doginhispen/skitodayplease

Posting for my husband...
A few days ago I started noticing in my IE7 history tab the following two entries:
a.doginhispen/com
b.skitodayplease/com

When I clear out the history tab, they keep reappearing. Around this same time, IE explorer started to intermittently shutdown. I can log back on right away when it does this...but I'm starting to get a bad feeling about what's going on. I'm careful about where I surf, although a few day ago my wife went to a game website to print out some information. Hmmm.

I've got Nod32 v3.0.612.0 on my system (Windows XP Pro SP2). My most recent scan of my hard drive was this morning. Nothing was detected. The settings are per Blackspeare's recent tutorial.

I've never had a computer virus before...and have no clue what to do if that's what it is. Please help.

 

TimW,

We followed the malware directions. Attached are the logs we received (note that AVG Anti-Spyware identified Trackingcookie.ATDMT and Trackingcookie.Tribalfusion...and indicated one trace detected for each one...but when we clicked on the Report tab, it said no report was available). Lastly, please note that SpyBot reported finding the following two entries: DoubleClick and MediaPlex.

I cleared my IE7 browser history. About 10 minutes later, the a.doginhispen.com and b.skitodayplease.com entries are showing up in the browser history again.

What's next? (And, thanks...because we're pretty concerned and pretty lost.)

 

TimW,
I want to supplement my post from last night. There are three (not two) entries that reappeared again in my IE7 history tab after following your malware directions. They are:

88.80.7.66
a.doginhispen
b.skitodayplease

(My post from last night did not include the "88.80.7.66" entry.)

 

Tim: Just checking: did we do the first part right? I (Jennie) feel a little over my head here...I use a Mac; Dave is the windows guy, and he thinks I probably am responsible for infecting his computer, so I am helping (mostly reading directions and cheerleading) but it's confusing. And when things like the AVG not printing a report happen, we are left wondering if we did it right. I call Major Geeks up on the MacBook Pro and read the directions off while we "operate" on the PC. Have you seen these 3 items in browsers before?
I cannot express how much we appreciate your help.
Jennie

 

TimW,

Here's what we've done per your most recent post:

We did not run C:|MGtools\analyse.exe because my understanding of your instructions said not to do it if myway.com is my home page for IE. (So to clarify, myway.com is my home page for IE.)

We downloaded Avenger and ran it per your instructions. I'm not too familiar with the terminology, but after it ran, it looked like Notepad came up with a message saying it couldn't find Avenger text. So, we found the avenger.txt file, but it was empty. I tried repeatedly to attach it to this post (as you asked), but it won't. We had to manually delete C:\WINDOWS\system32\save$$updater and C:\WINDOWS\system32\(NULL).

We ran CCleaner on all user accounts including the administrators account in safe mode per the protocol we followed yesterday.

We ran the MGtools\GetLogs.bat file and we were successful in attaching it.

Lastly, just before sending this post, I surfed a few minutes and the 88.80.7.66 entry in my IE7 History came back. (88.80.7.66 is one of the three I mention in a post to you this morning). No sign of the other two (a.doginhispen and b.skitodayplease) so far, but sometimes they show up a little afterwards.

Thanks. Please hang in there with us. We need you!

 

TimW,

Just a quick update...
I had to be out most of the evening. After I got back home a short time ago, I decided to log onto my computer and once again IE7 suddenly shutdown again (see our first post). I was able to immediately log back on.

I hope I'm not being too wordy. Just trying to give you as much info as I can.

 

TimW,
We followed your latest instructions precisely. Attached are the two logs you requested. Please note the following two issues:

This evening we noticed these entries in IE7 browser history: 88.80.7.66 and b.skitodayplease We'll clear them out of browser history (again) tonight.

When running FindAWF.exe, ESET Nod32 displayed this window message:
! Object: C:\Documents & Settings\David\Desktop\Process.exe
Threat: Win32/PRCView application
Information: Cleaned by deleting - quarantined

Can you answer two questions?
1) Thus far, I've left all the downloads installed. Is this ok?
2) I have taken no action on the above Eset quarantine message. How should I proceed with it?

Much thanks for your continued help.

 

TimW,

Below is the pasted log from FindAWF. Attached is the new MGlogs.zip.
Per your instructions, we deactivated Eset during this process. It is now reactivated.

Thanks again.



Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 02/06/2008
The current time is: 21:58:32.71


bak folders found
~~~~~~~~~~~


Directory of C:\IBMTOOLS\UTILS\BAK

12/16/2004 05:41 AM 90,112 ibmprc.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/06/2005 06:03 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 07:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

08/06/2004 10:27 AM 860,160 smax4.exe
07/27/2004 03:48 PM 1,388,544 SMax4PNP.exe
2 File(s) 2,248,704 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

03/29/2005 11:05 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/19/2006 01:41 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\LENOVO\SCHEDU~1\BAK

11/19/2007 02:23 PM 487,424 scheduler_proxy.exe
1 File(s) 487,424 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 Dec 16 2004 "C:\IBMTOOLS\utils\ibmprc.exe"
90112 Dec 16 2004 "C:\IBMTOOLS\utils\bak\ibmprc.exe"
14348 Jan 28 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
14348 Jan 28 2008 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
860160 Aug 6 2004 "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe"
860160 Aug 6 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\smax4.exe"
860160 Aug 6 2004 "C:\IBMTOOLS\DRIVERS\AUDIO\SOUNDMAX\SM_PANEL\SYS\SMAX4.EXE"
1388544 Jul 27 2004 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Jul 27 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
1388544 Jul 27 2004 "C:\IBMTOOLS\DRIVERS\AUDIO\SOUNDMAX\SM_PNP\SYS\SMAX4PNP.EXE"
14348 Jan 28 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Mar 29 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
14348 Jan 28 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
14348 Jan 28 2008 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
14348 Jan 28 2008 "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"
487424 Nov 19 2007 "C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe"


end of report

 

TimW,
This supplements the response we sent last night.
This morning I logged onto the web and all three entries (88.80.7.66, a.doginhispen.com, and b.skitodayplease.com) reappeared in the IE7 browser history. As an fyi, the entries oftentimes appear sooner when I access the web using Quick Launch (I dragged my favorite web sites there). In addition, I noticed this entry: My Computer. When I expanded it, the following appeared: STSE.tmp and STSF.tmp Not sure what they are.
We've tried not to ask many questions thus far because we don't want to impose on your time. But, to be honest, I'm starting to feel pretty anxious. Right now, a couple of big worries are: (1) Do these history entries mean that someone's watching what we're doing on our computer? Can they take information out of our computer files and/or track where we go and the passwords we use? Are there pre-emptive steps we should take while we work with you to remove this malware? (2) Is there a way of finding out if the Word, Excel, and music files on our pc's hard drive and on the external drive used for backup are infected? (Unfortunately, we backed up our system several days ago onto the external drive not realizing at the time that our pc was infected).
Thanks for your time.

 

TimW,

Followed your instructions; attached are the MGlogs.zip file and Avenger log. We also immunized Spybot. Not absolutely sure deldomains installed since we saw no icon or message saying installation was successful.

When booting the computer to start this work, I got two error messages that I had never seen before (up till now, the boots have been without incident). Here are the messages:

(Message 1 is typed below exactly as it appeared on my desktop. I think I located and attached the error file that it references.)

AVG Anti Spyware 7.5 Exception
! Something bad happened in the application. Error diagnostics file saved to 'C:/Program Files/Grisoft/AVG Anti-Spyware 7.5\avgas.err'


(Message 2 that I have typed below as best I recall)

HPProduct Assistant
The feature you are trying to use is on a cd-rom or other removable disk that is not available. Insert the 'HPProduct Assistant' disk & click ok.

Continued thanks.

 

TimW,

I'm sending this second post late tonight to let you know that EsetNod32 is showing 6 items that it quarantined this evening as we were following your instructions. I'm not sure how to send them to you. They involve program files for the following:
Adobe Acrobat
ATI Technologies
Lenovo Scheduler
HP Software Update
Windows Media Player
iTunes helper

The "threat" associated with each one says "Win32/KillAV.OE trojan" (minus the quotes). The action says "Cleaned by deleting - quarantined". Lastly, an information column says, "Event occurred during an attempt to access the file by the application: C:\Program Files\Grisoft\AVG Antispyware 7.5\guard.exe"

Didn't know if this was relevant. Trying to help as best I can and very much appreciate yours.

 

Hi TimW,

Ok...here's where we're at now:
We followed your instructions. First we uninstalled AVG and reinstalled it. We also ran it and it caught Tribalfusion again and we deleted. As was the case several days ago, we clicked on the Report tab...but nothing was available to send to you.
Then we uninstalled a number of the HP programs...we didn't know which one was specifically the one containing Product Assistant because it was not clearly identified. Bottom line is all but one of their programs is gone now, but the printer still works and when we are booting we're not seeing that error message...so for the moment I hoping that's resolved. (If need be, we can always uninstall the remaining HP program and then load everything through the HP installation CD.)

The findAWF file is attached that you requested.

We ran the ATF Cleaner (it's saved to our desktop...along with all the others). Lastly, we followed your instructions in copying the fixME.reg text to the registry.

While we were running AVG, ESET showed a customary update popup message and a few moments later all heck broke loose. One ESET quarantine message after another appeared and this went on throughout the AVG scan as well as when we were following your FindAWF instructions. 21 ESET quarantines appeared this evening. Thinking you may want to see them, we copied the log in Notepad and attached it to this post.

Please tell us what we are supposed to do about these ESET quarantined files. I haven't deleted any of them yet.

Thanks again. We look forward to hearing from you.

 

TimW
This is in addition to the post we sent last night.
We were on the web today testing things out; surfed for about an hour. The messages a.doginhispen.com, b.skitodayplease.com and 80.88.7.66 did not appear in the IE7 browser history and there were no intermittent shut downs.
On the downside, power management does not seem to be working (standby, hibernate, monitor) and the Scheduler in Lenovo's ThinkVantage update program was not accessible. So we uninstalled the program and reinstalled it from the web. Scheduler seems to be working now but not sure what it means regarding which programs have been affected that we haven't discovered yet.
Thanks as usual for your help. Keep us posted.

 

TimW,

Thanks once again for your continued support.

We followed your most recent instructions, including purging and resetting the system restore point.

We're still a bit confused about a few remaining issues. Would you mind offering your guidance?

1) In your previous posts, you told us to install Spybot, AVG Antispyware, Super Antispyware, and FindAWF. We have not deleted these as of yet. Am I correct in assuming it's a good idea for us to keep one or two of the the antispyware programs installed (maybe Spybot and AVG) and to delete FindAWF?

2) Since this is the first time we've ever experienced a computer infection, we're not sure what to do with the quarantined files that ESET Nod32 has listed. (I attached those as a text file in my previous post to you.) Is it okay now for us to delete them from the quarantine list?

3) Regarding the power management issue, yes...I can access Power Options from the Control Panel. The problem is that even though the settings may indicate that the monitor should turn off after X minutes and the system go into standby or hibernate Y minutes after that, nothing happens. In addition, we've noticed that the Autoplay feature no longer works. What I mean is that we used to be able to insert a cd or plug an external drive into a USB port and a pop-up Autoplay box would appear asking us what action to take. That pop-up box no longer shows up. A work-around is for us to use Start > My Computer. But, do you think these problems are a consequence of the malware and that other functions may have been affected as well?

We know we've said it before, but we are grateful for you assistance.