#1 prdaler143 (Newcomer), 12th February 2008, 12:17 AM
Need some help please a.doginhispen

Hey there,

I think I have a.doginhispen... not sure though. My system seems to be running fine but my PC-cillin keeps warning me with a pop-up stating that I'm trying to open this URL even when my browser is closed... using IE7 BTW. Anyway, I have attached FindAWF and HJT logs hoping to find out what to do. Any info would be greatly appreciated.

Thanks in advance.
Attached Files
File Type: txt awf.txt (1.7 KB, 17 views)
File Type: txt hijackthislog1.txt (8.7 KB, 17 views)
#2 Howard (TST Master), 12th February 2008, 12:30 AM
Hello and welcome to

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with (if there):

viewpoint

Close control panel.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

Quote:
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard

This thread is for the use of prdaler143 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Malware Removal forum.
#3 prdaler143 (Newcomer), 12th February 2008, 01:23 AM
Thanks for the quick response...very much appreciated! Anyway, here is the info you requested.

Thanks again.
Attached Files
File Type: txt awf2.txt (1.7 KB, 17 views)
#4 Howard (TST Master), 12th February 2008, 01:29 AM
Please double-click the FindAWF icon once again.
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

Quote:
C:\Program Files\CyberLink\PowerDVD\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Java\jre1.5.0_11\bin\bak
Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.

Regards Howard

#5 prdaler143 (Newcomer), 12th February 2008, 01:43 AM
Looks good....no?
Attached Files
File Type: txt awf3.txt (411 Bytes, 15 views)
#6 Howard (TST Master), 12th February 2008, 01:59 AM
Yes, that looks clean now mate.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

I'd like to check your system for any other infections, so please do the following.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Please post the Combofix log as well as a fresh HJT log.

Regards Howard

#7 prdaler143 (Newcomer), 12th February 2008, 03:38 AM
Thanks again Howard, I really appreciate all your help.
Here are the logs you requested.
Attached Files
File Type: txt newhijackthis.txt (8.4 KB, 15 views)
File Type: txt combofix.txt (10.5 KB, 12 views)
#8 Howard (TST Master), 12th February 2008, 03:45 AM
You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end process for (if there):

kmd.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\system32\kmd.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard
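
Added example (editorial, not part of Howard's post and not HijackThis's own code): a small parser for the `O2`/`O9` line format shown above that picks out the entries HijackThis reports with `(no file)`. The third and fourth sample lines are constructed; the function names are hypothetical.

```python
import re

# section - kind: name - {CLSID} - target, as in the O2/O9 lines quoted above.
ENTRY = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.+)$"
)

# Three lines from the post, plus two constructed lines (Example Helper, O4)
# so the parser also sees an entry with a file and a line it should skip.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

def parse_entry(line):
    """Return the fields of a CLSID-style HJT entry, or None if the line has another shape."""
    match = ENTRY.match(line.strip())
    return match.groupdict() if match else None

def orphaned_entries(log_text):
    """Entries whose target column is the literal '(no file)'."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["target"] == "(no file)"]

if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["section"], entry["kind"], entry["clsid"])
```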

#9 prdaler143 (Newcomer), 12th February 2008, 04:31 AM
Here is the new HJT log... no KMD or Viewpoint present in task manager or otherwise. Although... upon reboot in normal mode, still received a.doginhispen pop-up from Trend Micro PC-Cillin? Not sure what that means. HELP!!
Attached Files
File Type: log newerhijackthis.log (8.5 KB, 20 views)
#10 Howard (TST Master), 12th February 2008, 04:38 AM
Your HJT log is now clean.

Go HERE, download and install the latest version of Java.

Once it's installed, go to Add/Remove Programs in your Control Panel and uninstall all previous versions of Java, except version 6 update 3. Close Control Panel.

I'm not sure why PC-Cillin is giving you that warning. Can you not tell PC-Cillin to block it and not ask you again?

I can't see anything in your log files to suggest you're still infected.

However, if you could give the exact details of what PC-Cillin is alerting you to, then that may be helpful.

Regards Howard

#11 prdaler143 (Newcomer), 12th February 2008, 12:00 PM
Thanks again Howard, all of your help is very much appreciated. I took care of the Java download/removal this morning so that's all set. The details of the Trend pop-up are... "You have attempted to open a dangerous website" a.doginhispen... close your web browser and don't open this site again. I also noticed that a.doginhispen, the 88. IP address AND b.skitodayplease were in my browser history this morning. I deleted the entry and restarted the computer but when I reopened IE they were right back in the history. This was not the case prior to the cleaning, I would get the Trend warning but not the history entries. I'm not sure what's going on now but I'm concerned that I have made things worse?
#12 Howard (TST Master), 12th February 2008, 01:02 PM
Ok, please try the following.

Open IE and click Tools/Internet Options.

Click the Security tab and click on the Trusted sites icon. Click the Sites button and remove all sites from the trusted zone by selecting them and clicking the Remove button. Once done, click OK.

Warning! Do not click the links below in the quote box.

Quote:
Then, click the privacy tab and click the sites button. In the address bar type www.whataboutadog.com and click the Block button. Do this for www.whataboutarabbit.com and http://www.doginhispen.com and any o...f that nature. as well.
Click OK/OK and close IE. Reboot your system.

Post back when done and I'll remove the above links to stop anyone from clicking on them.

There is a new variant of this infection that isn't showing up in the FindAWF tool. So far, I've been unable to find a cure for the new variant.

You can also edit your hosts file to block the above addresses.

Click My Computer/C drive/windows/system32/drivers/etc. Open the hosts file in Notepad and add the lines thus:

127.0.0.1 doginhispen.com
127.0.0.1 whataboutarabbit.com
127.0.0.1 whataboutadog.com
127.0.0.1 a.doginhispen.com
127.0.0.1 b.skitodayplease.com

Do this for any other address of the nature you come across.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer.

Delete any versions you already have of the FindAWF tool.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Let me know if any of the above has helped.

Regards Howard
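
Added example (editorial, not part of Howard's post): a check of which hostnames a hosts file actually redirects to loopback. Hosts-file matching is exact, with no wildcards or subdomain matching, so the `www.` names blocked in IE above are not covered by the bare-domain entries. The sample file reproduces the five lines from the post plus a constructed `localhost` line; the function names are hypothetical.

```python
# Addresses treated as "blocked" (assumption: loopback or null route).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample: the five entries from the post plus a localhost line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 doginhispen.com
127.0.0.1 whataboutarabbit.com
127.0.0.1 whataboutadog.com
127.0.0.1 a.doginhispen.com
127.0.0.1 b.skitodayplease.com
"""

def sinkholed_names(hosts_text):
    """Return the lower-cased hostnames mapped to a sink address."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        names.update(f.lower().rstrip(".") for f in fields[1:])
    return names

def coverage(hosts_text, wanted):
    """Map each wanted hostname to True only if an exact entry exists for it."""
    blocked = sinkholed_names(hosts_text)
    return {name: name.lower().rstrip(".") in blocked for name in wanted}

def missing_lines(hosts_text, wanted):
    """Hosts lines that still need adding to cover every wanted name."""
    return ["127.0.0.1 " + name.lower()
            for name, ok in coverage(hosts_text, wanted).items() if not ok]

if __name__ == "__main__":
    wanted = ["a.doginhispen.com", "b.skitodayplease.com",
              "www.whataboutadog.com", "www.whataboutarabbit.com"]
    for name, ok in coverage(SAMPLE_HOSTS, wanted).items():
        print(f"{name:28} {'blocked' if ok else 'NOT covered'}")
    print(missing_lines(SAMPLE_HOSTS, wanted))
```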

#13 prdaler143 (Newcomer), 12th February 2008, 01:50 PM
Did all of the above but haven't restarted so I'm not sure of the results. I'll post back after restart but I wanted to post awf log. Also, ATF cleaner didn't remove any files.

I think we finally got it. No dangerous URLs in the history and no Trend pop-up. I'll check back after some time using the system.

Thanks again for all of the support.
Attached Files
File Type: txt awf.txt (384 Bytes, 17 views)
#14 Howard (TST Master), 12th February 2008, 02:44 PM
That's clean mate. Hopefully (fingers crossed) that'll be it.

Once you've restarted the system, please let me know the outcome.

Regards Howard

#15 prdaler143 (Newcomer), 13th February 2008, 12:13 PM
Hi again Howard,

I just wanted to check back to let you know everything seems to be fine with the exception of the 88.80.7.66 IP address... It's back in my browser history from yesterday and this morning. What do you think?
#16 Howard (TST Master), 13th February 2008, 12:23 PM
Go and read this HERE and see if it helps.

Please let me know the outcome.

Edit: Forgot to add, clear your browser history and see if it comes back.

Regards Howard


Last edited by Howard; 13th February 2008 at 12:27 PM.
#17 Howard (TST Master), 20th February 2008, 07:57 PM
Due to lack of feedback, this thread is now closed.

If you need this thread re-opened please contact a moderator or PM me.

Regards Howard