1st February 2008, 07:15 PM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | | problem with removing adoginhispen
Hi, I've read the post that Howard_Hopkinso made regarding the FindAWF tool and how to use it regarding this pest. For some reason, it always pops up every time I start my computer and access the internet for the first time, always popping up as a separate page in the browser. After following his instructions, I still have a few duplicate bak folders that didn't go away. Here are the attached files according to his specifications. Any help would be greatly appreciated.
Last edited by Howard; 12th February 2008 at 05:57 PM.
| 
1st February 2008, 07:27 PM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | | Hello and welcome to
Please do the following exactly.
Go to add remove programmes in your control panel and uninstall anything to do with (if there).
Viewpoint
HSN
Close control panel.
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file. Quote:
"C:\WINDOWS\bak\UpdReg.EXE"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE "
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.
Regards Howard This thread is for the use of IL-02 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our malware Removal forum. | 
2nd February 2008, 12:54 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | | problem with removing adoginhispen
Hi Howard, thanks for the welcome. Here's the new report. I deleted the Viewpoint media player but I did not see anything pertaining to HSN in Add/Remove Programs.
| 
2nd February 2008, 01:23 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Please double-click the FindAWF icon once again
This time we are going to remove some folders.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed: Quote:
C:\WINDOWS\bak
C:\WINDOWS\system32\IME\TINTLGNT\bak
|
Next, close and click Yes to save the changes.
When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log, as well as a fresh HJT log.
Regards Howard
2nd February 2008, 01:49 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Okay, I did what you said. Here's the new files.
| 
2nd February 2008, 02:46 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
To finish, run Option 4.
Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Your system was infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.
Now, let`s continue to get rid of any other nasties that may be on your system.
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier. Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE. In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for( if there).
hsnSkPly.exe
Close task manager.
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to( if there).
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\3.bin\hsnSkPly.exe" Alerts
Click on the fix checked button.
Close HJT.
Locate and delete the following bold files and/or folders (if there).
C:\Program Files\HSN <Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Download combofix.exe and save it to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Then run a fresh HJT scan.
Post the Combofix log and a fresh HJT log.
Regards Howard
2nd February 2008, 04:39 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Okay, I got that done. I had to restart the computer after ComboFix and HJT because I could not access the Internet afterwards. Here are the logs.
| 
2nd February 2008, 05:28 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
All clean mate. Turn off system restore.(XP/ME only) See how HERE.
Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.
If you have no further questions could you please mark this topic Solved by going to the top of this thread and click Thread tools, then select Mark this thread as solved As seen in the image below:
If you need this thread re-opened please contact a moderator or PM me.
Regards Howard
2nd February 2008, 06:16 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | |
Well Howard, by this point I really wish I could mark this thread as solved. Unfortunately, that same page is still popping up every time I access the Internet for the first time with each restart of the machine. I'm under the impression that this is a relatively new and unknown threat because my internet security software is continually updated daily. I appreciate your help thus far, if you have any more solutions don't be afraid to fill me in.
2nd February 2008, 08:01 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Ok, please do the following.
Open IE and click tool/internet options.
Click the Security tab and click on the Trusted sites icon. Click the sites button and remove all sites from the trusted zone by selecting them and clicking the remove button. Once done, click ok. Warning! Do not click the links below in the quote box.
Click ok/ok and close IE. Reboot your system.
Post back when done and I`ll remove the above links to stop anyone from clicking on them.
Once done, right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
Reboot your computer.
Post a fresh HJT log.
Regards Howard
Last edited by Howard; 2nd February 2008 at 07:58 PM.
| 
2nd February 2008, 08:29 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Okay, I noticed that after I blocked the quoted sites the doginhispen page didn't appear after I restarted the computer. However, installing the DelDomains file caused it to spring back up again. I tried removing and adding the sites again but this time it didn't work.
| 
2nd February 2008, 08:32 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
This is proving a little troublesome.
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.
Regards Howard
2nd February 2008, 08:45 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Done.
| 
2nd February 2008, 09:03 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier. Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
Locate and delete the following bold files and/or folders (if there).
C:\PROGRA~1\BITTOR~1\BAK
Open IE and click tool/internet options.
Click the Security tab and click on the Trusted sites icon. Click the sites button and remove all sites from the trusted zone by selecting them and clicking the remove button. Once done, click ok. Warning! Do not click the links below in the quote box.
Click ok/ok and close IE. Reboot your system.
Post back and let me know if your problem is still there.
Regards Howard
Last edited by Howard; 2nd February 2008 at 07:57 PM.
| 
2nd February 2008, 05:33 PM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
After doing this, the doginhispen page wasn't there when I first opened IE. However, it was in the address bar. It caused IE to freeze and I had to restart. After this, the page was back up again. Also, the doginhispen websites are variants of the one you listed. Strangely enough, I also can't seem to block them in Internet Options. Again, this site is not to be clicked on.
Last edited by Howard; 3rd February 2008 at 12:54 AM.
| 
2nd February 2008, 08:08 PM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
Locate your hosts file c:\windows\system32\drivers\etc\hosts open it in notepad and add the following lines.
127.0.0.1 doginhispen.com
Do this for the other dodgy sites whatabotadog etc.
Once done save and exit the hosts file and reboot your system.
Let me know if that helps.
Regards Howard
Last edited by Howard; 3rd February 2008 at 12:55 AM.
| 
3rd February 2008, 12:51 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Nope, that didn't work either I'm afraid. I put the sites underneath the localhost, I hope that's where it was supposed to go. Here is the full-length address that keeps appearing in my browser: Again, do not click this site.
Last edited by Howard; 12th February 2008 at 05:58 PM.
| 
3rd February 2008, 01:07 AM
|  | TST Master | | Join Date: Dec 2007, 3,366 posts. Reputation:   | |
It looks to me like you may have a new variant of the infection.
Go and follow the instructions in this POST and see if it helps.
Please let me know.
Regards Howard
3rd February 2008, 01:29 AM
|  | Newcomer | | Join Date: Feb 2008, 18 posts. Reputation:  | | |
Well now this is interesting...
After doing what that post said, the page will still pop up the first time IE is opened, but instead of showing the jumbled characters from the a.doginhispen site it says Internet Explorer cannot display the webpage. The site itself is shown on the address bar still.
| 
3rd February 2008, 01:32 AM
|  | Security Team | | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK Reputation:   | | EDIT, you replied while I was working this up.
You may want Howard to approve this before you follow through since he is helping you. I have run into this problem and it is very difficult to say the least. This is what finally worked.
If you don't have Spybot then download and install it. (do not choose to enable the Tea Timer function) http://filehippo.com/download_spybot_search_destroy/
If you don't have SpywareBlaster download and install it. http://filehippo.com/download_spywareblaster/
----------
Open Notepad (Start > Run > type Notepad.exe) and copy/paste everything in the below quote box beginning with "regedit4" as the very top line.
HTML Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Save it to the Desktop (in notepad click File > Save as..)
Name it fixme.reg
Save as Type: All files
Click: Save
On the desktop it should look like this
Then, physically disconnect from the Internet!
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Reconnect to the internet but do not open any web browser yet.
Now open Spybot and run the updates. IMPORTANT: As soon as the updates are installed click the Immunize button and install all Immunizations.
Next open SpywareBlaster and run the updates.
Delete the fixme.reg file.
Restart the computer.
Visit http://www.update.microsoft.com and check for updates.
Note that DelDomains has also been deleted so you will want to reinstall it.
Last edited by evilfantasy; 3rd February 2008 at 03:43 PM.
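A read-only way to see what is in those four ZoneMap keys before fixme.reg empties them, as an added example that is not part of the original post: it lists every site and address range with the zone it is assigned to and saves a copy to the desktop. It assumes PowerShell 3.0 or later; the zone numbers 0 to 4 are Internet Explorer's standard zone IDs, and the output file name zonemap-before.csv is a made-up name.

```powershell
# Added example: read-only audit of the ZoneMap keys that fixme.reg resets.
# Assumes PowerShell 3.0+; nothing here writes to the registry.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

$report = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Domains', 'Ranges') {
        $path = "$hive\$base\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $marker = "\ZoneMap\$sub\"
        foreach ($key in Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue) {
            # Domains: the key path is domain\subdomain, so reverse it into a host name.
            $i = $key.Name.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
            $parts = $key.Name.Substring($i + $marker.Length) -split '\\'
            [array]::Reverse($parts)
            $site = $parts -join '.'
            # Ranges: the address lives in the ':Range' string value instead.
            if ($sub -eq 'Ranges') { $site = $key.GetValue(':Range') }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($data -isnot [int]) { continue }   # skips ':Range' and other strings
                [pscustomobject]@{
                    Hive = $hive; Kind = $sub; Site = $site
                    Protocol = $name; ZoneId = $data; Zone = $zoneNames[$data]
                }
            }
        }
    }
}

if ($report) {
    # Trusted sites entries (zone 2) are the ones the thread removes by hand.
    $report | Where-Object { $_.ZoneId -eq 2 } |
        Sort-Object Hive, Site | Format-Table -AutoSize
    # Keep a record of everything before the keys are emptied.
    # 'zonemap-before.csv' is a hypothetical file name.
    $out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'zonemap-before.csv'
    $report | Export-Csv -Path $out -NoTypeInformation
} else {
    'No ZoneMap site or range entries found.'
}
```

Running it again after the merge and reboot should print the "no entries" line; any site that reappears in the list was written back by something still active on the machine.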