B.whataboutadog Again!



#1 jde68

Posted 27 January 2008 - 02:10 PM

Two weeks ago this forum helped me to remove b.whataboutadog. Well I have it again. I have no idea how I got this in the first place and how I got it again. Please help me remove it. My guess is I can't repeat the steps from before. My thanks for whatever assistance you can give.


#2 quietman7


Posted 27 January 2008 - 02:25 PM

Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 jde68


Posted 27 January 2008 - 02:59 PM

Here is the list... Please note I also just discovered that I have Spydefender Pro also. I'll need help with that too.


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 01/27/2008
The current time is: 14:49:14.85


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"


end of report

#4 quietman7


Posted 27 January 2008 - 03:09 PM

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

Check Add/Remove Programs for SpyDefender Pro and remove it from there if listed.

#5 jde68


Posted 27 January 2008 - 03:31 PM

Removed Spydefender with Add/Remove

Here is the awf text


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 01/27/2008
The current time is: 15:24:40.96


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"


end of report
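
As an added illustration (not part of the original thread and not FindAWF's own code), this Python sketch parses an AWF.txt report like the ones posted above and pairs each file in a bak folder with the same-named file in its parent folder, which is the pair the restore option acts on. The line patterns are assumptions drawn from the one report format visible in this thread, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: trimmed copy of the report text posted in this thread.
SAMPLE_REPORT = r'''bak folders found
~~~~~~~~~~~

 Directory of C:\HP\BIN\BAK

 0 File(s) 0 bytes

 Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 04:59 PM 218,240 UsrPrmpt.exe
 1 File(s) 218,240 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"

end of report
'''

# Line shapes assumed from the single report format visible in this thread.
DIR_LINE = re.compile(r'^\s*Directory of (.+?)\s*$')
COUNT_LINE = re.compile(r'^\s*(\d+) File\(s\)')
DUP_LINE = re.compile(r'^\s*(\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+"([^"]+)"\s*$')


def parse_awf(text):
    """Return (bak_dirs, pairs): file count per bak folder, and one dict per
    file in a bak folder paired with the same-named path in the parent folder."""
    bak_dirs, entries, current = {}, [], None
    for line in text.splitlines():
        if m := DIR_LINE.match(line):
            current = m.group(1)
            bak_dirs[current] = 0
        elif (m := COUNT_LINE.match(line)) and current:
            bak_dirs[current] = int(m.group(1))
        elif m := DUP_LINE.match(line):
            entries.append((int(m.group(1)), PureWindowsPath(m.group(2))))
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    sizes = {path: size for size, path in entries}
    pairs = []
    for size, path in entries:
        if path.parent.name.lower() != "bak":
            continue  # this line is the parent-folder copy, not the backup
        target = path.parent.parent / path.name
        pairs.append({"backup": str(path), "target": str(target),
                      "target_listed": target in sizes,
                      "same_size": sizes.get(target) == size})
    return bak_dirs, pairs


def files_txt_lines(pairs):
    """Quoted bak paths, in the form pasted into files.txt for option #2."""
    return [f'"{p["backup"]}"' for p in pairs if p["target_listed"]]


if __name__ == "__main__":
    dirs, pairs = parse_awf(SAMPLE_REPORT)
    print(dirs)
    print("\n".join(files_txt_lines(pairs)))
```

The directory listing uses 8.3 short names while the duplicates section uses long paths, so the pairing is done on the duplicates section only.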

#6 quietman7


Posted 27 January 2008 - 04:03 PM

Double-click the FindAWF icon once again.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\Common Files\Symantec Shared\Security Center\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.


#7 jde68


Posted 27 January 2008 - 04:58 PM

Spydefender still appears in the start up menu next to my clock

Here is the awf text

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sun 01/27/2008
The current time is: 16:50:19.50


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 quietman7


Posted 27 January 2008 - 07:47 PM

Double-click the FindAWF icon once again.
  • Select option #4 - Reset domain zones by typing 4 and press 'Enter'.
  • You will receive a warning to reset domain zones.
  • Press 1 then press 'Enter'.
  • After resetting the domain zones, the program will return to the main menu.
  • Use the following option: Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.

Please download AutoRuns and save it to your Desktop.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for an entry related to SpyDefender.exe.
  • If found, right-click on the entry and choose delete.
  • Exit the program when done.

Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.

C:\Program Files\SpyDefender Pro

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Then search for and delete the following file(s)/folder(s) in bold if still present. You can use Windows Explorer to navigate to them:

C:\Documents and Settings\username\Start Menu\Programs\SpyDefender Pro <- this folder
C:\Documents and Settings\username\Desktop\SpyDefender <- this folder

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 jde68


Posted 29 January 2008 - 05:48 AM

Here are the results:

Move It file

C:\Program Files\SpyDefender Pro moved successfully.

Created on 01/27/2008 20:39:13

From OT Log files

C:\Program Files\SpyDefender Pro moved successfully.

Created on 01/27/2008 20:39:13

From SuperAnti Spyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/28/2008 at 01:21 AM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 03:43:49

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 5111
Registry threats detected : 2
File items scanned : 152072
File threats detected : 13

Rogue.SpyDefender Pro
HKU\S-1-5-21-2241485819-1922042149-3997420412-1003\Software\SpyDefender
HKU\S-1-5-21-2241485819-1922042149-3997420412-1003\Software\SWD123
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\SPYDEFENDER PRO\SPYDEFENDER.EXE

Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1191364056.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1193352915.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1193968897.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1195322145.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1195994507.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1198099170.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1199283759.OLD
C:\PROGRAM FILES\WINBUDGET\BIN\CRAP.1201413565.OLD

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Cookies\owner@3D-Realistic-Fireplace-Screensaver[1].txt
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Cookies\owner@3D-Realistic-Fireplace-Screensaver[2].txt
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Cookies\owner@burstnet[2].txt
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Cookies\owner@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmycpcjacpaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt

#10 quietman7


Posted 29 January 2008 - 08:30 AM

Did that resolve your malware issues?

#11 jde68


Posted 30 January 2008 - 08:34 PM

I am not sure... Spydefender seems to have disappeared, but SUPERAntiSpyware keeps detecting a Trojan downloader gen. I have run it twice in safe mode and it doesn't seem to get rid of it. But the computer runs as if it is malware free.

#12 jde68


Posted 30 January 2008 - 08:40 PM

Also guess what...whataboutadog has returned!!!!

Here is the first step in the AWF


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Thu 01/31/2008
The current time is: 6:16:42.60


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Edited by jde68, 31 January 2008 - 06:28 AM.


#13 quietman7


Posted 31 January 2008 - 09:34 AM

Further investigation is required to find out why it returned and what else may be on your system.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.



