

Antivirus Xp 2008, Antispyware 2008 Xp


  • This topic is locked
9 replies to this topic

#1 jstyle711

jstyle711

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 28 August 2008 - 12:31 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37: VIRUS ALERT!, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\printer.exe
C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe
C:\WINDOWS\system32\lphce15j0e18g.exe
C:\Documents and Settings\johnd\Local Settings\Temp\.tt417.tmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\johnd\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\johnd\Desktop\spyware\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoApp Class - {28A73C97-A538-08EE-FA8A-1CF3009DB0D0} - C:\Program Files\altcmd\altcmd32.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: QXK Olive - {CF36791A-1847-4059-8BB4-89C28E514C6D} - C:\WINDOWS\rodqgpvlkmb.dll
O2 - BHO: (no name) - {DD861218-A2AC-46EA-AD5A-6E97F48ACA50} - C:\WINDOWS\system32\pmnljijI.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: qalkfxor - {D15D9083-1F4E-406F-B1EA-F38E43FBC59D} - C:\WINDOWS\qalkfxor.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SYSTEM.rt32] C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [lphce15j0e18g] C:\WINDOWS\system32\lphce15j0e18g.exe
O4 - HKLM\..\Run: [inrhca15j0e18g] C:\Documents and Settings\johnd\Local Settings\Temp\.tt417.tmp.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\johnd\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.wpcuds.usace.army.mil (HKLM)
O15 - ESC Trusted Zone: *.wpcuds.usace.army.mil (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O17 - HKLM\Software\..\Telephony: DomainName = eis.ds.usace.army.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: pmnljijI - C:\WINDOWS\SYSTEM32\pmnljijI.dll
O21 - SSODL: rqbmvpso - {2991936D-761D-4A67-9012-04AD0988D443} - C:\WINDOWS\rqbmvpso.dll
O21 - SSODL: pdoskegl - {D1C2ED7C-BEB7-415A-BC9F-C8DF3AA194FE} - C:\WINDOWS\pdoskegl.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10503 bytes
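Reading a log of this size by eye is slow, and the tell-tale entries are scattered across sections. The script below is an added example for this thread, not a tool from the original post, from Trend Micro or from BleepingComputer: it applies the checks a reviewer makes on a HijackThis log and says why each entry was flagged. The rules are assumptions of the example (a default XP install with Windows in C:\WINDOWS, the vowel-ratio and consonant thresholds, the list of user-writable folders); the sample input is a verbatim excerpt of the log in post #1.

```python
"""Triage pass over a Trend Micro HijackThis 2.0.2 log. Added example for this
thread, not a tool from the original post, Trend Micro or BleepingComputer: it
ranks the entries a reviewer would examine first and says why. The thresholds
and path conventions below are the example's own assumptions."""
import ntpath
import re

# Sample input: a verbatim excerpt of the log posted in #1 above.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\system32\\lsass.exe
C:\\DOCUME~1\\johnd\\LOCALS~1\\Temp\\lsass.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\shell.exe
O2 - BHO: QXK Olive - {CF36791A-1847-4059-8BB4-89C28E514C6D} - C:\\WINDOWS\\rodqgpvlkmb.dll
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [SYSTEM.rt32] C:\\DOCUME~1\\johnd\\LOCALS~1\\Temp\\lsass.exe
O4 - HKLM\\..\\Run: [lphce15j0e18g] C:\\WINDOWS\\system32\\lphce15j0e18g.exe
O4 - HKCU\\..\\Run: [Spoolsv] C:\\WINDOWS\\system32\\spoolvs.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\wowfx.dll
O20 - Winlogon Notify: pmnljijI - C:\\WINDOWS\\SYSTEM32\\pmnljijI.dll
O21 - SSODL: rqbmvpso - {2991936D-761D-4A67-9012-04AD0988D443} - C:\\WINDOWS\\rqbmvpso.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\\WINDOWS\\privacy_danger\\index.htm
"""

WINDIR, SYSTEM32 = "c:\\windows", "c:\\windows\\system32"
# Core XP binaries and the only directory each should run from (default install assumed).
SYSTEM_BINARIES = dict.fromkeys(("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                                 "lsass.exe", "svchost.exe", "spoolsv.exe"), SYSTEM32)
SYSTEM_BINARIES["explorer.exe"] = WINDIR
USER_WRITABLE = re.compile(r"\\(Temp|DOCUME~1|Documents and Settings|Application Data|Local Settings|Startup)\\", re.I)
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|scr|bat|vbs))(?![A-Za-z0-9])', re.I)
# Entry types that load code at logon or lock the user out of repair tools: always worth a look.
KIND_REASONS = {"O7": "system policy restriction (DisableRegedit and friends)",
                "O20": "AppInit_DLLs / Winlogon Notify DLL: injected into other processes at start-up",
                "O21": "SSODL DLL: loaded by Explorer at logon",
                "O24": "Active Desktop component (rogue-AV warning wallpaper pattern)"}


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: a transposition (spoolvs/spoolsv) costs 1."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def looks_generated(name):
    """Heuristic for machine-generated names such as rodqgpvlkmb or lphce15j0e18g."""
    stem = re.sub(r"\{[^}]*\}", "", name)          # ignore embedded GUIDs
    if stem.isupper():                              # all-caps acronyms (WMPNSCFG) are not random
        return False
    low = stem.lower()
    letters = [c for c in low if c.isalpha()]
    if len(letters) >= 7 and sum(c in "aeiouy" for c in letters) / len(letters) <= 0.2:
        return True                                 # almost no vowels
    return len(re.findall(r"[a-z]+|[0-9]+", low)) >= 4   # letters and digits interleaved


def check_path(path, reasons):
    """Append every reason an executable or DLL path deserves attention."""
    low = path.lower()
    base, directory = ntpath.basename(low), ntpath.dirname(low)
    if USER_WRITABLE.search(path):
        reasons.append(f"runs from user-writable location: {path}")
    if base in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[base]:
        reasons.append(f"system binary name {base} outside {SYSTEM_BINARIES[base]}")
    if base not in SYSTEM_BINARIES:
        reasons.extend(f"{base} is a lookalike of {legit}" for legit in SYSTEM_BINARIES
                       if osa_distance(base, legit) == 1)
    if directory == WINDIR:
        reasons.append(f"module sitting in the %WINDIR% root: {path}")
    stem = ntpath.splitext(ntpath.basename(path))[0]   # original case, so acronyms survive
    if looks_generated(stem):
        reasons.append(f"machine-generated file name: {stem}")


def triage(log_text):
    """Return [(entry, reasons)] for the entries worth a closer look, most reasons first."""
    findings, in_procs = [], False
    for line in map(str.strip, log_text.splitlines()):
        reasons = []
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(line)                   # the block ends at the first blank line
            if line:
                check_path(line, reasons)
        elif (m := re.match(r"([RFO]\d+) - (.*)", line)):
            kind, body = m.groups()
            if kind in KIND_REASONS:
                reasons.append(KIND_REASONS[kind])
            if kind == "F2" and "Shell=" in body:   # anything but a bare Explorer.exe is a hijack
                shell = body.split("Shell=", 1)[1].strip()
                if shell.lower() != "explorer.exe":
                    reasons.append(f"Winlogon Shell value hijacked: {shell!r}")
            if kind == "O4" and (name := re.search(r"\[([^\]]*)\]", body)) and looks_generated(name.group(1)):
                reasons.append(f"machine-generated Run value name: {name.group(1)}")
            for path in PATH_RE.findall(body):
                check_path(path, reasons)
        if reasons:
            findings.append((line, reasons))
    return sorted(findings, key=lambda f: -len(f[1]))


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry, *("   -> " + r for r in reasons), sep="\n")
```

Run it as-is to see the excerpt ranked, or pass a whole saved log to triage(). It is a ranking aid, not a verdict: the name heuristics are crude and will misjudge some vendor names, which is why every flag carries its reason and the benign iTunesHelper entry in the sample is expected to produce none.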



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:43 PM

Posted 28 August 2008 - 03:16 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 jstyle711

jstyle711
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 28 August 2008 - 06:34 PM

Hi, downloaded a program, installed it. Bad mistake. Windows started to pop up, did not install any of the programs that were recommended due to me being somewhat familiar with this situation. Decided to make a HijackThis log and post it on here.

Thanks

Edited by jstyle711, 28 August 2008 - 06:35 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:43 PM

Posted 30 August 2008 - 07:52 AM

Hello jstyle711.

Your machine is heavily infected :thumbsup: . Are you posting from another computer? If so, please transfer required files over to the infected computer's desktop.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Remove WebHancer
Copy down the rest of the instructions for removing WebHancer in case you lose Internet access.

Download LSPFix.zip to your desktop for later use. Extract the contents by right clicking and selecting Extract All.

Uninstall WebHancer using Add/Remove Programs. You may require a restart.
  • Double click lspfix.exe to run it.
  • Check the I know what I'm doing (or enjoy re-installing my operating system) box.
  • Click Finish without changing any settings.
Download and Run SDFix
You can find complete instructions on running SDFix in the link below:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

SDFix is for Windows 2000 and Windows XP only.
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode (refer to the instructions below). Print these instructions or save it onto your desktop as you will now be able to view them in Safe Mode.
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow SDFix to boot the computer into a normal boot.
  • At reboot, the prompt window will pop-up, along with a log (\rapport.txt) shortly after. Copy the contents of the log back in your next reply.
How to boot into Safe Mode
If you are unfamiliar with the boot process, please jot down the boot instructions. Copy down any instructions you need for Safe Mode.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.


Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:
-------------
Please post back with:
-the SDFix log
-the MalwareBytes log
-a new HijackThis log

Also comment on how your computer is running now.

With Regards,
The Panda

Edited by PropagandaPanda, 30 August 2008 - 11:57 AM.


#5 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:10:43 PM

Posted 07 September 2008 - 12:02 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:10:43 PM

Posted 09 September 2008 - 09:58 AM

Topic reopened per request. :thumbsup:
SNOWHITE

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:43 PM

Posted 09 September 2008 - 10:39 AM

Hello.

From PM:

SDFix: Version 1.220
Run by johnd on Mon 09/08/2008 at 22:33

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Resetting SecurityProviders Value
Restoring Default ScreenSaver value
Restoring Windows Product ID To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lphce15j0e18g.exe - Deleted
C:\WINDOWS\system32\pmnljijI.dll - Deleted
C:\WINDOWS\system32\phce15j0e18g.bmp - Deleted
C:\WINDOWS\system32\blphce15j0e18g.scr - Deleted
C:\WINDOWS\EBPX.EXE - Deleted
C:\Documents and Settings\johnd\Application Data\printer.exe - Deleted
C:\Documents and Settings\johnd\Application Data\Microsoft\dtsc\10804.exe - Deleted
C:\Documents and Settings\johnd\Application Data\Microsoft\dtsc\s - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080827001437573.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080827213511043.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080828100900428.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080902221231181.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080902221415481.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080908215233669.log - Deleted
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\Documents and Settings\johnd\Local Settings\Temp\.tt417.tmp.exe - Deleted
C:\Documents and Settings\johnd\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\johnd\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\johnd\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\johnd\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\johnd\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\johnd\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\altcmd\altcmd.inf - Deleted
C:\Program Files\altcmd\altcmd32.dll - Deleted
C:\Program Files\altcmd\uninstall.bat - Deleted
C:\Program Files\Dot1XCfg\Dot1XCfg.exe - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt3.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt4.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt411.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt417.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt429.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt5.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt6.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt7.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.ttA.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.ttB.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.ttC.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.ttD.tmp - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt417.tmp.exe - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt3.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt4.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt411.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt5.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.tt6.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\.ttB.tmp.vbs - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\lwpwer.exe.bat - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\WINDOWS\rodqgpvlkmb.dll - Deleted
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\johnd\Start Menu\Programs\Startup\findfast.exe - Deleted
C:\Documents and Settings\johnd\Application Data\temp.dll - Deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\services\services.dll - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\lwpwer.exe - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\removalfile.bat - Deleted
C:\DOCUME~1\johnd\LOCALS~1\Temp\sys.exe - Deleted
C:\WINDOWS\pdoskegl.dll - Deleted
C:\WINDOWS\qalkfxor.dll - Deleted
C:\WINDOWS\rqbmvpso.dll - Deleted
C:\WINDOWS\rvoelbxt.exe - Deleted
C:\WINDOWS\shell.exe - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\spoolvs.exe - Deleted
C:\WINDOWS\twain_16.dll - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted



Folder C:\Documents and Settings\johnd\Application Data\Microsoft\dtsc - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\Secure Solutions - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Application Data\services - Removed
Folder C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008 - Removed
Folder C:\Program Files\altcmd - Removed
Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 22:42:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272cadf6d]
"0012477ebf6f"=hex:14,e2,ed,35,a3,0a,ea,9a,86,42,fb,1d,ba,c0,b8,d5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,46,58,f1,2c,0f,a2,40,c6,82,f2,7e,4a,98,37,25,14,06,..
"hj34z0"=hex:f4,d6,6b,d9,3d,ae,68,3e,ad,24,32,60,92,a2,c5,06,12,4e,1c,82,f9,..
"hj34z1"=hex:34,d7,ad,a7,57,af,1a,ba,ae,24,2e,ea,91,a2,03,89,10,4e,6c,17,03,..
"hj34z2"=hex:31,d7,9a,ad,52,af,59,44,ab,24,41,1f,94,a2,77,82,15,4e,ee,0b,06,..
"hj34z3"=hex:3a,d7,70,c9,59,af,8e,2a,a0,24,99,79,9f,a2,ab,18,1e,4e,2d,a1,0d,..
"hj34z4"=hex:26,d7,62,85,45,af,ef,5e,bc,24,35,05,83,a2,41,6f,02,4e,1e,ec,11,..
"hj34z5"=hex:22,d7,8c,bc,41,af,43,54,b8,24,5c,0e,87,a2,71,74,06,4e,e5,f4,15,..
"hj34z6"=hex:2e,d7,74,e7,4d,af,59,7c,b4,24,70,26,8b,a2,90,4c,0a,4e,75,cc,19,..
"hj34z7"=hex:2d,d7,39,29,4e,af,51,ca,b7,24,03,98,88,a2,f1,fa,09,4e,20,82,1d,..
"hj34z8"=hex:29,d7,ec,5c,4a,af,0c,b7,b3,24,76,ed,8c,a2,e4,97,0d,4e,e1,16,1e,..
"hj34z9"=hex:14,d7,5b,2e,77,af,82,c4,8e,24,90,9e,b1,a2,99,04,31,4e,0f,84,22,..
"hj34z10"=hex:10,d7,00,e6,73,af,82,7c,8a,24,5b,26,b5,a2,23,4f,34,4e,7c,cf,27,..
"hj34z11"=hex:1f,d7,a4,b0,7c,af,59,53,85,24,a0,10,ba,a2,33,75,3b,4e,49,f5,28,..
"hj34z12"=hex:1a,d7,93,a2,79,af,56,41,80,24,b6,e2,bf,a2,08,83,3e,4e,08,0b,2d,..
"hj34z13"=hex:19,d7,86,59,7a,af,50,ba,83,24,4a,e7,bc,a2,6a,8c,3d,4e,c2,0f,2e,..
"hj34z14"=hex:04,d7,d1,ab,67,af,bb,4b,9e,24,de,18,a1,a2,c2,7a,20,4e,3d,fd,33,..
"hj34z15"=hex:03,d7,c6,96,60,af,d9,6c,99,24,88,35,a6,a2,00,5e,27,4e,d0,d9,34,..
"hj34z16"=hex:0e,d7,4c,c8,6d,af,73,2a,94,24,3d,77,ab,a2,3b,1f,2a,4e,ed,9e,39,..
"hj34z17"=hex:0c,d7,ac,18,6f,af,c1,fa,96,24,b8,a7,a9,a2,a8,cc,28,4e,4c,4f,3b,..
"hj34z18"=hex:0b,d7,67,bc,68,af,b7,59,91,24,82,0a,ae,a2,41,6b,2f,4e,4a,f2,3c,..
"hj34z19"=hex:09,d7,2b,db,15,af,64,3b,ec,24,d7,67,d3,a2,79,0c,52,4e,8b,8f,41,..
"hj34z20"=hex:74,d7,8c,57,17,af,d9,af,ee,24,48,f4,d1,a2,80,91,50,4e,0c,18,43,..
"hj34z21"=hex:73,d7,8a,d7,10,af,e0,2f,e9,24,03,74,d6,a2,12,10,57,4e,61,9b,44,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272cadf6d]
"0012477ebf6f"=hex:14,e2,ed,35,a3,0a,ea,9a,86,42,fb,1d,ba,c0,b8,d5

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Java\\jre1.6.0_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_04\\bin\\javaw.exe:*:Disabled:Java™ Platform SE binary"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Documents and Settings\\johnd\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"="C:\\Documents and Settings\\johnd\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe:*:Enabled:Main program for Octoshape client"
"C:\\Documents and Settings\\johnd\\Application Data\\printer.exe"="C:\\Documents and Settings\\johnd\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\johnd\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\johnd\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\johnd\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\johnd\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\johnd\\Application Data\\printer.exe"="C:\\Documents and Settings\\johnd\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\johnd\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\johnd\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\johnd\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\johnd\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 27 May 2005 46,080 A..H. --- "C:\John\JOHN\~WRL0001.tmp"
Mon 30 May 2005 43,520 A..H. --- "C:\John\JOHN\~WRL0002.tmp"
Sun 5 Jun 2005 37,376 A..H. --- "C:\John\JOHN\~WRL0003.tmp"
Sun 19 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Tue 15 Nov 2005 78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005 12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Tue 7 Feb 2006 114 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti4A.tmp"
Wed 30 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv02.tmp"
Tue 6 Feb 2007 20,480 A..H. --- "C:\Documents and Settings\johnd\Desktop\School crap\BIOSOLIDS\~WRL0002.tmp"
Sun 19 Mar 2006 4,348 A..H. --- "C:\Documents and Settings\johnd\My Documents\My Music\License Backup\drmv1key.bak"
Mon 16 Oct 2006 20 A..H. --- "C:\Documents and Settings\johnd\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 16 Oct 2006 9,656 A.SH. --- "C:\Documents and Settings\johnd\My Documents\My Music\License Backup\drmv2key.bak"

Finished!




Malwarebytes' Anti-Malware 1.25
Database version: 1127
Windows 5.1.2600 Service Pack 2

11:23:21 PM 9/8/2008
mbam-log-09-08-2008 (23-23-21).txt

Scan type: Quick Scan
Objects scanned: 64690
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 5
Files Infected: 21

Memory Processes Infected:
C:\Program Files\webHancer\Programs\whagent.exe (Adware.WebHancer) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.WebHancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.bafv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\webhancer agent (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
C:\WINDOWS\system32\append.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xlib254.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhca15j0e18g (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\webHancer\Programs\webhdll.dll (Adware.WebHancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whiehlpr.dll (Adware.WebHancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs\whagent.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifgDtsP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\A3R4L8HH\td1[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\A3R4L8HH\d100526[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\J9U2AK3D\dkf[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\J9U2AK3D\cntr[1].gif (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\QG4XU89Z\sys[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\johnd\Local Settings\Temporary Internet Files\Content.IE5\QG4XU89Z\installercash[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\license.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\readme.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\SET15.tmp (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\SET17.tmp (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\SET1B.tmp (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\SET1D.tmp (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\SET1F.tmp (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\sporder.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whagent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\secdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:31:08, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Sandboxie\SandboxieServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\johnd\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\johnd\Desktop\spyware1\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SYSTEM.rt32] C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\johnd\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.wpcuds.usace.army.mil (HKLM)
O15 - ESC Trusted Zone: *.wpcuds.usace.army.mil (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O17 - HKLM\Software\..\Telephony: DomainName = eis.ds.usace.army.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eis.ds.usace.army.mil
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Sandboxie Service (SandboxU) - tzuk - C:\Program Files\Sandboxie\SandboxieServer.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 8112 bytes

The Panda

Edited by PropagandaPanda, 09 September 2008 - 10:40 AM.
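A defender-side triage of the two artifacts this thread turns on: the firewall AuthorizedApplications list in the SDFix output, and the O4 Run entry pointing at lsass.exe in a Temp folder. This is an added example for the thread, not a tool from the post or from SDFix/HijackThis/MBAM; the sample export is constructed from the pattern of the logged entries, and the system-name list, directory markers and scoring heuristics are my assumptions.

```python
"""Heuristic review of Windows XP firewall 'AuthorizedApplications' entries
and HijackThis O4 (Run key) lines: flag paths that deserve a closer look.
Constructed sample input modelled on the posted logs; not captured data."""
import difflib
import re

# Genuine Windows XP system processes; the posted HijackThis logs show the
# real ones running from C:\WINDOWS\system32 (assumed list).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Directories a limited user can write to, long and 8.3 short spellings.
WRITABLE_MARKERS = ("\\application data\\", "\\applic~1\\",
                    "\\local settings\\temp\\", "\\locals~1\\temp\\",
                    "\\start menu\\programs\\startup\\")

# Constructed .reg-style export in the format of the SDFix section above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\johnd\\Application Data\\printer.exe"="C:\\Documents and Settings\\johnd\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

# The O4 line the helper asked to fix, as it appears in the HijackThis log.
SAMPLE_O4 = r'O4 - HKLM\..\Run: [SYSTEM.rt32] C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe'


def parse_firewall_export(text):
    """Yield (path, state, description) from AuthorizedApplications lines.
    The value is 'path:scope:state:description'; the path itself contains
    'C:', so split from the right rather than on the first colon."""
    for line in text.splitlines():
        m = re.match(r'^"(.+)"="(.+)"$', line.strip())
        if not m:
            continue
        parts = m.group(2).rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, _scope, state, desc = parts
        yield path.replace("\\\\", "\\"), state, desc


def parse_hjt_o4(line):
    """Return the executable path from a HijackThis O4 line, or None."""
    m = re.match(r'O4 - .*?\[.*?\]\s+"?([^"]+?\.exe)', line, re.I)
    return m.group(1) if m else None


def review_path(path, desc=""):
    """Return the reasons a path deserves review (empty list if none)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    in_system32 = "\\windows\\system32\\" in low or "%windir%\\system32\\" in low
    if name in SYSTEM_NAMES and not in_system32:
        reasons.append("system process name outside WINDOWS\\system32")
    for real in SYSTEM_NAMES:  # near-miss spellings such as spoolvs vs spoolsv
        if name != real and difflib.SequenceMatcher(None, name, real).ratio() >= 0.85:
            reasons.append("lookalike of %s" % real)
    if any(marker in low for marker in WRITABLE_MARKERS):
        reasons.append("runs from a user-writable profile/Temp/Startup directory")
    if desc.startswith("@"):
        reasons.append("description is a resource reference, not a product name")
    return reasons


def review_firewall_export(text):
    """Map each firewall-authorized path to its list of review reasons."""
    return {path: review_path(path, desc)
            for path, _state, desc in parse_firewall_export(text)}


if __name__ == "__main__":
    for path, reasons in review_firewall_export(SAMPLE_EXPORT).items():
        print("%-7s %s" % ("REVIEW" if reasons else "ok", path))
        for r in reasons:
            print("        - " + r)
    o4 = parse_hjt_o4(SAMPLE_O4)
    print("%-7s %s" % ("REVIEW" if review_path(o4) else "ok", o4))
```

The flags are prompts for a human reviewer, as in the thread, not verdicts: a legitimate product can live under a profile directory, as the Octoshape client does in these logs.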


#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 09 September 2008 - 06:24 PM

Hello Jstyle711.

Things look much better, but we are not quite finished.

First of all, MalwareBytes quarantined a false positive.

Please open MBAM, go to the Quarantine tab, and select the following item:
C:\WINDOWS\system32\drivers\secdrv.sys
Click Restore.

The next time this entry appears in a scan, put that under the Ignore List.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • Wait a few moments for the list to be compiled.
  • To the left of each entry you will see a check box. Check the box next to the following entries:

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O4 - HKLM\..\Run: [SYSTEM.rt32] C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it. If it is marked "(file missing)", put a check mark next to its box anyway.
  • Close all open windows except HijackThis.
  • Click Posted Image and OK at the prompt.
  • The screen will clear itself.
  • Close out of HijackThis.

Download and Run OTMoveIT
  • Please download OTMoveIt2 by OldTimer to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    SDhelper
    C:\DOCUME~1\johnd\LOCALS~1\Temp\lsass.exe

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both C:\rsit\log.txt and C:\rsit\info.txt.


Please post back with:
-the OTMoveIt log
-the Kaspersky log
-the RSIT logs

With Regards,
The Panda

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 September 2008 - 08:08 PM

Hello Jstyle711.

Are you still here? Do you still need help?

It is important that you respond promptly because things can change quickly.

Please give me an update on the situation.

With Regards,
The Panda

#10 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 16 September 2008 - 01:42 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
SNOWHITE