Help Me Kill 'whataboutadog'

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Help Me Kill 'whataboutadog', I got it all: doginhispen, tribalfusion, skitodayplease, 88.80.7.66

Options

DreamofSun View Member Profile	Feb 13 2008, 09:29 PM Post #1
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Hi. I'm totally infected by these viruses. They're all showing in my browser history: doginhispen, tribalfusion, skitodayplease, 88.80.7.66. Anti-Spyware software not helpfull. I downloaded FindAWF.exe, but need some help how to step through the cleanup process. Would be greatly appreciated. Thanks, DreamofSun

quietman7 View Member Profile	Feb 14 2008, 11:18 AM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click on FindAWF.exe to start. If a "Security Alert" shows, allow the program to run. A command prompt will open and ask you to "Press any key to continue...". You will be presented with a Menu. 1. Press 1 then Enter to scan for bak folders 2. Press 2 then Enter to restore files from bak folders 3. Press 3 then Enter to remove bak folders 4. Press 4 then Enter to reset domain zones 5. Press E then Enter to EXIT Press 1 then 'Enter' to scan for bak folders The FindAWF tool will begin scanning your computer for the infected AWF files and backups created by the trojan. It may take a few minutes to complete so be patient. When complete, it will open a text file in notepad called awf.txt which will be saved to your desktop. Copy and paste the contents of the awf.txt file in your next reply. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 14 2008, 07:36 PM Post #3
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Hi Qietman7, thanks for helping. Here's the contents of the awf.txt file: Find AWF report by noahdfear ©2006 Version 1.40 The current date is: Thu 02/14/2008 The current time is: 19:32:00.21 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\ITUNES\BAK 11/15/2007 01:11 PM 267,048 iTunesHelper.exe 1 File(s) 267,048 bytes Directory of C:\PROGRA~1\MICROS~4\BAK 07/07/2006 06:14 PM 576,320 itype.exe 1 File(s) 576,320 bytes Directory of C:\PROGRA~1\MIFB84~1\BAK 07/07/2006 06:15 PM 600,896 ipoint.exe 1 File(s) 600,896 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 11/14/2007 11:43 PM 286,720 QTTask.exe 1 File(s) 286,720 bytes Directory of C:\PROGRA~1\WIFD1F~1\BAK 11/03/2006 11:20 AM 866,584 MSASCui.exe 1 File(s) 866,584 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/04/2004 07:00 AM 15,360 ctfmon.exe 1 File(s) 15,360 bytes Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK 12/03/2002 06:06 PM 45,056 SBDrvDet.exe 1 File(s) 45,056 bytes Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK 11/10/2006 11:35 AM 90,112 CLIStart.exe 1 File(s) 90,112 bytes Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK 06/18/2003 01:00 AM 45,056 CTDVDDet.EXE 1 File(s) 45,056 bytes Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK 09/17/2003 10:43 AM 57,344 CTSysVol.exe 1 File(s) 57,344 bytes Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK 06/06/2005 04:46 PM 57,344 apdproxy.exe 1 File(s) 57,344 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 14860 Feb 4 2008 "C:\Program Files\iTunes\iTunesHelper.exe" 267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe" 116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe" 14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliType Pro\itype.exe" 576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe" 14860 Feb 4 2008 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" 600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe" 14860 Feb 4 2008 "C:\Program Files\QuickTime\QTTask.exe" 286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe" 14860 Feb 4 2008 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" 45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe" 14860 Feb 4 2008 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" 90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe" 14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" 45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE" 14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" 57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe" 14860 Feb 4 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" 57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" end of report

quietman7 View Member Profile	Feb 14 2008, 10:43 PM Post #4
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. If a "Security Alert" shows, allow the program to run. A command prompt will open and ask you to "Press any key to continue...". You will be presented with a Menu. Press 2 then 'Enter' to restore files from bak folders A text file named files.txt will then open. Click below the line and copy/paste the following list of files in the quote box into the text file: QUOTE "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe" "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe" "C:\Program Files\QuickTime\bak\QTTask.exe" "C:\Program Files\Windows Defender\bak\MSASCui.exe" "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe" "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe" "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE" "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following: It attempts to terminate the process represented by each filename on the list (if running). Deletes the rogue file from the parent folder (if present). Copies the original file to the parent folder. When done, it automatically runs a new scan and opens a new log. Please copy/paste the contents of the new awf.txt log in your reply. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 15 2008, 06:42 AM Post #5
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	OK then, below is the result of the AWF Option 2 text file. I did reboot by the way between running option 1 and option 2. I hope that doesn't mess anything up? Thanks again.... Find AWF report by noahdfear ©2006 Version 1.40 Option 2 run successfully The current date is: Fri 02/15/2008 The current time is: 6:37:23.20 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\ITUNES\BAK 11/15/2007 01:11 PM 267,048 iTunesHelper.exe 1 File(s) 267,048 bytes Directory of C:\PROGRA~1\MICROS~4\BAK 07/07/2006 06:14 PM 576,320 itype.exe 1 File(s) 576,320 bytes Directory of C:\PROGRA~1\MIFB84~1\BAK 07/07/2006 06:15 PM 600,896 ipoint.exe 1 File(s) 600,896 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 11/14/2007 11:43 PM 286,720 QTTask.exe 1 File(s) 286,720 bytes Directory of C:\PROGRA~1\WIFD1F~1\BAK 11/03/2006 11:20 AM 866,584 MSASCui.exe 1 File(s) 866,584 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/04/2004 07:00 AM 15,360 ctfmon.exe 1 File(s) 15,360 bytes Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK 12/03/2002 06:06 PM 45,056 SBDrvDet.exe 1 File(s) 45,056 bytes Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK 11/10/2006 11:35 AM 90,112 CLIStart.exe 1 File(s) 90,112 bytes Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK 06/18/2003 01:00 AM 45,056 CTDVDDet.EXE 1 File(s) 45,056 bytes Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK 09/17/2003 10:43 AM 57,344 CTSysVol.exe 1 File(s) 57,344 bytes Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK 06/06/2005 04:46 PM 57,344 apdproxy.exe 1 File(s) 57,344 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 267048 Nov 15 2007 "C:\Program Files\iTunes\iTunesHelper.exe" 267048 Nov 15 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 102400 Dec 8 2007 "C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe" 116008 Nov 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe" 576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\itype.exe" 576320 Jul 7 2006 "C:\Program Files\Microsoft IntelliType Pro\bak\itype.exe" 600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" 600896 Jul 7 2006 "C:\Program Files\Microsoft IntelliPoint\bak\ipoint.exe" 286720 Nov 14 2007 "C:\Program Files\QuickTime\QTTask.exe" 286720 Nov 14 2007 "C:\Program Files\QuickTime\bak\QTTask.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe" 866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe" 15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe" 45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" 45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe" 90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" 90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe" 45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" 45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDet.EXE" 14860 Feb 4 2008 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" 57344 Sep 17 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe" 57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" 57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" end of report

quietman7 View Member Profile	Feb 15 2008, 09:01 AM Post #6
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. A command prompt will open and ask you to "Press any key to continue...". You will be presented with a Menu. Press 3 then 'Enter' to remove bak folders. A text file named files.txt will then open. Click below the line and copy/paste the following list of folders in the quote box into the text file: QUOTE C:\Program Files\iTunes\bak C:\Program Files\Microsoft IntelliType Pro\bak C:\Program Files\Microsoft IntelliPoint\bak C:\Program Files\QuickTime\bak C:\Program Files\Windows Defender\bak C:\WINDOWS\system32\bak C:\Program Files\Creative\SB Drive Det\bak C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak Close the text file and click Yes to save the changes. When done, it automatically runs a new scan and opens a new log. Please copy/paste the contents of the new awf.txt log in your reply. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 15 2008, 07:14 PM Post #7
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Hi again Quietman7. Here's the result of running AWF option 3 txt file (looks good huh?): Find AWF report by noahdfear ©2006 Version 1.40 Option 3 run successfully The current date is: Fri 02/15/2008 The current time is: 19:06:35.70 bak folders found ~~~~~~~~~~~ Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ end of report

DreamofSun View Member Profile	Feb 15 2008, 08:08 PM Post #8
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Bummer, hasn't fixed it. I still get a.doginhispen.com showing up in my history as soon as I open IE7. What now?

quietman7 View Member Profile	Feb 16 2008, 09:13 AM Post #9
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Double-click the FindAWF icon once again. A command prompt will open and ask you to "Press any key to continue...". You will be presented with a Menu. Press 4 then 'Enter' to reset domain zones. You will receive a warning to reset domain zones. Press 1 then 'Enter'. When done, you will receive a message: "Done! Zones have been reset". After resetting the domain zones, the program will return to the main menu. Press E then 'Enter' to EXIT. Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted. Please download ATF Cleaner by Atribune & save it to your desktop. Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 16 2008, 09:33 AM Post #10
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Thanks Quietman7! So far so good. This morning on bootup and again after cleansing the system with ATF, the rogue history entries are not showing. Do you by any chance know what information may have been snatched by these rogue sites/groups (tribalfusion/doginhispen/etc)? My wife made an online purchase while these trojans were in place. Wondering if there's any chance they could have snatched credit card or other personal info?

quietman7 View Member Profile	Feb 16 2008, 12:08 PM Post #11
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Your infection was related to Downloader.Agent.awf. IMO anytime your machine is infected its always "best practice" to change all your passwords and let credit card companies know that your machine may have been compromised. To protect yourself against malware and reduce the potential for re-infection, be sure to read: • "Malware Prevention - Preventing Re-infection". • "How did I get infected?, With steps so it does not happen again!". • "Best Practices - Internet Safety for 2008". • "Hardening Windows Security - Part 1". • "Hardening Windows Security - Part 2". • "IE Recommended Minimal Security Settings". -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 16 2008, 01:18 PM Post #12
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Thanks Quietman7. Seems however that I'm not yet clean. I still have tribalfusion showing in IE history. It popped up after we finished everything. In IE7 history it reads as follws: a.tribalfusion (a.tribalfusion.com) Can you assist to remove that as well. It seems also to be a virus.

DreamofSun View Member Profile	Feb 16 2008, 01:48 PM Post #13
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	One more thing...I just scanned with Spybot and found/killed DSSAgent. Not sure if that's related to tribalfusion?

quietman7 View Member Profile	Feb 16 2008, 02:51 PM Post #14
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	Use ATFCleaner again to remove all your cookies. Download and scan with SUPERAntiSpyware Free Double-click SUPERAntiSypware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates...". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Under the "Configuration and Preferences", click the Preferences... button. Click the "*General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): Close browsers before scanning.* Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the Control Center screen. Back on the main screen, under "Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose *Perform Complete Scan* and click "Next". After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "*Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes" and reboot normally. To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Click Close to exit the program. Then add Tribalfusion to your hosts file to block that site. Better yet, download and use a custom HOSTS file which already has that site added for blocking along with numerous others. MVPS HOSTS File zipped version: http://www.mvps.org/winhelp2002/hosts.zip Download includes a batch file (mvps.bat) that will rename the existing HOSTS file to HOSTS.MVP, then copy the included updated HOSTS file to the proper location. MVPS HOSTS File text version: http://www.mvps.org/winhelp2002/hosts.txt Extract the zip file to the following location and let it replace your existing hosts file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC Blocking Unwanted Parasites with a Hosts File Instructions This post has been edited by quietman7: Feb 16 2008, 02:52 PM -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

DreamofSun View Member Profile	Feb 28 2008, 04:06 PM Post #15
New Member Group: Members Posts: 12 Joined: 13-February 08 Member No.: 190,052	Hi again Quietman, its back again, and again, and again. a.doginhispen keep showing up. I re-ran the entire FindAWF process + ATF Cleaner + Superantispyware last night. Rebooted and then its back along with skitoftheday. I rescrubbed again, taking all 4 steps with FindAWF, etc, etc. Turned computer on again and there it is a.doginhispen in the history. In between I was deleting all history, cookies, temp files, etc. I just now ran AWF step 1 and it's clean (attached below). Why then does this keep showing in history. Do you know where it resides? Any other more comprehensive way to find/kill it? Please help again. Thanks. Find AWF report by noahdfear ©2006 Version 1.40 The current date is: Thu 02/28/2008 The current time is: 15:56:02.67 bak folders found ~~~~~~~~~~~ Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ end of report

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members: