Whataboutadog

By kemp_Drumsalot
Oct 20, 2007
Topic Status:
Not open for further replies.
  1. Hello all. I'm new to all of this, so whatever you need me to post, just tell me. I recently have been seeing b.whataboutadog in my history (http://b.whataboutadog.com/128/chec...S~1\Temp\\1192890722.dat&fw=96&v=128&m=0&vm=0) = the one in today's folder. I have noticed this for a while now, and would like to know what it is and how I get rid of it. I read a few other posts and it sounds like it's a backdoor trojan? I have no clue, so any tips/advice would be appreciated!

    Thanks!

    Still could use some help =-P
  2. howard_hopkinso


    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.


    Go and read this thread HERE and follow the instructions.

    Then, post back here with the results, logs etc.

    Regards Howard :)

    This thread is for the use of kemp_Drumsalot only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. kemp_Drumsalot


    Alright, I did all of those things, and have attached both the AWF and HJT logs. What now?
  4. howard_hopkinso


    Ok, we now need to manually delete some files/programmes.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there):

    viewpoint
    viewpoint manager
    viewpoint toolbar
    Kontiki

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for the following (if there):

    MySpaceIM_Setup.exe
    MySpaceIM.exe
    ALCXMNTR.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there):

    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201

    O15 - Trusted Zone: *.whataboutadog.com

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or folders (if there):

    C:\Program Files\Kontiki
    C:\Program Files\Viewpoint
    C:\windows\ALCXMNTR.EXE
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Documents and Settings\Owner\Desktop\downloads\MySpaceIM_Setup.exe
    C:\Program Files\MySpace\IM\bak

    Reboot into normal mode and rehide your protected OS files.

    Reinstall your MySpace software.

    Post a fresh awf.txt after running option1 of the FindAWF tool as well as a fresh HJT log.

    Regards Howard :)

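    As an added example (not part of the original thread, and not HijackThis, The Avenger or any other tool used in it), the PowerShell below reads the live registry locations that three of the HijackThis entry types fixed in the post above map to: O15 Trusted Zone domains, O2 Browser Helper Objects and O4 Run entries. It assumes Windows PowerShell 3.0 or later on the machine being checked, and the standard Internet Explorer ZoneMap, BHO and Run key paths; the function names are this example's own.

```powershell
# Added example: reads the live registry behind HijackThis O15 / O2 / O4 entries.
# Assumes Windows PowerShell 3.0+ and the standard IE ZoneMap, BHO and Run key paths.
# Function names are this example's own, not HijackThis or Windows cmdlets.

# O15 - Trusted Zone. Each domain is a subkey under ZoneMap\Domains (host names are
# nested subkeys, e.g. Domains\whataboutadog.com\b); a DWORD value named "*", "http"
# or "https" with data 2 places that scheme for the host in the Trusted sites zone.
function Get-IETrustedSiteDomain {
    $roots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in (Get-ChildItem -Path $root -Recurse)) {
            foreach ($valueName in $key.GetValueNames()) {
                if ($key.GetValue($valueName) -ne 2) { continue }
                # Rebuild the host name from the key path: "example.com\sub" -> "sub.example.com"
                $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                $parts = $relative -split '\\'
                [array]::Reverse($parts)
                [pscustomobject]@{
                    Hive   = $root.Substring(0, 4)
                    Host   = ($parts -join '.')
                    Scheme = $valueName
                }
            }
        }
    }
}

# O2 - Browser Helper Objects. Each subkey name is a CLSID; the DLL that IE loads
# comes from the CLSID's InprocServer32 default value.
function Get-BrowserHelperObject {
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($bho in (Get-ChildItem -Path $root)) {
            $clsid = $bho.PSChildName
            $name = $null; $dll = $null
            foreach ($clsidRoot in @("HKLM:\Software\Classes\CLSID\$clsid",
                                     "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid",
                                     "HKCU:\Software\Classes\CLSID\$clsid")) {
                if (-not (Test-Path "$clsidRoot\InprocServer32")) { continue }
                $name = (Get-Item $clsidRoot).GetValue('')
                $dll  = (Get-Item "$clsidRoot\InprocServer32").GetValue('')
                break
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
            }
        }
    }
}

# O4 - Run keys. A bare file name with no path (like ALCXMNTR.EXE above) is resolved
# through the PATH at logon, so record whether the command is fully qualified.
function Get-RunKeyEntry {
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $key = Get-Item -Path $root
        foreach ($valueName in $key.GetValueNames()) {
            $command = [string]$key.GetValue($valueName)
            [pscustomobject]@{
                Hive     = $root.Substring(0, 4)
                Name     = $valueName
                Command  = $command
                BareName = ($command -notmatch '[\\/]')
            }
        }
    }
}

'== O15: hosts in the IE Trusted sites zone =='
Get-IETrustedSiteDomain | Format-Table -AutoSize
'== O2: Browser Helper Objects =='
Get-BrowserHelperObject | Format-Table -AutoSize
'== O4: Run entries (BareName = resolved via PATH) =='
Get-RunKeyEntry | Format-Table -AutoSize
```

    What to look for in the output: a Trusted sites host you never added (the point of the O15 fix is that a site in that zone runs with IE's relaxed security settings), a BHO whose DLL sits under a program directory you did not install or whose DLL no longer exists on disk (an orphaned CLSID that still gets loaded attempts), and a Run entry whose command is a bare file name, since that is located by searching the PATH rather than a fixed location.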
  5. kemp_Drumsalot


    Ok, I did all of the instructions, but when I got to the last stage, I could not delete the Viewpoint folder (it said it was in use?). Attached the fresh logs.
  6. howard_hopkinso


    Your log files are clean.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Then, go and do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, please attach the content of c:\avenger.txt into your reply.

    Regards Howard :)

  7. kemp_Drumsalot


    Phew! Ok, did all of those things, attached all my results. For the AVG Spyware, I had to do the scan twice since I didn't save the first one, so the report is the second one. Also, the pandarootkit or whatever that was didn't come up with anything. Just tell me what to do now and I'll get it done!
    Also, if I forgot to attach something, just tell me.

    Thanks for all your help so far!
  8. howard_hopkinso


    Delete all files in AVG Antispyware quarantine.

    Delete the following folders.

    C:\VundoFix Backups
    C:\Qoobox

    Other than that, you should be good to go.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  9. kemp_Drumsalot


    Ok, doing that right after this post. Do I need to keep all the programs you had me download? Is it ok to put the guards back on the programs (if so, which ones?)
  10. howard_hopkinso


    Just re-enable any guards you disabled and yes, you can now get rid of the tools etc we used to clean your system.

    I recommend you keep SS&D/Ad-Aware/Ccleaner.

    You can uninstall the rest if you want.

    Regards Howard :)

  11. kemp_Drumsalot


    Hmm, ok, I'm not sure if it's because of the fact I'm using the free edition of Ad-Aware 2007 or not, but I can't figure out how to turn the real-time protection on for that. By the way, should I turn TeaTimer on in SS&D? I also have Comodo's firewall now, and Firefox, since I heard it was more secure. I put the AVG AS on and deleted all the other files besides CCleaner. How often should I run CC, and should I be in safe mode?

    Oh, and I still have my clock set in military time; how do I get it to civilian time?
  12. howard_hopkinso


    The free edition of Ad-Aware doesn't support real-time monitoring as far as I'm aware.

    Yes, you can turn on SS&D's TeaTimer protection if you want.

    You can run Ccleaner as often as you want. Personally, I run it daily or sometimes more often than that, depending on what I've been doing.

    As to your clock problem, please do the following.

    Go to your control panel and double click on the Regional and languages icon.

    On the Regional Options tab, click the Customize button, followed by the Time tab. You can set your preferred time options here. Once done, click apply/ok/apply/ok and close your Control Panel.

    Regards Howard :)

  13. kemp_Drumsalot


    Ok, what exactly is TeaTimer? I already have a firewall (Comodo) on, if that's what it is. I have no clue what it does, so feel free to inform me =-)
    Haha, what exactly was it that CCleaner was doing? I don't know for sure.
    Thanks for the clock; I ended up just googling it and figuring it out, thanks though =-)
  14. howard_hopkinso


    See HERE for information on Spybot's TeaTimer.

    Ccleaner gets rid of junk files that accumulate on your system: temp files, cookies, browser cache, etc. It's a very useful application and I can't recommend it highly enough.

    Regards Howard :)

  15. kemp_Drumsalot


    Why can't you highly recommend it?
    I know one thing I do 1-7+ days a week is go to Internet Explorer properties, and then delete all temp files (check offline) and then the cookies. Is this what CC is doing?
  16. howard_hopkinso


    If you read what I actually said, I said, "It's a very useful application and I can't recommend it highly enough."

    In other words, it's absolutely wonderful and you should definitely keep and use Ccleaner on a regular basis.

    Yes, Ccleaner does delete lots of temp files and more besides.

    Regards Howard :)

  17. kemp_Drumsalot


    My apologies. I read your statement wrong; I will continue to use it then.

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else, will be ignored.