Yet another WHATABOUTADOG victim

Hi group, you can add me to the (rapidly) growing list of WAAD victims. Not sure how it got in - we're pretty savvy about opening suspicious e-mail, keep our McAfee files up to date, etc., but we've got it anyway.

I usually try to avoid bogging down forums with my own entries, since I can usually fix my problems by following along with previously-posted solutions, but looking through the posts here it seems the solutions have to be custom-tailored, based on each victim's HJT and AWF files.

'nuf said. Here are my HJT and AWF files. Thanks for your help!
 

Attachment: awf.txt (6.8 KB)
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\WINDOWS\bak\UpdReg.EXE"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\LVCOMSX.EXE"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
"C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
"C:\Program Files\McAfee\MSK\bak\MskAgent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
"C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :wave: :wave:

This thread is for the use of Eclipse08 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
results of cleanup

Thanks Howard!

I've run the deldomains.inf application and the findAWF app as instructed. Attached is the resulting AWF file.

One thing to note: while findAWF was running I got a dialog box stating something to the effect that a file needed by Windows had been replaced by a version that Windows didn't recognize. It went on to request that I insert Windows XP install disk 2. Since I don't have that disk (Windows came pre-installed on the PC and the installation media weren't included) I selected 'cancel'. findAWF went on to complete normally.

I should note that I received this same dialog two days ago, and also cancelled out of the 'insert CD' request at that time. At the time I attributed the dialog box to a McAfee update, but in retrospect it was probably the calling card from the trojan.

So the question now is, did I get the dialog box when the correct version of the file was being restored, or is it an indication that there's still something amiss? The dialog box didn't bother to identify the file in question.

Thanks!
 
We're not finished with the fix yet, so let's see what happens when we are.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Ahead\Nero BackItUp\bak
C:\Program Files\Logitech\ImageStudio\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Logitech\ImageStudio\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\McAfee\MSK\bak
C:\Program Files\McAfee.com\Agent\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\SBAudigy\Surround Mixer\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak



Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log


Regards Howard :)

This thread is for the use of Eclipse08 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
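Added example (my own code, not FindAWF's and not from anyone in the thread): a Python inventory of the kind of "bak" folders that option 2 above restores from and option 3 then removes. It pairs every file inside a folder named "bak" with the same-named file one level up and reports whether the two are byte-identical, which is the check a defender wants before trusting either copy. The directory tree it builds is constructed from two of the paths listed above, and the file contents, the `demo` helper and the `sha256_of` helper are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def inventory_bak_folders(root):
    """(bak_copy, parent_file, status) per file in a 'bak' dir; status is differs/identical/no-parent."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            bak_copy, parent_file = d / name, d.parent / name
            if not parent_file.exists():
                status = "no-parent"      # nothing with that name one level up
            elif sha256_of(bak_copy) == sha256_of(parent_file):
                status = "identical"      # restore step would change nothing
            else:
                status = "differs"        # the pair the restore step acts on
            findings.append((str(bak_copy), str(parent_file), status))
    return findings

def build_sample_tree(base):
    """Constructed tree echoing two of the thread's paths (contents are not real binaries)."""
    sys32 = Path(base) / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "ctfmon.exe").write_bytes(b"replacement")      # differs
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"original")
    nero = Path(base) / "Program Files" / "Ahead" / "Nero BackItUp"
    (nero / "bak").mkdir(parents=True)
    (nero / "NBJ.exe").write_bytes(b"same")                 # identical
    (nero / "bak" / "NBJ.exe").write_bytes(b"same")
    (nero / "bak" / "orphan.exe").write_bytes(b"x")         # no-parent
    return base

def demo():
    """Inventory the constructed tree in a temporary directory; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_bak_folders(build_sample_tree(tmp))

if __name__ == "__main__":
    for bak, parent, status in demo():
        print(f"{status:10} {bak}  <->  {parent}")
```

Run it against a real drive root instead of the constructed tree to get the same three-way report for every "bak" folder present.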
 
file removed

Okay, so far so good - I've successfully completed the file removal. Here's the log - looks pretty empty, which I assume is a good thing.

Thanks!
 

Attachment: awf_post_removal.txt (311 bytes)
Yes, that's clean.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Now, in the interests of making sure your system is clean, please do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of Eclipse08 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Virus/Spyware/Malware removal results

I've completed the 15-step process for cleaning malware/spyware, etc., as recommended. I've included the requested attachments. Briefly, here are the results of the cleaning steps:

step 1: n/a, as I wasn't running any of the indicated programs
step 2: n/a, as I was already running McAfee, with spyware and firewall turned on - for all the good it was doing me, as it turns out :-(
step 3: completed successfully
steps 4&5: completed successfully
step 6: completed successfully - trojan SrvAdmin.A found
step 7: completed successfully
step 8: n/a - I already had Ad-aware personal, with latest updates.
step 9: completed successfully
step 10: tool1/2/3 all completed successfully
step 11: completed successfully - no rootkits found
step 12: completed successfully - combofix log attached
step 13: partial success: McAfee wouldn't run in safe mode :mad: . It would display its startup splash screen for half a second then disappear. Nice, huh? I booted back into normal mode and ran it from there, then rebooted into safe mode for step 14.
step 14: completed successfully. Note that AVG again found the SrvAdmin.A trojan, and even though I checked 'quarantine' as directed (I double checked this before and after the scan) the log still reported 'no action taken' [perhaps because it's already quarantined from the first scan?]
step 15: completed successfully

One lesson learned from this is that McAfee isn't nearly as good as I thought it was. I knew it wasn't perfect, but between it completely missing two different trojans (whataboutadog and SrvAdmin.A), not being able to run in safe mode, and missing a whole lot of spyware that Ad-Aware and some of the other tools you had me run found, I must say I'm pretty disappointed in it.

Thanks again Howard for all your help with this - you and your fellow experts provide a real service to the rest of us, and it's most appreciated.
 

Attachment: combofix.txt (12.8 KB)
Delete all files in AVG Antispyware quarantine.

Other than that, your log files appear to be clean.

Unless you're having any other problems, you should be good to go.

If you're not having any other problems, please do the following.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Eclipse08 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
wrapup

I've deleted the quarantined virus and disabled/enabled system restore, so all is well with the world.

Thanks again for your help. :grinthumb

Oh, one final question: Can I continue to run AVG with McAfee? My past experience has been that virus checkers don't play very well together, but given my newfound disrespect for McAfee I don't know if I want to rely on it solely.
 
The AVG Antispyware programme is just that, an antispyware programme and not an antivirus programme. It shouldn't cause any conflicts with McAfee.

However, McAfee is a pretty crap programme in my opinion and apart from being a resource hog doesn't do a very good job of protecting your system.

You might want to consider getting rid of McAfee and using one of the free antivirus and firewall programmes below.

AVG free or Avast antivirus programmes.

ZoneAlarm, Kerio or Comodo free firewall programmes.

Apparently, McAfee can be a real pain to uninstall. With that in mind I suggest you read this post HERE

Regards Howard :)

This thread is for the use of Eclipse08 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Help Please

I recently ran an online scan w/emsi, it said I had Worm.Win32.Netop.a and listed eight files that were infected. Is this a trojan or virus? How can I get rid of it? Any help would greatly be appreciated. Thanks!
 