TechSpot

Ugh! Need help with whataboutadog and doginhispen

By RJR
Dec 10, 2007
  1. I can't for the life of me get rid of whataboutadog and doginhispen. I went through the preliminary removal instructions and my attachments are below. Panda Antirootkit scan came up clean.

    I'm sorry to burden you with this but any help you could offer would be HUGELY appreciated. Thanks!!!
     
  2. evilfantasy

    evilfantasy Banned Posts: 428

    Welcome to Tech Spot.

    Go to add/remove programs and uninstall SpyDefender Pro
    ---------------

    Download DelDomains.inf
    IE users Right-click on the link and select Save As.
    Firefox users Right-click on the link and choose Save link as...

    Save it to the desktop.

    From the desktop Right-click on DelDomains.inf

    Select Install making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

    Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    ---------------

    Please download FindAWF:
    http://noahdfear.net/downloads/FindAWF.exe

    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, a text file, Find AWF report is produced.
    Please attach the Find AWF report in your reply.
     
  3. RJR

    RJR TS Rookie Topic Starter

    Thanks for helping me out, EF. No sign of SpyDefender Pro in the Add/Remove programs window. Other ways to get to it?

    The AWF report is attached.
     
  4. evilfantasy

    evilfantasy Banned Posts: 428

    We will work on SpyDefender after the FindAWF is complete. It may just be an empty registry key that I was seeing.

    ----------

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file opens called: files.txt
    Click below the line and paste the following list of files to be restored:

    Next, close and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply
     
  5. RJR

    RJR TS Rookie Topic Starter

    Okay, here's the latest FindAWF log.
     
  6. evilfantasy

    evilfantasy Banned Posts: 428

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  7. RJR

    RJR TS Rookie Topic Starter

    Thanks. FindAWF log attached...
     
  8. evilfantasy

    evilfantasy Banned Posts: 428

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  9. RJR

    RJR TS Rookie Topic Starter

    Interesting, the contents of the FindAWF log file didn't seem to change.
     
  10. evilfantasy

    evilfantasy Banned Posts: 428

    True, I think we need to back up a step.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file opens called: files.txt
    Click below the line and paste the following list of files to be restored:

    Next, close and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  11. RJR

    RJR TS Rookie Topic Starter

    Okay, here's the FindAWF log file.
     
  12. evilfantasy

    evilfantasy Banned Posts: 428

    Sorry it took a while to get back to you.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please attach the new FindAWF log in your reply.
     
  13. RJR

    RJR TS Rookie Topic Starter

    No apologies necessary, EF. I very much appreciate all the time you've spent helping me out already.

    I just ran FindAWF, but inadvertently closed the log file before I saved it. I did a search for the log, but it doesn't appear that it saved anywhere. Should I run option 2, followed by option 3 again? Or is just running option 3 again sufficient?

    I should note, I closely viewed the log before closing it and it looked exactly like the log two log-posts back, with the exception that it now only had the ibmmessages.exe piece remaining (i.e., Directory of C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK was no longer there).

    Also, on a separate but related note, a malicious software removal tool updated and ran on my PC yesterday and found and removed "backdoor:win32/zonebac.gen!b". I googled this, and it appears to be related to these viruses. Since then, no sign of them in my internet history file either. I'm taking it this is a step in the right direction, yes?

    Anyway, I'm sorry about the botched AWF log. Let me know how I should proceed. Thanks again...
     
  14. evilfantasy

    evilfantasy Banned Posts: 428

    No need to run the option 3 again.

    We will finish up with FindAWF now and then go to another scan to ensure everything is gone.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 4 then Enter to reset domain zones

    This removes all entries from the domain zones.
    When the program returns to the main menu, use the following option:
    Press E then Enter to EXIT

    -----------

    Download Superantispyware (SAS) SUPERAntispyware Free Edition

    Install it and double-click the icon on your desktop to run it.
    * It will ask if you want to Update the program definitions, click Yes.
    * Under Configuration and Preferences, click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    * On the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment along with a new HijackThis log in the next post.

    -----------

    Then run a fresh HijackThis scan and post that log after the SUPERAntispyware log.
     
  15. RJR

    RJR TS Rookie Topic Starter

    Done. SAS and HJT logs posted below.
     
  16. evilfantasy

    evilfantasy Banned Posts: 428

    Press ctrl+alt+Delete (all at once)

    Click the processes tab and look for SpyDefender.exe. Right click it and choose End Process.

    ----------

    Open HijackThis and select "Do a system scan only" then place a check mark next to

    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2


    Then click "Fix checked"

    ----------

    Enable viewing of hidden files.

    To enable the viewing of Hidden files follow these steps:

    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon.
    3. Select the Tools menu and click Folder Options.
    4. After the new window appears select the View tab.
    5. Put a checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button and shutdown My Computer.
    10. Now your computer is configured to show all hidden files.

    ----------

    Double click My Computer on the desktop.

    Navigate to and delete the following files/folders (in bold)

    C:\Program Files\SpyDefender Pro\SpyDefender.exe

    ----------

    Restart the computer and post a new HijackThis log.
     
  17. RJR

    RJR TS Rookie Topic Starter

    Thanks. I followed all of the steps, although SpyDefender wasn't in the Windows Task Manager or in My Computer (no folder, executable, etc.). Still, I proceeded through the other steps. The new log is attached.
     
  18. evilfantasy

    evilfantasy Banned Posts: 428

    It didn't show up in this log either.

    Have HijackThis fix one more entry and I think you are good to go.

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime


    To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
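
The O4 autorun entries fixed in this thread launched from a `bak` subfolder, the same folders FindAWF's restore option copies original files out of. As an added example (not part of the original posts, and not code from HijackThis or FindAWF), this Python script parses O4 lines from a HijackThis log and flags any whose executable sits in a `bak` folder; the function names are assumptions and the `ExampleApp` line is constructed.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O4 (autorun) line: O4 - HKCU\..\Run: [name] command line
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)

def exe_path(cmd):
    """Return the executable path from a quoted or unquoted command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token.
    m = re.match(r'(.+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def bak_autoruns(log_text):
    """Flag O4 entries whose executable sits directly in a 'bak' folder."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = PureWindowsPath(exe_path(m.group("cmd")))
        if path.parent.name.lower() == "bak":
            hits.append({
                "name": m.group("name"),
                "hive": m.group("hive"),
                "path": str(path),
                # Parent folder: where the thread says originals are copied to.
                "parent_copy": str(path.parent.parent / path.name),
            })
    return hits

# The three O4 lines quoted in this thread plus one constructed benign entry.
SAMPLE_LOG = r'''
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\bak\ibmmessages.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
'''

if __name__ == "__main__":
    for hit in bak_autoruns(SAMPLE_LOG):
        print(f'{hit["hive"]} [{hit["name"]}] {hit["path"]}')
```

A flagged entry means the autorun still points into a `bak` folder after the restore step, so the Run value needs fixing even when the file in the parent folder is already the original.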
     
  19. RJR

    RJR TS Rookie Topic Starter

    Done. Thank you so much, again, EF!!! You've been a MONUMENTAL help and I truly do appreciate it.

    All the Best,
    RJR
     
  20. evilfantasy

    evilfantasy Banned Posts: 428

    No problem.


    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u

    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    Safe surfing...........
     
Topic Status:
Not open for further replies.
