Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cant delete a file, none of the typical fixes work [RESOLVED]


  • This topic is locked This topic is locked

#1
bradstacey

bradstacey

    Member

  • Member
  • PipPip
  • 21 posts
Well, I downloaded a rather large video from the internet, and it didn't turn out to be what I thought I was downloading, so I tried to delete it. I got an error of the typical 'cannot delete, file in use' variety, but i had no video playing programs running, not bsplayer, not real, not mp classic, not windows mp, not quiktime, not quiktime alternative....
so, first i updated norton and ran it, nothing found, no problems there. then i updated swb, restarted. tried again to delete the file, no luck. im running adaware right now, but there are currently 0 objects recognized.
ran bazooka, with nothing detected.
rebooted in safe mode, file still protected somehow.
i haven't noticed too many problems, maybe a slight slowing, maybe thats imaginary, not sure. but i know that this file should not be so delete resistant, and when i could play the file it showed some kind of screen that showed a girl with the word 'private' beneath her, almost like a feature film of some sort, but the file was only about 3 seconds long despite being 700 or so odd M.
Thanks beforehand to anyone and everyone who gives a moment to solving this. You guys have helped me cure my pc in the past, a talented bunch indeed.
So that's the background, heres my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:45:03 AM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\Winamp\winamp.exe
D:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe
C:\Programs\BSPlayer\bsplayer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\abdul na\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Creative WebCam Tray] "D:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://130.13.204.12...amPlayerWeb.ocx
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\System32\Tablet.exe
  • 0

Advertisements


#2
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Firstly, What is the location (FILE PATH) of the file that needs to be deleted?

(ie C:\PROGRAM FILES\????????)
  • 0

#3
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
The file im trying to delete is at C:\Kazaa Lite K++\Share.
Since the error message says the file is in use, I'm guessing that the file using it is some sort of hidden malware, as I've ctrl-alt-deleted all the processes I recognized.
b
  • 0

#4
Guest_usetobe_*

Guest_usetobe_*
  • Guest
OK firstly, please consider removing Kazaa from your PC. File sharing programs such as Kazaa are one of the worst offenders of spreading malware around the world.

OK here we go.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Please download Cleanup from here:
Cleanup. Do not run it yet.

Set up PC to show hidden files.(Click link if you do not know how)
Show hidden files

I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\Kazaa Lite K++\Share

* Please download the http://www.bleepingc...es/killbox.php]Killbox by Option^Explicit[/url]. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Whilst your pc is rebooting, boot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

After Cleanup! is finished:
  • Run Ewido.
  • Click on scanner
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report[list]
[*]Click Save report
[*]Save the report to your desktop
[*]Exit Ewido

Now scan with HJT and check the following entries if they still exist:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone


Ensure no windows open except HJT and click fix checked

Now reboot pc normally.

Run this online virus scan: ActiveScan - Save the results from the scan!

Rescan with HJT and post the log back, with the ewido and panda logs.
  • 0

#5
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
still workin on your to-do list. killbox was unable to delete the file on restart, but i did the standard file kill without reboot, and it killed the errant file.
your instructions say to click start scan in ewido, but there is no option i can see... maybe this is a new version. it just gives a list of scan types. as soon as you click a type, the scan begins. I chose the full system scan, and its scanning right now, no infections yet.
  • 0

#6
Guest_usetobe_*

Guest_usetobe_*
  • Guest
any logs yet?
  • 0

#7
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
:tazz:
ah, sorry so late with the logs:

hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 1:29:06 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\Kazaa Lite K++\Kazaa.kpp
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\abdul na\Desktop\pc health\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Creative WebCam Tray] "D:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://130.13.204.12...amPlayerWeb.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\System32\Tablet.exe



ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:26:48 PM, 7/10/2005
+ Report-Checksum: C4EC0480

+ Scan result:

C:\HijackThis\backups\backup-20050203-233715-890.dll -> TrojanDownloader.IstBar.gp : Cleaned with backup
D:\Documents and Settings\abdul na\Desktop\acds.zip/Keygen/CORE2000.EXE -> Worm.Finaldo.a : Error during cleaning
D:\WINDOWS\editexplorer.exe:wphhb -> TrojanDownloader.Small.ajr : Cleaned with backup
D:\WINDOWS\ModemLog_Gateway Data Fax Modem.txt:dplyh -> TrojanDownloader.Agent.bq : Cleaned with backup
D:\WINDOWS\ntbtlog.txt:rvskp -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

The Panda one found nothing but some ADaware backups. Looks like I had one 'error during cleaning' which worries me. worms are bad, mkayyy.
Sidenote: the "download a new version" notification has links that don't work in firefox.
  • 0

#8
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi again,

Rescan with HJT, CHECK THE FOLLOWING ENTRY:

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

Ensure no windows open except HJT and click fix checked

Using windows explorer locate and delete the following file:

D:\Documents and Settings\abdul na\Desktop\acds.zip/Keygen/CORE2000.EXE

Rescan with HJT and post the log back
  • 0

#9
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks for your attention to my little problem.
Here's a new hjt log with apparent internet hijacking... what is webhancer?

Logfile of HijackThis v1.99.1
Scan saved at 2:44:52 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\180SearchAssistant\sa\245\saap.exe
D:\Program Files\webHancer\programs\whAgent.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\abdul na\Desktop\pc health\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [saap] d:\program files\180searchassistant\sa\245\saap.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Creative WebCam Tray] "D:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://130.13.204.12...amPlayerWeb.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\System32\Tablet.exe
  • 0

#10
Guest_usetobe_*

Guest_usetobe_*
  • Guest
:tazz:

Well isn't that nice, you appear to have picked up a new infection. Webhancer is a program that monitors Web sites visited and sends this information to a remote server. Comes bundled with Filesharing programs such as Grokster and Audio Galaxy.

We'll remove that first:

Click Start > Settings > Control Panel or Start > Control Panel (this varies with the operating system).

In the Control Panel window, double-click Add/Remove Programs.

Click WebHancer Survey Companion.

Note: You may need to use the scroll bar to view the whole list.

Click Add/Remove, Change/Remove, or Remove (this varies with the operating system).

Click WebHancer Customer Companion.

Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

Now Reboot into Safe Mode and scan with HJT. Check the following entries if they still exist:

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [saap] d:\program files\180searchassistant\sa\245\saap.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"


Ensure no windows open except HJT and click fix checked.

Ensure pc setup to show hidden files and using windows explorer locate and delete the following if still present:

D:\Program Files\webHancer <<--entire folder
d:\program files\180searchassistant <<--entire folder


Reboot pc normally.

Rescan with Panda active

Rescan with HJT and post both logs back
  • 0

#11
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I think I picked up Webhancer from downloading smileyface emoticons for msn. Not even junk like that is safe, I guess.
I actually started researching it as soon as I saw it in the registry, cause having an entry state "hijacking" makes me pee my pants.
I tried doing add/remove, and it had me reboot. This appeared to work until I removed the 'webhancer survey companion' entry in add/remove also. after i did that, the webhancer reappeared. luckily, norton had a removal tool which painstakingly combed EVERY SINGLE FILE on my system and reported to have removed three files.
I tell you, these spyware people are getting obnoxious. I'm really glad the internet creates jobs for people that would otherwise be picking pockets, but this stuff is still a waste of time to fix. I'm almost ready to quit the internet. Why hasn't Total Quality Management found its way into Internet Marketing yet?
I'm at work at the moment, but I'll post up my new HJT log later today after I make sure all your suggestions are done.
Thanks again
Brad
  • 0

#12
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Okay, its off the program list, off al detections, and I deleted the folders, including one d:\programs\whinstall.

here is the latest hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 1:39:07 AM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Tablet.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\system32\WTablet\TabUserW.exe
D:\Program Files\Common Files\Symantec Shared\NMain.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\abdul na\Desktop\pc health\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BootWarn] D:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Creative WebCam Tray] "D:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - Startup: SpywareBlaster (2).lnk = D:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS\system32\WTablet\TabUserW.exe
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://130.13.204.12...amPlayerWeb.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS\System32\Tablet.exe

Thanky so muuuch
b
  • 0

#13
Guest_usetobe_*

Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#14
bradstacey

bradstacey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Fantastic list of measures there. I've installed spyguard to see how it works.
Thank you all so much for spending time addressing my issue/s. This isn't the first time yall have assisted me. The internet is a better place for your presence.
(Can I kiss some more [bleep] here? Nope, I think that's my limit. )
I have been using Mozilla for quite a while, and my problems have diminished severly since, its one of the best suggestions I've received from here. The other programs are a definate necessity, too. I've updated my hosts file and made a backup.
May you help someone who can afford to donate millions to your just cause
Brad
  • 0

#15
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP