88.80.7.66 keep showing up in my history. I also noticed when I run Task Manager, Processes tab, although I have all browser windows closed iexplore is listed there with about 38000K mem usage. While the mem usage when I actually open the browser is over 50000K. It shows them both simultaneously until I End Process of the smaller mem user. Then things seem to go ok. Can anyone help get rid of this please? Here are results of the scans performed: (I need to start a new thread for three as I have six attachment scans)
     


  2. hussell

    hussell Private E-2

    88.80.7.66, doginhespen Removal Help #2

    I think I got these from a site similar to UTUBE but located in Japan and following links from it several weeks ago. I got popups saying Danger Infected so download this software!! Here are the results of the other 3 scans....
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks

    If you ran the READ ME, then you should be attaching only the logs that were requested in the READ ME. You still need to attach the MGlogs.zip file from running MGtools.exe
     
  4. hussell

    hussell Private E-2

    Sorry newbie to Forums. Also hiding in Root Dir and out of sight out of mind I guess. Well I have attached it here and hope this is the right place to put it. Thank you for reading my post so soon... hussell
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Double-click the FindAWF icon.
    • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 2 then Enter to restore files from bak folders
    • A text file opens called: files.txt
    • Click below the line and paste the following list of files to be restored:

    • Next, close and click Yes to save the changes.
    • Once files.txt is saved, FindAWF does the following:
      • It attempts to terminate the process represented by each filename on the list, if running
      • Deletes the rogue file from the parent folder, if present
      • Copies the original file to the parent folder
    • When done with the above, it automatically runs a new scan and opens a new log.
    • Please attach the new FindAWF log to your next message.

    Now Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\Documents and Settings\Rusty\Local Settings\Temp\1626308814.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe4059705924
     
    Folder::
    C:\Program Files\SpyDefender Pro
    C:\Program Files\Alwil Software\Avast4\bak
    C:\Program Files\UnH Solutions\IE Privacy Keeper\bak
    C:\Program Files\Java\jre1.6.0_03
    C:\WINDOWS\system32\bak
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • FindAWF
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. hussell

    hussell Private E-2

    :) I did the above procedures you suggested and VOILA!! a.doginhispen, b.skitodayplease and 88.80.7.66 are no longer showing up in my browser history when I rebooted and started IE Explorer. I notice now too that iexplore.exe is no longer running in Task Manager, process, without the browser being first opened by me. Chaslang thank you very much for holding my hand through that procedure to remove that Trojan parasite. Also for analysing my logs and unbelievably fast response. Major Geeks ROCKS!

    When I did the MGtools analyse SpyDefender Pro entry did not show up in the text list. Perhaps it was removed by one of the other programs I ran? While those Trojans were present I was paranoid about logging on and doing online banking. Could they have recorded my keystrokes and then later accessed my online accounts?

    Now I will go back to READ AND RUN ME FIRST and deal with the restore points as suggested and see what it says about further protection against Trojans etc.
    Thank you again for your solution. Sincerely,
    hussell
     


    Last edited by a moderator: Mar 4, 2008
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are not known as keyloggers.

    You should wait until we are finished fixing everything.

    Rename this file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe4059705924
    To: C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    Rename this file: C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe1316381514
    To: C:\Program Files\UnH Solutions\IE Privacy Keeper\bak\IEPrivacyKeeper.exe


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:

    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
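The layout chaslang is reversing in posts #5 and #7 (a legitimate program stashed under a digit-suffixed name such as realsched.exe4059705924, or kept in a "bak" sub-folder, while another file occupies the real name) can be hunted for and undone on a folder tree with the added Python example below. It is not code from the thread or from FindAWF; the six-digit minimum for the suffix and the ".suspect" naming are my own assumptions, and the tree it scans is constructed in a temp folder from empty placeholder files.

```python
import os
import re
import tempfile

# 'name.exe' followed by a long run of digits, e.g. realsched.exe4059705924 (6+ digits is an assumption)
SUFFIXED = re.compile(r"^(?P<base>.+\.exe)\d{6,}$", re.IGNORECASE)

def find_suffixed_executables(root):
    """Sorted (stashed_path, restored_path) pairs for every 'name.exe<digits>' under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for m in filter(None, (SUFFIXED.match(n) for n in files)):
            hits.append((os.path.join(dirpath, m.group(0)), os.path.join(dirpath, m.group("base"))))
    return sorted(hits)

def find_bak_copies(root):
    """Sorted (bak_copy, parent_copy) pairs: an .exe in a 'bak' sub-folder whose name also
    exists one level up, the layout FindAWF restores from (bak copy = original)."""
    pairs = []
    for dirpath, dirs, _files in os.walk(root):
        if "bak" in dirs:
            for name in os.listdir(os.path.join(dirpath, "bak")):
                if name.lower().endswith(".exe") and os.path.isfile(os.path.join(dirpath, name)):
                    pairs.append((os.path.join(dirpath, "bak", name), os.path.join(dirpath, name)))
    return sorted(pairs)

def restore_suffixed(root):
    """The rename from post #7: 'name.exe<digits>' -> 'name.exe'. Whatever already sits at
    'name.exe' is set aside as 'name.exe.suspect' for analysis, never deleted."""
    done = []
    for stashed, target in find_suffixed_executables(root):
        set_aside = target + ".suspect" if os.path.exists(target) else None
        if set_aside:
            os.replace(target, set_aside)
        os.rename(stashed, target)
        done.append((target, set_aside))
    return done

def build_demo_tree():
    """Constructed layout echoing the thread's paths; empty placeholder files, no malware."""
    root = tempfile.mkdtemp()
    real, sys32 = os.path.join(root, "Real", "Update_OB"), os.path.join(root, "system32")
    os.makedirs(real)
    os.makedirs(os.path.join(sys32, "bak"))
    for p in (os.path.join(real, "realsched.exe4059705924"), os.path.join(real, "realsched.exe"),
              os.path.join(sys32, "bak", "notepad.exe"), os.path.join(sys32, "notepad.exe")):
        open(p, "w").close()
    return root
```

Run `find_suffixed_executables` and `find_bak_copies` first and review the pairs by hand; only then call `restore_suffixed`, and keep the `.suspect` files for a scanner rather than deleting them.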
  8. hussell

    hussell Private E-2

    I did not find the file "IEPrivacyKeeper.exe1316381514" with that particular number but found one with a different number so I used it instead. I notice after doing the above procedure you suggested the bak folder I created for it is now deleted. Also I had to reboot before GetLogs.bat would update the MGlogs.zip file. Thank you for your help. Machine seems to be running fine.........
     


    Last edited by a moderator: Mar 17, 2008
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Now delete the below folder:
    C:\Program Files\Enigma Software Group

    Don't ever install this Spy Hunter application again.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note the space between the X and the /U; it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
  10. hussell

    hussell Private E-2

    Ok got all the steps completed have Superantispy..Spybot..Avast..installed, flushed restore and removed Java VM. Updated Sun Java. I created a user with limited access for surfing. Thank you again for guiding me through the steps. Hussell :)
     
    Last edited by a moderator: Mar 19, 2008
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
