Need help w/ *.whataboutadog.com and *.doginhispen.com


victorydoc

Hello All,

First off, thanks in advance for your help, and by having resources available to try and fix the problem(s) myself.

I noted that programs had stopped working and icons were disappearing from the lower right hand corner. I ran HJT and noted the aforementioned sites in the 015 spot, that were not present from a log in 5/07.

I ran updated versions of Spybot 1.5 and Ad-Aware 2007 and cleaned up as per program. I have also updated my SpywareBlaster.

I have Symantec Client Security Anti-virus through work, and it has found nothing. I ran AVG in safe mode and it found nothing.

I have attached 2 HJT and AWF logs - the reason for this is that my laptop requires two "Users" (one only for work, and the other is for home/personal use), and HJT gives different logs. The "xxx-2" are from the home/personal login.

I followed the posted instructions on how to do this myself, but I must have done something wrong, because:

1.) I did it twice, and after step 3, I was not getting a "clean" log from AWF.

2.) When I tried this on my "personal/home" login, I got this black screen of death where it ran on with one specific line, "Killing PID 1016 'tfsctrl.exe.'", forcing me to end the program.

If I can get any help in getting my computer back to semi-normal, as well as getting rid of this Trojan, I would greatly appreciate it.
 
Hello and welcome to Techspot.

I can only deal with one set of log files at a time, so I have deleted the logs from your personal login and we'll concentrate on the other one for now. I take it that account does have admin privileges?

If so, we can start with that.

First though, it's very very important you read this thread HERE and tell me what you want to do.

Regards Howard :wave: :wave:

This thread is for the use of victorydoc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for your reply.

I followed the link and ran through Steps 1-15 on both login names. On the personal user, I think I got rid of them, but now my desktop is a little different (i.e., standard wallpaper instead of the picture I had) and when I log in, there's a little Windows box that pops up during the start-up that tells me to wait a minute, that wasn't there before.

As for the work login, it looks cleaned, but randomly, the clock in the lower right hand corner is in military time. I couldn't log in with my work login into safe mode, so steps 13-14 didn't get done.

I've attached the HJT, ComboFix, and AVG logs.
 
Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\NetWaiting\bak\netWaiting.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Dell\QuickSet\bak\Quickset.exe"
"C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Dell\Dell Laser MFP 1815\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\Dell\Dell Laser MFP 1815\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Dell\Dell Laser MFP 1815\PSU\bak\Scan2Pc.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
"C:\Program Files\LANDesk\LDClient\WebPortal\bak\sdclientmonitor.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

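As an added example (not the FindAWF tool, and not code posted in this thread), here is a small Python script that performs the check behind these steps: it looks for the "bak" layout under a list of program folders, reports whether the live executable differs from the parked original, and moves the originals back, the equivalent of option #2. The folder and file names in `build_sample_tree` are constructed for the demo; on a real machine you would pass the program directories from the FindAWF report instead.

```python
# Added example, not the FindAWF tool or anything posted in the thread. The AWF
# pattern here parks the real program in a "bak" subfolder and leaves a same-named
# replacement live; this scans folders for that layout, compares the two copies
# byte for byte, and can move the originals back (what FindAWF "option #2" does).
import shutil
import tempfile
from pathlib import Path

def scan_bak_folders(app_dirs):
    """Return (live, bak_original, status) for each file in <dir>/bak. Status is
    'replaced' (live copy differs), 'missing' (nothing live) or 'identical'."""
    findings = []
    for app_dir in map(Path, app_dirs):
        bak = app_dir / "bak"
        if not bak.is_dir():
            continue  # no parked originals here, nothing to compare
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            live = app_dir / original.name
            if not live.exists():
                status = "missing"
            else:
                same = live.read_bytes() == original.read_bytes()
                status = "identical" if same else "replaced"
            findings.append((live, original, status))
    return findings

def restore_from_bak(findings):
    """Move each parked original back over its replacement (or into the empty slot)."""
    restored = []
    for live, original, status in findings:
        if status != "identical":
            shutil.move(str(original), str(live))
            restored.append(live)
    return restored

def build_sample_tree(root=None):
    """Constructed layout, not real files: a hijacked, a disabled and a clean program."""
    root = Path(root or tempfile.mkdtemp())
    cases = {"QuickTime/qttask.exe": (b"REPLACEMENT", b"ORIGINAL"),
             "Synaptics/SynTPEnh.exe": (None, b"ORIGINAL"),
             "Notepad/notepad.exe": (b"SAME", b"SAME")}
    for rel, (live, bak) in cases.items():
        path = root / rel
        (path.parent / "bak").mkdir(parents=True)
        if live is not None:
            path.write_bytes(live)
        (path.parent / "bak" / path.name).write_bytes(bak)
    return sorted(root / rel.split("/")[0] for rel in cases)
```

Run `scan_bak_folders(build_sample_tree())` to see one `identical`, one `replaced` and one `missing` finding, then pass the result to `restore_from_bak`. Emptied bak folders are left in place, so removing them remains a separate step.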
 
Opened up AWF, selected Option #2, pasted your post, closed the .txt file and said yes, and then a little bit of hell broke loose.

Just like the last time (in my first post), a C:/ window pops up, 3 lines run through, the last of which says, "Error cannot find a process with an image name of ..." those /bak files and then it runs on continually (until I stop it) stating, "Killing PID 1348 'tfswctrl.exe'"
 
That`s not good.

Try booting into safe mode under the admin account, not your normal user login and rerun the instructions. See if that helps.

Regards Howard :)

 
I rebooted with my personal login into safe mode. I cannot use my work login, as it won't let me. I checked under "Users" in the Control Panel, and my personal login is rated as administrator. I also noted another guest user, "cba_anonymous", which I deleted.

Anyhoo...

I ran FindAWF in Safe Mode, Option #2 like before. With the exception of the non-stop run, it did the same thing in the C:/ box, but then stopped and went back to the program, which then went looking for the /bak files. It generated a report, which I have attached.
 
Please double-click the FindAWF icon once again.
This time we are going to remove some folders.

Use the following option: Press 3 then Enter to remove bak folders.

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\DellSupport\bak
C:\Program Files\NetWaiting\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Dell\QuickSet\bak
C:\Program Files\McAfee\SpamKiller\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak
C:\Program Files\Dell\Dell Laser MFP 1815\PaperPort\bak
C:\Program Files\Dell\Dell Laser MFP 1815\PSU\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\LANDesk\LDClient\WebPortal\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.

Regards Howard :)

 
Ok, we're going to delete that manually. You may need to reinstall your Scansoft software, but I suggest you wait until we have fully cleaned your system.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

SSBkgdUpdate.exe

Close task manager.

Locate and delete the following bold files and/or folders (if there).

C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak

Reboot into normal mode and rehide your protected OS files.

Post a fresh awf.txt after running the FindAWF tool option 1. Also, please post a fresh HJT log.

Regards Howard :)

 
Amazing...the AWF scan looks clean. Here're the log results from that and HJT.

Shall I empty my Recycle Bin of those deleted files/folders?
 
Yes, that awf.txt is indeed clean.

Your HJT log is also clean.

Now, please post a fresh HJT and awf.txt, after running option 1 from the other account.

Regards Howard :)

 
This also looks good. The 015 trusted zone is ok, i.e., work related.

Just a question on one of the 04 entries on HJT. It says:

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

I thought we got rid of SSBkgdUpdate.exe, but it says that it's embedded?

Thanks again for all of your help!
 
Awf.txt is clean as you know.

HJT log is also clean.

The entry you pointed out is just the scansoft updater and is perfectly safe.

See explanation of Embedding.

Now, in order to make sure your computer is really clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

 
Wow, looks like I may be in the home stretch. So, I followed the instructions in the link provided:

Step 1: Disabled AVG Shield. Didn't install Tea-timer with Spybot (found it a pain with earlier versions) and Ad-Aware doesn't have it with the free version.

Step 2: I have Symantec Antivirus 9.0.4.1000 through work. My firewall is the Windows one, as well as the one through work (when I am at work) and at home, apparently my wireless router has one also.

Step 3: Ran the on-line scanner which found 2 things that were deleted.

Step 4&5: Have a permanent folder for HJT, renamed as specified.

Step 6: AVG shield was inactivated and updated (none available)

Step 7&8: Have Spybot 1.5 and Ad-Aware 2007, both of which were updated.

Step 9: Ran CCleaner, with all of the boxes marked, except for the Old Prefetch option. It cleaned up about 350 Mb! I re-ran the clean option several times also.

Step 10: Ran Tool 1 (SmitfraudFix), Tool 2 (VirtumundoBeGone), and Tool 3 (VundoFix), all of which were negative.

Step 11: Panda Antirootkit scan was negative.

Step 12: Ran Combofix. Log is attached as per Step 15

Step 13&14: Restarted into Safe Mode, and changed folder options as directed. Ran my Symantec Antivirus, Spybot, Ad-Aware, and AVG-Antispyware as directed. Symantec found nothing, Spybot found two usual WindowSecurityCenter.blah.blah.blah. Ad-Aware found 8 non-critical items. AVG found nothing.

Step 15: Ran HJT. I have attached HJT, Combofix, and AVG log files.
 
That all looks good.

Unless you're still having problems, you should be good to go.

If you're not having any problems, please do the following.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Howard,

Thanks a lot for your help. It all looks good. Just a few quick questions:

I noticed that after running through those steps, my background wallpaper and Start Menu have changed (perhaps with other subtle differences). Is this to be expected?

Just prior to all this happening, I bought a back-up device and saved my entire computer onto it. Should I just erase all of that and just start from scratch?

Which of the downloaded applications can I delete?

Thanks.
 
You can get rid of all the downloaded stuff if you want.

However, I recommend you keep Ccleaner/SS&D/Ad-Aware.

As for your backup. It might be a good idea to get rid of it, otherwise, you might just end up getting reinfected, if the backup itself is infected.

Are you able to change your background wallpaper ok?

What has changed in your start menu?

Regards Howard :)

 
Howard,

They're just little things I'm noticing.

In the Start Menu, there were three rows in the left hand column. The top two were applications, and the bottom row was just, "All Programs". That middle row is no longer there. That middle row was the "Recently Used Programs" sort of thing.

Plus, I've noticed that in Word, the EndNote Toolbar is free floating instead of at the top.
 
The start menu was probably cleaned by Ccleaner, so don't worry about that.

You could always reinstall Word if it bothers you.

Providing you're not having any serious problems, I think your system is clean.

Regards Howard :)

 
Howard,

I think all is clean with my computer. Thanks again for all of your help.

I am noticing that a lot of my "preferences" were reset, i.e., Word is in cm instead of inches, and stuff like that. Did that all come from the CCleaner with the Advanced section in Windows or from the MS Office Tab in the applications?

The reason I ask is, since you've recommended keeping and running CCleaner, I'd like not to have to keep re-formatting my applications.

Thanks again.
 
Yes, Ccleaner may well have caused that. You can always untick the options in Ccleaner if you like.

Regards Howard :)

 