Whataboutadog Zonebac Infection

Status
Not open for further replies.

arthurb999

Ok I've been reading about the whataboutadog virus because I have it. No matter what I do, every time I reboot Windows, *whataboutadog.com gets added to trusted sites, security on trusted sites gets altered and IE sends it information.

I have Windows XP, AVG Free and Windows Defender/firewall. I also have Spyware Blaster loaded.

I tried the removal from this link

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=3

and

I followed the instruction in the sticky with awf clearing out the bak stuff... here's my current log.


I ran every scan I got and the only thing found is Windows Defender finds Trojan/Zonebac and I delete it... but it keeps coming back. Every time I reboot... I get the thing again.

Any help is greatly appreciated.
Thanks.

Arthur
 
Hello and welcome to Techspot.

Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read this thread HERE and follow the instructions exactly. Post the requested log files as attachments, once done.

Regards Howard :wave: :wave:

This thread is for the use of arthurb999 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hey Howard,

I followed the directions and have a clean AWF file. See below.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 11/06/2007
The current time is: 8:09:02.50


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report



However, when I reboot, the *whataboutadog.com gets added to my trusted sites and sends something to b.whataboutadog.com. Nothing shows up on virus scans either... only Windows Defender finds it... and even when I delete it... it reappears when I reboot.

Any other suggestions? Thanks!!!
 
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Reboot your computer.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Post the Combofix log as well as a fresh HJT log.

Regards Howard :)

 
I'm not sure what combofix does but it certainly pissed off the virus I have. During its scanning I had the following virus warnings pop up...

Trojan Horse Generic9.hlk
Backdoor:Win32/Zonebac.B

They are currently in the virus vault of avg free.

Attached are my new logs...
Thanks Howard!!!

Arthur
 
Delete all files in the AVG virus vault.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\SYM_REGISTRY_BACKUP.reg
Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
Ok... during that scan/reboot only the Trojan Horse Generic9.hlk virus popped up and I deleted it.

Attached are my new logs.
Thanks!!!!

Arthur
 
Nearly there now.

Download and install one of the free firewall programmes below.

Zonealarm, Kerio or Comodo free firewall programmes.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O24 - Desktop Component 0: (no name) - http://www.ccri.edu/images/index-home-09.gif

O24 - Desktop Component 1: (no name) - http://www.ccri.edu/images/spacer-home.gif

O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

O24 - Desktop Component 3: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

Click on the fix checked button.

Close HJT and reboot your system.

Delete the following folder.

C:\qoobox

Once done, your system is clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Howard... you are the man!!!!!!!!!!!!!!!!!!!!

Intel Proset is trying to reinstall itself... not sure why.

Looks like virus is gone for good. I downloaded zone alarm and put it on this notebook. I'm going to get it for my other machine too.

Just so this doesn't happen again...

I have...

Avg Free AV
Zone Alarm Free
Windows Defender
Spyware Blaster
Hardware Router

I pride myself on keeping things updated and having tight PC security. Granted my wife uses the comp so she may have done something but who knows. Is there anything else I could do to tighten things up?

Arthur
 
Let the Intel proset reinstall if it wants.

Your security now seems fine.

However, you might want to take a look at this thread HERE for more tips.

Regards Howard :)

 
OK thanks! Guess I'm good to go now.

Thanks for the help Howard... I appreciate it a TON.

Thanks!!!!!!!!

-Arthur

This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else, will be ignored.
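
The symptom in this thread is a domain being re-added to IE's Trusted Sites zone at every reboot. The following is an added example, not code from the thread or from any tool mentioned in it: a PowerShell check that snapshots the Trusted Sites mappings under the standard `ZoneMap\Domains` registry keys and, on a later run (for example after a reboot), lists only the entries that were not in the snapshot. The function name and the snapshot path are assumptions made for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): detect Trusted Sites entries that appear
# between two runs, e.g. before and after a reboot.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-TrustedSiteMapping {      # hypothetical helper name
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path $root)) { continue }
        $rootName = (Get-Item $root).Name      # full key name, e.g. HKEY_CURRENT_USER\...\Domains
        foreach ($key in Get-ChildItem $root -Recurse) {
            # Keys are laid out as Domains\<domain>\<subdomain>; rebuild the host name.
            $parts = $key.Name.Substring($rootName.Length + 1).Split('\')
            [array]::Reverse($parts)
            $site = $parts -join '.'
            foreach ($proto in $key.GetValueNames()) {
                # Value name = protocol ('*' means any); value data = zone number.
                if ($key.GetValue($proto) -eq 2) {      # 2 = Trusted Sites zone
                    [pscustomobject]@{
                        Hive     = $root.Substring(0, 4)
                        Site     = $site
                        Protocol = $proto
                    }
                }
            }
        }
    }
}

$snapshot = Join-Path $env:TEMP 'trusted-sites-baseline.csv'   # assumed location

if (-not (Test-Path $snapshot)) {
    # First run: record the current state as the baseline.
    Get-TrustedSiteMapping | Export-Csv $snapshot -NoTypeInformation
    "Baseline saved to $snapshot. Reboot, then run this script again."
} else {
    # Later run: report only mappings that are missing from the baseline.
    $known = @{}
    Import-Csv $snapshot | ForEach-Object {
        $known["$($_.Hive)|$($_.Site)|$($_.Protocol)"] = $true
    }
    Get-TrustedSiteMapping | Where-Object {
        -not $known.ContainsKey("$($_.Hive)|$($_.Site)|$($_.Protocol)")
    }
}
```

An entry that shows up in the second run without the user having added it means something that runs at startup is still writing to the zone map, which is the persistence behaviour described in the first posts.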
 