Whataboutadog/Whataboutarabbit/Adoginhispen removal instructions
Published by Howard
27th December 2007

Very Important Information: Malware infections can lead to a number of problems, including identity theft, stolen bank funds, abuse of credit card information etc. If you use your computer for online banking etc., I strongly encourage you to disconnect from the net and do a complete reformat. See HERE on how to reinstall Windows.

If you just use your computer for gaming/music etc, then cleaning your system is possibly a better option.

See the two links below, before you decide what you want to do.

When should I re-format? How should I reinstall? Security - dslreports.com
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security - dslreports.com

If after reading the above you wish to clean your computer, please follow the instructions below.

--------------------------------------------------------------------

Please download and run SmitFraudfix, making sure you follow the instructions on the download page.

--------------------------------------------------------------------

Download the ATF cleaner programme from HERE and save it to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.

* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Reboot into normal mode.

--------------------------------------------------------------------


Please follow these instructions exactly. A copy of these instructions is available as a downloadable .txt file in the attachments.

Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Running FindAWF allows us to identify the files that are infected, as well as the backups and then restore the files.

STEP1:

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad.

See attached example 1:

STEP2:

You would then need to do the following with Example1. Scroll down the file until you come to the main body marked as START HERE. It's the entries below where it says "Duplicate files of bak directory contents" that we're interested in.

Double-click FindAWF.exe to start the tool. Then, do the following:
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text into the text file.

These are the entries from Example1 you would need to copy and paste into the above. Please note: You must include the quotes.

You would only copy and paste the entries that have a bak folder in the file path.


"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
"C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
"C:\Program Files\PCPal\bak\PalAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Logitech\QuickCam10\bak\QuickCam10.exe"
"C:\Program Files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe"
"C:\Program Files\Common Files\LogiShrd\LComMgr\bak\Communications_Helper.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad.

STEP3:

Please double-click the FindAWF icon once again.

Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed. See attached Example2: again, scroll down the file to where it says START HERE. Again, it's the entries below where the file says "Duplicate files of bak directory contents" that we're interested in.

Note: This time only copy and paste up to where the actual bak folder is, and we don't need the quotes this time.

C:\hp\KBD\bak
C:\Program Files\DISC\bak
C:\Program Files\DISC\bak    <-- This is a duplicate of the above entry. These often crop up in an awf.txt file.
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\PCPal\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Logitech\QuickCam10\bak
C:\Program Files\Comcast\Desktop Doctor\bin\bak
C:\Program Files\Common Files\LogiShrd\LComMgr\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak

Please note: The entry marked as a duplicate above is there for example only. For instance, you could find several bak folders in Windows/system32/bak or elsewhere. You would only need to enter one of these, as in effect it's exactly the same bak folder, so we can't remove it twice.

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log. See the attached Example3, which is clean.
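The selection rules from STEP2 and STEP3, as an added example (not part of the original tutorial or of FindAWF): it keeps only entries whose file sits directly in a bak folder, quotes them for option 2, and derives the de-duplicated, unquoted folder list for option 3. The input layout (one path per line, optionally quoted), the function name and the sample entries are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample, not taken from a real awf.txt: a mix of bak copies,
# the files in their normal locations, and a differently-cased duplicate folder.
SAMPLE = r'''
"C:\Program Files\DISC\bak\DiscUpdateMgr.exe"
"C:\Program Files\DISC\DiscUpdateMgr.exe"
"C:\Program Files\DISC\bak\DiscStreamHub.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\BAK\other.exe"
'''


def bak_entries(report_text):
    """Return (restore_lines, folder_lines) for FindAWF options 2 and 3."""
    restore, folders = [], []
    seen_files, seen_dirs = set(), set()
    for raw in report_text.splitlines():
        text = raw.strip().strip('"')
        if not text:
            continue
        path = PureWindowsPath(text)
        # Assumption: an entry qualifies only if its immediate parent is "bak".
        if path.parent.name.lower() != "bak":
            continue
        # Windows paths are case-insensitive, so compare lower-cased keys.
        file_key = str(path).lower()
        if file_key not in seen_files:
            seen_files.add(file_key)
            restore.append(f'"{path}"')       # option 2: quotes required
        dir_key = str(path.parent).lower()
        if dir_key not in seen_dirs:
            seen_dirs.add(dir_key)
            folders.append(str(path.parent))  # option 3: no quotes, stop at bak
    return restore, folders


if __name__ == "__main__":
    restore_lines, folder_lines = bak_entries(SAMPLE)
    print("Option 2 (restore):", *restore_lines, sep="\n")
    print("Option 3 (remove):", *folder_lines, sep="\n")
```
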

STEP4:

If you receive a clean log after running Option 3, as in the attached Example3, then the infection is gone and you need to do the following.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


However, that's not always the case, and sometimes you'll still see some bak files left under where it says "Duplicate files of bak directory contents" after running Option 3. See the attached Example4.


In all cases, it is recommended you start a new thread in this forum, even if your awf.txt is clean. That's because your system may be infected with other malware.

You would need to attach a fresh awf.txt from running Option1 of the FindAWF.exe tool, as well as a fresh HJT log. See below for HJT instructions.

Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.

* Double-click on the file you just downloaded.
* Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
* Please do not change the default install location.

Now go to the HJT directory and right click on the HijackThis.exe file. Choose rename and click in the title box. Hit the enter key to clear what's there and rename HijackThis.exe to Crusty.exe.

Right click on the Crusty.exe file and choose send to desktop, create shortcut.

Run HijackThis

* Next click on the "Do a system scan and save a log file" button.
* Hijackthis will scan and then a log will open in notepad.
* Post the HJT log as an attachment.

You can post attachments by clicking on the post reply button and then scrolling down and clicking on the manage Attachments button.

Click the browse button in order to locate the file you wish to upload and click on it, followed by clicking the open button. Now click the Upload button. You can attach several files in a single post. Once you're done, close the manage attachments window and write your post. Finally, click the submit button.



If you have any questions pertaining to these instructions, please don't hesitate to ask.

Regards Howard
Attached Files
File Type: txt EXAMPLE1.txt (5.9 KB, 113 views)
File Type: txt EXAMPLE2.txt (5.9 KB, 107 views)
File Type: txt EXAMPLE3.txt (506 Bytes, 86 views)
File Type: txt EXAMPLE4.txt (743 Bytes, 84 views)
File Type: txt Whataboutadog etc removal instructions.txt (6.5 KB, 74 views)