
Tech Support Team


#1 fiveone5 (Newcomer), 12th February 2008, 02:16 AM
Join Date: Feb 2008, 8 posts. Location: Delaware Co., PA
[SOLVED] Whataboutadog - help!

This is a great site - Thanks for all the time you put into it!

Ok - family computer has been running strange - tracked down "whataboutadog" as the problem - followed the instructions for removal, got down to one bak file and cannot go anywhere - I disabled TeaTimer and SDHelper in Spybot but it is a no go - any ideas?

I am also getting WinPatrol messages like this one; at this point I am rejecting changes - c:\windows\system32\drivers\etc\hosts
#2 evilfantasy (Security Team), 12th February 2008, 02:22 AM
Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
Do you have any of the logs from the removal instructions, or were you just working the whataboutadog removal thread?

Can you post a fresh FindAWF and HijackThis log?
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#3 fiveone5 (Newcomer), 12th February 2008, 02:47 AM
lastscan

This is the latest -

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 02/11/2008
The current time is: 22:44:34.82


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

2097488 Jan 28 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report
#4 evilfantasy (Security Team), 12th February 2008, 02:51 AM
This is after running option #2, correct?

Let's try again.


Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: From the Keyboard Press 3 then Enter to remove bak folders

A text file will open called: folders.txt
Click below the line and paste the following list of folders to be removed:

Quote:
Directory of C:\PROGRA~1\SPYBOT~1\BAK
Next, close the text file and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
* It deletes the contents of the bak folders
* Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please add the new FindAWF log in your reply.
#5 fiveone5 (Newcomer), 12th February 2008, 02:55 AM
This is the first time I used HijackThis-

This is what I have -


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 02/11/2008
The current time is: 22:56:36.84


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

2097488 Jan 28 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report

Last edited by Howard; 12th February 2008 at 03:27 AM. Reason: LOG FILES MUST BE POSTED AS ATTACHMENTS AND NOT COPY AND PASTED.
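
The report in post #5 says "Option 3 run successfully" yet still lists the bak folder, so the removal has to be checked from the listing rather than from the status line. The following Python sketch is an added example, not part of any post and not FindAWF's own code: it parses the report layout shown above, returns the bak folders that remain, and pairs each bak copy with the same-named file one level up. The function names are hypothetical and the sample is the thread's report trimmed of blank lines.

```python
import re
from collections import defaultdict

# Constructed sample: the second FindAWF report from this thread, blank lines trimmed.
REPORT = r'''Version 1.40
Option 3 run successfully
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\SPYBOT~1\BAK
08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
2097488 Jan 28 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
end of report
'''

DIR_RE = re.compile(r'^\s*Directory of (.+?)\s*$')
FILE_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+?)\s*$')
DUP_RE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"\s*$')

def parse_findawf(text):
    """Return the option-3 status line, bak folders with their files, and duplicate listings."""
    report = {"option3_ok": "Option 3 run successfully" in text,
              "bak": defaultdict(dict), "dups": {}}
    current = None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current = m.group(1)
            report["bak"][current]  # register the folder even if it lists no files
        elif (m := FILE_RE.match(line)) and current:
            report["bak"][current][m.group(2)] = int(m.group(1).replace(",", ""))
        elif m := DUP_RE.match(line):
            report["dups"][m.group(2)] = int(m.group(1))
    return report

def remaining_bak_folders(report):
    """Folders still listed after a removal attempt; an empty list means the removal held."""
    return sorted(report["bak"])

def size_mismatches(report):
    """Pair each bak copy with the same-named file one level up; report differing sizes."""
    out = []
    for path, size in report["dups"].items():
        parent, name = path.rsplit("\\", 1)
        if parent.lower().endswith("\\bak"):
            live = parent[:-4] + "\\" + name  # strip the trailing "\bak"
            if live in report["dups"] and report["dups"][live] != size:
                out.append((name, report["dups"][live], size))
    return out
```

A size difference only shows that the two copies are not the same build; it does not say which one is the legitimate file.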
#6 evilfantasy (Security Team), 12th February 2008, 03:23 AM
Download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\PROGRA~1\SPYBOT~1\BAK
    
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
  • Go ahead and post this log now before moving to the other steps so it doesn't get lost
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

----------

Having items in the trusted zone is always a way for malware to exploit a PC. It is best to remove them.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O15 - Trusted Zone: http://download.windowsupdate.com

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

I would like to run another scan for a "second opinion" in order to make sure nothing is still hiding.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
----------

Next post please add
OTMoveIt log
Combofix log
#7 fiveone5 (Newcomer), 12th February 2008, 03:33 AM
C:\PROGRA~1\SPYBOT~1\BAK moved successfully.

OTMoveIt2 v1.0.19 log created on 02112008_233242
#8 evilfantasy (Security Team), 12th February 2008, 03:35 AM
Looks good, combofix will let us know if more work lies ahead or not.
#9 fiveone5 (Newcomer), 12th February 2008, 03:45 AM
After this is taken care of what can I do to avoid repeats??

By the way you are truly wonderful to take time to help - Thanks!

Last edited by Howard; 12th February 2008 at 03:46 AM. Reason: LOG FILES MUST BE POSTED AS ATTACHMENTS AND NOT COPY AND PASTED.
#10 Howard (TST Master), 12th February 2008, 03:48 AM
Join Date: Dec 2007, 3,366 posts.
Please post log files as attachments. See HERE for info.

Thanks.

Regards Howard
#11 evilfantasy (Security Team), 12th February 2008, 03:48 AM
Quote:
Originally Posted by fiveone5
After this is taken care of what can I do to avoid repeats??

I will give you some links with advice on tightening security.

Quote:
Originally Posted by fiveone5
By the way you are truly wonderful to take time to help - Thanks!

No problem, it's why we are here.
#12 fiveone5 (Newcomer), 12th February 2008, 03:56 AM
Hope this is it!

Last edited by Howard; 13th February 2008 at 08:09 PM.
#13 evilfantasy (Security Team), 12th February 2008, 04:04 AM
It is now suggested that you install the Windows Recovery Console. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website here --> http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it is originally named, next to ComboFix.exe.



Now close all open windows and programs.
Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open.
Please post the contents of that log in your next reply.

Thanks to Bleeping Computer for the guide.

Next post please attach
Combofix log
New Hijackthis log
#14 fiveone5 (Newcomer), 12th February 2008, 04:29 AM
The files as requested -

Last edited by Howard; 13th February 2008 at 08:08 PM.
#15 evilfantasy (Security Team), 12th February 2008, 04:35 AM
Upload a File to Virustotal

Please visit Virustotal

Copy the file path in the code box below.
Code:
C:\WINDOWS\D3EF-0207-C008-8E78.dat
  • At VirusTotal click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • VirusTotal will perform a scan across 30+ different virus scanning engines.
  • Please wait for all of the scanning engines to complete.
  • Copy and then Paste the results in the next reply.
#16 fiveone5 (Newcomer), 12th February 2008, 04:45 AM
File D3EF-0207-C008-8E78.dat received on 02.12.2008 06:38:32 (CET)


Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.2.12.11 2008.02.12 -
AntiVir 7.6.0.62 2008.02.11 -
Authentium 4.93.8 2008.02.11 -
Avast 4.7.1098.0 2008.02.11 -
AVG 7.5.0.516 2008.02.11 -
BitDefender 7.2 2008.02.12 -
CAT-QuickHeal None 2008.02.11 -
ClamAV 0.92 2008.02.11 -
DrWeb 4.44.0.09170 2008.02.11 -
eSafe 7.0.15.0 2008.02.11 -
eTrust-Vet 31.3.5529 2008.02.11 -
Ewido 4.0 2008.02.11 -
FileAdvisor 1 2008.02.12 -
Fortinet 3.14.0.0 2008.02.12 -
F-Prot 4.4.2.54 2008.02.11 -
F-Secure 6.70.13260.0 2008.02.12 -
Ikarus T3.1.1.20 2008.02.12 -
Kaspersky 7.0.0.125 2008.02.12 -
McAfee 5227 2008.02.11 -
Microsoft 1.3204 2008.02.11 -
NOD32v2 2866 2008.02.11 -
Norman 5.80.02 2008.02.11 -
Panda 9.0.0.4 2008.02.11 -
Prevx1 V2 2008.02.12 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.12 -
Sunbelt 2.2.907.0 2008.02.12 -
Symantec 10 2008.02.12 -
TheHacker 6.2.9.217 2008.02.11 -
VBA32 3.12.6.0 2008.02.11 -
VirusBuster 4.3.26:9 2008.02.11 -
Webwasher-Gateway 6.6.2 2008.02.12 -
Additional information
File size: 13 bytes
MD5: 3993243e891ff2a54498c0da3527c283
SHA1: 2a7a2e6a2cc148d31b3aba818a771040e7c088f0
PEiD: -
#17 evilfantasy (Security Team), 12th February 2008, 04:53 AM
The logs are clean

----------

Your Java is out of date.
Older versions of Java have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version(s) of Java components and update.

Step 1 - Get the new version
  • Go to the Sun Java Download Page
  • On the Sun Java page scroll to the 4th download.
  • Click the button and choose the options.
    • Platform Windows
    • Language English
  • Next place a check mark in the box to agree to the License Agreement.
    • "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
  • Follow the prompts to complete the installation.
Step 2 - Remove old version(s)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Do not remove Java 6 Update 4
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Restart your computer once all Java components are removed.
Step 3 - Remove old folder(s)
  • Double click My Computer on the desktop, Locate this folder: C:\Program Files\Java
  • Open the Java folder and delete any subfolders except the jre1.6.0_04 folder which was just created by the newest Java installation.
----------

Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
----------

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? Check here first; it may not be malware for free cleaning/maintenance tools to help keep your computer running smooth.
#18 evilfantasy (Security Team), 13th February 2008, 05:09 PM
Marking this thread as solved. If fiveone5 needs this reopened then please PM me or another moderator to have it reopened.
All times are GMT. The time now is 09:01 PM.





