
Webenhancer Got Me


2 replies to this topic

#1 zukertort

zukertort

  • Members
  • 25 posts

Posted 17 June 2008 - 06:44 PM

Hello all,
I got hit with a virus/trojan/whatever when I tried to read a chess book of all things. Webenhancer [among other things] was involved. I've managed to patch things up a bit because I have a dual boot computer, so I could run some programs from an account on one drive on another drive.

However, there appears to be a sensitive file or registry or something because whenever I run SuperAntispyware or malwarebytes on the drive that has the problem [from either inside that account or from the clean account!] every time it hits a snag and reboots. I can use my computer fine if I am not running a spyware/malware check on that drive [including being able to run an entire scan on my much larger "clean" drive.]

My command prompt won't stay open, I cannot get to task manager, and my internet was broken, but I have partially repaired that with LSP-fix. I say partially because I can get to some websites but not others.

I looked at the "Getting rid of WebEnhancer" topic, but the only part of that which applied to me was removing the \Webenhancer folder [the other items had been removed by my various virus scans.] However, evidently some keys are still there based on the HJT report....

Anyways, here are the log files:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1535.36 MiB / 1082.7 MiB
Pagefile Memory (total/avail): 2924.8 MiB / 2476.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.91 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 120.01 GiB total, 43.63 GiB free.
D: is Fixed (NTFS) - 23.03 GiB total, 12.03 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 126.96 GiB total, 85.84 GiB free.
H: is Fixed (NTFS) - 232.88 GiB total, 194.64 GiB free.

\\.\PHYSICALDRIVE1 - Maxtor 6B160R0 - 152.66 GiB - 4 partitions
\PARTITION0 (bootable) - Installable File System - 126.96 GiB - G:
\PARTITION1 - Extended Partition - 25.71 GiB

\\.\PHYSICALDRIVE0 - ST3160021A - 149.05 GiB - 3 partitions
\PARTITION0 - Unknown - 6.01 GiB
\PARTITION1 (bootable) - Installable File System - 120.01 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 23.03 GiB - D:

\\.\PHYSICALDRIVE2 - ST325082 3A USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;D:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=RUDEL
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\RUDEL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\Program Files\MiKTeX 2.7\miktex\bin;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\Intel\DMIX;D:\Program Files\ATI Technologies\ATI.ACE\;D:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=D:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=RUDEL
USERNAME=Administrator
USERPROFILE=D:\Documents and Settings\Administrator
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

David (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
1&1 EasyLogin --> D:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe
Adobe Flash Player ActiveX --> D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> D:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> D:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AFPL Ghostscript 8.53 --> D:\Program Files\gs\uninstgs.exe "D:\Program Files\gs\gs8.53\uninstal.txt"
AFPL Ghostscript Fonts --> D:\Program Files\gs\uninstgs.exe "D:\Program Files\gs\fonts\uninstal.txt"
AIM 6 --> D:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Applian FLV Player --> "D:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:D:\Program Files\FLV Player\Uninstall\uninstall.xml"
ATI - Software Uninstall Utility --> D:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> D:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Command --> wscript "D:\WINDOWS\RA\lE.vbs"
Enhancement Browser Tools Targetedbanner --> D:\WINDOWS\system32\{f11d65fa-71dd-1c46-c41f-0a3bf9cd940f}.dll-uninst.exe
GoToMeeting/GoToWebinar 3.0.0.198 --> D:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
GSview 4.9 --> D:\Program Files\Ghostgum\gsview\uninstgs.exe "D:\Program Files\Ghostgum\gsview\uninstal.txt"
Hello Engines! Professional 6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E3575350-3A00-4C5E-9C48-48775D7E8E0C}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Inkscape 0.46 --> D:\Program Files\Inkscape\Uninstall.exe
Intel® Network Connections 13.0.42.0 --> MsiExec.exe /i{2223FC2F-B862-4F83-BC9E-DDF2DADF2859} ARPREMOVE=1
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Juniper Networks Cache Cleaner 5.5.0 --> "D:\Documents and Settings\Administrator\Application Data\Juniper Networks\Cache Cleaner 5.5.0\uninstall.exe"
Juniper Networks Host Checker --> "D:\Documents and Settings\Administrator\Application Data\Juniper Networks\Host Checker\uninstall.exe"
Juniper Networks Secure Application Manager --> D:\Program Files\Juniper Networks\Secure Application Manager\UninstallSAM.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "D:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MiKTeX 2.7 --> "D:\Program Files\MiKTeX 2.7\miktex\bin\copystart_admin.exe" "D:\Program Files\MiKTeX 2.7\miktex\config\uninstall.dat"
Mozilla Firefox (2.0.0.14) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
Network Monitor --> wscript "D:\WINDOWS\uninstall_nmon.vbs"
NetXfer 2.57.399 --> "D:\Program Files\Xi\NetXfer\unins000.exe"
PDFill PDF Editor with FREE PDF Writer and Tools --> MsiExec.exe /I{D12EBB4E-CF21-496D-979F-89D9DE58C5B8}
PDFill PDF Writer --> D:\WINDOWS\system32\uninstpw.exe D:\Program Files\PlotSoft\PDFill
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
SimplyCapture --> "D:\WINDOWS\SimplyCapture\uninstall.exe" "/U:D:\Program Files\SimplyCapture\irunin.xml"
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
VideoLAN VLC media player 0.8.6f --> D:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> D:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "D:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinEdt --> "D:\Program Files\WinEdt Team\WinEdt\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type403 / Error
Event Submitted/Written: 06/16/2008 04:06:38 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application avgsetup.exe, version 8.0.0.100, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type393 / Error
Event Submitted/Written: 06/12/2008 03:25:17 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module firefox.exe, version 1.8.20080.40413, fault address 0x0073aa47.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type392 / Error
Event Submitted/Written: 06/12/2008 03:14:28 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type391 / Error
Event Submitted/Written: 06/12/2008 02:58:58 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x000109fb.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type390 / Error
Event Submitted/Written: 06/12/2008 02:56:57 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.40413, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1345 / Error
Event Submitted/Written: 06/17/2008 06:55:40 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Monitor service failed to start due to the following error:
%%2

Event Record #/Type1323 / Error
Event Submitted/Written: 06/17/2008 06:44:30 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%10106

Event Record #/Type1322 / Error
Event Submitted/Written: 06/17/2008 06:44:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Monitor service failed to start due to the following error:
%%2

Event Record #/Type1321 / Error
Event Submitted/Written: 06/17/2008 06:44:30 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).

Event Record #/Type1320 / Warning
Event Submitted/Written: 06/17/2008 06:44:20 PM
Event ID/Source: 1006 / Dhcp
Event Description:
Your computer was unable to automatically configure the IP parameters for
the Network Card with the network address 000EA65231CD. The following error occurred
during configuration: %%10106.



-- End of Deckard's System Scanner: finished at 2008-06-17 19:11:58 ------------

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-17 19:07:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-06-17 23:07:58 UTC - RP71 - Deckard's System Scanner Restore Point
41: 2008-06-17 21:18:22 UTC - RP70 - Installed SUPERAntiSpyware Professional
40: 2008-06-16 08:07:44 UTC - RP69 - Configured AVG Free 8.0
39: 2008-06-16 08:06:25 UTC - RP68 - Installed AVG Free 8.0
38: 2008-06-16 07:51:46 UTC - RP67 - Last known good configuration


-- First Restore Point --
1: 2008-06-16 07:51:30 UTC - RP30 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:58 PM, on 6/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Administrator\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\iftuyszv.exe,
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - D:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [webHancer Agent] D:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] D:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] D:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\19822.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all by NetXfer - D:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - D:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - D:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210547427203
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.voyagerlearning.com/dana-cac...perSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayWNGWN - yayWNGWN.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RA\command.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - D:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6164 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 modemm - d:\windows\system32\drivers\modemm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "d:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "d:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Viewpoint Manager Service - "d:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 cmdService (Command Service) - d:\windows\ra\command.exe (file missing)
S2 MsSecurity1.209.4 (MsSecurity Updated) - d:\windows\444.470 service (file missing)
S2 Network Monitor - d:\program files\network monitor\netmon.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&35F762C4&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&35F762C4&0
Service: i8042prt

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8129104D&REV_02\3&267A616A&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8129104D&REV_02\3&267A616A&0&FE
Service:


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 18:07:59 0 d-------- D:\Program Files\Trend Micro
2008-06-17 17:28:39 0 d-------- D:\Documents and Settings\David\Application Data\SUPERAntiSpyware.com
2008-06-17 17:18:33 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-17 17:18:24 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-06-17 17:18:24 0 d-------- D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-17 17:18:02 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 17:16:54 0 d--hs---- D:\WINDOWS\CSC
2008-06-17 16:08:13 0 --a------ D:\ejgjmpsv
2008-06-17 11:38:14 0 d--h----- D:\$AVG8.VAULT$
2008-06-17 11:28:40 0 d-------- D:\Documents and Settings\David\Application Data\Mozilla
2008-06-17 11:28:29 0 d-------- D:\Documents and Settings\David\Application Data\Juniper Networks
2008-06-17 11:28:08 0 d-------- D:\Documents and Settings\David\Application Data\ATI
2008-06-17 11:27:24 0 d-------- D:\Documents and Settings\David\Application Data\Identities
2008-06-17 11:26:28 0 d--h----- D:\Documents and Settings\David\Local Settings
2008-06-17 11:26:28 0 dr------- D:\Documents and Settings\David\Favorites
2008-06-17 11:26:28 0 d-------- D:\Documents and Settings\David\Desktop
2008-06-17 11:26:28 0 d--hs---- D:\Documents and Settings\David\Cookies
2008-06-17 11:26:28 0 dr-h----- D:\Documents and Settings\David\Application Data
2008-06-17 11:26:28 0 d---s---- D:\Documents and Settings\David\Application Data\Microsoft
2008-06-17 11:26:27 0 d--h----- D:\Documents and Settings\David\Templates
2008-06-17 11:26:27 0 dr------- D:\Documents and Settings\David\Start Menu
2008-06-17 11:26:27 0 dr-h----- D:\Documents and Settings\David\SendTo
2008-06-17 11:26:27 0 dr-h----- D:\Documents and Settings\David\Recent
2008-06-17 11:26:27 0 d--h----- D:\Documents and Settings\David\PrintHood
2008-06-17 11:26:27 1048576 --ah----- D:\Documents and Settings\David\NTUSER.DAT
2008-06-17 11:26:27 0 d--h----- D:\Documents and Settings\David\NetHood
2008-06-17 11:26:27 0 dr------- D:\Documents and Settings\David\My Documents
2008-06-16 04:07:54 0 d-------- D:\WINDOWS\system32\drivers\Avg
2008-06-16 04:06:26 0 d-------- D:\Program Files\AVG
2008-06-16 04:06:25 0 d-------- D:\Documents and Settings\All Users\Application Data\avg8
2008-06-16 03:52:19 81408 --a------ D:\WINDOWS\system32\hgswwgpg.dll
2008-06-16 03:51:19 1631 --ahs---- D:\WINDOWS\system32\tCcIkUvw.ini2
2008-06-16 03:47:28 0 d-------- D:\Documents and Settings\LocalService\Application Data\NetMon
2008-06-16 03:47:25 0 d-------- D:\Program Files\Network Monitor
2008-06-16 03:47:24 0 d--hs---- D:\WINDOWS\RA
2008-06-16 03:47:18 0 d-------- D:\WINDOWS\system32\pb109
2008-06-16 03:47:18 0 d-------- D:\WINDOWS\system32\dgi
2008-06-16 03:47:18 0 d-------- D:\WINDOWS\system32\3039a
2008-06-16 03:47:10 0 d-------- D:\WINDOWS\system32\netrax06
2008-06-16 03:46:58 0 d-------- D:\Program Files\webHancer
2008-06-16 03:46:37 0 d-------- D:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-16 03:46:32 0 d-------- D:\Program Files\uTorrent
2008-06-16 03:46:26 4 --a------ D:\WINDOWS\system32\hljwugsf.bin
2008-06-03 01:11:15 0 d-------- D:\Documents and Settings\All Users\Application Data\Google
2008-05-28 21:16:56 0 d-------- D:\Documents and Settings\Administrator\Application Data\acccore
2008-05-28 21:16:12 0 d-------- D:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-28 21:16:10 0 d-------- D:\Program Files\Viewpoint
2008-05-28 21:15:55 0 d-------- D:\Documents and Settings\All Users\Application Data\AOL
2008-05-28 21:15:55 0 d-------- D:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-28 21:15:30 0 d-------- D:\Program Files\Common Files\AOL
2008-05-28 21:15:15 0 d-------- D:\Program Files\AIM6
2008-05-23 22:00:00 0 d-------- D:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-05-23 18:20:02 0 d-------- D:\Documents and Settings\Administrator\Application Data\Help
2008-05-23 18:19:09 0 d-------- D:\Program Files\Ghostgum
2008-05-22 13:05:01 0 d-------- D:\Documents and Settings\Administrator\Application Data\1&1
2008-05-22 13:04:56 0 d-------- D:\Program Files\1&1
2008-05-22 12:32:17 0 d-------- D:\Documents and Settings\Administrator\Application Data\Inkscape
2008-05-22 12:27:29 0 d-------- D:\Program Files\Inkscape
2008-05-22 04:54:55 0 d-------- D:\Documents and Settings\Administrator\Application Data\AceBIT
2008-05-22 04:54:48 446976 --a------ D:\WINDOWS\system32\acebitaw.dll <Not Verified; AceBIT GmbH; >
2008-05-22 04:54:45 0 d-------- D:\Program Files\AceBIT
2008-05-22 04:06:18 0 d-------- D:\Program Files\gs
2008-05-22 04:05:25 53248 --a------ D:\WINDOWS\system32\uninstpw.exe
2008-05-22 04:05:25 90112 --a------ D:\WINDOWS\system32\custmon2k.dll
2008-05-22 04:05:17 24576 --a------ D:\WINDOWS\system32\custsave.exe <Not Verified; Acro Software Inc.; CutePDF Application>
2008-05-22 04:05:10 0 d-------- D:\Program Files\PlotSoft
2008-05-22 01:36:28 0 d-------- D:\Program Files\Xi
2008-05-21 23:53:53 6022652 --a------ D:\Documents and Settings\Administrator\Desktop(2)
2008-05-21 18:56:07 0 d-------- D:\WINDOWS\Prefetch
2008-05-21 18:35:00 0 d-------- D:\WINDOWS\system32\scripting
2008-05-21 18:35:00 0 d-------- D:\WINDOWS\l2schemas
2008-05-21 18:34:59 0 d-------- D:\WINDOWS\system32\en
2008-05-21 18:34:59 0 d-------- D:\WINDOWS\system32\bits
2008-05-21 18:32:45 0 d-------- D:\WINDOWS\ServicePackFiles
2008-05-21 18:30:13 0 d-------- D:\WINDOWS\network diagnostic
2008-05-21 18:13:22 0 d-------- D:\WINDOWS\system32\appmgmt
2008-05-21 17:52:57 0 d-------- D:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-21 17:52:54 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-21 14:47:09 0 d-------- D:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2008-05-21 14:34:02 0 d-------- D:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-05-19 12:48:29 0 d-------- D:\Program Files\Juniper Networks
2008-05-19 12:47:55 0 d-------- D:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-05-17 12:07:01 0 d-------- D:\Program Files\Citrix


-- Find3M Report ---------------------------------------------------------------

2008-06-17 17:18:02 0 d-------- D:\Program Files\Common Files
2008-06-16 03:50:31 0 d-------- D:\Program Files\BitLord
2008-06-16 01:44:56 0 d-------- D:\Documents and Settings\Administrator\Application Data\WinEdt
2008-05-22 04:54:45 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-05-22 04:54:23 0 d-------- D:\Program Files\Common Files\InstallShield
2008-05-21 18:35:24 0 d-------- D:\Program Files\Messenger
2008-05-21 18:34:59 0 d-------- D:\Program Files\Movie Maker
2008-05-21 18:32:26 0 d-------- D:\Program Files\Windows NT
2008-05-21 18:13:20 0 d-------- D:\Program Files\Common Files\Symantec Shared
2008-05-19 14:51:31 0 d-------- D:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-19 14:51:30 0 d-------- D:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-15 04:27:36 0 d-------- D:\Program Files\FLV Player
2008-05-15 00:57:17 0 d-------- D:\Documents and Settings\Administrator\Application Data\dvdcss
2008-05-15 00:57:08 0 d-------- D:\Documents and Settings\Administrator\Application Data\vlc
2008-05-15 00:56:17 0 d-------- D:\Program Files\VideoLAN
2008-05-15 00:54:20 0 d-------- D:\Program Files\Vim
2008-05-14 20:01:16 0 d-------- D:\Documents and Settings\Administrator\Application Data\Sun
2008-05-14 20:01:01 0 d-------- D:\Program Files\Java
2008-05-14 20:00:14 0 d-------- D:\Program Files\Common Files\Java
2008-05-13 10:52:13 0 d-------- D:\Program Files\SimplyCapture
2008-05-13 01:56:02 0 d-------- D:\Program Files\Windows Media Connect 2
2008-05-13 01:32:22 0 d-------- D:\Program Files\Netflix
2008-05-13 00:57:09 0 d-------- D:\Program Files\WinEdt Team
2008-05-12 23:43:14 0 d-------- D:\Program Files\Common Files\Adobe
2008-05-12 23:41:03 1007 --a------ D:\WINDOWS\mozver.dat
2008-05-12 23:33:42 0 d-------- D:\Program Files\MiKTeX 2.7
2008-05-12 13:57:21 0 d-------- D:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-12 13:57:18 0 d-------- D:\Program Files\iTunes
2008-05-12 13:57:07 0 d-------- D:\Program Files\iPod
2008-05-12 13:56:48 0 d-------- D:\Program Files\Bonjour
2008-05-12 13:56:42 0 d-------- D:\Program Files\QuickTime
2008-05-12 13:56:02 0 d-------- D:\Program Files\Apple Software Update
2008-05-12 13:55:17 0 d-------- D:\Program Files\Common Files\Apple
2008-05-12 12:31:16 0 d-------- D:\Program Files\Microsoft Works
2008-05-12 12:31:00 0 d-------- D:\Program Files\MSBuild
2008-05-12 12:29:41 0 d-------- D:\Program Files\Microsoft.NET
2008-05-12 12:27:48 0 d-------- D:\Program Files\Microsoft Visual Studio 8
2008-05-11 20:03:44 0 d-------- D:\Documents and Settings\Administrator\Application Data\ATI
2008-05-11 20:01:11 0 d-------- D:\Program Files\ATI Technologies
2008-05-11 19:17:45 0 --a------ D:\WINDOWS\nsreg.dat
2008-05-11 19:17:42 0 d-------- D:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-11 19:09:15 0 d-------- D:\Program Files\Intel


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 mpa.one.microsoft.com


-- End of Deckard's System Scanner: finished at 2008-06-17 19:11:58 ------------

Edited by zukertort, 17 June 2008 - 07:16 PM.
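An added Python example, not part of the thread or of Deckard's System Scanner, that parses a registry-dump section in the format above and flags what a helper reading this log would look at first: a Userinit value carrying more than the system's userinit.exe, lockdown policies such as DisableTaskMgr, and any AppInit_DLLs entry. The sample text is constructed from the values in this log; the second policy key is included because the "command prompt has been disabled" lockdown mentioned later in the thread is stored there as DisableCMD.

```python
# Parse the "-- Registry Dump --" section of a Deckard's System Scanner log (constructed sample).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\iftuyszv.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
"""  # values copied from the log above

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
# First key is where the log shows DisableTaskMgr; DisableCMD lives under the second.
POLICY_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system",
    r"hkey_current_user\software\policies\microsoft\windows\system")
RESTRICTIONS = ("disabletaskmgr", "disableregistrytools", "disablecmd")


def parse_dump(text):
    """Return {key path: {value name: raw value}} with names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name.lower()] = raw.strip().strip('"')
    return keys


def find_indicators(keys):
    """Return (kind, detail) tuples; an empty list means nothing was flagged."""
    findings = []
    # Winlogon runs every comma-separated Userinit entry; only userinit.exe belongs there.
    for entry in keys.get(WINLOGON, {}).get("userinit", "").split(","):
        entry = entry.strip()
        if entry and not entry.lower().endswith(r"\userinit.exe"):
            findings.append(("userinit_extra", entry))
    # Lockdown policies that hinder cleanup (Task Manager, regedit, cmd).
    for key in POLICY_KEYS:
        for name in RESTRICTIONS:
            if (keys.get(key, {}).get(name) or "0").split()[0] not in ("0", "0x0"):
                findings.append(("policy_restriction", name))
    # AppInit_DLLs loads into every user32-linked process: expected for an AV
    # component, not for an unknown DLL, so always surface it for review.
    dll = keys.get(WINDOWS, {}).get("appinit_dlls")
    if dll:
        findings.append(("appinit_dll", dll))
    return findings
```

Run against the sample it reports the appended iftuyszv.exe, the DisableTaskMgr policy and the AppInit DLL; on a clean Winlogon key with only userinit.exe it reports nothing.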



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 June 2008 - 11:21 PM

Hello zukertort,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 June 2008 - 11:12 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.