Help with b.whataboutadog.com & a.doginhispen.com


stellaj76

I followed the 15 steps in your Viruses/Spyware/Malware, preliminary removal instructions to the best of my ability and I hope I didn't do too many things wrong.

I have the log files attached.

As for the Panda scan, when I ran it, it found no rootkits.

My history in Internet Explorer keeps showing b.whataboutadog.com and/or a.doginhispen.com

Also, I recently had SpyDefender popping up on startup, but I think one of the scans you said to do may have caught that one. Right now, I'm still seeing the dog things in my history, and when I boot Internet Explorer, it sometimes opens in a non-maximized window which is when I realize something weird is going on.

Please help if you can!

Thanks,
Joe
 
Enable Viewing Of Hidden System Files & Folders

1. Right-click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

--------------------

Boot into Safe Mode

* Restart the computer.
* Before Windows loads start tapping the F8 key.
* When you get to the boot menu, use the arrow keys to select Safe mode.
* Then press Enter.
* The computer restarts in Safe mode.

-------------------

Open HijackThis and select Do a system scan only and place a check mark next to:

O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com

Now click Fix checked

------------------

Now locate and delete this file:

C:\Program Files\SpyDefender Pro\SpyDefender.exe

Now boot back into normal mode

------------------

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced.
Please attach the Find AWF report in your reply along with a new HijackThis log.
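The helper's post above singles out two kinds of HijackThis lines: an O4 autostart entry for the rogue "SpyDefender" product and O15 "Trusted Zone" entries that put the two dog domains into Internet Explorer's trusted zone. The following Python script is an added example, not code from the thread or from HijackThis, that parses lines in that format and flags the ones a reviewer would want to see. The sample log is constructed from the entries quoted in the thread plus two benign lines for contrast; the allow-list of trusted-zone domains and the list of suspicious autostart keywords are hypothetical and would be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of HijackThis-style log lines, modelled on the entries
# quoted in this thread plus two benign lines for contrast (not a real log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKCU\\..\\Run: [SpyDefender Shield] "C:\\Program Files\\SpyDefender Pro\\SpyDefender.exe" --scan2
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.windowsupdate.com
"""

# Hypothetical allow-list: domains that are deliberately trusted on this machine.
TRUSTED_ZONE_ALLOWLIST = {"windowsupdate.com"}

# Hypothetical keyword list for autostart entries; "spydefender" is the rogue
# product named in this thread.
SUSPICIOUS_RUN_KEYWORDS = ("spydefender",)

# O4 lines look like: O4 - HKCU\..\Run: [Name] "C:\path\file.exe" args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# O15 lines look like: O15 - Trusted Zone: *.example.com
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<domain>\S+)$')


@dataclass
class Finding:
    section: str   # "O4" or "O15"
    line: str      # the original log line
    reason: str    # why it was flagged


def base_domain(entry: str) -> str:
    """Strip the leading wildcard: '*.example.com' -> 'example.com'."""
    return entry[2:] if entry.startswith("*.") else entry


def review_hjt_log(text: str) -> List[Finding]:
    """Return the O4/O15 lines that deserve a second look."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            dom = base_domain(m.group("domain")).lower()
            if dom not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(Finding("O15", line, f"trusted-zone domain not on allow-list: {dom}"))
            continue
        m = O4_RE.match(line)
        if m:
            haystack = (m.group("name") + " " + m.group("cmd")).lower()
            for kw in SUSPICIOUS_RUN_KEYWORDS:
                if kw in haystack:
                    findings.append(Finding("O4", line, f"autostart under {m.group('hive')} references '{kw}'"))
                    break
    return findings


if __name__ == "__main__":
    for f in review_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, it reports the SpyDefender Run entry and the two dog domains while leaving the iTunes helper and the allow-listed windowsupdate.com entry alone; the O15 check is the more useful one in practice, since any domain added to the trusted zone without your knowledge is worth removing regardless of its name.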
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\WINDOWS\bak\p_981116.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
C:\WINDOWS\system32\dla\bak\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
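The restore step above relies on a pattern the thread never spells out: the infection moved each legitimate autostart program into a folder named bak and left its own copy under the original name in the parent folder, so FindAWF can put things right by copying the backup over the rogue file. The Python script below is an added example, not FindAWF's code, that models that check in a detection-first way: it walks a tree, finds every bak folder, compares each backup with the same-named file in the parent by SHA-256, and only then overwrites the files that differ. The directory layout it builds is constructed from paths quoted in the thread with dummy byte contents, so it runs offline in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root: Path) -> List[Dict[str, str]]:
    """For every file inside a folder named 'bak', classify the same-named file
    in the parent folder: 'hijacked' (differs from the backup), 'intact'
    (identical to the backup) or 'orphan' (no counterpart in the parent)."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != "bak":
            continue
        parent = folder.parent
        for name in sorted(filenames):
            backup = folder / name
            candidate = parent / name
            if not candidate.exists():
                status = "orphan"
            elif sha256_of(candidate) == sha256_of(backup):
                status = "intact"
            else:
                status = "hijacked"
            findings.append({"parent_file": str(candidate), "backup": str(backup), "status": status})
    return findings


def restore_hijacked(findings: List[Dict[str, str]]) -> int:
    """Overwrite each hijacked parent file with its backup; return the count."""
    restored = 0
    for f in findings:
        if f["status"] == "hijacked":
            shutil.copy2(f["backup"], f["parent_file"])
            restored += 1
    return restored


def build_sample_tree(root: Path) -> None:
    """Constructed layout modelled on paths from this thread; contents are
    dummy bytes, not real executables."""
    files = {
        "Program Files/iTunes/iTunesHelper.exe": b"ROGUE-LOADER",            # rogue copy in parent
        "Program Files/iTunes/bak/iTunesHelper.exe": b"MZ-original-iTunesHelper",
        "WINDOWS/system32/hkcmd.exe": b"MZ-original-hkcmd",                 # already restored
        "WINDOWS/system32/bak/hkcmd.exe": b"MZ-original-hkcmd",
        "WINDOWS/bak/p_981116.exe": b"MZ-dropper",                          # nothing in parent
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Dict[str, object]:
    """Build the sample tree, scan it, restore, and rescan; return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = scan_bak_folders(root)
        restored = restore_hijacked(before)
        after = scan_bak_folders(root)
        return {
            "before": {Path(f["parent_file"]).name: f["status"] for f in before},
            "restored": restored,
            "after": {Path(f["parent_file"]).name: f["status"] for f in after},
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points differ from simply trusting any bak folder: the hash comparison means a file that was already restored is reported as intact rather than copied again, and a backup with no counterpart in the parent (the p_981116.exe case from this thread, which turned out to be the dropper itself) is reported as an orphan and left for a human to judge rather than copied anywhere.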
 
new awf log

Here's the new log. When I ran the program, it asked me for the Windows XP CD but I don't have one...XP was pre-installed on my machine. Is that a problem?
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\EHOME\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
C:\PROGRA~1\MUSICM~1\MUSICM~3\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
Double click My Computer on the desktop to locate and delete this file.

C:\WINDOWS\bak\p_981116.exe

------------------

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

--------------------

Run a new HijackThis scan and attach the log please.
 
new hjt log

Here's the new log. Before I hit E then Enter, I was supposed to hit 1 then Enter to run the reset domains, right?
 
Press 4 then Enter to reset domain zones

Then E then Enter to exit FindAWF

--------------------

The HJT log is clean


Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIT to the desktop.
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Double click OTMoveIt.exe to launch it.
* Click on the CleanUp! button.
* OTMoveIt will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
* You will be prompted to allow the clean up procedure, click Yes
* When finished exit out of OTMoveIt
* Now delete OTMoveIt.exe (if still present)

--------------------

This is a good time to clear your infected system restore points and establish a new clean restore point:
* Go to Start > All Programs > Accessories > System Tools > System Restore
* Select Create a restore point, and click Next.
* Next, go to Start > Run and type in cleanmgr
* Select the More options tab
* Next to System Restore click Clean up....
This will remove all restore points except the new one you just created.

--------------------

This file will help to prevent this from happening again.

Download DelDomains.inf
IE users Right-click on the link and select Save As.
Firefox users Right-click on the link and choose Save link as...

Save it to the desktop.

From the desktop Right-click on DelDomains.inf

Select Install making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

-----

Let us know if anything else comes up.
 
not sure it's clean

I did all these things...and thank you so much for your help, but I don't think it's all gone. When I restarted, there was a new entry of a.doginhispen in my history, and another "checkin" of b.whataboutadog in my history as well. Did I miss something?

Joe
 
history in Internet Explorer...here's the new hjt log

When I open Internet Explorer, and it's not maximized (which is how I usually exit), I know there's a problem. I check the history of sites I've been to that day, and there's another entry of b.whataboutadog (and also a new one of a.doginhispen). It doesn't happen every time I open IE, but some of the time. It looks like it's back in the HJT log again. Ack!
 
Let's delete them in safe mode, but first, please download ATF Cleaner by Atribune (ATF Cleaner.exe) and save it to the desktop. Don't run it yet.

Next restart the computer in safe mode.

Starting your computer in safe mode

* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Log in on your usual account.


Now open HijackThis and have it fix the two O15 entries.

Next run ATF Cleaner with all boxes checked.

Reboot to normal mode.

We will then want to see if any damage was done by whataboutadog.

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please attach the Find AWF report in your reply.
 
Here's the latest log after deleting in safe mode.
(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
I checked the history and it's back AGAIN! after the last log.
 
Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouse-click Combofix's window while it's running. That may cause your computer to stall.


Please attach the combofix and a new HijackThis log in the next reply.
 
Here are the combofix and hjt logs. While Combofix was running, I got security pop-ups from my trend-micro PC-cillin anti-virus software about smitfraud, freeloader, etc. This time I just hit close.

I really do appreciate your help and I will be continuing your steps tomorrow, but I must get some sleep. Talk to you soon.

Joe

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
No problem, I am about done for tonight as well.

The O15 entries are gone again.

Let's run some scans to see if anything is hiding.

-------------------

Run the BitDefender Online Scanner
Click I Agree to the license and then select Click here to scan
DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
That will make your logs huge and we don't need to see clean files.

Once Bitdefender completes the scan:
Click on the Detected Problems tab.
Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
(take notice of where you save it so you can find it later)

This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

Post the bdscan.txt file as an Attachment.

-------------------

Please download the trial version of SpySweeper (2 week trial)

* Run the installer, choosing to install only SpySweeper.
* It will prompt you to update to the latest definitions, choose Yes (recommended) and click Next
* Once the definitions are installed, click I accept the agreement and then Next
* Choose Typical Installation then click Next
* Enter your email address then click Next
Important: uncheck the box "Install the Webroot Ask toolbar Search Assistant, I agree to the terms above" before clicking Next.
* Click Install.
* Choose Yes, restart my computer now (recommended) then click Finish (the computer will restart)

* Once restarted open SpySweeper.
* Click the Options tab. (lower left)
* Under Options > Sweep Tab > Sweep Type choose Full Sweep (Recommended)
* Click the Always Apply tab and use the dropdown menu to select Always Quarantine
* Click the Home tab and choose Start Full sweep

* When it's done scanning, make sure everything has a check next to it, then click the Quarantine Selected button.
* It will quarantine all of the items found.
* Click View Session Log in the upper right corner.
* Click the Save To File button.
* Click Desktop for the location.
* Next to the Save as type: be sure it is set to Text Document (.txt) and then click Save
* Attach the SpySweeper Session Log in your next reply.

-------------------

Next post please attach:
bdscan.txt
SpySweeper Session Log
New HijackThis log
 
3 new logs (1 missing)

Hello again. Here are 2 of the logs...I tried to attach the bdscan.txt but it said the filesize was too big. Can I send this to you another way?
Also, I have gotten a few messages popping up from my trend-micro like this:

Notification

Real-time Spyware Protection
Real-time Spyware Protection has detected spyware and performed the action specified.

Action taken: Cannot delete. Update now and restart the scan.
Incident name: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP655\A0085709.exe
Detection name: RAP_Generic
User name: Joseph Stella
Note: If Search for and clean Trojans is turned on and executed after scanning, click Next to view the final action taken.
 
Those two logs are clean.

Can you copy half of the Bdscan log into another text document and upload them separately?

C:\System Volume Information\_restore is a system restore file; we can flush the infected restore points by uninstalling Combofix.

Go to Start > Run and copy and paste the next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
 
Here's the 1st half.

Here's the 2nd half.
(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
I can't open the logs from this computer, I will try again later. But from the other two everything seems to look OK.

You can uninstall SpySweeper as we are done with it.

Did combofix uninstall OK? It should have cleared the infected restore points so hopefully the Trend Micro alerts will stop.

Let us know if anything else comes up.
 
still have the dog

I think the Combofix uninstall went OK. Also, I uninstalled SpySweeper. However, I still have 2 problems. The b.whataboutadog has shown up in my IE History AGAIN this morning! If it helps, these are the entries underneath b.whataboutadog (b.whataboutadog.com) in my History:

http://b.whataboutadog.com/131/chec...S~1\Temp\\1197123532.dat&fw=64&v=131&m=0&vm=0

http://b.whataboutadog.com/131/in/h...389&aid=10277&time=1197123832&fw=64&v=131&m=0

The other problem I'm having is that my browser is not letting me get to www.excite.com and I don't know how to fix that.
 
The links don't work.

Excite.com is not the safest site in itself. I don't visit there.

Why it keeps coming back has to be something you are doing. Is there a new link you started clicking around the time this happened?

That is the worst BitDefender scan I have seen. What are these > C:\Documents and Settings\All Users\Documents\backup.pst=

Also a bunch of these C:\Documents and Settings\Joseph Stella\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=

More info here and here on the Exploit.Iframe.Vulnerability.
 
not sure where I'm clicking

I realize the links it keeps putting in my History are bogus, but thought it might help to see what they looked like.

I have used excite.com for my email and homepage for probably 8-10 years now without a problem, but I am confused why I cannot even get there now.

I keep trying to figure out where I could be going when I am getting the b.whataboutadog to show up in the history, and I feel it may be more of a timed thing or something. Sometimes I will just open IE for the first time and it will be there without me even going anywhere. I "fixed" the line in the HJT again and I'm waiting to try to figure out what happens when it will come back. (would be nice if it just WOULDN'T for a change!)

As for the bitdefender scan...the things you saw look like something to do with saved outlook messages or something...I'm really not sure. Is there a problem here?...do I need to do more as a result?

As for the Exploit.Iframe.Vulnerability links you sent...what exactly am I supposed to do about those?
 