TechSpot

waad problem (I think) - tried Howard's process

By Apollodorus
Oct 24, 2007
  1. A few days ago, our computer started behaving strangely - no sound of any sort and IE started hanging up for 2-3 minutes each time it opened or opened a new tab (although speed seemed OK once a window was open). We installed PC-cillin (in place of a possibly out-of-date Symantec) and got warnings about our computer trying to contact whataboutadog

    Today I finally had time to run through the removal process from this forum (topic 89825). I still had some bak files after step 4 and the symptoms still seem to be there.

    What's up with my system? Here are my latest awf and HJT files:

    View attachment 24206
    View attachment 24207

    And here are the awf files as I went through the removal process (the numbering on these corresponds to the numbering on the examples)

    View attachment 24208
    View attachment 24209
    View attachment 24210

    Would whataboutadog cause the symptoms I describe? Have I gotten rid of the trojan? What do I do now?

    Any help would be greatly appreciated.
     
  2. Rik

    Rik Banned Posts: 3,814

    You need to run through the awf process again then post your results.



    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Apollodorus

    Apollodorus TS Rookie Topic Starter

    Was there something I did wrong the first time?
    Am I understanding you correctly that I need to start over?

    The file named "awf4" and the HJT file are both from immediately after step 4 of the process. I then disabled the net access on that computer and am on my wife's laptop.
     
  4. Rik

    Rik Banned Posts: 3,814

    I don't think you did anything wrong, it's just that the virus occasionally spreads during the removal process.

    If you want, do a fresh scan with option 1 and post the result as an attachment and i will assist you.



    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Apollodorus

    Apollodorus TS Rookie Topic Starter

  6. Rik

    Rik Banned Posts: 3,814

    Whats happened is, there is no bak for any of the remaining files in your log.

    You will need those files deleted. It also means reinstalling any applications that use those files.

    You can either delete them manually or I can compile a script that will delete them, the choice is yours.
    Let me know your decision.



    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Apollodorus

    Apollodorus TS Rookie Topic Starter

    I guess compile a script (I assume that's easier than walking me through the deletion - either would be fine).

    Will that completely remove the waad dog stuff? And is that likely the problem causing the IE hang ups and the sound issue?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    We will remove those manually, after which you will probably need to reinstall the applications.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    googletoolbar4user.exe
    GoogleUpdaterService.exe
    GoogleToolbarNotifier.exe
    GoogleNotebookSetup.exe
    MMReminderService.exe

    Close task manager.

    Locate and delete the following bold files and/or folders(if there).

    C:\Program Files\Google\googletoolbar4user.exe

    C:\Program Files\Picasa2\GoogleUpdaterService.exe

    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    C:\Program Files\Google\Google Notebook\gnotesie-1.0.2.17\GoogleNotebookSetup.exe

    C:\Program Files\Google\Google Notebook\gnotesie-1.0.2.19\GoogleNotebookSetup.exe

    C:\Program Files\Google\Google Notebook\gnotesie-1.0.2.6\GoogleNotebookSetup.exe

    C:\Program Files\Google\GoogleToolbarNotifier\bak

    C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe

    C:\Program Files\Mindjet\MindManager 6\bak

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh awf.txt after running option1 of the FindAWF tool.

    Regards Howard :wave: :wave:

    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Apollodorus

    Apollodorus TS Rookie Topic Starter

    Thanks. That seemed to go well and the awf looks clean. Here are that awf and also a hijackthis log.

    View attachment 24229
    View attachment 24230

    FWIW, the sound problem I mentioned in my first post went away when I went through the AWF process the first time. The IE hang-up is still happening. FireFox does not exhibit the same problem.

    Thanks so much for your help (and to Rik as well, since I don't seem to have expressed that in my last few replies).

    And an update.

    I just reconnected the computer to the internet (I'm doing this correspondance on my wife's laptop). And PC-cillin is telling me that the computer is trying to open http://88.80.5.21/time.txt
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Deny the Time.txt for now.

    Your awf.txt is now clean as you already know.

    Now, in order to make sure your system is clean, please do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. Apollodorus

    Apollodorus TS Rookie Topic Starter

    The Housecall online scan is running now and it looks like it will run long enough for me to have to pick this back up tomorrow. I'll post the results when I have them.

    Thanks again.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s ok, no problem mate.

    Regards Howard :)

    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. Apollodorus

    Apollodorus TS Rookie Topic Starter

    OK. Here are the results:

    First, the Panda AntiRootkit scan:
    5059 items scanned
    0 rootkits detected

    Here are the logs from HJT, Combofix and AVG.

    View attachment 24281
    View attachment 24282
    View attachment 24286

    In step 13, PC-cillin wouldn't run a scan in safe mode, so I had to go back to normal mode for the scan.

    The various other tools found and removed a few things, but not many.

    I was getting the PC-cillin warning about trying to visit waad and time.txt during the early steps, but I haven't seen one in a while now.

    Thanks again for your help.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Go HERE, download and install the latest version of Java.

    Once the installation is complete, go to add remove programmes in your control panel and uninstall al versions of Java, except for version 6 update 3. Close control panel.

    Open notepad and copy/paste the text in the quote box below into it:
    NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:


    Save this as CFScript.txt


    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. Apollodorus

    Apollodorus TS Rookie Topic Starter

  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All clean mate.

    Unless you`re still having problems, please do the following.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Apollodorus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. Apollodorus

    Apollodorus TS Rookie Topic Starter

    Thanks so much. This is an incredible service y'all provide.

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else, will be ignored.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...