BleepingComputer.com: Help Me Kill 'whataboutadog'

Hi.
I'm totally infected by these viruses. They're all showing in my browser history: doginhispen, tribalfusion, skitodayplease, 88.80.7.66. Anti-Spyware software not helpfull. I downloaded FindAWF.exe, but need some help how to step through the cleanup process. Would be greatly appreciated.
Thanks,
DreamofSun

• Double-click on FindAWF.exe to start.
  
• If a "Security Alert" shows, allow the program to run.
  
• A command prompt will open and ask you to "Press any key to continue...".
  
• You will be presented with a Menu.
  1. Press 1 then Enter to scan for bak folders
  2. Press 2 then Enter to restore files from bak folders
  3. Press 3 then Enter to remove bak folders
  4. Press 4 then Enter to reset domain zones
  5. Press E then Enter to EXIT
  
  
• Press 1 then 'Enter' to scan for bak folders
  
• The FindAWF tool will begin scanning your computer for the infected AWF files and backups created by the trojan.
  
• It may take a few minutes to complete so be patient.
  
• When complete, it will open a text file in notepad called awf.txt which will be saved to your desktop.
  
• Copy and paste the contents of the awf.txt file in your next reply.

Hi Qietman7,
thanks for helping. Here's the contents of the awf.txt file:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 02/14/2008
The current time is: 19:32:00.21


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

11/15/2007 01:11 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/07/2006 06:14 PM 576,320 itype.exe
1 File(s) 576,320 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

07/07/2006 06:15 PM 600,896 ipoint.exe
1 File(s) 600,896 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/14/2007 11:43 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 11:20 AM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 10:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 04:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 4 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer

Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
14860 Feb 4 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14860 Feb 4 2008 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
14860 Feb 4 2008 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
14860 Feb 4 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

Double-click the FindAWF icon once again.

• If a "Security Alert" shows, allow the program to run.
  
• A command prompt will open and ask you to "Press any key to continue...".
  
• You will be presented with a Menu.
  
• Press 2 then 'Enter' to restore files from bak folders
  
• A text file named files.txt will then open.
  
• Click below the line and copy/paste the following list of files in the quote box into the text file:

Quote

• Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list (if running).
    
  • Deletes the rogue file from the parent folder (if present).
    
  • Copies the original file to the parent folder.
  
  
• When done, it automatically runs a new scan and opens a new log.
  
• Please copy/paste the contents of the new awf.txt log in your reply.

OK then, below is the result of the AWF Option 2 text file. I did reboot by the way between running option 1 and option 2. I hope that doesn't mess anything up? Thanks again....


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 02/15/2008
The current time is: 6:37:23.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

11/15/2007 01:11 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

07/07/2006 06:14 PM 576,320 itype.exe
1 File(s) 576,320 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

07/07/2006 06:15 PM 600,896 ipoint.exe
1 File(s) 600,896 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/14/2007 11:43 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 11:20 AM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 11:35 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

09/17/2003 10:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 04:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267048 Nov 15 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe"
116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE"
14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

Double-click the FindAWF icon once again.

• A command prompt will open and ask you to "Press any key to continue...".
  
• You will be presented with a Menu.
  
• Press 3 then 'Enter' to remove bak folders.
  
• A text file named files.txt will then open.
  
• Click below the line and copy/paste the following list of folders in the quote box into the text file:

Quote

• Close the text file and click Yes to save the changes.
  
• When done, it automatically runs a new scan and opens a new log.
  
• Please copy/paste the contents of the new awf.txt log in your reply.

Hi again Quietman7. Here's the result of running AWF option 3 txt file (looks good huh?):


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 02/15/2008
The current time is: 19:06:35.70


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Bummer,
hasn't fixed it. I still get a.doginhispen.com showing up in my history as soon as I open IE7. What now?

Double-click the FindAWF icon once again.

• A command prompt will open and ask you to "Press any key to continue...".
  
• You will be presented with a Menu.
  
• Press 4 then 'Enter' to reset domain zones.
  
• You will receive a warning to reset domain zones.
  
• Press 1 then 'Enter'.
  
• When done, you will receive a message: "Done! Zones have been reset".
  
• After resetting the domain zones, the program will return to the main menu.
  
• Press E then 'Enter' to EXIT.
  
• Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.

Please download ATF Cleaner by Atribune & save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
  
• Under Main "Select Files to Delete" choose: Select All.
  
• Click the Empty Selected button.
  
• If you use Firefox browser click Firefox at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
  
• If you use Opera browser click Opera at the top and choose: Select All
  
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
  
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Thanks Quietman7!
So far so good. This morning on bootup and again after cleansing the system with ATF, the rogue history entries are not showing. Do you by any chance know what information may have been snatched by these rogue sites/groups (tribalfusion/doginhispen/etc)? My wife made an online purchase while these trojans were in place. Wondering if there's any chance they could have snatched credit card or other personal info?

Your infection was related to Downloader.Agent.awf. IMO anytime your machine is infected its always "best practice" to change all your passwords and let credit card companies know that your machine may have been compromised.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Malware Prevention - Preventing Re-infection".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1".
• "Hardening Windows Security - Part 2".
• "IE Recommended Minimal Security Settings".

Thanks Quietman7. Seems however that I'm not yet clean. I still have tribalfusion showing in IE history. It popped up after we finished everything. In IE7 history it reads as follws:
a.tribalfusion (a.tribalfusion.com)
Can you assist to remove that as well. It seems also to be a virus.

One more thing...I just scanned with Spybot and found/killed DSSAgent. Not sure if that's related to tribalfusion?

Use ATFCleaner again to remove all your cookies.

Download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates...". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  
• Under the "Configuration and Preferences", click the Preferences... button.
  
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
  
  
• Click the "Close" button to leave the Control Center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes" and reboot normally.
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  
  
• Click Close to exit the program.

Then add Tribalfusion to your hosts file to block that site. Better yet, download and use a custom HOSTS file which already has that site added for blocking along with numerous others.

MVPS HOSTS File zipped version: http://www.mvps.org/winhelp2002/hosts.zip
Download includes a batch file (mvps.bat) that will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the proper location.

MVPS HOSTS File text version: http://www.mvps.org/winhelp2002/hosts.txt
Extract the zip file to the following location and let it replace your existing hosts file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Blocking Unwanted Parasites with a Hosts File Instructions

Hi again Quietman,
its back again, and again, and again.
a.doginhispen keep showing up. I re-ran the entire FindAWF process + ATF Cleaner + Superantispyware last night. Rebooted and then its back along with skitoftheday. I rescrubbed again, taking all 4 steps with FindAWF, etc, etc. Turned computer on again and there it is a.doginhispen in the history. In between I was deleting all history, cookies, temp files, etc. I just now ran AWF step 1 and it's clean (attached below). Why then does this keep showing in history. Do you know where it resides? Any other more comprehensive way to find/kill it? Please help again. Thanks.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 02/28/2008
The current time is: 15:56:02.67


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report