TechSpot

Solved: The dog is definitely a lover of the USA...

By dawghunter
Oct 10, 2007
  1. 'cause he's here with me too. Norton AV found Trojan.Dropper and Trojan.Adclicker and says it deleted them. This was after a routine full system scan. The scan came immediately after strange and vulgar pop-up ads appeared (despite a firewall and pop-up blocker).

    Well, I have found most or all of the following in my trusted sites:

    *whataboutadog.com
    *doginhispen.com
    88.80.5.21

    Have done all Norton called for, including the turning off of the infamous system restore. The dog comes home. If I delete it from the trusted box, it comes back when I restart my computer.

    I downloaded FindAWF. The attachment of findings is included on this post.

    I downloaded HJT. The attachment of findings is included on this post.

    Thanks Howard and all you folks for your info and help,
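The three entries listed in this post (two domain names and one IP address) are what a `reg export` of Internet Explorer's ZoneMap keys shows for hosts placed in the Trusted sites zone. The following Python script is an added example, not part of the original thread and not one of the tools it uses: it parses such an export (a constructed sample is embedded; the key layout, the zone numbers and the ":Range" value name are as IE stores them, while the sample's contents are assumed), lists every host mapped to zone 2, and prints the `reg delete` commands that would remove those keys. Note the caveat this thread illustrates: when the entries come back after a reboot, something else on the machine is re-creating them, so deleting the zone entries on their own does not finish the job.

```python
import re
from dataclasses import dataclass

# IE URL security zone numbers as stored in the ZoneMap keys.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Subkeys of ...\Internet Settings\ZoneMap: Domains (host names, one key per domain with
# optional subdomain subkeys), Ranges (IP addresses/ranges, address kept in a ":Range" value)
# and EscDomains (same layout, used when IE Enhanced Security Configuration is on).
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Internet Settings\\ZoneMap\\(?P<kind>Domains|EscDomains|Ranges)\\(?P<rest>[^\]]+)\]$",
    re.IGNORECASE,
)
# "name"=dword:00000002   or   "name"="string"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9A-Fa-f]{8})|"(?P<str>[^"]*)")$')


@dataclass
class ZoneEntry:
    hive: str
    key: str      # full registry key, usable with `reg delete`
    host: str     # host name or IP address/range
    scheme: str   # "*" (any scheme), "http", "https", "ftp", ...
    zone: int


def _emit(current, entries):
    """Turn one parsed key into ZoneEntry records (one per scheme value it holds)."""
    if current is None:
        return
    if current["kind"] == "ranges":
        host = current["range"] or current["rest"]   # RangeN keys carry the address in ":Range"
    else:
        # Domains\example.com\www  ->  www.example.com
        host = ".".join(reversed(current["rest"].split("\\")))
    for scheme, zone in current["schemes"]:
        entries.append(ZoneEntry(current["hive"], current["key"], host, scheme, zone))


def parse_zonemap(reg_text):
    """Parse the text of a `reg export` (already decoded from UTF-16) into ZoneEntry records."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):              # a new key starts; flush the previous one
            _emit(current, entries)
            current = None
            m = KEY_RE.match(line)
            if m:
                current = {"hive": m["hive"], "key": line[1:-1], "kind": m["kind"].lower(),
                           "rest": m["rest"], "range": None, "schemes": []}
            continue
        v = VALUE_RE.match(line)
        if v is None or current is None:
            continue
        if v["dword"] is not None:
            current["schemes"].append((v["name"], int(v["dword"], 16)))
        elif v["name"] == ":Range":
            current["range"] = v["str"]
    _emit(current, entries)
    return entries


def trusted_sites(reg_text, zone=2):
    """Entries mapped to the given zone (2 = Trusted sites by default)."""
    return [e for e in parse_zonemap(reg_text) if e.zone == zone]


def reg_delete_commands(entries):
    """One `reg delete` per key (elevated prompt needed for HKLM keys); duplicates dropped."""
    keys, cmds = [], []
    for e in entries:
        if e.key not in keys:
            keys.append(e.key)
    for k in keys:
        short = k.replace("HKEY_CURRENT_USER", "HKCU").replace("HKEY_LOCAL_MACHINE", "HKLM")
        cmds.append('reg delete "%s" /f' % short)
    return cmds


# Constructed sample export: the three entries from the post above, plus an assumed
# legitimate trusted subdomain and one Restricted-zone entry so the zone filter has work to do.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doginhispen.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\downloads]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="88.80.5.21"
"*"=dword:00000002
"""

if __name__ == "__main__":
    for e in trusted_sites(SAMPLE_REG):
        print("%-25s %-6s %s" % (e.host, e.scheme, ZONE_NAMES[e.zone]))
    print("\n".join(reg_delete_commands(trusted_sites(SAMPLE_REG))))
```

To run this against a real machine, export both hives first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg` and the same under HKLM) and decode the UTF-16 file before passing its text in; the HKLM copy matters because a per-machine entry applies to every user.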
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're running an outdated version of HJT. See HERE.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Also, please attach a fresh HJT log.

    Regards Howard :wave: :wave:

    This thread is for the use of dawghunter only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
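FindAWF's scan (option 1) looks for the `bak` folders this family of infection leaves behind: a legitimate autostart program (QuickTime's qttask.exe later in this thread is one) is moved into a `bak` subfolder and a malicious file of the same name is put in its place, which is why the later steps restore files from those folders and then delete the folders. The following Python script is an added example, not the tool itself and not code from the thread; it reproduces that check on a directory tree (a constructed tree with assumed names and contents is built in a temporary directory), reports each file in a `bak` folder whose sibling one level up is missing or has a different SHA-256, and can copy the originals back and remove the folders. The comparison logic is my approximation of what the tool's scan reports, not its actual source.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BakFinding:
    bak_file: str        # the original, parked in <dir>\bak\
    live_file: str       # the same name one level up, i.e. the file that actually runs
    status: str          # "replaced", "missing" or "identical"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root):
    """Walk `root`; compare every file inside a folder named 'bak' with its sibling in the parent."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            bak_file = os.path.join(dirpath, name)
            live_file = os.path.join(parent, name)
            if not os.path.isfile(live_file):
                status = "missing"        # original parked, nothing in its place any more
            elif sha256_of(live_file) != sha256_of(bak_file):
                status = "replaced"       # the copy that runs differs from the parked original
            else:
                status = "identical"      # plain backup, nothing to do
            findings.append(BakFinding(bak_file, live_file, status))
    return findings


def restore_from_bak(findings, remove_bak_folders=False):
    """Copy parked originals back over replaced/missing files (what option 2 does), then
    optionally delete the bak folders (option 3). Returns the live paths that were restored."""
    restored = []
    for f in findings:
        if f.status in ("replaced", "missing"):
            shutil.copy2(f.bak_file, f.live_file)
            restored.append(f.live_file)
    if remove_bak_folders:
        for folder in {os.path.dirname(f.bak_file) for f in findings}:
            shutil.rmtree(folder, ignore_errors=True)
    return restored


def build_sample_tree():
    """Constructed tree (assumed names and contents, not the thread's machine): QuickTime with
    qttask.exe swapped out, a bak folder whose original was never replaced, and a plain backup."""
    root = tempfile.mkdtemp(prefix="awf_")
    layout = {
        "Program Files/QuickTime/qttask.exe": b"MZ...dropper payload (fake)",
        "Program Files/QuickTime/bak/qttask.exe": b"MZ...genuine QuickTime task (fake)",
        "Program Files/HP/hpcoretech/bak/hpcmpmgr.exe": b"MZ...genuine HP component (fake)",
        "Program Files/Vendor/tool.exe": b"MZ...same bytes",
        "Program Files/Vendor/bak/tool.exe": b"MZ...same bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_bak_folders(root):
        print("%-9s %s" % (f.status, f.live_file))
    print("restored:", restore_from_bak(scan_bak_folders(root), remove_bak_folders=True))
    shutil.rmtree(root)
```

A "replaced" result is the interesting one: the running file is not the vendor's, so hash it and submit it before restoring, and expect it to be re-created until whatever dropped it is also removed, which is why the thread alternates between FindAWF and HJT fixes.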
     
  3. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK, work completed...

    I have attached a new awf and hjt (using the new hjt tool...thanks for that note).

    They are labeled as before with the addition of 101107 at the end to indicate newest files.

    Where do I head now, and thanks Howard for your help.

    DawgHunter (but please call me Tom the lover of MGBs...)
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

     
  5. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    New AWF...

    OK Howard, done. Attached is newest AWF. Note the letter "B" which means this is the newest one.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There are still some bak files left to deal with.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Regards Howard :)

     
  7. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK, newest awf posted

    labeled with a "C" for newest scan.

    Man, Howard, are you in the UK? Must be about 6PM there...
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

     
  9. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    newest "D" awf

    OK Howard, here it is.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

    Viewpoint
    Viewpoint manager
    Viewpoint toolbar
    Power Scan
    AWS
    WeatherBug

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    ViewpointService.exe
    Weather.exe
    powerscan.exe
    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {4445ba54-fb65-47ab-8df7-52aafca46154} - C:\WINDOWS\system32\dpvcmp.dll (file missing)

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab

    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://di.imgag.com/imgag/cp/install/Crusher.cab

    Fix all O18 - Protocol: entries.

    O20 - Winlogon Notify: dpvcmp - dpvcmp.dll (file missing)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\Viewpoint (delete the entire folder)
    C:\Program Files\AWS (delete the entire folder)
    C:\Program Files\Power Scan (delete the entire folder)
    C:\Program Files\QuickTime\bak (delete the entire folder)
    C:\Program Files\HP\hpcoretech\data\EvntData-533031436.xml
    C:\Program Files\QuickTime\qttask.exe

    Reboot into normal mode and rehide your protected OS files.

    Download and install Quicktime again.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

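The HJT lines Howard lists above each come from a different persistence point: O2 is an IE Browser Helper Object, O4 a Run-key autostart, O9 an extra IE button, O16 an ActiveX control pulled into Downloaded Program Files, O18 a URL protocol handler, O20 a Winlogon Notify DLL that winlogon.exe loads at logon, and O23 a service. The following Python script is an added example (not HijackThis, and not code from the thread) that triages a log with a few of the rules a helper applies by hand: entries marked `(file missing)` are orphans and get fixed, an anonymous BHO is fixed, a Winlogon Notify DLL outside a small baseline of stock XP names is fixed, O16 downloads from hosts outside an allowlist are marked for review, and O4/O9/O23 entries naming a program on the uninstall list are fixed. The log is built from the lines quoted in the post plus two constructed benign entries (a Symantec Run entry and the stock crypt32chain Notify entry) so the rules have something to leave alone; the baseline set and the host allowlist are assumptions to adjust to a clean reference machine.

```python
import re
from dataclasses import dataclass

# What each HijackThis section code that appears in the log refers to.
HJT_SECTIONS = {
    "O2": "IE Browser Helper Object (DLL loaded into every iexplore.exe)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "extra IE toolbar button / Tools menu item",
    "O16": "ActiveX control in Downloaded Program Files (DPF)",
    "O18": "registered URL protocol handler or filter",
    "O20": "Winlogon Notify DLL (loaded by winlogon.exe at logon)",
    "O23": "Windows service",
}

# Assumed baselines: stock Windows XP Winlogon Notify names, and hosts from which an ActiveX
# download is not worth a second look. Adjust both to your own clean reference machine.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "adobe.com", "macromedia.com")

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    code: str
    line: str
    severity: str   # "fix" (tick it in HJT), "review" (decide by hand), "info" (leave alone)
    reason: str


def _host_trusted(host, trusted):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage_hjt(log_text, unwanted_names=(), trusted_dpf_hosts=TRUSTED_DPF_HOSTS):
    """Classify every O-line of a HijackThis log; other lines (headers, R0/R1 URLs) are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        lowered = line.lower()
        if "(file missing)" in lowered:
            sev, why = "fix", "orphaned entry: the file it points to is gone"
        elif code == "O2" and body.startswith("BHO: (no name)"):
            sev, why = "fix", "anonymous BHO"
        elif code == "O20":
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() in KNOWN_WINLOGON_NOTIFY:
                sev, why = "info", "stock Winlogon Notify entry"
            else:
                sev, why = "fix", "non-standard Winlogon Notify DLL: %s" % name
        elif code == "O16":
            host = URL_HOST_RE.search(body)
            if host and not _host_trusted(host.group(1), trusted_dpf_hosts):
                sev, why = "review", "ActiveX download from third-party host %s" % host.group(1)
            else:
                sev, why = "info", "ActiveX download from allowlisted host"
        elif code in ("O4", "O9", "O23") and any(n.lower() in lowered for n in unwanted_names):
            sev, why = "fix", "belongs to a program on the uninstall list"
        else:
            sev, why = "info", HJT_SECTIONS.get(code, "other entry")
        findings.append(Finding(code, line, sev, why))
    return findings


def lines_to_fix(findings):
    """The lines to tick before pressing 'Fix checked'."""
    return [f.line for f in findings if f.severity == "fix"]


# Program names from the uninstall list in the post above.
UNWANTED_NAMES = ("Viewpoint", "Power Scan", "WeatherBug", "AWS")

# Lines quoted from the post, plus two constructed benign entries (ccApp and crypt32chain).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4445ba54-fb65-47ab-8df7-52aafca46154} - C:\WINDOWS\system32\dpvcmp.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://di.imgag.com/imgag/cp/install/Crusher.cab
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: dpvcmp - dpvcmp.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG, UNWANTED_NAMES):
        print("%-6s %-4s %s" % (f.severity, f.code, f.reason))
```

The O20 rule is the one to be most careful with: a Winlogon Notify DLL runs inside winlogon.exe before any user shell exists, so a name you do not recognise is worth fixing even when the DLL is still present, and a `(file missing)` entry there (as in this log) is the residue of a component that has already been removed.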
     
  11. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK Howard, initiating the processes now...

    I'll be back! (not a threat...I ain't Arnold...).
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok mate, no problem.

    Regards Howard :)

     
  13. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK, files ready

    Did all you said. QuickTime is reloaded. Here are the latest awf and hjt files.

    awf has an "E" in it, and hjt has an "A" in it.

    Regards from the Colonies

    DawgHunter aka Tom the former MGB owner
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    There's only one bak entry left to deal with in your awf.txt.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Regards Howard :)

     
  15. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK forgot to say that when I restarted in normal mode the dog was still barking, so I got him out of the trusted zone. argh. Doing your suggested fix now...

    Attached "F" awf file ready to see....

    Might have to get out of here for a bit, but I'll be back, if not tonight then tomorrow. It's 7:19 PM here now, so I know it's late there. Get some sleep, dude. You are awesome!
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    C:\Program Files\HP\hpcoretech\bak


    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

     
  17. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    File G

    OK Howard, awf file "G" coming to you.

    It's 22:43 EDST here, and I need to get to sleep, so I need to sign off for now. I suppose you must be doing a red-eye tonight!

    I appreciate your help and I'll check back here later. Looking forward to resolving this thing.

    '68 MGB: Last of the leather seaters...


    Dawg aka Tom
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\HP\hpcoretech\data\EvntData-463817067.xml
    C:\Program Files\HP\hpcoretech\bak

    Reboot into normal mode and rehide your protected OS files.

    Go and read the Viruses/Spyware/Malware preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

     
  19. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK Howard, I'm back. Sorry for the delay. It's 17:57 EDST here. Initiating your fixes now...

    I'll be back!

    10/13/2007 23:59

    Hey Howard, I am at Step 9 (CCleaner); so far, so good with the other steps. TrendMicro found a trojan in C:\Windows\cpa.exe that was cleaned.

    I have cleaned 50 of 450+ infected files with CCleaner, but now it wants me to buy the full program to finish the job. Recommended?

    Thanks.


    DawgHunter aka Tom the Colonial
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What wants you to buy the full programme?

    Regards Howard :)
     
  21. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    When I went to Step 9 and downloaded CCleaner (which showed http://www.filehippo.com/download_ccleaner/ as the website), it loaded OK, then tested something like 400 of 450 "infections", then stopped and said that in order to have them all cleaned I'd need the full version for $29.95 US. I tried it again with the same results, only it showed then that it had already cleaned a previous 50.

    Also, I never saw an Old prefetch Data option as indicated in Step 9.

    I didn't want to proceed to Step 10 till we cleared up Step 9.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  23. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK will do.

    OK, Step 9 completed. That newer link to Ccleaner worked fine. Old Prefetch Data option unchecked.

    Working on Step 10 now, Tool 1.

    15:12 EDST

    Dawg aka Colonial
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok mate, I'll alter the link in the main sticky, so that no one else has that problem.

    Regards Howard :)

     
  25. dawghunter

    dawghunter TS Rookie Topic Starter Posts: 36

    OK, steps all done...

    20:59
    11/15/2007

    Howdy Howard. All 15 steps run, and the three reports are attached.

    1. HJT (just done)
    2. Combofix
    3. AVG Antispyware

    Panda Antirootkit says NO ROOTKITS FOUND.

    AVG Antispyware (Step 14) found 6 items, quarantined 2 (ADWARE.HOTBAR & TROJAN.ZAPCHAST) but refused to quarantine the cookies; it insisted on deleting them. Couldn't make it change, so it deleted them and quarantined the other 2.

    Other than that, things seem to go swimmingly.

    Dawg aka The Colonial Pest
     