B.whataboutadog & A.doginhispen Virus - Please Help!


9 replies to this topic

#1 ronsin


Posted 04 November 2007 - 01:58 PM

Hello,

I believe my computer is infected with the "b.whataboutadog & a.doginhispen" virus.

I downloaded and ran the AWF utility, which has generated the following information:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 10/31/2007
The current time is: 16:59:09.23


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

09/05/2001 11:28 AM 163,840 MMKeybd.exe
1 File(s) 163,840 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 09:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNVID~1\BAK

01/09/2004 03:04 PM 137,936 MSNVE.exe
1 File(s) 137,936 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

02/27/2002 11:27 AM 75,384 navapw32.exe
1 File(s) 75,384 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/05/2003 12:42 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

06/30/2004 07:04 PM 95,344 SNDMon.exe
1 File(s) 95,344 bytes

Directory of C:\PROGRA~1\MICAC0~1\SYSTEM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

08/01/2002 04:49 AM 49,152 Opware12.exe
1 File(s) 49,152 bytes


09/04/2001 01:31 PM 655,360 DirectCD.exe
1 File(s) 655,360 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 03:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 4 2007 "C:\WINDOWS\MMKeybd.exe"
163840 Sep 5 2001 "C:\DRIVERS\KEYBOARD\MMKEYBD.EXE"
163840 Sep 5 2001 "C:\WINDOWS\bak\MMKeybd.exe"
163840 Sep 5 2001 "C:\Program Files\Netropa\Drivers\MMKEYBD.EXE"
28172 Oct 4 2007 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
28172 Oct 4 2007 "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
137936 Jan 9 2004 "C:\Program Files\MSN Video Enhanced\bak\MSNVE.exe"
28172 Oct 4 2007 "C:\Program Files\Norton AntiVirus\navapw32.exe"
75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"
28172 Oct 4 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Dec 5 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 4 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
95344 Jun 30 2004 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
28172 Oct 4 2007 "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
49152 Aug 1 2002 "C:\Program Files\ScanSoft\OmniPagePro12.0\bak\Opware12.exe"
28172 Oct 4 2007 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
655360 Sep 4 2001 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
28172 Oct 4 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report


***
I could not find any utility to destroy this thing, but I did notice somehow the virus placed itself in my "trusted sites" on my Internet Explorer browser. I did remove the line today, but I suspect it may come back on the next reboot. I'm hoping there is a malware tech that could help me get rid of this stupid thing. Many thanks in advance for your kind help!!

Edit: Moved topic to the more appropriate forum. ~ Animal



#2 quietman7

  • Global Moderator

Posted 04 November 2007 - 03:01 PM

Please double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • As instructed, press any key to continue.
  • Use the following option: Press 2 then Enter to restore files from bak folders.
  • A text file named files.txt will then open.
  • Click below the line and paste the following list of files to be restored:
"C:\WINDOWS\bak\MMKeybd.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\MSN Video Enhanced\bak\MSNVE.exe"
"C:\Program Files\Norton AntiVirus\bak\navapw32.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\Program Files\ScanSoft\OmniPagePro12.0\bak\Opware12.exe"
"C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"

Next, close it and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list (if running).
  • Deletes the rogue file from the parent folder (if present).
  • Copies the original file to the parent folder.
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
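
The comparison behind the restore list above, as an added example (not part of the original thread and not FindAWF's own code): it parses the "Duplicate files" section of a report, pairs each bak copy with the file now sitting in its parent folder, and flags size mismatches. The sample lines are excerpted from the first report in this thread; the function names are illustrative.

```python
import re
from collections import Counter

# Lines excerpted from the "Duplicate files" section of the first report in this thread.
REPORT = r'''
28172 Oct 4 2007 "C:\WINDOWS\MMKeybd.exe"
163840 Sep 5 2001 "C:\DRIVERS\KEYBOARD\MMKEYBD.EXE"
163840 Sep 5 2001 "C:\WINDOWS\bak\MMKeybd.exe"
28172 Oct 4 2007 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
28172 Oct 4 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"
'''

LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')
BAK = re.compile(r'\\bak\\(?=[^\\]+$)', re.IGNORECASE)  # "\bak\" directly above the file


def parse(report):
    """Return {lowercased path: (size, date, original path)} for each listing line."""
    entries = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            size, date, path = int(m.group(1)), m.group(2), m.group(3)
            entries[path.lower()] = (size, date, path)
    return entries


def replaced_files(report):
    """Pair every bak copy with the file in its parent folder; report size mismatches."""
    entries = parse(report)
    findings = []
    for key, (bak_size, _, bak_path) in entries.items():
        if not BAK.search(key):
            continue  # not a bak copy (e.g. an unrelated duplicate elsewhere on disk)
        parent = entries.get(BAK.sub(r'\\', key))
        if parent and parent[0] != bak_size:
            findings.append({"restore_from": bak_path, "suspect": parent[2],
                             "suspect_size": parent[0], "suspect_date": parent[1]})
    return findings


def shared_stub_sizes(findings):
    """Sizes shared by more than one suspect: many different programs, one payload."""
    counts = Counter(f["suspect_size"] for f in findings)
    return {size: n for size, n in counts.items() if n > 1}


if __name__ == "__main__":
    for f in replaced_files(REPORT):
        print(f'"{f["restore_from"]}"', "<-", f["suspect_size"], f["suspect_date"])
```

Run against a report taken after the restore, the same check returns no findings because each parent file matches its bak copy in size.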

#3 ronsin


Posted 06 November 2007 - 07:20 PM

Hi there!

Thank you very much for taking on this challenge! I sure hope we can get to the bottom of this. I *still* don't know which website I visited to catch this thing, but here it goes...

Below is the new log report after running the AFW.EXE with OPTION 2:

*********************************

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Tue 11/06/2007
The current time is: 16:11:30.48


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

09/05/2001 10:28 AM 163,840 MMKeybd.exe
1 File(s) 163,840 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 08:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNVID~1\BAK

01/09/2004 02:04 PM 137,936 MSNVE.exe
1 File(s) 137,936 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

02/27/2002 10:27 AM 75,384 navapw32.exe
1 File(s) 75,384 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/05/2003 11:42 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

06/30/2004 06:04 PM 95,344 SNDMon.exe
1 File(s) 95,344 bytes

Directory of C:\PROGRA~1\MICAC0~1\SYSTEM\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

08/01/2002 03:49 AM 49,152 Opware12.exe
1 File(s) 49,152 bytes


09/04/2001 12:31 PM 655,360 DirectCD.exe
1 File(s) 655,360 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

03/14/2007 02:43 AM 83,608 jusched.exe
1 File(s) 83,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

163840 Sep 5 2001 "C:\WINDOWS\MMKeybd.exe"
163840 Sep 5 2001 "C:\DRIVERS\KEYBOARD\MMKEYBD.EXE"
163840 Sep 5 2001 "C:\WINDOWS\bak\MMKeybd.exe"
163840 Sep 5 2001 "C:\Program Files\Netropa\Drivers\MMKEYBD.EXE"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
137936 Jan 9 2004 "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
137936 Jan 9 2004 "C:\Program Files\MSN Video Enhanced\bak\MSNVE.exe"
75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\navapw32.exe"
75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"
77824 Dec 5 2003 "C:\Program Files\QuickTime\qttask.exe"
77824 Dec 5 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
95344 Jun 30 2004 "C:\Program Files\SymNetDrv\SNDMon.exe"
95344 Jun 30 2004 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
49152 Aug 1 2002 "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
49152 Aug 1 2002 "C:\Program Files\ScanSoft\OmniPagePro12.0\bak\Opware12.exe"
655360 Sep 4 2001 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
655360 Sep 4 2001 "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"


end of report

... Not much has changed, but certainly quite a bit regarding the date & time stamp on some of these files.

#4 quietman7


Posted 06 November 2007 - 09:43 PM

Double-click the FindAWF icon once again.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\WINDOWS\bak
C:\Program Files\Messenger\bak
C:\Program Files\MSN Video Enhanced\bak
C:\Program Files\Norton AntiVirus\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C:\Program Files\ScanSoft\OmniPagePro12.0\bak
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#5 ronsin


Posted 07 November 2007 - 05:59 PM

Hello again.

Thanks for the instructions on step 3. Below are the results of the log file:


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/07/2007
The current time is: 14:56:13.23


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MICROS~3\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICAC0~1\SYSTEM\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#6 quietman7


Posted 07 November 2007 - 06:20 PM

You're doing fine. Things are looking better.

Double-click the FindAWF icon once again.
  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'.
  • You will receive a warning to reset domain zones.
  • Press 1 then press Enter.
  • If you had manually included sites in the trusted zones, these will need to be re-inserted.
  • Please copy/paste the contents of the new awf.txt log in your reply.

Download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Do not run a scan just yet.
  • Reboot in "Safe Mode" using the F8 method and launch SUPERAntispyware.
  • In the main screen, under "Scan for Harmful Software" click Scan your computer.
  • There are three scanning options. Choose "Perform Complete Scan" and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure they all have a checkmark next to them and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.


#7 ronsin


Posted 08 November 2007 - 07:12 PM

Hello.

I completed step #4, but the program did not save any text logs on this step (option 1-3 did though).

I also downloaded the 3rd party spyware removal tool and ran the program while under safe mode.

Everything APPEARS to be working properly now, and I no longer am getting the "aboutadog" or "doginhispen" in my history. Should I assume everything is alright, or can I re-run the AWF software again to generate a different log now that the removal is theoretically in place now?

Thanks again,
Sheldon

#8 quietman7


Posted 08 November 2007 - 08:43 PM

The last log showed that the bad bak folders had been successfully removed after the legit files were restored. Step 4 reset your domain zones (removed all entries). No need to rerun FindAWF again.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#9 ronsin


Posted 09 November 2007 - 05:20 PM

Thank you again for all of your help.

I hope things are back to normal now (especially since I now have locked my restore to this most recent event). The only possible caveat is if the user has other malware and/or viruses unknown to them. They would no longer be able to restore to an even EARLIER date if they needed to.

Also, I did try restoring before - but that did NOT work with "adoginhispen". Any ideas why System Restore couldn't handle "adoginhispen"?

Thanks again!
Sheldon

#10 quietman7


Posted 09 November 2007 - 06:11 PM

"They would no longer be able to restore to an even EARLIER date if they needed to."

You would not want to do that either unless you know for sure it was a clean restore point. System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. Your current restore point leaves you with a workable system. Anything else found can be dealt with from here on.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".

Safe surfing and have a malware free day.

Edited by quietman7, 09 November 2007 - 06:12 PM.
