Solved: b.whataboutadog.com infection


plasma dragon00

Hi, I'm writing this from my parents' PC, which has the b.whataboutadog.com infection. My mom and I were both reading about how to fix this, and no luck so far. We have run Spybot S&D 15, Ad-Aware 2007, Norton 2006, and CCleaner, all updated today. Nothing so far, but we still get the item in the IE7 history.

Any help would be greatly appreciated.

Thanks in advance,

~plasma

I did an HJT scan and a FindAWF scan; I'll post the logfiles as an attachment.

Edit: I clicked the Manage Attachments button, but I can't seem to attach them. Should I upload them to fileshare.com and upload the files there?

Edit 2: Never mind, I still can't attach them from my parents' PC, but I can from mine.
 
Hello and welcome to Techspot.

I don't know why you can't attach your log files. Please try again. See HERE for instructions.

Edit: OK, I can see them now and will issue instructions in this post shortly.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Ahead\InCD\bak\Error.log"
"C:\Program Files\Ahead\InCD\bak\InCD.exe"
"C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
"C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIALA.EXE"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Please post a fresh HJT log and make sure you don't use the word wrap feature in Notepad.



Regards Howard :wave: :wave:

This thread is for the use of plasma dragon00 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Scanned with both, did as you said. Now I have a question. An application called "Process" appeared on the desktop. Should I delete it or leave it for now?

Attaching logfiles...

Thanks

~plasma

And, oddly, now the upload dialogue box opens on my parents' PC.
 
Leave that for now and we'll deal with it later. I need to get rid of this infection first, before we do anything else.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak\
C:\Program Files\DellSupport\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Ahead\InCD\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\SBAudigy\Surround Mixer\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Next, close the file and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.

Regards Howard :)

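The two FindAWF passes above follow one fixed pattern: a legitimate autostart file has been moved into a sibling folder named `bak` and something else dropped under its original name, so cleanup is (option 2) copy every `<dir>\bak\<file>` back over `<dir>\<file>`, then (option 3) delete the `bak` folders. The script below is an added illustration of that pattern; it is not FindAWF's code and was not posted in this thread. It builds a constructed directory tree with placeholder contents (the folder and file names only echo the list above), reports which originals have been replaced, restores them from the backups, verifies the restored files by hash, and removes the `bak` folders.

```python
"""Added illustration of the two FindAWF passes used in this thread (option 2,
restore files from 'bak' folders; option 3, remove the 'bak' folders). This
is not FindAWF's code; the tree it operates on is constructed below with
placeholder contents, and the file names only echo the thread's list."""
import hashlib
import shutil
import tempfile
from pathlib import Path

BAK_NAME = "bak"
LEGIT = b"MZ placeholder: original autostart program"   # constructed
DROPPER = b"MZ placeholder: file dropped in its place"  # constructed


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_bak_pairs(root: Path):
    """Return (backup, original, status) for every file under a 'bak' folder.
    status: 'replaced' if a different file now sits at the original path,
    'identical' if the contents match, 'missing' if nothing is there."""
    pairs = []
    for bak_dir in sorted(p for p in root.rglob(BAK_NAME) if p.is_dir()):
        for backup in sorted(p for p in bak_dir.iterdir() if p.is_file()):
            original = bak_dir.parent / backup.name
            if not original.exists():
                status = "missing"
            elif sha256_of(original) == sha256_of(backup):
                status = "identical"
            else:
                status = "replaced"
            pairs.append((backup, original, status))
    return pairs


def restore_from_bak(pairs, dry_run=False):
    """Option 2: copy each backup over whatever sits at its original path.
    Returns the paths restored (identical files are skipped)."""
    restored = []
    for backup, original, status in pairs:
        if status == "identical":
            continue
        if not dry_run:
            shutil.copy2(backup, original)
        restored.append(original)
    return restored


def remove_bak_folders(root: Path, dry_run=False):
    """Option 3: delete the 'bak' folders once their contents are restored."""
    removed = []
    for bak_dir in sorted(p for p in root.rglob(BAK_NAME) if p.is_dir()):
        if not dry_run:
            shutil.rmtree(bak_dir)
        removed.append(bak_dir)
    return removed


def build_demo_tree(root: Path):
    """Constructed sample: two hijacked autostart files plus one backup
    (a log) whose original was never replaced."""
    for folder, name in (("QuickTime", "QTTask.exe"), ("system32", "ctfmon.exe")):
        (root / folder / BAK_NAME).mkdir(parents=True, exist_ok=True)
        (root / folder / BAK_NAME / name).write_bytes(LEGIT)
        (root / folder / name).write_bytes(DROPPER)
    (root / "system32" / BAK_NAME / "Error.log").write_bytes(b"log")
    (root / "system32" / "Error.log").write_bytes(b"log")


def run_cleanup(root: Path):
    """Restore, verify the restored files against their backups, then
    remove the bak folders. Returns a summary for the report."""
    pairs = find_bak_pairs(root)
    restored = restore_from_bak(pairs)
    verified = all(sha256_of(o) == sha256_of(b) for b, o, _ in pairs)
    removed = remove_bak_folders(root)
    return {
        "replaced": [o.relative_to(root).as_posix() for _, o, s in pairs if s == "replaced"],
        "restored": len(restored),
        "verified": verified,
        "removed": len(removed),
        "bak_left": sum(1 for p in root.rglob(BAK_NAME) if p.is_dir()),
    }


def demo():
    """Build the constructed tree in a temp directory and clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return run_cleanup(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would point `find_bak_pairs` at the drive root, run it with `dry_run=True` first to review the `replaced` list, and only then restore and remove; the hash check is what tells you the copy-back actually took effect before the backups disappear.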
 
Well, the FindAWF program isn't working now. Let me re-download it, and then try it again.

When I try to run it, it gives me the "FindAWF.exe has encountered an error and needs to close. We are sorry for the inconvenience." It has Send Error Report, Don't Send, and Debug.

Let's redownload it.

~plasma

Edit: I believe that "Process" application is what's causing FindAWF not to work, because the newly downloaded one won't work on the desktop while that Process app is still there, but will run from the My Documents folder just fine.
 
I tried to delete it, but it gave me the error: "cannot delete Process: access is denied. Make sure that the disk is not full and write-protected and the file is not in use."

Anyway, here are the logfiles.

~plasma
 
Just one more bak file to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and pressing Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\WINDOWS\bak\UpdReg.EXE"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak

Next, close the file and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log.

Regards Howard :)

 
That's not clean.

Now comes the real hard work, I'm afraid.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

 
Working on it.

Step 1. complete - disabled TeaTimer

Step 2. complete - installed ZoneAlarm firewall, keeping Norton AV 2006

Step 3. canceled

Step 4. complete

Step 5. complete

Step 6. complete

Step 7. complete - installed this morning

Step 8. complete - also installed this morning

Step 9. complete - also installed this morning

Step 10. complete tool 1, complete tool 2 nothing found, complete tool 3 nothing found
 
No, you can leave Norton alone, mate.

Personally, I think you'd be better off without Norton because it's crap.

If you decide to go ahead and get rid of Norton do the following.

Download the Symantec/Norton removal tool.

Download one antivirus and one firewall programme from the choices below.

AVG free or Avast antivirus programmes.

Zonealarm Kerio or Comodo free firewall programmes.

Disconnect from the net and run the Symantec/Norton removal tool.

Install whichever firewall you chose and reconnect to the net.

Install whichever antivirus programme you chose and run the antivirus updates.


Regards Howard :)

 
I'm almost done; I'm just waiting for the HouseCall scan to finish, in about a half hour. Also, I do have a few more questions; they can be found in my previous post, if you could please take a look at them.

Thanks so much for the help so far.

~plasma
 
Crusty.exe.exe is fine mate.

Yes, have SmitFraudfix clean the registry.

Regards Howard :)

 
HouseCall is done, with 98 infections under ADWARE_MEMWATCHER, 13 infections under TSPY_SMALL, and 10 infections under HTTP cookies. I'll clean all detected files, and I just have to run the last 2 steps.

Edit: Also, it says that for some entries, it has to delete them. Should I allow it to do that?

Edit 2: I'm deleting, and I hadn't realized that there were more steps than 11.

Thanks

~plasma

HouseCall is stuck on "Deleting active grayware and spyware", so I'm just going to stop it. I'm going to continue on with step 10.

~plasma
 
Yes, allow it to delete the files.

In total there are 15 steps I believe lol.

Regards Howard :)

 
That's good. You don't have to keep informing me of your progress. Just post the requested log files once you're done. ;)

Regards Howard :)

 
Well, I have 2 logfiles so far, being the ComboFix log and the AVG Anti-Spyware log. The weird thing is, though, AVG detected 11 things in its scan, and yes, I set it to quarantine. Then I clicked Save Logfile; it opened the logfile, but nothing was in it. So after that, I clicked Quarantine in the AVG program, but it gave me an error while it tried to quarantine.

Anyway, I have to go for now. If you're gone when I get back, or I can't get on when I get back, I'll talk to you when I get back from school tomorrow. I'm going to let a few scans run while I'm out, and hope it turns up something.

Thanks so much for your help,

~plasma

Edit: I'll post the 2 logfiles I have, the AVG and the ComboFix, but I doubt the AVG will be of any help.
 
Well, I am on one last time, and from the HJT logfile, I can't find anything about whataboutadog in there, but I'm not sure if I understand the logfile correctly, so I'll still post it. I re-ran AVG Anti-Spyware, and it fixed the problems, but only one of them could be quarantined; the others had to be deleted, as quarantine was not an option for them.

Anyway, here are the good AVG and HJT logfiles.

Thanks so much for the help.

And the entry for b.whataboutadog.com isn't in the IE7 history, and let's hope it stays that way.
 
OK, here's what I recommend you do.

Delete all files in AVG Antispyware quarantine.

Download this Symantec/Norton removal tool.

Download one of the antivirus programmes below.

AVG free or Avast antivirus programmes.

Run the Symantec/Norton removal tool and reboot your system the required number of times.

Install whichever antivirus programme you chose and run the antivirus updates.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/GeneralMills/Coupons.cab

O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - http://playgames.comcast.net/online2/asianata/asianata.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

Click on the Fix Checked button.

Close HJT.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and combofix log.

Regards Howard :)

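The three entries Howard asks HJT to fix above are O16 lines: each records a downloaded ActiveX control by its CLSID, an optional display name, and the URL of the .cab it was installed from. The parser below is an added illustration for triaging such lines; it is not HijackThis code and was not posted in this thread. The sample log is constructed here from the thread's three O16 entries plus one unrelated O4 line, and the allow-list of download hosts is an assumed input that the caller supplies.

```python
"""Added illustration: parse HijackThis 'O16 - DPF' lines and flag controls
downloaded from hosts outside a caller-supplied allow-list. Not HJT's own
code; SAMPLE_LOG is constructed from the thread's entries."""
import re
from urllib.parse import urlsplit

# O16 - DPF: {CLSID} (optional display name) - <download URL of the .cab>
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)$"
)

# Constructed sample: the thread's three O16 entries plus an unrelated O4 line.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - "
    "http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/GeneralMills/Coupons.cab",
    "O16 - DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} (AtlAsianataCtlAttrib Class) - "
    "http://playgames.comcast.net/online2/asianata/asianata.cab",
    "O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - "
    "http://offers.e-centives.com/cif/download/bin/actxcab.cab",
]


def parse_o16(line):
    """Return a dict for an O16 line, or None for any other log line."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    return {
        "clsid": m.group("clsid").upper(),
        "name": m.group("name"),          # None when HJT printed no name
        "url": url,
        "host": (urlsplit(url).hostname or "").lower(),
        "cab": url.rsplit("/", 1)[-1],
    }


def triage_o16(lines, allowed_hosts=()):
    """Parse every O16 line and set 'flag' on those whose download host is
    not on the allow-list. The allow-list is assumed input; with the default
    empty list every control is flagged for review."""
    allowed = {h.lower() for h in allowed_hosts}
    entries = [e for e in (parse_o16(ln) for ln in lines) if e]
    for e in entries:
        e["flag"] = e["host"] not in allowed
    return entries


if __name__ == "__main__":
    for e in triage_o16(SAMPLE_LOG):
        mark = "FIX " if e["flag"] else "keep"
        print(f'{mark} {e["clsid"]} {e["name"] or "-"} <- {e["host"]}/{e["cab"]}')
```

Keying on the download host rather than the CLSID is deliberate: the CLSID is whatever the .cab's installer chose, while the host tells you which site pushed the control onto the machine, which is what decides whether it belongs there.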
 
Here are the logfiles, including one before I fixed the entries in HJT and one after I fixed them, as well as the ComboFix, final HJT, and Avenger logs.

Avenger seemed to have a problem, though. After the PC rebooted and it started to run, Avenger ran into a problem, saying it couldn't find or read a file, and gave me 3 options: continue, try again, or cancel. I picked continue, and it kept working then.

Anyway, here they are.
 