Whataboutadog, doginhispen

Status
Not open for further replies.
SpyDefenderPro is a rogue spyware removal program and must be uninstalled.


It will likely not uninstall in Add/Remove Programs, so we will do it manually.

--------------------

Press ctrl+alt+delete (all at once)

Look for unins000.exe and SpyDefender.exe

Right Click them one by one and choose End Process

--------------------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

File::
C:\WINDOWS\system32\tmpAE629.FOT
C:\WINDOWS\system32\tmp63629.FOT
C:\WINDOWS\system32\tmp44729.FOT
C:\WINDOWS\system32\tmp2D529.FOT
C:\WINDOWS\system32\tmp09629.FOT
C:\WINDOWS\system32\tmp05529.FOT
C:\Program Files\SpyDefender Pro\SpyDefender.exe
C:\Documents and Settings\Owner\Desktop\SpyDefender Pro.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\SpyDefender Pro\SpyDefender Pro.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\SpyDefender Pro\SpyDefender Pro Help Manual.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\SpyDefender Pro\Uninstall SpyDefender Pro.lnk
C:\Program Files\SpyDefender Pro\SpyDefender.db
C:\Program Files\SpyDefender Pro\SpyDefender.db2
C:\Program Files\SpyDefender Pro\SpyDefender.pdf
C:\Program Files\SpyDefender Pro\unins000.dat

Folder::
C:\Program Files\SpyDefender Pro
C:\Documents and Settings\Owner\Start Menu\Programs\SpyDefender Pro

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDefender Pro_is1]

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

CFScript.gif


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

--------------------

Next post please attach
combofix.txt log
New HijackThis log
 
Good!

This bugger is still here:

O15 - Trusted Zone: *.whataboutadog.com

Follow evilfantasy's instructions above.

Regards Jason :)
 
no, they weren't among the processes

I had previously tried to eliminate SpyDefender Pro, including ending the processes; apparently I didn't get all of it
 
Have you ever removed anything from the registry?

1. Click Start > Run.
2. Type regedit
3. Click OK.

Navigate to and delete the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDefender Pro_is1

That should get rid of it.


I am going to try to find a solution for the whataboutadog entry that will not go away.

Be back with you.
 
OK, again only these are a little deeper.

1. Click Start > Run.
2. Type regedit
3. Click OK.

Navigate to this key: (do not delete the whole key)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Underneath this key in the left-hand panel there may be subkeys for whataboutadog.com. If this key exists, delete it.

Then navigate again to this next key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Again, underneath this key in the left-hand panel there may be subkeys for whataboutadog.com. If this key exists, delete it.



Then please restart your computer, and then post a new HijackThis log.
 
I might have straightened things out, but I'll see what you think:

The past few run-throughs, the HijackThis logs were clean (no whataboutadog or doginhispen), but then after I restarted my computer, whataboutadog would be back in the trusted sites, and a new run of HijackThis would find it.

Also, on restart, my anti-virus (Symantec) was detecting "trojan.zonebac" every time. It cleaned it every time but it was always back. According to the anti-virus, it was originating in a Walgreens photo application. I removed that application now, and on the past few restarts, I've been clean.
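
As an added example (not part of the original thread and not HijackThis code), the Python below compares three HijackThis logs to find entries that were fixed and then came back after a restart, the pattern described in the post above. The three logs are constructed from entries quoted in this thread, and the function names are hypothetical.

```python
import re

# HijackThis entry shape: "<section> - <kind>: <detail>"
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+([^:]+):\s*(.*)$")


def parse_log(text):
    """Return the set of (section, kind, detail) tuples found in a log."""
    entries = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:  # headers and process listings do not match and are skipped
            entries.add((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return entries


def orphaned(entries):
    """Entries whose target is gone; HijackThis tags them '(file missing)'."""
    return {e for e in entries if e[2].endswith("(file missing)")}


def autoruns_under(entries, folder):
    """O4 (startup) entries whose command line points into the given folder."""
    return {e for e in entries if e[0] == "O4" and folder.lower() in e[2].lower()}


def respawned(before, after_fix, after_reboot):
    """Entries seen before cleanup, absent right after it, present again after reboot."""
    b, f, r = (parse_log(t) for t in (before, after_fix, after_reboot))
    return (b - f) & r


# Constructed logs, assembled from entries quoted in this thread.
COMMON = r"""Running processes:
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll (file missing)
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
"""
O15_LINE = "O15 - Trusted Zone: *.whataboutadog.com\n"
BEFORE = COMMON + O15_LINE
AFTER_FIX = COMMON                 # O15 entry removed, log looks clean
AFTER_REBOOT = COMMON + O15_LINE   # entry is back after the restart

if __name__ == "__main__":
    for section, kind, detail in sorted(respawned(BEFORE, AFTER_FIX, AFTER_REBOOT)):
        print("came back after reboot:", section, kind, detail)
    for e in sorted(orphaned(parse_log(AFTER_REBOOT))):
        print("orphaned entry:", e[0], e[1])
```

An entry that reappears only after a restart means something that runs at startup is rewriting it, so the source has to be found and removed as well as the entry itself.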
 
It could be System Restore respawning whataboutadog.com. I will continue to look for a solution.

Regards Jason :)

This thread is for the use of redorange ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
 
No whataboutadog.com in there. I think it's now safe to turn off system restore - but we'll wait to see what evilfantasy has to say.

Regards Jason :)
 
Have HijackThis fix these entries.

O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2


--------------------

Your Java is out of date
Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older versions of Java components and update.

Updating Java:
* Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
* Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
** The latest version is Java 6 Update 3. Remove all other entries.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each of the Java versions.
* Reboot your computer once all Java components are removed.

* Download the latest version of Java Runtime Environment (JRE) 6
* Click the Free Java Download button.
* Click the Download Now button.
* When the Software Installation dialog box opens, click on the Install Now button.
* Follow the prompts to complete installation.

--------------------

Go to Start > Run and copy and paste the next command into the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

---------------------

Delete FindAWF and any logs.

I would suggest running SUPERAntispyware Free Edition. It has a very large trojan detection and removal database.


Let us know if anything else comes up.
 
ok, I did all those things, and so far everything looks ok

the ComboFix uninstall then took care of the System Restore reset and I don't need to do it on my own?

thanks so much
 