Stupid Dog! (doginhispen and aboutadog problem)

Status
Not open for further replies.

Mpls21

Hi. Over the past few days I have developed a problem with Internet Explorer. I am not able to open any sites with Internet Explorer, however I am able to get online using MSN Explorer.

Until yesterday, I was using IE6. When the problem first developed I got an alert from Microsoft stating I needed to upgrade to IE7. I did that, but it did not solve the problem.

I've run spybot, and norton virus scans, then ran HJT and found doginhispen.com and aboutadog.com listed in my trusted sites.

I removed both of these, using HJT and rebooted. This solved the problem for about 24 hours, however today the problem suddenly redeveloped. I ran HJT again, and there they were. They've been removed again, and I went and entered these two sites in my listing of blocked sites, but am still not able to get online using IE. Once I open a window, it locks up and the only way to close it is using task manager to end the task.

Thank you in advance for any assistance anyone is able to offer.

MRD
 
You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


This thread is for the use of Mpls21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Please ignore the instructions given by rik for now.

Your system is infected with a very nasty virus.

The virus takes legit .exe files and places them in bak (backup) folders; it then calls itself whatever .exe file it has moved.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, post a HJT log as per these instructions.

Once we've managed to get rid of that virus, we can then check your system for any other infections that may be present.

Regards Howard :)

This thread is for the use of Mpls21 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
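A scan in the spirit of FindAWF's option 1, added here as an example (it is not FindAWF's code and does not come from this thread). It builds a constructed folder tree in a temporary directory, with an invented "impostor" under QuickTime and a harmless backup copy under Windows Media Player, and reports each bak\*.exe whose same-named sibling in the parent folder differs:

```python
# Added example, not FindAWF's own code: a bak-folder scan in the spirit of
# FindAWF option 1.  The directory layout is constructed inside a temp dir.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_swaps(root):
    """Return one record per .exe found inside any folder named 'bak'.

    The infection moves the real program into <dir>\\bak\\ and drops its own
    copy under the original name in <dir>, so a same-named sibling whose bytes
    differ from the bak copy is the tell-tale; identical bytes look like an
    ordinary backup."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            moved = os.path.join(dirpath, name)
            sibling = os.path.join(parent, name)
            rec = {"bak_file": moved, "sibling": sibling,
                   "sibling_exists": os.path.isfile(sibling), "differs": None}
            if rec["sibling_exists"]:
                rec["differs"] = sha256_of(moved) != sha256_of(sibling)
            findings.append(rec)
    return sorted(findings, key=lambda r: r["bak_file"])


def build_demo_tree(base):
    """Constructed sample: one swapped binary, one harmless backup copy."""
    qt = os.path.join(base, "Program Files", "QuickTime")
    os.makedirs(os.path.join(qt, "bak"))
    with open(os.path.join(qt, "bak", "qttask.exe"), "wb") as fh:
        fh.write(b"ORIGINAL-QTTASK")   # the real program, moved aside
    with open(os.path.join(qt, "qttask.exe"), "wb") as fh:
        fh.write(b"IMPOSTOR-PAYLOAD")  # what now runs under that name

    wmp = os.path.join(base, "Program Files", "Windows Media Player")
    os.makedirs(os.path.join(wmp, "bak"))
    for path in (os.path.join(wmp, "bak", "WMPNSCFG.exe"),
                 os.path.join(wmp, "WMPNSCFG.exe")):
        with open(path, "wb") as fh:
            fh.write(b"SAME-BYTES")    # identical: a plain backup, not a swap
    return base


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_bak_swaps(build_demo_tree(tmp))


if __name__ == "__main__":
    for rec in demo():
        state = "missing" if not rec["sibling_exists"] else (
            "SWAPPED (bytes differ)" if rec["differs"] else "same bytes")
        print(rec["bak_file"], "->", state)
```

The constructed files are inert byte strings; the scanner only hashes and compares, it never runs anything it finds.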
 
You have Downloader-BEW, a Downloader Trojan: This Trojan tries to download other malware from various websites and also lowers security settings on the compromised machine. It is very new, discovered 10/1/07, and I wonder if your AV is up to date. One thing you need to do is disable System Restore until you're clean.

The Trojan tries to contact the following websites:
* http://b.whataboutadog.com[REMOVED]
* http://a.doginhispen.com[REMOVED]
* http://88.80.5.21[REMOVED]
* http://88.80.5.36[REMOVED]
* http://a.ciscering.com[REMOVED]

http://vil.nai.com/vil/content/v_143361.htm

"alert from Microsoft stating I needed to upgrade to IE7."

IE7 is not an upgrade or update to IE6. It is a new version. Are you using Vista? I'm not aware of MS telling users they 'have' to get IE7. Unfortunately, MS did include it in their Windows Updates some time ago so a lot of users unexpectedly found themselves with it.

You can uninstall IE7 by going to the Control Panel> Add/Remove Programs> highlight and uninstall. You will then be left with IE6. If there is a problem with IE6, getting IE7 will not fix it.
 
Thanks Howard. Users are really going to need to keep on top of their AV updating and scanning! This Trojan is barely out and causing problems! There is some debate about turning off System Restore before cleaning; that's what I've always suggested, but I have run into a couple of people who say "No", better to have an infected Restore Point than none at all!

Since some try using SR early on as a fix, many will get reinfected. What's your thought on this?
 
Turning off system restore before cleaning is very risky. If something goes wrong during cleaning, the user won't have any way to get back and will ultimately have to format.

Far better to be able to restore a system, even if that means restoring some infections, than not being able to restore at all.

Only once a system is clean, is it safe to turn system restore off and back on.

I first saw this virus a few weeks ago. I can't remember which thread it was, but will try and find it if I get time.

Found the thread.

https://www.techspot.com/vb/topic86461.html

Regards Howard :)
 
immediate setup to bypass these sites:

1) stop access by name
update host file
\windows\system32\drivers\etc\host (note missing extension)
set attrib -r, then edit the file and add
127.0.0.1 prq.se
127.0.0.1 b.whataboutadog.com
127.0.0.1 a.ciscering.com
save the file and set attrib +r

(nslookup 88.80.5.36 & 88.80.5.21 both ips point to prq.se)
b.whataboutadog.com ->8.80.5.21
a.ciscering.com ->209.62.20.154


2) stop access by ip-address
Unless you have fouled up your firewall OR insist on running without one,
this should not be necessary at all. Otherwise, you can add these rules
near the top of the rule stack (to ensure something else does not accidentally
allow traffic)
open your firewall and add rules
DENY out tcp/udp dest-ip 88.80.5.36 log
DENY out tcp/udp dest-ip 88.80.5.21 log
DENY in tcp/udp source-ip 88.80.5.36 log
DENY in tcp/udp source-ip 88.80.5.21 log

DENY out tcp/udp dest-ip 8.80.5.21 log
DENY in tcp/udp source-ip 8.80.5.21 log

DENY out tcp/udp dest-ip 209.62.20.154 log
DENY in tcp/udp source-ip 209.62.20.154 log
Do not add any reference to PORT(s)
 
Howard, I see Trusted Zone: *.whataboutarabit.com on the thread you referenced. This Trojan doesn't waste any time! I am amazed to see how many programs/processes are running!

So many have the Java Update Check (jusched.exe) set, which it is highly recommended "not" to have set for automatic update checks. And I notice many other running programs or processes that shouldn't be running in the background, but that's another matter.

I usually go through that for complaints like 'my computer is slow', 'it takes too long to start up' and the like. I think many users don't understand about taking programs off startup through msconfig!

I did find another Trojan, the Trojan.Zonebac, that contacts .whataboutarabit.com from a year ago, so this bad guy is mutating!
 
Well isn't this just fun!

First of all, thank you all so very much for your assistance with this problem. My technical knowledge is at about the level where I know enough to do damage, so this is all quite intimidating to me... despite spending the last 5 years working (albeit in sales and marketing) for a dotcom and now an SEO firm. I just sell the stuff...

I am going through all the instructions in the thread referenced above by Howard, but am quite worried at the prospect of doing a system restore. I, as well as my boyfriend have both used that computer for both banking and credit card activity and I have some medical information saved on there as well. (In documents only.) I am also terrified at the thought of losing the massive amount of music, photos, old family movies I've transferred to DVD and have spent innumerable hours editing and creating movies with music and interviews of old relatives etc. I had all of this saved to an external hard drive, but about a month ago that froze and I'll have to spend an exorbitant amount of money to recover all of that. I do now have a new external hard drive that I can re-save all of my files to, so I've got that going for me... which is nice... I guess.

I have a couple of questions regarding doing a system restore. My apologies if they're really dumb.

If I do have to do a restore, will I then have to reinstall any programs that have been added "post OEM?"

Will I lose music, data files, photos etc, saved to my documents and if I first save them to an external hard drive, is there a risk of somehow moving the virus or part thereof to the hard drive? (I warned you these might be dumb questions! I've never had to do a restore.)

Thank you all once again for all your help... I hope I can get through this without too much loss!
 
howard_hopkinso said:
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, post a HJT log as per these instructions.

Once we've managed to get rid of that virus, we can then check your system for any other infections that may be present.

Regards Howard :)


Hi Mpls21:

The above instructions are what I'd like you to follow.

Just post the two requested log files and we'll take it from there.

Regards Howard :)
 
Howard knows what he is doing with the type of infection you have, follow his instructions and with a little luck your pc should be fine.
 
Mpls21 said:
Well isn't this just fun!

I have a couple of questions regarding doing a system restore. My apologies if they're really dumb.

  1. If I do have to do a restore, will I then have to reinstall any programs that have been added "post OEM?"
  2. Will I lose music, data files, photos etc, saved to my documents and if I first save them to an external hard drive, is there a risk of somehow moving the virus or part thereof to the hard drive? (I warned you these might be dumb questions! I've never had to do a restore.)
issue is RESTORE vs. Restore Point(s)

Normally, we get System Restore Points every time we do installs (it's the default option but can be disabled.)
Referencing one of these will ONLY change the registry, not your files.

A System Restore can only be done if you perform a System Backup.
Using one of these will overlay massive amounts of files, programs and system data.

on (1) the System Restore Points will track your registry over time --
which is why we typically disable this option when removing virus/trojans;
if you don't, then you just waste time and reinstall the same problem.
It is possible, however, to pick a restore point which is not contaminated and
thus delete the offending virus/trojans -- it's just very difficult to find that correct instance.

A System Restore is whatever it is in time; it captures the state of your system at that time and rolls your system to that condition.

on (2) the virus/trojans seldom attack files per se; they like to attack
the registry, configuration information and programs. *IF* you're careless
enough to click on any email attachments, then you will get some contaminated file -- typically located in the TEMP directories rather than your personal \Docs & Settings\yourloginId\My Documents\*
 
I've run HJT, (twice actually, I ran it again after kicking the dog out again.) I've attached both HJT files and the AWF file here.

Thanks.

jobeard said:
issue is RESTORE vs. Restore Point(s)

Normally, we get System Restore Points every time we do installs (it's the default option but can be disabled.)
Referencing one of these will ONLY change the registry, not your files.

A System Restore can only be done if you perform a System Backup.
Using one of these will overlay massive amounts of files, programs and system data.

on (1) the System Restore Points will track your registry over time --
which is why we typically disable this option when removing virus/trojans;
if you don't, then you just waste time and reinstall the same problem.
It is possible, however, to pick a restore point which is not contaminated and
thus delete the offending virus/trojans -- it's just very difficult to find that correct instance.

A System Restore is whatever it is in time; it captures the state of your system at that time and rolls your system to that condition.

on (2) the virus/trojans seldom attack files per se; they like to attack
the registry, configuration information and programs. *IF* you're careless
enough to click on any email attachments, then you will get some contaminated file -- typically located in the TEMP directories rather than your personal \Docs & Settings\yourloginId\My Documents\*

Thank you for the information jobeard. I think I'll be backing up the movies etc to the new hard drive and to DVDs... just to be safe. Thanks again!
 

Attachment: BAK Files Found.txt

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft ActiveSync\bak\Wcescomm.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\support.com\bin\bak\tgcmd.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\support.com\backup\bo\bookmarks.bak\80688_52abb6142_"
"C:\Program Files\support.com\backup\bo\bookmarks.html.sbsd.bak\80688_52abb6142_"
"C:\Program Files\support.com\backup\bo\bookmarks.html.sbsd.bak\80688_52abb6142_"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

 
Mpls21:

System Restore will roll back the Windows' state to a working version, without affecting any of your data. The only things you may lose are updates on the system. Understand that doing a System Restore is NOT the same as doing a 'last good configuration'.

Hopefully you have started saving those files you do not want to lose, those which cannot be created again, to some form of media that could be used to recover.

A System Restore doesn't require that you do a back up first. In normal operation, the system will automatically set a restore point about once every 24 hours, if the computer is on, taking a snapshot of your system. Restore points are also not always set automatically before these things are done. I always set my own restore points before a download, update, install or uninstall of any major work on my system. That way if there is a problem, I can restore to right before I did whatever I did that caused the problem. I also set occasional restore points myself when I know maintenance is done and security scans are finished.
 
I know all you guys are trying to help.

However this thread is in overkill with advice and it's just getting confusing.

Anyone who has the same problem and looks at this thread is gonna wonder what the hell's going on. ;)

Let's at least try and get rid of the infection, then see what else needs to be done, if anything.

Regards Howard :)
 
Howard, the information I posted answered a question and also clarified the System Restore point. It does not tread on the Hijack log process. Knowledge is good- it doesn't have to be kept in one narrow box. No attempt was made to interfere with your work on the logs.

A lot of users are throwing out hijack logs as a 'fix all' because some don't have a clue of what's running on their systems or how to begin troubleshooting.
 
Bobbye said:
Mpls21:

System Restore will roll back the Windows' state to a working version, without affecting any of your data. The only things you may lose are updates on the system. Understand that doing a System Restore is NOT the same as doing a 'last good configuration'.

Hopefully you have started saving those files you do not want to lose, those which cannot be created again, to some form of media that could be used to recover.

A System Restore doesn't require that you do a back up first. In normal operation, the system will automatically set a restore point about once every 24 hours, if the computer is on, taking a snapshot of your system. Restore points are also not always set automatically before these things are done. I always set my own restore points before a download, update, install or uninstall of any major work on my system. That way if there is a problem, I can restore to right before I did whatever I did that caused the problem. I also set occasional restore points myself when I know maintenance is done and security scans are finished.

I copied the info, ran the AWF tool as instructed, and am attaching the results from the file here.

Thank goodness I have my laptop to get online and do all of this!

Thank you.
 

Attachment: awf.txt

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak
C:\Program Files\Windows Media Player\bak
C:\WINDOWS\system32\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\support.com\bin\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak



Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log as well as a fresh HJT log.

Regards Howard :)

 
Ok, did that, and here is the file.

Oops, sorry, I forgot the HJT File. Here is that as well. - Both doginhispen.com and whataboutadog.com are back.
 

Attachment: hijackthis10-10-07_3rd.log

There's still some bak files left to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Microsoft ActiveSync\bak\Wcescomm.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\support.com\bin\bak\tgcmd.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Also, please post a fresh HJT log.

Regards Howard :)

 
howard_hopkinso said:
There's still some bak files left to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.




Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Also, please post a fresh HJT log.

Regards Howard :)


Edited to delete my response. It wasn't relative.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - Startup: HyperShare.lnk = C:\Program Files\HyperOffice\HyperShare\HyperShare.exe

O15 - Trusted Zone: http://dealers.carsoup.com

O15 - Trusted Zone: *.doginhispen.com

O15 - Trusted Zone: *.microsoft.com

O15 - Trusted Zone: *.whataboutadog.com

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Click on the fix checked button.

Close HJT.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Navigate to the following reg keys and in the right hand pane, right click on them and choose delete.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doginhispen.com

Close regedit.

Reboot into normal mode and rehide your protected OS files.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Post a fresh HJT log as well.

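An added example (not HijackThis code, and not from this thread) that pulls the O15 Trusted Zone lines out of an HJT log excerpt constructed from the entries quoted above, flags the hosts not on an assumed allowlist of Microsoft update domains, and maps each one to the ZoneMap registry key named in the regedit step:

```python
# Added example, not HijackThis code.  The log excerpt is constructed from the
# O15 lines quoted in the thread; the allowlist below is an assumption.
import re

SAMPLE_HJT_LOG = """\
O4 - Startup: HyperShare.lnk = C:\\Program Files\\HyperOffice\\HyperShare\\HyperShare.exe
O15 - Trusted Zone: http://dealers.carsoup.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Domains a home user can reasonably expect in the Trusted zone (assumed).
ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

O15_RE = re.compile(r"^O15 - Trusted Zone:\s*(\S+)", re.MULTILINE)
ZONEMAP = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")


def normalise(entry):
    """Turn '*.example.com' or 'http://host.example.com/' into a bare host."""
    entry = re.sub(r"^[a-z]+://", "", entry, flags=re.I)  # drop scheme
    entry = entry.lstrip("*.")                            # drop wildcard
    return entry.split("/")[0].lower()


def is_allowed(host):
    """Exact match or subdomain of an allowlisted suffix."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def registered_domain(host):
    """Last two labels; the ZoneMap key is named after the registrable domain
    (e.g. 'doginhispen.com'), as in the thread's regedit step."""
    return ".".join(host.split(".")[-2:])


def suspicious_trusted_zones(log_text):
    """Return (host, zonemap_key) for every O15 entry not on the allowlist."""
    out = []
    for raw in O15_RE.findall(log_text):
        host = normalise(raw)
        if not is_allowed(host):
            out.append((host, ZONEMAP + "\\" + registered_domain(host)))
    return out


if __name__ == "__main__":
    for host, key in suspicious_trusted_zones(SAMPLE_HJT_LOG):
        print(f"review: {host:30s} -> {key}")
```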
 
I haven't completed all of this yet, but what in the heck are all these domain names in this registry?? There's things like, "cyberrape.com," "doggystyle.com" and about... I don't even know how many more nasty names and spyware names like coolsearch etc. that are in here!

When I deleted the dog registry entries, there were two items in the right panel. One was default, and when I try to delete it I get a pop up that says, "unable to delete all specified values"

I'm rebooting that computer and will then run AWF and HJT again, then will post the reports.
 