Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


please check this log: is there an infection?

  • This topic is locked This topic is locked
4 replies to this topic

#1 doolak


  • Members
  • 8 posts
  • Local time:04:56 AM

Posted 24 December 2004 - 09:06 AM

hi all!!!

could u please check this logfile, if there is any infection on that computer???

Logfile of HijackThis v1.99.0
Scan saved at 13:42:34, on 24.12.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [CleanUp] C:\DOKUME~1\CKONE_~1\LOKALE~1\Temp\2004122413626_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SMS-Manager] C:\PROGRA~1\GMX\GMXSMS~1\SMSMngr.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103746493195
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{96154B7B-454C-4A9F-8B8A-A0CA8B28DFBD}: NameServer =
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

waiting for ur reply.....



BC AdBot (Login to Remove)


#2 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:01:56 AM

Posted 24 December 2004 - 07:56 PM

Happy Holidays and welcome to BC, doolak. I'll check your log. I could take me a day. I'll get back with you. :thumbsup:
patiently patrolling, plenty of persisant pests n' problems ...

#3 Chingy


  • Members
  • 40 posts
  • Local time:04:56 AM

Posted 24 December 2004 - 08:53 PM

Happy Holidays and welcome to BC, doolak. I'll check your log. I could take me a day. I'll get back with you. :flowers:

hey phawgg, could you check my Log out to please? :thumbsup:

#4 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:01:56 AM

Posted 25 December 2004 - 04:10 PM

doolak, it's good to see you are fully updated! Yes there is an infection.

Please download Hijack This 1.99 installer. This will install to C:\Program Files\HijackThis automatically when you unzip it.
The current location, C:\DOKUME~1\CKONE_~1\LOKALE~1\Temp\Rar$EX00.329\HijackThis.exe, will cause problems
because we will be deleting that one later in the fix procedure when we clean the temp folder. That's OK.
From now on, when you use HJT, simply open it from it's new location, closing all other windows when you do.

Copy/paste these instructions to a notepad/wordpad or choose file-->save page as: HJT instructions
Please read the information provided at the "download locations". Other info links may be of interest to you.
The fix is sequential. Please follow the steps as outlined.
You will lose your Internet connection temporarily during the fix procedure.

You should be careful to run only one anti-virus program, as they often conflict. One is enough.

I'm recommending an additional anti-malware program that is effective against the problem you have.
It doesn't conflict with either of the anti-virus software you have.
You should continue to use it after this fix.

Download and install Ad-Aware SE Personal 1.05, unless you already have this version on this PC.
You should uninstall an older version before installing this.
Refer to the programs "help" menu, and read a basic tutorial for helpful advice.

Run Ad-Aware and immediately check for updates. Exit after updating.

You will need another tool on your desktop.
You may run it from the desktop.
Download it from the link.
  • LSP Fix. Do not run this program yet, please.
Set your PC to: show hidden files.
From the desktop use: Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Start-->Add or Remove Programs-->(if found) Uninstall any instances of
webHancer info only

Open your C:\Program Files\HijackThis and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

Fix button is clicked when you are certain of the deletions.

Reboot your computer into Safe Mode by tapping F8 until
the DOS screen appears. Yes. Use the up arrow to choose safe mode. Hit enter. OK. From the desktop:
Search for, locate and delete the following file(s) or folder(s)
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders". Enter the filename. Hit "search".

Or simply navigate to the appropriate folder, right-click-->delete individual file(s) or folder(s).

Delete manually:
C:\Program Files\webHancer<--this folder & contents in it.

Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.
This should open up the temp directory that your machine uses.
Please delete all files that are found there.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Delete Temporary Internet Files

Open up Internet Explorer, and click on the Tools menu and then Internet Options.
At the General tab, which should be the first tab you are currently on, click on the Delete Files button
and put a checkmark in Delete offline content. Then press the OK button.
This may take quite a while, so do not be alarmed with how long it takes.
When it is done, your Temporary Internet Files will be deleted.

Empty the recycle bin.

Run Ad-Aware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next".
Let Ad-Aware remove anything it finds.

Go online as you normally would. If you experience difficulties doing so follow these steps:

Open LSPFix
Check I know what I'm doing.
Select all listed entries for whiehlpr.dll
Click the right-pointing arrow.
Click Finish.
This program attempts to correct Internet connection problems resulting from buggy or improperly-removed
Layered Service Provider (LSP) software. No changes will be made until you press the 'Finish' button.
To exit without making any changes, simply close the program instead of pressing Finish.
LSP-Fix is not a malware removal utility and does not target specific products. LSP-Fix does not delete any files.

Run HijackThis again and post the new log as a reply to this post. Please add comments.
Is it running better? Any problems?
patiently patrolling, plenty of persisant pests n' problems ...

#5 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:01:56 AM

Posted 25 January 2005 - 09:29 PM

Closed. Lack of responses.
If you originated this thread, and need it re-opened:
You may also contact a HJT Team Member, and reference the link location address. Thanks. :thumbsup:

If referring to this thread for any other reason, you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.
patiently patrolling, plenty of persisant pests n' problems ...

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users