Ugh! Need help with whataboutadog and doginhispen

Status
Not open for further replies.

RJR

I can't for the life of me get rid of whataboutadog and doginhispen. I went through the preliminary removal instructions and my attachments are below. Panda Antirootkit scan came up clean.

I'm sorry to burden you with this but any help you could offer would be HUGELY appreciated. Thanks!!!
 
Welcome to Tech Spot.

Go to Add/Remove Programs and uninstall SpyDefender Pro.
SpyDefender Pro is a misleading application that provides exaggerated results about spyware found on your computer.

---------------

Download DelDomains.inf
IE users Right-click on the link and select Save As.
Firefox users Right-click on the link and choose Save link as...

Save it to the desktop.

From the desktop Right-click on DelDomains.inf

Select Install making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

---------------

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please attach the Find AWF report in your reply.
 
Thanks for helping me out, EF. No sign of SpyDefender Pro in the Add/Remove programs window. Other ways to get to it?

The AWF report is attached.
 
We will work on SpyDefender after the FindAWF is complete. It may just be an empty registry key that I was seeing.

----------

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\WINDOWS\bak\MXOALDR.EXE
C:\IBMTOOLS\Updater\bak\ucstartup.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe
C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\bak\deskup.exe
C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe
C:\Program Files\Real\RealPlayer\bak\realplay.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\Program Files\ThinkPad\Utilities\bak\EzEjMnAp.Exe
C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\WINDOWS\system32\dla\bak\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Maxtor\OneTouch\Utils\bak\Onetouch.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply
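
The bak-folder pattern the FindAWF steps above describe (a replacement file in the parent folder, the original moved into a bak subfolder) can be audited read-only before anything is restored or deleted. This is an added example, not part of the original posts and not FindAWF's own code; the function names, status labels and sample tree are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large executables are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_bak_folders(root):
    """Return (bak_file, status) for every file inside a folder named 'bak'."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            bak_copy = os.path.join(dirpath, name)
            sibling = os.path.join(parent, name)
            if not os.path.isfile(sibling):
                status = "parent-missing"   # only the bak copy exists
            elif sha256_of(sibling) != sha256_of(bak_copy):
                status = "parent-differs"   # same name, different contents
            else:
                status = "identical"
            findings.append((bak_copy, status))
    return sorted(findings)

def build_constructed_tree(root):
    """Constructed sample layout (not taken from the thread's logs)."""
    layout = {
        "AppA/tool.exe": b"replacement", "AppA/bak/tool.exe": b"original",
        "AppB/bak/helper.exe": b"original",
        "AppC/agent.exe": b"same", "AppC/bak/agent.exe": b"same",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_constructed_tree(demo_root)
        for bak_file, status in audit_bak_folders(demo_root):
            print(status, bak_file)
```

A `parent-differs` result is a lead to verify against a known-good copy of the file, since a legitimate update can also leave a differing file beside an old backup.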
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\BAK
C:\IBMTOOLS\UPDATER\BAK
C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
C:\PROGRA~1\IBM\MESSAG~1\BAK
C:\PROGRA~1\IOMEGA\AUTODISK\BAK
C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
C:\PROGRA~1\REAL\REALPL~1\BAK
C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
C:\PROGRA~1\THINKPAD\UTILIT~1\BAK
C:\WINDOWS\SYSTEM32\DLA\BAK
C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK
C:\PROGRA~1\MAXTOR\ONETOUCH\UTILS\BAK
C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\PROGRA~1\IBM\MESSAG~1\BAK
C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
True, I think we need to back up a step.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
Sorry it took a while to get back to you.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\PROGRA~1\IBM\MESSAG~1\BAK
C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please attach the new FindAWF log in your reply.
 
No apologies necessary, EF. I very much appreciate all the time you've spent helping me out already.

I just ran FindAWF, but inadvertently closed the log file before I saved it. I did a search for the log, but it doesn't appear that it saved anywhere. Should I run option 2, followed by option 3 again? Or is just running option 3 again sufficient?

I should note, I closely viewed the log before closing it and it looked exactly like the log two log-posts back, with the exception that it now only had the ibmmessages.exe piece remaining (i.e., Directory of C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK was no longer there).

Also, on a separate but related note, a malicious software removal tool updated and ran on my PC yesterday and found and removed "backdoor:win32/zonebac.gen!b". I googled this, and it appears to be related to these viruses. Since then, no sign of them in my internet history file either. I'm taking it this is a step in the right direction, yes?

Anyway, I'm sorry about the botched AWF log. Let me know how I should proceed. Thanks again...
 
No need to run the option 3 again.

We will finish up with FindAWF now and then go to another scan to ensure everything is gone.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

-----------

Download Superantispyware (SAS) SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment along with a new HijackThis log in the next post.

-----------

Then run a fresh HijackThis scan and post that log after the SUPERAntispyware log.
 
Press Ctrl+Alt+Delete (all at once)

Click the processes tab and look for SpyDefender.exe. Right click it and choose End Process.

----------

Open HijackThis and select "Do a system scan only" then place a check mark next to

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2


Then click "Fix checked"

----------

Enable viewing of hidden files.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

----------

Double click My Computer on the desktop.

Navigate to and delete the following files/folders (in bold)

C:\Program Files\SpyDefender Pro\SpyDefender.exe

----------

Restart the computer and post a new HijackThis log.
 
Thanks. I followed all of the steps, although SpyDefender wasn't in the Windows Task Manager or in My Computer (no folder, executable, etc.). Still, I proceeded through the other steps. The new log is attached.
 
Done. Thank you so much, again, EF!!! You've been a MONUMENTAL help and I truly do appreciate it.

All the Best,
RJR
 
No problem.


Go to Start > Run and copy and paste the next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.





Safe surfing...........