Help with b.whataboutadog.com & a.doginhispen.com

Status
Not open for further replies.
I am trying to piece this together.

Let's try a few things.

Check your firewall for any and all exceptions and allowed programs and see if there are any that could be malicious and block them.

Install WinPatrol 2007 which will alert you to any changes that are made to your computer environment.

Then another online scan.

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please attach the Kaspersky Online Scanner Report in your next post.
 
scanning

I'm currently doing the scan as instructed, but I'm not sure what I should do for: "Check your firewall for any and all exceptions and allowed programs and see if there are any that could be malicious and block them."
 
I don't use Trend Micro so it is hard for me to instruct on that.

There should be a setting for firewall controls. Allowed items. Blocked items. Something like that.
 
Here's the Kscan

I found the spot in my antivirus program with the exceptions but I don't know exactly what I should be looking for in there.

Attached is the Kscan.
 
These two zip files have to be in the same folder to run correctly. If they open in different folders just cut and paste them into the same folder.

TrendMicro Sysclean


Create a new folder on the desktop by Right Clicking an empty area of the desktop and select New > Folder. Name it Sysclean.


1. Download Sysclean by Trendmicro and save it to the new folder on your Desktop.
2. Download the latest Pattern Files from Trendmicro and save it to the same folder as the Sysclean. Pattern file is in Zip format such as lptxxx.zip (lpt871.zip, Windows)
3. Extract the contents of the lptxxx.zip in the folder where Sysclean is located.

4. Reboot computer in SafeMode

a) During BootUp process Press F8 continuously until selection appears
b) Use Arrow Up+Down to select SafeMode on the selections menu.
c) Hit Enter to proceed.

5. If it requires you to login please use the login name with administrative rights. Without this privilege, Sysclean will not delete/clean infected files located on System folder.
6. Open the Sysclean folder on your Desktop and Double-click Sysclean to run and do a full system scan. This may take time. Reboot when finished, repeat as desired to make sure that all threats are removed.

Then attach a HijackThis log please.
 
no sysclean folder in safe mode

I downloaded the files to the sysclean folder I created on my desktop, but when I reboot in Safe Mode, the folder is NOT on my desktop. Any ideas?
 
scan running in safe mode

After I posted the last post, I realized if I navigated through My Computer, I could find the desktop folder, and I was able to find the folder and run the scan that way. It's running right now...I'm just posting from another computer. I'll send the log when it's done.
 
Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please attach the Find AWF report in your reply along with a new HijackThis log.
 
Open HijackThis and have it fix:

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" -startup <--There are two of these, fix this one only


One log will have the O15 entry and the next it is gone. This one does not have it.
 
no different

Sorry for the much delayed reply, but I fixed that line and I'm still getting the b.whataboutadog in my history. I fix the O15 line in HJT and it still keeps coming back no matter what I do.
 
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Open IE and click tools/internet options.

Click the Security tab and click on the Trusted sites icon. Click the sites button and remove all sites from the trusted zone by selecting them and clicking the remove button. Once done, click ok.

Warning! Do not click the links below in the quote box.



Click ok/ok and close IE. Reboot your system.

Post back when done and I'll remove the above links to stop anyone from clicking on them.
 
Right click Winpatrol in your system tray and select exit.

Run through the instructions in my post above again and reboot your system. See if that helps.

Post a fresh HJT log.
 
redone with winpatrol closed

I redid the steps, but whataboutadog is back in my history and listed under trusted sites again.
 
Install and run this. I will see what I can find in the log.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Attach the contents of main.txt in your post.
5. Please also attach extra.txt to your post.

What DSS will do:

* Create a new System Restore point in Windows XP and Vista.
* Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
 
main & extra

Main.txt & Extra.txt are both attached. I tried to put the contents of main.txt, but I was way over the limit of characters...hope this works OK for you.

By the way...it's back again.
 
Open Notepad, and copy/paste everything in the below quote box beginning with "regedit4" as the very top line.
Save it to the Desktop
Name it fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
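
Added example, not part of the original post: the fixme.reg above empties the ZoneMap Domains and Ranges keys, and this Python code reads a text export of those keys and lists which sites are mapped to which zone, so the Trusted Sites entries can be compared before and after the merge. The sample export, example.org, 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Internet Explorer security zone numbers stored in ZoneMap values.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
KEY_RE = re.compile(
    r"^\[(-?)(HKEY_[A-Z_]+)\\.*?\\ZoneMap\\(Domains|Ranges)\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')
RANGE_RE = re.compile(r'^":Range"="([^"]*)"$')

# Constructed sample of a registry export; not data from the thread's logs.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com\b]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"http"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000002
":Range"="192.0.2.10"
"""

def zone_entries(reg_text):
    """Return (hive, site, protocol, zone name) for every ZoneMap mapping."""
    found, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = None  # deletion keys ("[-...") and other keys are skipped
            if m and not m.group(1):
                sub = m.group(4)
                if m.group(3).lower() == "domains":
                    # Domains\example.com\www describes www.example.com
                    sub = ".".join(reversed(sub.split("\\")))
                key = [m.group(2), sub]
        elif key and (r := RANGE_RE.match(line)):
            key[1] = r.group(1)  # show the address instead of "RangeN"
        elif key and (v := VAL_RE.match(line)):
            found.append((key,) + v.groups())
    return [(k[0], k[1], n, ZONES.get(int(z, 16), "zone " + z))
            for k, n, z in found]

def trusted_sites(reg_text):
    """Sites mapped to the Trusted Sites zone (2), i.e. the O15 entries."""
    return sorted({s for _, s, _, z in zone_entries(reg_text) if z == "Trusted Sites"})

if __name__ == "__main__":
    print(*zone_entries(SAMPLE), sep="\n")
```

An empty result from `trusted_sites` after the merge and a reboot means the keys stayed clean; an entry that reappears points to something still writing it back.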
 
did the fixme.reg & immunize

1. How do I do this?...SpywareBlaster protection must be re-enabled.

2. This is Search & Destroy, then I click on Immunize, right?...Spybot's Immunize feature must be used again,

3. How do I do this?...also you have to re-install IE-SpyAd if installed.

4. Scotty from WinPatrol is asking what I should do with Filename HOSTS "c:\windows\system32\drivers\etc\hosts" Do I accept or reject change?
 
stellaj76 said:
1. How do I do this?...SpywareBlaster protection must be re-enabled.

Open SpywareBlaster and check for updates, then click "Enable All Protection"

2. This is Search & Destroy, then I click on Immunize, right?...Spybot's Immunize feature must be used again,

Open SpyBot and check for updates, then click on "Immunize"

3. How do I do this?...also you have to re-install IE-SpyAd if installed.

I don't think we have installed IE-SpyAd so nothing to do there

4. Scotty from WinPatrol is asking what I should do with Filename HOSTS "c:\windows\system32\drivers\etc\hosts" Do I accept or reject change?

Accept, that is from the batch file you ran from notepad

How are things running now?
 
spyware blaster?

In reference to: Open SpywareBlaster and check for updates, then click "Enable All Protection"

I'm not sure if I have SpywareBlaster or how to find it.

Otherwise, the b.whataboutadog hasn't shown up yet, but any ideas about not being able to get to www.excite.com at all? It's very frustrating because nothing happens at all when I type the address...and that's any excite page.
 
spyware blaster, etc.

Thanks for the spyware blaster link...I didn't have that installed before.

So far, so good with the "dog" since I haven't noticed it in my history or in my trusted sites list in over 24 hours. So, thanks so much for helping me to get rid of it...hopefully it's gone for good now.

In the course of the last bunch of days trying to rid myself of the dog, I have been instructed to download many new programs. Would you let me know which ones I should keep and which I should uninstall? This includes CCleaner, HJT, ATF cleaner, AVG, find AWF, spybot, bitdefender, winpatrol etc. Which of these should I run regularly, and how often?

As for the excite.com problem...that is still not fixed, and the youhide.com didn't work for me either. I would really appreciate any input on this, especially since this was not a problem until after I started running all these new programs this past week +.

Thanks again in advance!
 