TechSpot

Solved: b.whataboutadog.com infection

By plasma dragon00
Oct 14, 2007
  1. hi, im writing this from my parents pc, which has the b.whataboutadog.com infection. my mom and i were both reading about how to fix this, and no luck so far. we have run spybot s&d 15, adaware 2007, norton 2006, and ccleaner, all updated today. nothing so far, but we still get the item in the ie7 history.

    any help would be greatly appreciated

    thanks in advance,

    ~plasma

    i did a HJT scan and a findAWF scan, ill post the logfiles as an attachment

    edit: i clicked the manage attachments button, but i cant seem to attach them. should i upload them to fileshare.com and upload the files to there?

    edit2: nevermind, i still cant attach them from my parents pc, but i can from mine.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I don`t know why you can`t attach your log files. Please try again. See HERE for instructions.

    Edit: Ok I can see them now and will issue instructions into this post shortly.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.


    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Please post a fresh HJT log and make sure you don`t use the word wrap feature in notepad.



    Regards Howard :wave: :wave:

    This thread is for the use of plasma dragon00 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    scanned with both, did as you said. now i have a question. on the desktop, an application called "Process" appeared on the desktop. should i delete it or leave it for now?

    attaching logfiles...

    thanks

    ~plasma

    and odd, now the upload dialogue box opens on my parents pc.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Leave that for now and we`ll deal with it later. I need to get rid of this infection first, before we do anything else.

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

     
  5. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    well, the findAWF program isnt working now, let me re-download it, and then try it again

    when i try to run it, it gives me the "findAWF.exe has encountered an error and needs to close. we are sorry for the inconvenience." it has send error report, dont send, and debug.

    lets redownload it

    ~plasma

    edit: i believe that "Process" application is what's causing findAWF to not work, because the new downloaded one wont work on the desktop while that Process app is still there, but will run from the My Documents folder just fine
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s weird. In that case, delete the Process app.

    Regards Howard :)
     
  7. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    i tried to delete, but it gave me the error: "cannot delete Process: access is denied. Make sure that the disk is not full and write-protected and the file is not in use."

    anyway, here are the logfiles.

    ~plasma
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Just one more bak file to deal with.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Regards Howard :)

     
  9. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    done

    once again, thanks

    ~plasma

    heres the logfile
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    C:\WINDOWS\bak

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

     
  11. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    done.

    attaching.

    ~plasma
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s not clean.

    Now comes the real hard work I`m afraid.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

     
  13. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    working on it.

    step 1. complete - disabled TeaTimer

    step 2. complete - installed zone alarm firewall, keeping norton AV 2006

    step 3. canceled

    step 4. complete

    step 5. complete

    step 6. complete

    step 7. complete - installed this morning

    step 8. complete - also installed this morning

    step 9. complete - also installed this morning

    step 10. complete tool1, complete tool2 nothing found, complete tool3 nothing found
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, you can leave Norton alone mate.

    Personally, I think you`d be better off without Norton because it`s crap.

    If you decide to go ahead and get rid of Norton do the following.

    Download the Symantec/Norton removal tool.

    Download one antivirus and one firewall programme from the choices below.

    AVG free or Avast antivirus programmes.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Disconnect from the net and run the Symantec/Norton removal tool.

    Install whichever firewall you chose and reconnect to the net.

    Install whichever antivirus programme you chose and run the antivirus updates.


    Regards Howard :)

     
  15. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    im almost done, im just waiting for the House Call scan to finish, in about a half hour. also, i do have a few more questions, they can be found in my previous post, if you could please take a look at them.

    thanks so much for the help so far

    ~plasma
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Crusty.exe.exe is fine mate.

    Yes, have SmitFraudfix clean the registry.

    Regards Howard :)

     
  17. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    house call is done, with 98 infections under ADWARE_MEMWATCHER, 13 infections under TSPY_SMALL, and 10 infections under HTTP cookies. ill clean all detected files, and i just have to run the last 2 steps.

    edit: also, it says that for some entries, it has to delete them. i should allow it to do that?

    edit2: im deleting, and i hadnt realized that there were more steps than 11.

    thanks

    ~plasma

    house call is stuck on "Deleting active grayware and spyware", so im just going to stop it. im going to continue on with step 10.

    ~plasma
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes allow it to delete the files.

    In total there are 15 steps I believe lol.

    Regards Howard :)

     
  19. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    nothing under the panda anti rootkit program, its all clean
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s good. You don`t have to keep informing me of your progress. Just post the requested log files once you`re done. ;)

    Regards Howard :)

     
  21. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    well, i have 2 file logs so far, being the combofix log and the avg anti spyware log. the weird thing is though, avg detected 11 things in its scan, and yes, i set it to quarantine. then i clicked save logfile, it opened the logfile, but nothing was in it. so after that, i clicked quarantine on the avg program, but it gave me an error while it tried to quarantine.

    anyway, i have to go for now, if you're gone when i get back or i cant get on when i get back, ill talk to you when i get back from school tomorrow. im going to let a few scans run while im out, and hope it turns up something.

    thanks so much for your help,

    ~plasma

    edit: ill post the 2 logfiles i have, the avg and the combofix, but i doubt the avg will be of any help.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, no problem.

    You might want to take a look at this guide to using AVG Antispyware.

    Regards Howard :)

     
  23. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    well, i am on one last time, and from the HJT logfile, i cant find anything about whataboutadog in there, but im not sure if i understand the logfile correctly, so ill still post it. i re-ran avg anti spyware, and it fixed the problems, but only one of them could be quarantined, the others had to be deleted, as quarantine was not an option for them.

    anyway, here are the good avg and HJT logfiles.

    thanks so much for the help

    and the entry for the b.whataboutadog.com isnt in the IE7 history, and let's hope it stays that way.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, here`s what I recommend you do.

    Delete all files in AVG Antispyware quarantine.

    Download this Symantec/Norton removal tool.

    Download one of the antivirus programmes below.

    AVG free or Avast antivirus programmes.

    Run the Symantec/Norton removal tool and reboot your system the required number of times.

    Install whichever antivirus programme you chose and run the antivirus updates.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/GeneralMills/Coupon s.cab

    O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://playgames.comcast.net/online2/asianata/asianata.cab

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

    Click on the fix checked button.

    Close HJT.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and combofix log.

    Regards Howard :)

     
  25. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    here are the logfiles, including one before i fixed the entries in HJT and one after i fixed them, as well as the combofix, final HJT, and avenger logs.

    avenger seemed to have a problem though, after the pc rebooted and it started to run, avenger ran into a problem, saying it couldnt find or read a file, and gave me 3 options - continue, try again, or cancel. i picked continue, and it kept working then.

    anyway, here they are.
     
Topic Status:
Not open for further replies.
