Whataboutadog reappears as trusted despite bak file removal & no obvious problems

[bobamherst]

Hello,

Like many others, I have picked up whataboutadog. My local computer repair shop, where I made sure they knew about findAWF and all the whataboutadog symptoms that had showed up, tried to remove it completely but were unsuccessful. They charged me very little for their effort and said my only option was to reload Windows XP, which I would like to avoid doing if possible. Nothing seems to be wrong with my computer. The only evidence of whataboutadog discernable by unsophisticated users like me is that it shows up as a trusted site every time I reboot, and abc123.pid shows up among the temporary files when a Windows Search is run. The shop removed a number of apparently fraudulent bak files that had been created at a single point in time, presumeably when I picked up WAAD. The computer seems to be running normally. When I run Hijackthis, the O15 line with WAAD does not appear. However, its continued presence makes me worry about what might happen if it stays on! Is there anyone who could advise me? I'm not in a great hurry. Thank you in advance for anything you can offer.

Dell 6000 notebook
Windows XP SP2, IE7
AVG 7.5
AVG Anti-Spyware, Ad-Aware (both run manually)
Windows Defender

 

[Rik]

Hi bobamherst and welcome to TechSpot.:wave:

Lets see if we can do a better job than the shop did.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.



This thread is for the use of bobamherst only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[bobamherst]

bak search results from FindAwf

Hello rik,

Thanks for your very prompt reply. I'm afraid that I may have to respond with slightly longer intervals. (I'm on the U.S. east coast.)

I ran the bak search from FindAwf, but the attached notepad file is all that it produced.

Since first posting I find that Windows Defender is identifying the "Backdoor:Zonebac" trojan, which reappears even after I have WD remove it. I supposed this is related to the Whataboutadog phenomenon?

Bobamherst

 

[howard_hopkinso]

Hello and welcome to Techspot.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Now, please post a HJT log as per these instructions.

Regards Howard :wave: :wave:

This thread is for the use of bobamherst only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[bobamherst]

hijackthis log

Hello Howard,

Thanks for getting involved in my thread. I understand you are quite expert in dealing with this troublesome phenomenom. A hijackthis log is attached. The exe file was renamed "Crusty," as per the instructions.

Bobamherst

P.S. I had neglected to mention at the outset that I do have Spybot, which I run manually.

 

[howard_hopkinso]

Your HJT log is clean as a whistle mate.

Are you still having any problems?

Regards Howard

This thread is for the use of bobamherst only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[bobamherst]

WAAD and Zonebac.B are still there on reboot

Hello again Howard and rik,

I'm afraid to say that on reboot WAAD still shows up in trusted sites and Windows Defender still finds Zonebac.B. So.... unless somebody has any other suggestions, I guess I'll have Windows XP reinstalled. Thanks very much for your help.

Bobamherst

 

[howard_hopkinso]

Open IE and click tool/internet options.

Click the Security tab and click on the Trusted sites icon. Click the sites button and remove all sites from the trusted zone by selecting them and clicking the remove button. Once done, click ok.

Warning! Do not click the links below in the quote box.


Click ok/ok and close IE. reboot your system.

Post back when done and I`ll remove the above links to stop anyone from clicking on them.


Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard

This thread is for the use of bobamherst only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Removed dodgy links.

 

[bobamherst]

reinstalled Windows XP

Hello again Howard,

Thanks for following up again. I decided to have a clean Windows reinstall done to get rid of whataboutadog and backdoor:zonebac.b, which must have been cleverly concealed somewhere. I use my laptop for banking and other secure transactions and was nervous about having any malware in it even though it wasn't causing any obvious trouble. (I didn't even dare recover my old IE favorites and Outlook contacts for fear that the culprit might have somehow inserted itself in them!) I've started to use Firefox for routine browsing rather than IE; don't know whether that will make any difference.

Very appreciative of your efforts for me and other non-technical but computer-dependent persons.

Bob

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.