Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Internet Has Been Hijacked By Webhancer


  • This topic is locked This topic is locked
2 replies to this topic

#1 Kanye

Kanye

  • Members
  • 97 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:20 AM

Posted 22 January 2008 - 04:20 PM

My little brother, without my permission, decided to download a game from a spyware-infested website, which I don't know what it was. He downloaded "setup.exe" to the desktop, and I asked him what it was and he said it was a game he tried t install but it didn't work. So I deleted the setup file. I do a Task Manager check every few hours, just to make sure no suspicious tasks are running. I checked, and saw "setup.exe" running in my processes. I terminated it. I also saw "rundll32.exe" running. I knew it was a safe process for Windows, but I knew it shouldn't have been running. I didn't have any Control Panel sub-categories open or anything, just MSN messenger and IE7. So I terminated that, too. Nothing went wrong. I checked back a few minutes later to make sure everything was fine, and the process was back. I terminated it again. Checked back 3 or 4 times and it keeps coming back. Not only that, but I randomly get popups that I never used to get, ever. Popups telling me to download online games, fortune tellers, etc. But it didn't say the site it was coming from so I couldn't track it. I've seen about 3 or 4 of these popups in the last hour.

I have a bit of knowledge with spyware removal, so I did a HJT test and removed some little problems that didn't seem to change anything. But there are still 3 HJT entries that I can't remove. It says I should use LSPFix to try to remove it instead. I downloaded it, ran it, and it said it couldn't find anything at all. I also have Sygate Firewall, and I checked the logs and it said "setup.exe" has been allowed. I assume my brother allowed it to try to run his game installation. (He's only 8 years old). So I blocked that, and it doesn't start up anymore, but rundll32.exe does, even after I continuously terminate it. My friend just gave me Spy Sweeper on CD, the full version, and I'm going to install and run that and check for spyware momentarily. I don't use a virus scanner, and yes I know I should, but I don't because A) I generally am good at avoiding bad things online, and thoroughly keep alert for suspicious things on my computer constantly, B ) AVG keeps messing up after a few days after I install it, and C) most other virus scanners use a lot of memory and cause constant lag. I also have a firewall as I said, and I run online virus scans time after time so I don't need to bother with installation. I believe I have a trojan/spyware, and I know that my internet has been infected. I also found thise folder just moments ago as I was typing this. C:\Program Files\BrowsingEnhancer. Don't know what it is, never installed it, and I naturally don't trust it. The files in it are: BrowsingEnhancer-1.dll, BrowsingEnhancer-2.dll, BrowsingEnhancer.dat, pcre3.dll, and uninstall.exe. Getting rid of that and anything else lurking that I don't know about would be great as well.

Computer Specs:

PCV-RX540 Sony Vaio PC
Intel Celeron 1.2 GHz processor
512MB 233MHz SDRAM
16MB Rage Pro AGP 4x graphics
CD-RW/DVD drives
60GB Maxtor HDD


HJT Log

(Rundll32.exe isn't there because I just ended it before posting this log).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:45 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BrowsingEnhancer - {5ABBD91B-0215-2FE1-7A7E-753F05B40CB8} - C:\Program Files\BrowsingEnhancer\BrowsingEnhancer-2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [Del21678] cmd /c del C:\WINDOWS\system32\RKInstaller.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [PackNoVs] "C:\WINDOWS\BricoPacks\Vista Inspirat\Pack It!.exe" --unsetvs (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - .DEFAULT User Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - .DEFAULT User Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe (User 'Default user')
O4 - Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2C4964E-D37C-49C2-BE30-4B842DC88C7B}: NameServer = 206.248.154.170 206.248.154.22
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (file missing)
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 6482 bytes



Also, I've found a few programs that I have no idea what they are in my Add/Remove Programs list. The ones in red boxes I have never installed, don't know what they are, and what I want gone. I found them all here today after my brother got off the computer, and they all seem suspicious. Any help getting those removed would be helpful as well. Should I just simply uninstall them? I just don't want to try to remove anything myself without consulting a pro first, because I don't want to leave anything behind.

Suspcious Files Part 1:
http://i31.tinypic.com/34fy8ts.png

Suspicious Files Part 2:
http://i27.tinypic.com/2ccnloi.png


Any help I recieve to remove all this garbage would be highly appreciated. Thanks a lot.


- Kanye

Edited by Kanye, 22 January 2008 - 04:24 PM.


BC AdBot (Login to Remove)

 


#2 Kanye

Kanye
  • Topic Starter

  • Members
  • 97 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:20 AM

Posted 30 January 2008 - 12:27 PM

I seemed to have fixed the problem via System Restores, multiple virus/spyware scans and help from a HJT expert. :thumbsup:

#3 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:20 AM

Posted 30 January 2008 - 12:55 PM

Thank you for the update Kanye.
This topic is now closed.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users