from agent.bl to wheaterbug.a, a mess, plz help

Discussion in 'Malware Help (A Specialist Will Reply)' started by jukes, Nov 17, 2005.

  1. jukes

    jukes Private E-2

    WinMe
    AMD Athlon (authentic)
    512mb ram

    It seems no matter what I am trying, this just seems to be getting worse. Once stung yesterday morning, I started working on the tutorial.

    First, my AVG keeps telling me that "To finish the update, it is necessary to restart the computer". To no avail. It did tell me that Smitfraud was present when I was hit yesterday, and I put that in the virus vault. It was empty today. The usual morning scan came up clean.

    Next, when attempting to install the updates to Spybot S&D after downloading them, it says it couldn't because of "Bad Checksum". I did follow the additional information on the spybot section of the tutorial with regards to the advanced.

    Both Spybot and AdAware found and (claimed to) fix a load of things, including BackWebLite, spysheriff etc. Each scan today came up mostly clear with these.

    The first HijackThis log was a mess yesterday, the latest one didn't look so bad.

    However, here are the scan results from a number of the listed online scanners, (I'm most worried about those listed as password protected)

    windowsecurity trojan scan

    Didn't find any way to copy results. I took a screen shot, available by request.


    bitdefender:

    BitDefender Online Scanner
    Scan report generated at: Wed, Nov 16, 2005 - 22:08:22
    Scan path: C:\;C:\My Documents;
    Statistics
    Time: 01:16:59
    Files: 346062
    Folders: 2555
    Boot Sectors: 2
    Archives: 2918
    Packed Files: 6856

    Results
    Identified Viruses: 4
    Infected Files: 8
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 7

    Engines Info
    Virus Definitions: 233813
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 38
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File / Status:

    C:\WINDOWS\SYSTEM\atlbu.exe
    Infected with: GenPack:Trojan.Downloader.Agent.TD
    C:\WINDOWS\SYSTEM\atlbu.exe
    Disinfection failed
    C:\WINDOWS\SYSTEM\atlbu.exe
    Deleted
    C:\WINDOWS\ssk3b5doublemedia.exe=>(NSIS o)=>zlib_nsis0004
    Infected with: Trojan.Dropper.Small.QN
    C:\WINDOWS\ssk3b5doublemedia.exe=>(NSIS o)=>zlib_nsis0004
    Deleted
    C:\WINDOWS\ssk3b5doublemedia.exe=>(NSIS o)
    Update failed
    C:\WINDOWS\ntwa32.exe
    Infected with: GenPack:Trojan.Agent.BI
    C:\WINDOWS\ntwa32.exe
    Deleted
    C:\PQSC\CPS\000037\FILES\003\A996F0.DAT=>wise0008
    Detected with: Adware.Wheaterbug.A
    C:\PQSC\CPS\000037\FILES\003\A996F0.DAT=>wise0008
    Disinfection failed
    C:\PQSC\CPS\000037\FILES\003\A996F0.DAT=>wise0008
    Deleted
    C:\PQSC\CPS\000037\FILES\003\A996F0.DAT
    Update failed
    C:\PQSC\CPS\000037\FILES\003\A996F1.DAT=>wise0008
    Detected with: Adware.Wheaterbug.A
    C:\PQSC\CPS\000037\FILES\003\A996F1.DAT=>wise0008
    Disinfection failed
    C:\PQSC\CPS\000037\FILES\003\A996F1.DAT=>wise0008
    Deleted
    C:\PQSC\CPS\000037\FILES\003\A996F1.DAT
    Update failed
    C:\PQSC\CPS\000037\FILES\005\A9A95B.DAT=>wise0041=>wise0008
    Detected with: Adware.Wheaterbug.A
    C:\PQSC\CPS\000037\FILES\005\A9A95B.DAT=>wise0041=>wise0008
    Disinfection failed
    C:\PQSC\CPS\000037\FILES\005\A9A95B.DAT=>wise0041=>wise0008
    Deleted
    C:\PQSC\CPS\000037\FILES\005\A9A95B.DAT=>wise0041
    Update failed
    C:\PQSC\CPS\000056\FILES\001\AFE7FA.DAT
    Detected with: Adware.Wheaterbug.A
    C:\PQSC\CPS\000056\FILES\001\AFE7FA.DAT
    Disinfection failed
    C:\PQSC\CPS\000056\FILES\001\AFE7FA.DAT
    Delete failed
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Detected with: Adware.Wheaterbug.A
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Disinfection failed
    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Deleted
    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    Update failed

    aSquared:

    c:\WINDOWS\Cookies\default@windowsmedia[2].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@adsremote.scripps[1].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@adknowledge[1].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@burstnet[1].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@count.digitalpoint[2].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@community[2].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@community[1].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@realmedia[1].txt Trace.TrackingCookie
    c:\WINDOWS\Cookies\default@statcounter[1].txt Trace.TrackingCookie
    c:\PQSC\CPS\00009D\FILES\001\BB69FA.DAT Adware.BackWeb.a
    c:\PQSC\CPS\0000A2\FILES\001\BCAA83.DAT Adware.BackWeb.a
    c:\PQSC\CPS\0000A2\FILES\001\BCAAAF.DAT Adware.BackWeb.a
    c:\PQSC\CPS\000030\FILES\001\A320BA.DAT Adware.BackWeb.a
    c:\PQSC\CPS\00005E\FILES\001\B1BA09.DAT Adware.BackWeb.a
    c:\PQSC\CPS\00006A\FILES\001\B27430.DAT Adware.BackWeb.a
    c:\PQSC\CPS\00008F\FILES\00C\B85000.DAT Adware.WebHancer.351
    c:\PQSC\CPS\00008F\FILES\00C\B85001.DAT Adware.WebHancer
    c:\Program Files\hijackthis\backups\backup-20050923-021349-595.dll Adware.WebHancer
    c:\Program Files\hijackthis\backups\backup-20050923-021349-375.dll Adware.Win32.BetterInternet.ad
    c:\Program Files\mIRC\mirc.exe Riskware.Client-IRC.Win32.mIRC.16
    c:\!KillBox\0.93 Adware.MediaMotor.i
    c:\!KillBox\ms32.tmp Trojan-Downloader.Win32.Small.azk

    Kaspersky:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Thursday, November 17, 2005 11:48:17
    Operating System: Microsoft Windows Millennium Edition
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 17/11/2005
    Kaspersky Anti-Virus database records: 150668
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    a:\
    c:\
    d:\
    e:\
    f:\

    Scan Statistics:
    Total number of scanned objects: 145929
    Number of viruses found: 4
    Number of infected objects: 6
    Number of suspicious objects: 2
    Duration of the scan process: 5557 sec

    Infected Object Name - Virus Name
    c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternetAurora2.zip/bundle_mediamotor1004.exe Suspicious: Password-protected-EXE
    c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternetAurora2.zip Suspicious: Password-protected-EXE
    c:\WINDOWS\ssk3b5doublemedia.exe/data0005 Infected: Trojan-Dropper.Win32.Small.qn
    c:\WINDOWS\ssk3b5doublemedia.exe Infected: Trojan-Dropper.Win32.Small.qn
    c:\WINDOWS\mxjgwu.dat Infected: Trojan-Downloader.Win32.Agent.bc
    c:\WINDOWS\npwagx.dat Infected: Trojan-Downloader.Win32.Agent.bc
    c:\Program Files\hijackthis\backups\backup-20050923-021349-943.dll Infected: Trojan-Downloader.Win32.VB.ov
    c:\Program Files\hijackthis\backups\backup-20051116-141219-852.dll Infected: Trojan-Downloader.Win32.Agent.bc

    Scan process completed.

    Panda:
    (this morning)

    Adware:adware/webhancer No disinfected C:\WINDOWS\whCC-GIANT.exe
    Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
    Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
    Adware:adware/wupd No disinfected Windows Registry
    Adware:Adware/WebHancer No disinfected C:\_RESTORE\ARCHIVE\FS693.CAB[W0246981.CPY]
    Adware:Adware/WebHancer No disinfected C:\_RESTORE\ARCHIVE\FS693.CAB[W0246983.CPY]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[whAgent.inf]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[WhAgent.exe]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[whInstaller.exe]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[WhSurvey.exe]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[Webhdll.dll]
    Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[whiehlpr.dll]
    Adware:Adware/SpySheriff No disinfected C:\WINDOWS\desktop.html
    Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
    Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\000096\FILES\001\B9DAE3.DAT
    Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\000096\FILES\001\B9DAE4.DAT
    Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\0000AC\FILES\001\BEAAC5.DAT
    Adware:Adware/Transponder No disinfected C:\PQSC\CPS\0000AC\FILES\001\BEAAC7.DAT
    Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\0000AC\FILES\001\BEC54C.DAT
    Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\0000AD\FILES\001\BF20B0.DAT
    Adware:Adware/WUpd No disinfected C:\PQSC\CPS\00008F\FILES\00C\B84FFC.DAT
    Adware:Adware/Mirar No disinfected C:\Program Files\hijackthis\backups\backup-20050923-021349-564.dll

    Avast and AVERT found nothing wrong, but even as I type this bit here, I type the word on one line and it jumps up to the line before when I finish and space for the next word, as well as problems when I open a file, say a jpg image, and then I can't close it, the machine has trouble shutting down completely. Loads of blue screens, a few black ones requiring resetting. Permission boxes keep coming up to upgrade the macromedia flashplayer to a version I already have, and every one of the major geeks pages comes up claiming it requires a font file I don't have and do I want to download that?

    I don't know if some of what I've done has fixed some or what, and I will wait until asked for a fresh HiJack This log, (or any of the other four or so I've done since yesterday). I can take this machine offline and use the laptop on dialup for any fix offered.

    Thank you in advance!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post logs as attachments in the future. It makes it easier to follow thru the thread because it is less cluttered.

    Have you completed ALL the steps in the READ & RUN ME?
    Have you disabled system restore as requested? It does not seem so based on the Panda log.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Changing Spybot to a different server will normally fix this.

    Are you using Power Quest Second Chance?

    PQSC = Power Quest Second Chance. It's a program that works like Goback and System Restore.

    This may have to be disabled too to cleanup any malware saved in it.
     
  4. jukes

    jukes Private E-2

    will do, and my apologies.

    Yes. I can check yet again and run another scan if needed?

    Er, can you explain or is there information someplace on how to do this please?

    It's loaded there, but I haven't used it in a long long time.

    I don't know how to do that either, it doesn't have a right click option on the systray icon to disable it. I can't even find a way to clear checkpoints. This is probably why past eradications have been so frustrating.

    again thank you
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not use PQSC perhaps you should just uninstall it using Add/Remove programs. I don't think this program is even supported anymore.

    Run Spybot and click the Update icon in the left window. Then on the top right window pane look for the Search for Updates text. To the right of it is a pull down box where you can choose different server sites.
     
  6. jukes

    jukes Private E-2

    Just did that, thank you!

    Just did that (it rocks!) thank you, and will do now
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So are you having any malware issues at present?
     
  8. jukes

    jukes Private E-2

    Yes, still comes up in scans (in the attached txt files) as

    AbetterInternetAurora2.zip Suspicious: Password-protected-EXE
    AbetterInternetAurora2.zip/bundle_mediamotor1004.exe Suspicious: Password-protected-EXE
    Trojan-Dropper.Win32.Small.qn
    Trojan-Downloader.Win32.Agent.bc
    WebHancer
    Antivirus-gold
    SaHagent
    wupd
    SpySheriff
    Media-Motor
    Mirar

    I also checked, and the system restore is still turned off, the hiddens, system files and file extensions exposed.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the Registry Search Tool from here: http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    wupd

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread.


    Boot into safe mode and delete the below files:
    c:\WINDOWS\ssk3b5doublemedia.exe
    c:\WINDOWS\mxjgwu.dat
    c:\WINDOWS\npwagx.dat
    C:\_RESTORE\ARCHIVE\FS693.CAB
    C:\WINDOWS\whCC-GIANT.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\unstall.exe

    The below items that Kaspersky is finding are no longer problems. They were already fixed by HijackThis and Spybot:
    c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternetAurora2.zip/bundle_mediamotor1004.exe Suspicious: Password-protected-EXE
    c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternetAurora2.zip Suspicious: Password-protected-EXE
    c:\Program Files\hijackthis\backups\backup-20050923-021349-943.dll Infected: Trojan-Downloader.Win32.VB.ov
    c:\Program Files\hijackthis\backups\backup-20051116-141219-852.dll Infected: Trojan-Downloader.Win32.Agent.bc

    You can delete Spybot's recovery info and also the backup files in HJT's backup folder if desired to remove these.
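
The distinction drawn in this reply and earlier in the thread (hits inside Spybot's Recovery folder and HijackThis's backups are already-fixed copies, while hits under C:\_RESTORE and C:\PQSC sit in rollback stores) can be applied mechanically to scanner output. The Python sketch below is an added example, not part of the original thread or of any tool mentioned in it; the category labels and function names are assumptions, and the sample lines are copied from the Kaspersky and Panda logs posted above.

```python
import re
from collections import defaultdict

# Folder prefixes named in the thread; the category labels are this example's own.
STORES = [
    (r"c:\windows\all users\application data\spybot - search & destroy\recovery",
     "scanner-backup"),                                          # Spybot S&D recovery copies
    (r"c:\program files\hijackthis\backups", "scanner-backup"),  # HijackThis backups
    (r"c:\_restore", "rollback-store"),                          # WinMe System Restore archive
    (r"c:\pqsc", "rollback-store"),                              # PowerQuest Second Chance
]

# Line formats as they appear in the Kaspersky and Panda logs above.
KASPERSKY = re.compile(r"^(?P<path>.+?) (?:Infected|Suspicious): (?P<name>\S+)$")
PANDA = re.compile(r"^\w+:(?P<name>\S+) Not? disinfected (?P<path>.+)$")

# Sample input: lines copied from the logs in the first post.
SAMPLE = r"""
c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AbetterInternetAurora2.zip/bundle_mediamotor1004.exe Suspicious: Password-protected-EXE
c:\WINDOWS\ssk3b5doublemedia.exe/data0005 Infected: Trojan-Dropper.Win32.Small.qn
c:\WINDOWS\ssk3b5doublemedia.exe Infected: Trojan-Dropper.Win32.Small.qn
c:\WINDOWS\mxjgwu.dat Infected: Trojan-Downloader.Win32.Agent.bc
c:\Program Files\hijackthis\backups\backup-20051116-141219-852.dll Infected: Trojan-Downloader.Win32.Agent.bc
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/WebHancer No disinfected C:\_RESTORE\ARCHIVE\FS693.CAB[W0246981.CPY]
Adware:Adware/WebHancer No disinfected C:\_RESTORE\ARCHIVE\FS693.CAB[W0246983.CPY]
Adware:Adware/WebHancer No disinfected C:\WINDOWS\whCC-GIANT.exe[WhAgent.exe]
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
Adware:Adware/SpySheriff No disinfected C:\WINDOWS\desktop.html
Adware:Adware/WebHancer No disinfected C:\PQSC\CPS\000096\FILES\001\B9DAE3.DAT
""".splitlines()

def outer_file(path):
    """Reduce 'archive/member' (Kaspersky) or 'archive[member]' (Panda) to the on-disk file."""
    path = path.split("/", 1)[0]                 # Windows paths contain no forward slash
    return re.sub(r"\[[^\]]+\]$", "", path)      # only a trailing [member] is stripped

def classify(path):
    """Return the category for an on-disk path; the first matching store prefix wins."""
    low = path.lower()
    if low == "windows registry":
        return "registry"
    for prefix, kind in STORES:
        if low.startswith(prefix + "\\"):
            return kind
    return "live"

def parse(line):
    """Return (on-disk file, detection name), or None for lines that are not detections."""
    line = line.strip()
    m = KASPERSKY.match(line) or PANDA.match(line)
    if not m:
        return None
    return outer_file(m.group("path")), m.group("name")

def triage(lines):
    """Map category -> {on-disk file (lower-cased): sorted detection names}."""
    found = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse(line)
        if parsed:
            path, name = parsed
            found[classify(path)][path.lower()].add(name.lower())
    return {kind: {p: sorted(n) for p, n in files.items()}
            for kind, files in found.items()}

if __name__ == "__main__":
    for kind, files in sorted(triage(SAMPLE).items()):
        print(kind)
        for path, names in sorted(files.items()):
            print("   ", path, "<-", ", ".join(names))
```

The `live` group corresponds to the files under C:\WINDOWS that this reply lists for deletion in safe mode; the `scanner-backup` and `rollback-store` groups are the copies held by the tools' own backups and by the restore features.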
     
  10. jukes

    jukes Private E-2

    gonna work this now, here's this so far:

    off to safe mode for the rest and thank you so very much!
     
  11. jukes

    jukes Private E-2

    problem.

    I rebooted to safe mode. Here's what happened:

    this I couldn't find in the WINDOWS folder. I found it using the search files and folders and deleted it successfully.

    Here's the problem:

    the error box said:

    I tried right click/properties uncheck archive, it wouldn't allow that, I clicked "ignore" the archive box was unchecked, and it still wouldn't delete

    All of the rest of the files deleted successfully.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must still have system restore or PQSC enabled.
     
  13. jukes

    jukes Private E-2

    PQSC is gone, deleted in add/remove yesterday.

    and this is weird, (to me anyway) but that "disable system restore" has actually remained checked for a long long time, (I never did reenable it) So, I unchecked the "disable system restore", restarted the machine, then disabled it again and checked to be sure the hiddens were still all showing (they were), rebooted the machine to safe mode, used the search find files and folders, and couldn't find the file in question. Apparently even though it argued, it did delete it, or enabling and redisabling system restore did it. Either way, it's gone now.

    Just did that, thank you.

    Is there something I need to do with the information I gathered from this step?

     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure about the RegSrch info yet. It looks okay for a WinMe system. For a WinXp or 2K OS, some items would be a problem.

    Run Pandascan again and post a new log.
     
  15. jukes

    jukes Private E-2

    Panda came up with nothing in the scan.
     
  16. jukes

    jukes Private E-2

    Two HJT logs in attachments.

    The first one from 11 16, and the one I just did after the pandascan came up clear.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the last log is clean! How is everything working now?
     
  18. jukes

    jukes Private E-2

    seems to be working okay, that was pretty scary!

    Thank you!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. jukes

    jukes Private E-2

    another mess or maybe some wasn't found? plz help

    :( wish I wouldn't have missed your last post. Stung again. SpySweeper (installed via instructions from bjgarrick's thread) really came through where spybot and adaware fell down at finding more mess. Spybot claimed to fix a few it found, and AdAware, the same. However, it seems Spysweeper isn't eradicating some of this mess. I ran this twice. The logs from it are in attachments.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: another mess or maybe some wasn't found? plz help

    Run SpySweeper after booting in safe mode and physically disconnect your cable to the internet. Save a new log and attach it.
     
  22. jukes

    jukes Private E-2

    in safe mode I got an error message that SpySweeper detected an authentication failure, please reinstall SpySweeper and a web link if I have further trouble.
     
  23. jukes

    jukes Private E-2

    it did that twice now.
     
  24. jukes

    jukes Private E-2

    it seems spysweeper does not want to run at all in safe mode, (and tho I waded through the help database, I found nothing that applied, maybe because I'm up too late and sleep challenged) but it did run in regular mode once I'd reinstalled it. 3rd log in the attachments.

    As I ran this scan, my AVG popped up and warned me that I'd been infected with CLICKER.fb, which I was able to quarantine, unlike the other that started this leg of mess, which AVG was unable to quarantine, delete or otherwise.

    My IE won't even work, keeps resetting my homepage to msn when it will finally open, I'm using firefox and unsure whether to run the Panda scan offline with that, whether to submit a support query to webroot about the inability for spysweeper to run in safe mode and await info, and thank you very much!

    p.s. I think I'll disconnect the ethernet cable, and check this thread from the laptop when I wake.
     


    Last edited: Nov 23, 2005
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! Something appears to be preventing SpySweeper from working properly. Even in normal mode there are a couple items it should be fixing and it is not.

    Boot in safe mode and look for the below items (make sure viewing of hidden files etc. is enabled). If you find these files, delete them:

    c:\windows\system\sphlp32.exe
    c:\windows\system\pppcgm.exe or c:\windows\pppcgm.exe or C:\pppcgm.exe

    If you cannot delete them, see if you can rename them by right clicking on them and select Rename. Just change the .exe extension to .xxx

    Let me know the results.

    I'm not sure what you mean about IE not working and changing your home page to MSN. That is the default home page. Also SpySweeper is protecting/locking your home page. If you try to change it or something like a hijacker tries to change it, SpySweeper will tell you about it and ask permission to change or to restore original. If you want to change it, you must allow it.
     
  26. jukes

    jukes Private E-2

    None of these were present, however when I rebooted to come let you know, spysweeper alerted me that these new programs will start when windows starts, (do I want to delete them, this box is asking me), I've added none of these, but that first one does look somewhat familiar as something that was on here (whether or not it's a bad program or one that has been corrupted, I don't know)

    devldr16.exe
    csott.exe
    dmuhj.exe

    My start page has always been set on my own preferred page:
    http://www.garageband.com/bbs/online.pl?Cat=
    and NEVER on msn, ever. However, I try to change it back to what I want, and it keeps changing back to msn.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! SpySweeper said they are there and it failed to quarantine them. Are you sure view of hidden files is enabled properly?

    The first file is valid! The second two are more than likely not. Did SpySweeper tell you where those files were located?

    Post a new HJT log. Do you have a boot floppy for your Win ME system? If not, you should make one. It may come in handy.

    Perhaps we should run SpySweeper again (make sure to check for updates if it allows it) and then do a full scan. Post the log.
     
  28. jukes

    jukes Private E-2

    (from the laptop on dialup)

    I looked before I leaped on that one. the devldr16.exe is part of Creative sound card. I found no info on the other two so I checked to delete those.

    no. It just presented them as a warning in a box with a check box next to each after I'd rebooted. As though it woke up and warned me, I'd not yet had a chance to open spysweeper.

    will do, from that machine in a few minutes.

    Yep, in one of the prior messes, I had to use it to boot into safe mode. (truly, it sounds like this machine doesn't behave like any other computer!)

    I just tried, and an error box came up about five minutes into the scan that "spysweeper will now close". I'll try again and hopefully have a log to post.
     
  29. jukes

    jukes Private E-2

    (from laptop)

    I wasn't able to get a spysweeper sweep completed. I pulled the cable, uninstalled the old zapro, put the cable back in and downloaded a new trial of zapro, then uninstalled and reinstalled spysweeper. The sweep is running now. I'll post the results from that machine when I can. (if?)

    Here's hoping.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So are you saying ZA was interfering with SpySweeper?
     
  31. jukes

    jukes Private E-2

    No. I had an old trial version on here that was not in operation (they wanted money when the trial ended) and wanted to install a new trial version (another free trial) in the event that whatever this is that keeps sneaking stuff onto the machine could be either stopped or I could see what and where it is in the zapro screens, and block it there.

    bitdefender found cswdr.exe and deleted it.

    trend micro found SPYW_GETMIRAR.A and dealt with that.

    The Panda activescan log is in the attachments, (the problems weren't dealt with as of yet) along with the hjt log

    Hmmm, this says "the attachment is in progress. can be deleted here" and isn't attaching. (not quite sure how to proceed there, if it means I'm supposed to delete some of the old ones or ?)

    It's rather short:


    Adware:adware/xupiter Not disinfected C:\WINDOWS\Favorites\cool stuff
    Adware:adware/gator Not disinfected Windows Registry
    Virus:Trj/Agent.AWH Not disinfected C:\WINDOWS\SYSTEM\dmpnz.exe



    These three online scans all found stuff after the latest SpySweeper sweep claimed this machine was clear.
     


  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is basically clean but you can have HJT fix the below two items:
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    You can also delete the below two items manually:
    C:\WINDOWS\Favorites\cool
    C:\WINDOWS\SYSTEM\dmpnz.exe

    Are you having any other malware problems?
     
  33. jukes

    jukes Private E-2

    will do, thank you!

    The new zapro surprised me with a scan, found and quarantined Alexa toolbar and something called UcontrolScan. the machine was running slow last night, but I checked several of the online scans and they found nothing. It seems to be okay today.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The two O9 items I had you fix are Alexa related too.

    You're welcome! Make sure you check the below link out:

    How to Protect yourself from malware!
     
