Infected by whataboutadog

Hi- I have been infected by the whataboutadog virus. I also believe I had a spydefender virus, but I think that's gone. I followed your 15 steps and I have attached my 3 log files (HJT, Combofix and AVG Antispyware logs). The Panda Antirootkit found nothing. Can you please help me figure out if I still have viruses? Thank you!!! :D
 
Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\Program Files\SpyDefender Pro\SpyDefender.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript.gif]


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

----------

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please attach the Find AWF report in your reply.

----------

Next post please attach:
Combofix log
FindAWF log
 
Super fast response. Thanks! I followed your instructions, but I kept getting "Access Denied", etc. (maybe because I have Spybot Search & Destroy, and AVG Anti-Spyware, and AVG Anti-Virus running?)... anyway I rebooted into Safe Mode and ran the Combofix with the CFScript you told me to create and it worked fine. Then I also ran FindAWF while in safe mode. I hope that's ok! I've attached the two logs.
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\WINDOWS\bak\UpdReg.EXE
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\NeroCheck.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe
C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\bak\pc-cillin.ini
C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe
C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE
C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe
C:\Program Files\HP\digital imaging\Unload\bak\hpqcmon.exe

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\BAK
C:\WINDOWS\EHOME\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
C:\PROGRA~1\CREATIVE\VOICEC~1\BAK
C:\PROGRA~1\DELL\MEDIAE~1\BAK
C:\PROGRA~1\TRENDM~1\INTERN~1\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK
C:\PROGRA~1\CREATIVE\SBAUDIGY\SURROU~1\BAK
C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK
C:\PROGRA~1\TRENDM~1\INTERN~1\TMAS_OE\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
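The three FindAWF steps above (scan for bak folders, restore the originals over the replaced files, remove the bak folders) follow one pattern: a file in a folder named `bak` sits next to a same-named file in the parent folder. As an added example that is not part of this thread or of FindAWF itself, the Python below scans a directory tree for that layout, flags pairs whose two copies differ by hash, and restores and cleans them up. It runs against a constructed sample tree; `NeroCheck.exe` is taken from the file list above, while `Vendor\tool.exe` is a hypothetical name standing in for a harmless backup.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_bak_pairs(root):
    """Pair each file in a folder named 'bak' with the same-named file in its
    parent (the layout FindAWF option 1 reports). Returns (parent, bak) paths."""
    pairs = []
    for dirpath, _, filenames in os.walk(root):
        bak = Path(dirpath)
        if bak.name.lower() != "bak":
            continue
        for name in filenames:
            if (bak.parent / name).is_file():
                pairs.append((bak.parent / name, bak / name))
    return pairs

def suspicious_pairs(root):
    # Identical hashes mean a plain backup; differing content points at a swap.
    return [(p, b) for p, b in find_bak_pairs(root) if digest(p) != digest(b)]

def restore_from_bak(pairs):
    """Mirror FindAWF options 2 and 3: restore bak originals, then remove bak dirs."""
    restored, bak_dirs = [], set()
    for parent_copy, bak_copy in pairs:
        parent_copy.unlink()
        shutil.copy2(bak_copy, parent_copy)
        restored.append(parent_copy)
        bak_dirs.add(bak_copy.parent)
    for d in bak_dirs:
        shutil.rmtree(d)
    return restored

def build_sample_tree():
    """Constructed sample (not a real system): one differing pair, one identical pair."""
    root = Path(tempfile.mkdtemp())
    sysdir = root / "WINDOWS" / "system32"
    appdir = root / "Program Files" / "Vendor"
    for d in (sysdir / "bak", appdir / "bak"):
        d.mkdir(parents=True)
    (sysdir / "bak" / "NeroCheck.exe").write_bytes(b"ORIGINAL-NEROCHECK")
    (sysdir / "NeroCheck.exe").write_bytes(b"REPLACEMENT")
    (appdir / "bak" / "tool.exe").write_bytes(b"SAME")
    (appdir / "tool.exe").write_bytes(b"SAME")
    return root
```

Only the differing pair is restored; the identical `tool.exe` pair is left alone, which is the check a reader would want before trusting a blanket restore list.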
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

----------

Download DelDomains.inf
IE users Right-click on the link and select Save As.
Firefox users Right-click on the link and choose Save link as...

Save it to the desktop.

From the desktop Right-click on DelDomains.inf

Select Install making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

----------

Then post a new HijackThis log please.
 
You are running two antivirus programs. You need to pick one and uninstall the other. This can cause problems.

Other than that the log looks fine.
 
So from what I can see I am running AVG Anti-Spyware, Spybot Search & Destroy, and AVG Anti-Virus. Pardon the ignorance, but are you saying to keep both of the AVG programs and uninstall S&D?
 