Solved: Another whataboutadog problem

Status
Not open for further replies.

randompete

Hey there,

Sorry to post the same problem as a ton of other people, but I am very concerned about my whataboutadog issue. I ran Avast and found nothing, ran Webroot Spysweeper and antivirus and found a trojan and a behavioral, and keep seeing b.whataboutadog.com show up in my history folder, although I don't know if that's what Webroot got rid of because I only just finished running that one. Hopefully I have successfully attached the awf.txt and hijackthis.txt files. Thanks in advance for any help you have time to give.

Pete
 
Double-click FindAWF.exe to start the tool. Then, do the following.
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.

A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\DISC\bak\DISCover.exe"
"C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
"C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
"C:\Program Files\PCPal\bak\PalAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Logitech\QuickCam10\bak\QuickCam10.exe"
"C:\Program Files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe"
"C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.



This thread is for the use of randompete only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
whatabouta!&@$!dog

Here is the new awf text file. Thank you, Rik. You always were my favourite of the Young Ones.
 
Lol, I have long hair so I look more like Neil.:)


Please double-click the FindAWF icon once again.
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders.


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\hp\KBD\bak
C:\Program Files\DISC\bak
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\PCPal\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Logitech\QuickCam10\bak
C:\Program Files\Comcast\Desktop Doctor\bin
C:\Program Files\Common Files\LogiShrd\LComMgr\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.



 
Option 3

Here is the latest awf text file, Rik. Have I mentioned that you are a star?
Two related questions:
1. Where does this whataboutadog thing usually come from?
2. Is Avast just not good enough to stop normal viruses? It has failed me in the past and now it let this thing get me.
 

Attachments: awf18oct2007A.txt (743 bytes)
Hello and welcome to Techspot.

There's still one bak folder left to deal with.

Rather than going through the FindAWF steps again, we can just delete them manually.

If after doing this, you still want to use Desktop Doctor, you can re-download and install it from HERE.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

sprtcmd.exe

Close task manager.
Locate and delete the following bold files and/or directories (if there).

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Comcast\Desktop Doctor\bin\bak  <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and pressing Enter.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, please post a fresh HJT log.

Regards Howard :)

 
Hopefully last one

Here are the awf and hijack files from after manually deleting those bak files. Is there a way to find the file that the virus came in on in the first place? I would really hate to go through this again and again.

Thanks for all of the help.

Pete
 
Your awf.txt is now clean.

Your system was infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

How you got the infection in the first place is anyone's guess. But as with most infections, user error is usually to blame.

You're running an outdated version of HJT, see HERE.

Now, in order to make sure your system is clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

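As an added illustration of the layout Howard describes (a live file sitting next to a "bak" folder holding the displaced original), here is a small Python script that is not FindAWF or any tool from this thread: it walks a directory tree for such pairs, flags the ones whose live file no longer matches its backup, and can copy the original back, which is what the thread's "option #2" step does. The tree it scans is constructed in a temporary folder with hypothetical file contents; only the two path shapes are borrowed from the thread.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAK_DIR = "bak"  # folder name the trojan uses for the displaced originals

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_awf_pairs(root):
    """Report every file in a 'bak' folder whose name also exists one level up."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if Path(dirpath).name.lower() != BAK_DIR:
            continue
        for name in filenames:
            backup = Path(dirpath) / name
            active = Path(dirpath).parent / name
            if active.is_file():  # only pairs matter; a lone bak file is just a backup
                findings.append({"active": str(active), "backup": str(backup),
                                 "same_content": sha256_of(active) == sha256_of(backup)})
    return findings

def suspicious(findings):
    """Pairs whose live file no longer matches its backup are the ones to look at."""
    return [f for f in findings if not f["same_content"]]

def restore_from_bak(finding):
    """Option 2 of the thread's procedure: copy the backed-up original over the live file."""
    shutil.copy2(finding["backup"], finding["active"])
    return sha256_of(finding["active"]) == sha256_of(finding["backup"])

def build_sample_tree():
    """Constructed demo tree (hypothetical contents) mirroring two paths from the thread."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    qt = root / "Program Files" / "QuickTime"
    (qt / BAK_DIR).mkdir(parents=True)
    (qt / BAK_DIR / "qttask.exe").write_bytes(b"ORIGINAL-QTTASK")
    (qt / "qttask.exe").write_bytes(b"REPLACED-BY-DROPPER")  # differs: the infected pattern
    kbd = root / "hp" / "KBD"
    (kbd / BAK_DIR).mkdir(parents=True)
    (kbd / BAK_DIR / "KBD.EXE").write_bytes(b"ORIGINAL-KBD")
    (kbd / "KBD.EXE").write_bytes(b"ORIGINAL-KBD")  # identical: an ordinary backup
    return root
```

Run `suspicious(find_awf_pairs(build_sample_tree()))` to see the one pair that differs; in the demo the "hp\KBD" pair is identical and is left alone.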
 
Ugh, that was fun.

Okay, attached are the logs, and the Panda root thing turned up all clear. What a blast that was. Can you think of any reason why after all of that I have a program that tries to open by itself? Comic Book Creator by Planetwide games attempts to open while I'm on the internet, and says, "configre Planetwidegames Comic Book Creator," like just now when I pressed "Manage Attachments." It never did that before, so I'm a bit concerned. Maybe just an after-effect of my system being invaded and cleared out. Dunno, but anyway, here's the stuff and thanks again.
 
Delete all files in AVG Antispyware quarantine.

Uninstalling and reinstalling the configre Planetwidegames Comic Book Creator may well solve that particular problem.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Regards Howard :)

 
K, here's the stuff.

You guys spend loads of time doing this stuff for poor sods like me. What can I do to return the favor?
 
Delete the following file.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

C:\Program Files\wt3d.ini

Rehide your protected OS files.

Other than that, you should be good to go.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Fab

Thank you, Rik and Howard. I will attempt to learn how to read some of these logs so that I can better rip those little beasties out of my system myself next time. Your help is appreciated.

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else will be ignored.
 