TechSpot

Help with b.whataboutadog.com & a.doginhispen.com

By stellaj76
Dec 5, 2007
  1. I followed the 15 steps in your Viruses/Spyware/Malware, preliminary removal instructions to the best of my ability and I hope I didn't do too many things wrong.

    I have the log files attached.

    As for the Panda scan, when I ran it, it found no rootkits.

    My history in Internet Explorer keeps showing b.whataboutadog.com and/or a.doginhispen.com

    Also, I recently had SpyDefender popping up on startup, but I think one of the scans you said to do may have caught that one. Right now, I'm still seeing the dog things in my history, and when I boot Internet Explorer, it sometimes opens in a non-maximized window which is when I realize something weird is going on.

    Please help if you can!

    Thanks,
    Joe
     
  2. evilfantasy

    evilfantasy Banned Posts: 428

    Enable Viewing Of Hidden System Files & Folders

    1. Right Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    --------------------

    Boot into Safe Mode

    * Restart the computer.
    * Before Windows loads start tapping the F8 key.
    * When you get to the boot menu, use the arrow keys to select Safe mode
    * Then Press Enter
    * The computer restarts in Safe mode.

    -------------------

    Open HijackThis and select Do a system scan only and place a check mark next to:

    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com

    Now click Fix checked

    ------------------

    Now locate and delete these files/folders (in bold)

    C:\Program Files\SpyDefender Pro\SpyDefender.exe

    Now boot back into normal mode

    ------------------

    Please download FindAWF:
    http://noahdfear.net/downloads/FindAWF.exe

    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, a text file, Find AWF report is produced.
    Please attach the Find AWF report in your reply along with a new HijackThis log.
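As an added illustration of the O4 and O15 entries this reply asks the poster to fix (example code written for this page, not part of the thread or of the HijackThis tool): a small parser that picks the autorun and Trusted Zone lines out of a HijackThis log and reports the ones that should be checked and fixed. The sample log lines, the allowlist of deliberately trusted domains and the rogue-name watchlist are constructed assumptions.

```python
"""Audit HijackThis O4 (autorun) and O15 (Trusted Zone) log lines."""
import re
from typing import Dict, List

# Constructed log excerpt modelled on the entries quoted in the thread (assumption).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.windowsupdate.com (HKLM)
"""

# Assumption: domains an administrator deliberately placed in IE's Trusted Zone.
TRUSTED_ALLOWLIST = {"windowsupdate.com"}
# Assumption: product names of rogue "security" software seen in autorun entries.
ROGUE_NAME_WATCHLIST = {"spydefender"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)(?: \((?P<scope>\w+)\))?$")


def exe_path(cmd: str) -> str:
    """Return the executable part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> Dict[str, List[dict]]:
    """Collect O4 and O15 entries; every other HijackThis line is ignored."""
    found: Dict[str, List[dict]] = {"O4": [], "O15": []}
    for line in text.splitlines():
        if m := O4_RE.match(line):
            found["O4"].append({"hive": m["hive"], "key": m["key"],
                                "name": m["name"], "exe": exe_path(m["cmd"])})
        elif m := O15_RE.match(line):
            # HijackThis marks machine-wide entries with (HKLM); the rest are per-user.
            found["O15"].append({"domain": m["domain"].lower().lstrip("*."),
                                 "scope": m["scope"] or "HKCU"})
    return found


def audit(text: str) -> List[str]:
    """Return one finding per entry that should go through 'Fix checked'."""
    entries = parse_hjt(text)
    findings = []
    for zone in entries["O15"]:
        # A site in the Trusted Zone skips most IE security prompts, so any
        # domain not on the allowlist is treated as a browser hijack.
        if zone["domain"] not in TRUSTED_ALLOWLIST:
            findings.append(f"O15 Trusted Zone hijack: {zone['domain']} ({zone['scope']})")
    for run in entries["O4"]:
        if any(tok in run["exe"].lower() for tok in ROGUE_NAME_WATCHLIST):
            findings.append(f"O4 rogue autorun: {run['hive']} [{run['name']}] -> {run['exe']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```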
     
  3. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    done with next step

    here are the log files
     
  4. evilfantasy

    evilfantasy Banned Posts: 428

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file opens called: files.txt
    Click below the line and paste the following list of files to be restored:

    Next, close and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  5. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    new awf log

    Here's the new log. When I ran the program, it asked me for the Windows XP CD but I don't have one...XP was pre-installed on my machine. Is that a problem?
     
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  7. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    new awf log again

    Here's the updated log.
     

  8. evilfantasy

    evilfantasy Banned Posts: 428

    -
    Double click My Computer on the desktop to locate and delete this file.

    ------------------

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 4 then Enter to reset domain zones

    This removes all entries from the domain zones.
    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT

    --------------------

    Run a new HijackThis scan and attach the log please.
     
  9. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    new hjt log

    Here's the new log. Before I hit E then Enter, I was supposed to hit 1 then Enter to run the reset domains, right?
     
  10. evilfantasy

    evilfantasy Banned Posts: 428

    Press 4 then Enter to reset domain zones

    Then E then Enter to exit FindAWF

    --------------------

    The HJT log is clean.

    Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIT to the desktop.
    http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

    * Double click OTMoveIt.exe to launch it.
    * Click on the CleanUp! button.
    * OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    * You will be prompted to allow the clean up procedure, click Yes
    * When finished exit out of OTMoveIt
    * Now delete OTMoveIt.exe (if still present)

    --------------------

    This is a good time to clear your infected system restore points and establish a new clean restore point:
    * Go to Start > All Programs > Accessories > System Tools > System Restore
    * Select Create a restore point, and click Next.
    * Next, go to Start > Run and type in cleanmgr
    * Select the More options tab
    * Next to System Restore click Clean up....
    This will remove all restore points except the new one you just created.

    --------------------

    This file will help to prevent this from happening again.

    Download DelDomains.inf
    IE users Right-click on the link and select Save As.
    Firefox users Right-click on the link and choose Save link as...

    Save it to the desktop.

    From the desktop Right-click on DelDomains.inf

    Select Install making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    -----

    Let us know if anything else comes up.
     
  11. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    not sure it's clean

    I did all these things...and thank you so much for your help, but I don't think it's all gone. When I restarted, there was a new entry of a.doginhispen in my history, and another "checkin" of b.whataboutadog in my history as well. Did I miss something?

    Joe
     
  12. evilfantasy

    evilfantasy Banned Posts: 428

    What history?

    You can attach another HijackThis log and we can see.
     
  13. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    history in Internet Explorer...here's the new hjt log

    When I open Internet Explorer, and it's not maximized (which is how I usually exit), I know there's a problem. I check the history of sites I've been to that day, and there's another entry of b.whataboutadog (and also a new one of a.doginhispen). It doesn't happen every time I open IE, but some of the time. It looks like it's back in the HJT log again. Ack!
     
  14. evilfantasy

    evilfantasy Banned Posts: 428

    Let's delete them in safe mode, but first, please download ATF Cleaner by Atribune. ATF Cleaner.exe and save it to the desktop. Don't run it yet.

    Next restart the computer in safe mode.

    Starting your computer in safe mode

    * If the computer is running, shut down Windows, and then turn off the power.
    * Wait 30 seconds, and then turn the computer on.
    * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    * Ensure that the Safe Mode option is selected.
    * Press Enter. The computer then begins to start in Safe mode.
    * Log in on your usual account.


    Now open HijackThis and have it fix the two O15 entries.

    Next run ATF Cleaner with all boxes checked.

    Reboot to normal mode.

    We will then want to see if any damage was done by whataboutadog.

    Please download FindAWF:
    http://noahdfear.net/downloads/FindAWF.exe

    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, a text file, Find AWF report is produced.
    Please attach the Find AWF report in your reply.
     
  15. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    Here's the latest log after deleting in safe mode.
    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
    I checked the history and it's back AGAIN! after the last log.
     
  16. evilfantasy

    evilfantasy Banned Posts: 428

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouse-click combofix's window while it's running. That may cause your computer to stall.


    Please attach the combofix and a new HijackThis log in the next reply.
     
  17. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    Here are the combofix and hjt logs. While Combofix was running, I got security pop-ups from my trend-micro PC-cillin anti-virus software about smitfraud, freeloader, etc. This time I just hit close.

    I really do appreciate your help and I will be continuing your steps tomorrow, but I must get some sleep. Talk to you soon.

    Joe

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  18. evilfantasy

    evilfantasy Banned Posts: 428

    No problem I am about done for tonight as well.

    The O15 entries are gone again.

    Let's run some scans to see if anything is hiding.

    -------------------

    Run the BitDefender Online Scanner
    Click I Agree to the license and then select Click here to scan
    DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
    That will make your logs huge and we don't need to see clean files.

    Once Bitdefender completes the scan:
    Click-on the Detected Problems tab.
    Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to:
    Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan, then click Save.

    This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
    (take notice of where you save it so you can find it later)

    This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

    Post the bdscan.txt file as an Attachment.

    -------------------

    Please download the trial version of SpySweeper (2 week trial)

    * Run the installer. Choosing to only install SpySweeper
    * It will prompt you to update to the latest definitions, choose Yes (recommended) and click Next
    * Once the definitions are installed, click I accept the agreement and then Next
    * Choose Typical Installation then click Next
    * Enter your email address then click Next
    Important: Uncheck the box Install the Webroot Ask toolbar Search Assistant, I agree to the terms above before clicking Next
    * Click Install.
    * Choose Yes, restart my computer now (recommended) then click Finish (the computer will restart)

    * Once restarted open SpySweeper.
    * Click the Options tab. (lower left)
    * Under Options > Sweep Tab > Sweep Type choose Full Sweep (Recommended)
    * Click the Always Apply tab and use the dropdown menu to select Always Quarantine
    * Click the Home tab and choose Start Full sweep

    * When it's done scanning, Make sure everything has a check next to it, then click the Quarantine Selected button.
    * It will quarantine all of the items found.
    * Click View Session Log in the upper right corner.
    * Click the Save To File button.
    * Click Desktop for the location.
    * Next to the Save as type: be sure it is set to Text Document (.txt) and then click Save
    * Attach the SpySweeper Session Log in your next reply.

    -------------------

    Next post please attach:
    bdscan.txt
    SpySweeper Session Log
    New HijackThis log
     
  19. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    3 new logs (1 missing)

    Hello again. Here are 2 of the logs...I tried to attach the bdscan.txt but it said the filesize was too big. Can I send this to you another way?
    Also, I have gotten a few messages popping up from my trend-micro like this:

    Notification



    Real-time Spyware Protection
    Real-time Spyware Protection has detected spyware and performed the action specified.

    .
    Action taken: Cannot delete. Update now and restart the scan.
    .
    Incident name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0085709.exe
    Detection name: RAP_Generic
    User name: Joseph Stella
    Note: If Search for and clean Trojans is turned on and executed after scanning, click Next to view the final action taken.
     
  20. evilfantasy

    evilfantasy Banned Posts: 428

    Those two logs are clean.

    Can you copy half of the Bdscan log into another text document and upload them separately?

    C:\System Volume Information\_restore is a system restore file; we can flush the infected restore points by uninstalling combofix.

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u


    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
     
  21. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    Here's the 1st half.

    Here's the 2nd half.
    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
     
  22. evilfantasy

    evilfantasy Banned Posts: 428

    I can't open the logs from this computer, I will try again later. But from the other two everything seems to look OK.

    You can uninstall SpySweeper as we are done with it.

    Did combofix uninstall OK? It should have cleared the infected restore points so hopefully the Trend Micro alerts will stop.

    Let us know if anything else comes up.
     
  23. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    still have the dog

    I think the combofix uninstall went ok. Also, I uninstalled the spysweeper. However, I still have 2 problems. The b.whataboutadog has shown up in my IE History AGAIN this morning! If it helps...these are the entries underneath b.whataboutadog (b.whataboutadog.com) in my History:

    http://b.whataboutadog.com/131/chec...S~1\Temp\\1197123532.dat&fw=64&v=131&m=0&vm=0

    http://b.whataboutadog.com/131/in/h...389&aid=10277&time=1197123832&fw=64&v=131&m=0

    The other problem I'm having is that my browser is not letting me get to www.excite.com and I don't know how to fix that.
     
  24. evilfantasy

    evilfantasy Banned Posts: 428

    The links don't work.

    Excite.com is not the safest site in itself. I don't visit there.

    Why it keeps coming back has to be something you are doing. Is there a new link you started clicking around the time this happened?

    That is the worst BitDefender scan I have seen. What are these > C:\Documents and Settings\All Users\Documents\backup.pst=

    Also a bunch of these C:\Documents and Settings\Joseph Stella\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=

    More info here and here on the Exploit.Iframe.Vulnerability.
     
  25. stellaj76

    stellaj76 TS Rookie Topic Starter Posts: 68

    not sure where I'm clicking

    I realize the links it keeps putting in my History are bogus, but thought it might help to see what they looked like.

    I have used excite.com for my email and homepage for probably 8-10 years now without a problem, but I am confused why I cannot even get there now.

    I keep trying to figure out where I could be going when I am getting the b.whataboutadog to show up in the history, and I feel it may be more of a timed thing or something. Sometimes I will just open IE for the first time and it will be there without me even going anywhere. I "fixed" the line in the HJT again and I'm waiting to try to figure out what happens when it will come back. (would be nice if it just WOULDN'T for a change!)

    As for the bitdefender scan...the things you saw look like something to do with saved outlook messages or something...I'm really not sure. Is there a problem here?...do I need to do more as a result?

    As for the Exploit.Iframe.Vulnerability links you sent...what exactly am I supposed to do about those?
     
Topic Status:
Not open for further replies.
