TechSpot

Whataboutadog Zonebac Infection

By arthurb999
Nov 6, 2007
  1. Ok I've been reading about the whataboutadog virus because I have it. No matter what I do, every time I reboot Windows, *whataboutadog.com gets added to trusted sites, security on trusted sites gets altered and IE sends it information.

    I have Windows XP, AVG Free and Windows Defender/firewall. I also have Spyware Blaster loaded.

    I tried the removal from this link

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=3

    and

    I followed the instruction in the sticky with awf clearing out the bak stuff... here's my current log.


    I ran every scan I got and the only thing found is Windows Defender finds Trojan/Zonebac and I delete it... but it keeps coming back. Every time I reboot... I get the thing again.

    Any help is greatly appreciated.
    Thanks.

    Arthur
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read this thread HERE and follow the instructions exactly. Post the requested log files as attachments, once done.

    Regards Howard :wave: :wave:

    This thread is for the use of arthurb999 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
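
The behaviour described in the post above (a legitimate file moved into a bak folder with a substitute left in its original place) can be checked by comparing each file in a bak folder with the same-named file one level up. This is an added example, not part of the thread and not the Find AWF tool's code; the function names are hypothetical and the sample tree in `demo()` is constructed.

```python
import filecmp
import os
import tempfile

def find_bak_displacements(root):
    """Map every file inside a folder named 'bak' (path relative to root) to:
    'replaced'  - same-named file in the parent folder, different content
    'identical' - same-named file in the parent folder, same content
    'orphan'    - no file with that name in the parent folder
    """
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in sorted(x for x in dirnames if x.lower() == "bak"):
            bak_dir = os.path.join(dirpath, d)
            for name in sorted(os.listdir(bak_dir)):
                bak_file = os.path.join(bak_dir, name)
                if not os.path.isfile(bak_file):
                    continue
                live = os.path.join(dirpath, name)  # file now sitting in the original location
                if not os.path.isfile(live):
                    status = "orphan"
                elif filecmp.cmp(bak_file, live, shallow=False):  # byte-for-byte compare
                    status = "identical"
                else:
                    status = "replaced"
                rel = os.path.relpath(bak_file, root).replace(os.sep, "/")
                findings[rel] = status
    return findings

def demo():
    """Scan a constructed sample tree; every name and content here is made up."""
    sample = {
        "AppA/tool.exe": b"substituted copy", "AppA/bak/tool.exe": b"original program",
        "AppB/sync.exe": b"same bytes", "AppB/bak/sync.exe": b"same bytes",
        "AppC/bak/old.cfg": b"user backup",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_bak_displacements(root)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:10} {path}")
```

A `replaced` result only means the two copies differ; an ordinary software update that keeps its own backup produces the same pattern, so treat it as a lead to verify against a known-good copy.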
     
  3. arthurb999

    arthurb999 TS Rookie Topic Starter

    Hey Howard,

    I followed the directions and have a clean AWF file. See below.


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Tue 11/06/2007
    The current time is: 8:09:02.50


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report



    However, when I reboot, the *whataboutadog.com gets added to my trusted sites and sends something to b.whataboutadog.com. Nothing shows up on virus scans either... only windows defender finds it... and even when I delete it... it reappears when I reboot.

    Any other suggestions? Thanks!!!
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I asked you to post the requested log files.

    Regards Howard :)

     
  5. arthurb999

    arthurb999 TS Rookie Topic Starter

    Attached is the most updated AWF and hijack this. Let me know what other log files you need...
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Reboot your computer.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt

    Post the Combofix log as well as a fresh HJT log.

    Regards Howard :)

     
  7. arthurb999

    arthurb999 TS Rookie Topic Starter

    I'm not sure what combofix does but it certainly pissed off the virus I have. During its scanning I had the following virus warnings pop up...

    Trojan Horse Generic9.hlk
    Backdoor:Win32/Zonebac.B

    They are currently in the virus vault of avg free.

    Attached are my new logs...
    Thanks Howard!!!

    Arthur
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in the AVG virus vault.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  9. arthurb999

    arthurb999 TS Rookie Topic Starter

    Ok... during that scan/reboot only the Trojan Horse Generic9.hlk virus popped up and I deleted it.

    Attached are my new logs.
    Thanks!!!!

    Arthur
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Nearly there now.

    Download and install one of the free firewall programmes below.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O24 - Desktop Component 0: (no name) - http://www.ccri.edu/images/index-home-09.gif

    O24 - Desktop Component 1: (no name) - http://www.ccri.edu/images/spacer-home.gif

    O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

    O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

    Click on the fix checked button.

    Close HJT and reboot your system.

    Delete the following folder.

    C:\qoobox

    Once done, your system is clean.

    Turn off system restore. (XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  11. arthurb999

    arthurb999 TS Rookie Topic Starter

    Howard... you are the man!!!!!!!!!!!!!!!!!!!!

    Intel Proset is trying to reinstall itself... not sure why.

    Looks like virus is gone for good. I downloaded zone alarm and put it on this notebook. I'm going to get it for my other machine too.

    Just so this doesn't happen again...

    I have...

    Avg Free AV
    Zone Alarm Free
    Windows Defender
    Spyware Blaster
    Hardware Router

    I pride myself on keeping things updated and having tight PC security. Granted my wife uses the comp so she may have done something but who knows. Is there anything else I could do to tighten things up?

    Arthur
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Let the Intel proset reinstall if it wants.

    Your security now seems fine.

    However, you might want to take a look at this thread HERE for more tips.

    Regards Howard :)

     
  13. arthurb999

    arthurb999 TS Rookie Topic Starter

    OK thanks! Guess I'm good to go now.

    Thanks for the help Howard... I appreciate it a TON.

    Thanks!!!!!!!!

    -Arthur

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else will be ignored.
     
Topic Status:
Not open for further replies.
