Solved: whataboutadog

Status
Not open for further replies.

Valerie

I have downloaded FindAWF, selected option one and here are the results:

bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\YAHOO!\YAHOO!~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"

Next I selected option 2 and keyed this information into awf.txt:


"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"

Then I selected option 3 and keyed this information into folder.txt:

Program Files\QuickTime\bak\bak\qttask.exe
Program Files\QuickTime\bak\bak\qttask.exe

After the scan, I received the same information as from the scan with option one:

"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"

The first time I downloaded FindAWF, I had over 100 files and had followed all the steps and didn't have any problems. But these four program files kept coming up. The other files that initially appeared, however, did not have bak twice in the address line. Please help. I have not selected option four because of these duplicate files. Thanks
 
You've not used FindAWF correctly.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, please attach a HJT log as per these instructions.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whataboutadog

Thank you Howard for your quick response. I have followed the instructions as provided. Here are the results from the completed scan as requested:
 
I asked you to post a HJT log as per the instructions. Please do so.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment, as well as a HJT log.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whataboutadog

Alright, the DelO15Domains.inf has been saved to my desktop. Also, I installed the latest version of HJT. However, I have not been able to rename this file or find it anywhere on my system. After I completed the system scan and saved the logfile, I received a pop-up from Trend Micro HijackThis. The message states it's the results of the HijackThis scan. Be careful what you delete with the "Fix checked" button. Scan results do not determine whether an item is bad or not. The best thing to do is to 'AnalyseThis' and show the log file to knowledgeable folks. The bottom of the window has Scan & Fix Stuff and Other Stuff. I wasn't sure what to do.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Your HJT log shows your system is infected with other malware, but we'll deal with that once we've got rid of the Downloader.Agent.awf, which is your main infection.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
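The three FindAWF steps used in this thread (option 1 scan, option 2 restore, option 3 remove) are simple enough to re-create, which makes the awf.txt report easier to read. The Python below is an added example, not FindAWF's own source: it walks a tree for folders named bak, pairs each file in them with the same-named file in the folder that owns the bak tree (QuickTime\qttask.exe for QuickTime\bak\bak\qttask.exe), compares size and SHA-256, and offers restore and remove helpers. The directory layout and file contents are constructed to mirror the QuickTime report above; both copies are given the same size, as in that report, so only the hash tells them apart.

```python
"""Added example (not FindAWF's source): a small re-creation of the three
FindAWF steps used in this thread. Downloader.Agent.awf moves a legitimate
EXE into a 'bak' folder and drops its own copy under the original name;
FindAWF lists every 'bak' folder (option 1), restores a chosen file from it
(option 2) and deletes the folder (option 3). The directory layout below is
constructed to mirror the page's QuickTime report; contents are placeholders."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file in chunks; equal size alone does not prove equal content."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def outer_bak_dir(bak_dir):
    """For nested layouts like QuickTime\\bak\\bak, return the outermost 'bak'."""
    p = Path(bak_dir)
    while p.parent.name.lower() == "bak":
        p = p.parent
    return p


def scan_bak_folders(root):
    """Option 1. One record per file found in any folder named 'bak'. The
    'live' field is the same-named file in the folder that owns the bak
    tree (e.g. QuickTime\\qttask.exe for QuickTime\\bak\\bak\\qttask.exe)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        owner = outer_bak_dir(dirpath).parent
        for name in filenames:
            bak_file = Path(dirpath) / name
            live = owner / name
            rec = {"bak": str(bak_file), "bak_dir": str(outer_bak_dir(dirpath)),
                   "live": str(live) if live.is_file() else None,
                   "same_size": None, "same_hash": None}
            if live.is_file():
                rec["same_size"] = bak_file.stat().st_size == live.stat().st_size
                rec["same_hash"] = sha256(bak_file) == sha256(live)
            findings.append(rec)
    return sorted(findings, key=lambda r: r["bak"])


def restore_from_bak(bak_file):
    """Option 2. Copy the backed-up original over the file that replaced it."""
    bak_file = Path(bak_file)
    dest = outer_bak_dir(bak_file.parent).parent / bak_file.name
    shutil.copy2(bak_file, dest)
    return str(dest)


def remove_bak_folder(bak_dir):
    """Option 3. Delete a bak tree; refuse anything not actually named 'bak'."""
    bak_dir = Path(bak_dir)
    if bak_dir.name.lower() != "bak":
        raise ValueError(f"refusing to delete non-bak folder: {bak_dir}")
    shutil.rmtree(bak_dir)
    return not bak_dir.exists()


def build_sample_tree():
    """Constructed tree: same size in both copies (as in the page's report),
    but different bytes, so only the hash tells the two apart."""
    root = Path(tempfile.mkdtemp(prefix="findawf_"))
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak" / "bak").mkdir(parents=True)
    (qt / "qttask.exe").write_bytes(b"DROPPED-COPY-00" + b"\0" * 100)
    (qt / "bak" / "bak" / "qttask.exe").write_bytes(b"ORIGINAL-QTTASK" + b"\0" * 100)
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for record in scan_bak_folders(sample_root):
        print(record)
    cleanup(sample_root)
```

The point worth carrying over to the real tool: the "Duplicate files of bak directory contents" section in the report pairs files by name and size only, so a matching size is a hint, not proof that the file in Program Files is the clean original; the hash comparison here is what actually settles it before you restore or delete anything.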
 
whataboutadog

Thanks Howard,

I'm aware that there is other malware on my system. Whataboutadog seemed to be the most malicious so that's why I addressed it first. Once we've successfully removed whataboutadog I would definitely like assistance with the removal of the other malware. Alright, back to whataboutadog, here are the results after the option three scan.
 

Attachment: awf3.txt (1,009 bytes)

Make sure you follow all the instructions below exactly.

You're running HJT from the wrong location and have not renamed it as per the instructions. Please do so, instructions HERE.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.


Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

Viewpoint
Viewpoint manager
viewpoint toolbar

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Viewpoint Manager Service

Close the services window.



Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there).

qttask.exe
ViewpointService.exe
PowerReg Scheduler V3.exe
ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: Registration TMNT.LNK = E:\Support\Register\RegistrationReminder.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

O15 - Trusted Zone: *.doginhispen.com

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Viewpoint <- Delete the entire folder.
PowerReg Scheduler V3.exe <- Search your system for this file and delete all instances found.
C:\Program Files\QuickTime <- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Post a fresh HJT log as well.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whataboutadog

OK, I'm not sure where the disconnect or problem is, but when I installed HijackThis and ran the program I received a pop-up box with the title HijackThis. The message states: HijackThis appears to have been started from a temp folder. Since temp folders tend to be emptied regularly, it's wise to copy HijackThis.exe to a folder of its own, for instance C:\Program Files\HijackThis. This way, any backups that will be made of fixed items won't be lost. Please quit HijackThis and copy it to a separate folder first before fixing any item. So I clicked OK, believing this would be done, but it wasn't. I tried to locate HijackThis on my PC and was unable to locate it. That's why I couldn't rename it or change it from a temp folder to its own folder. How do I do this? Please help. I have not done the other steps yet. Just wanted to take care of this first.
 
Delete all copies of HijackThis.

Download it from the link within these instructions HERE.

Make a new folder in Programme Files and call it HJT. Download HijackThis.exe into that folder.

Rename HijackThis.exe to Crusty.exe.

Right click Crusty.exe and send to desktop.

Regards Howard :)
 
whataboutadog

I have deleted all copies of HijackThis. When I went to remove it, I received an error message that it may have already been uninstalled. When I downloaded it again and ran the program, the same pop-up box appeared. The only option was to click OK. Do I click OK and then make a new folder in Program Files? How do I make a new folder in Program Files and download HijackThis into that folder? I noticed when it installs, the folder it installs to is temp files and it is grayed out, so I am unable to change it there. After I hit OK another box appears, which I just close out.
 
Open Programme Files, click Edit/New/Folder, name the folder HJT, etc.

Download HijackThis to the folder you just made. Then open the folder, right click HijackThis.exe and rename, etc.

Regards Howard :)
 
whataboutadog

Hey Howard, hopefully I did it right this time. I have the shortcut to Crusty.exe on my desktop and did a system scan and saved a logfile. It only allowed me to save the hijackthis.log notepad in Program Files though. Let me know if it was a success. Thanks!
 
HJT is now in the correct location.

Now, go and follow the instructions I gave you in my post#8 and post the requested log files when done.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whataboutadog

Please disregard the prior post and attachment. Here is the hijackthis.log you requested.
 
You're not very good at following instructions, are you?

Go to post#8 in this thread and follow the instructions exactly.

Post a fresh HJT log as well as a fresh awf.txt as requested when done.

If you don't follow the instructions, I can't help you.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your awf.txt is now clean.

Your HJT log is also clean.

Download and reinstall QuickTime.

However, in the interests of making sure your system is really clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whataboutadog

Clarification on the Viruses/Spyware/Malware preliminary removal instructions. Most of the programs requested to be downloaded and installed I already have. My question is on step 9, download the CCleaner program. I followed the instructions; some of the boxes were ticked and I ticked the others that were not, except for the old prefetch data option, as instructed. When I started ticking the other options I received numerous pop-up boxes with different messages. I just clicked OK. Then I clicked the Run Cleaner button and another pop-up message appeared and said it was going to delete all files. I just wanted to make sure prior to selecting it that this was supposed to occur, or if I made some mistake on the download or installation. Please advise. Thanks!
 
That's absolutely normal and nothing to worry about. Just run the CCleaner programme as instructed.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file)

Click on the fix checked button.

Close HJT.

Other than the above entries, your HJT log is clean.

Delete the following.

C:\vundofix backups
C:\Qoobox

Once done, you should be good to go.

Turn off System Restore (XP/ME only). See how HERE.

Now, turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Valerie only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
thanks

Followed all the instructions as indicated in the previous post. Thanks so much for giving my PC a clean bill of health.

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.