
How to remove Rootkit & Weatherbug.A [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Dan55, 2005/12/06.

  1. 2005/12/06
    Dan55

    Dan55 Inactive Thread Starter

    Joined:
    2003/09/24
    Messages:
    24
    Likes Received:
    0
    Hello, I have found two different viruses and/or spyware items. I do a spyware scan daily with SpySweeper v4.5.7; today it said "Rootkit masked files: items found 1, Associated traces found 7." Then it said, "SpySweeper has detected files hidden from Windows: this is potentially an indication of the presence of a Rootkit." Then, after I click remove, it says "SpySweeper has identified some threat traces that cannot be removed until you restart your computer." I do the restart and then I run another scan and the same thing comes up. I did 4 different scans and it is the same thing: SpySweeper says Rootkit has 7 critical items and traces. I have SpySweeper on all the time and do a scan daily. This is the first time anything has showed up.

    I also use Spybot-Search & Destroy 1.4 daily and it did not find anything. I also use Ad-Aware SE 1.06r1 and scan with it daily; it did not find anything. I do not have these two scanning all the time, only manually. I have PC-cillin Internet Security 2005 for my antivirus program; it is on all the time and updated, as all are up to date. (I only use virus protection from the suite.) It did not find anything on a manual scan I did after SpySweeper found the Rootkit, or whatever that is.

    I did as you say to do in the sticky before posting. I did an online scan with BitDefender and it found "Adware.Weatherbug.A"; it did not fix it. On the report it says it is in the file "Install_AIM.exe". That file has been on my computer since 9-16-2004 and it has never been installed or opened. It is in My Documents folder. I have the report from BitDefender; it is a HTML file. And I have a hijackthis.log. I will give you the HijackThis log, but I do not know how to put the BitDefender report here. I am not experiencing any funny or different actions from my computer; it is not slow or does not seem slow. I have Win XP Pro SP2, 512 MB RAM, and I am behind a Netgear Web Safe Router RP614. And I use a cable ISP.

    Can you help me get rid of these items, or what should I do?

    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:06 PM, on 12/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINNT\system32\PGPserv.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINNT\system32\wwSecure.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\SpyWareHijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
    O3 - Toolbar: FraudEliminator - {A5181F8A-0B9D-43AC-8BE5-EB61651DB685} - C:\Program Files\FraudEliminator\2.4.1\FETB.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe "
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O8 - Extra context menu item: &Copy Location - C:\WINNT\WEB\graburl.htm
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINNT\system32\webzone.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINNT\system32\oline.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\system32\wwSecure.exe
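To show how a reviewer reads a log in this format, here is an added Python triage script (not from this thread and not part of the HijackThis tool) that parses a constructed subset of the lines above, extracts the file or URL each entry points at, and separates the dangling "(no file)" / "(file missing)" leftovers from the sections that run code at boot or logon.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99.1 lines quoted in the post above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\system32\PGPserv.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)\s*$")
AUTOSTART = {"O4", "O20", "O21", "O22", "O23"}  # run at boot/logon without any browser action


def parse_line(line):
    # Returns section, CLSID, the file/URL the entry points at, and whether that file is gone.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    if section == "O4":                       # O4 is "[name] command line"
        target = rest.split("] ", 1)[-1]
    elif clsid:                               # split only after the CLSID: paths may contain " - "
        target = rest[clsid.end():].split(" - ", 1)[-1]
    else:                                     # O8/O20/O23: the last " - " field is the file
        target = rest.rsplit(" - ", 1)[-1]
    target = MISSING_RE.sub("", target).strip()
    if target.startswith('"') and target.count('"') >= 2:
        target = target[1:target.index('"', 1)]  # drop quotes and trailing arguments
    return {"section": section, "clsid": clsid.group(0) if clsid else None,
            "target": target, "dangling": bool(MISSING_RE.search(rest)), "raw": rest}


def triage(log_text):
    # First-pass grouping: orphaned entries (uninstall leftovers) and autostart entries.
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"entries": entries,
            "dangling": [e for e in entries if e["dangling"]],
            "autostart": [e for e in entries if e["section"] in AUTOSTART]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["dangling"]:
        print("orphan:", e["section"], e["raw"])
    for e in result["autostart"]:
        print("autostart:", e["section"], e["target"])
```

Dangling entries are usually harmless uninstall residue, as with Advanced Searchbar and the BitDefender scanner here, but every autostart target should be checked against a known-good path before the log is called clean.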
     
  2. 2005/12/07
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400


  4. 2005/12/07
    Dan55

    Dan55 Inactive Thread Starter

    Joined:
    2003/09/24
    Messages:
    24
    Likes Received:
    0
    Thanks TonyT for the information about weatherbug.a. I read the link and I just deleted the file. But I cannot get rid of the rootkit files. SpySweeper's new definitions have found the files and tried to delete them but could not. I tried to delete them and I could not. Can someone tell me how to delete these files? There are three of them. SpySweeper said "System Monitor found: potentially Rootkit-masked files (3)". These are the ones it identified:

    C:\documents and settings\all users\start menu\programs\mailwasherpro.lnk
    C:\documents and settings\all users\start menu\programs\mailwasherprohelp.lnk
    C:\documents and settings\all users\start menu\programs\uninstall mailwasherpro.lnk

    When I try to delete these files I get the message: "Cannot delete Mailwasher Pro Help.lnk: Access is Denied". I get the same message for all three files, and SpySweeper cannot delete them either. Mailwasher Pro is not installed on my computer now; it was, but I uninstalled it. Is there any way of deleting these files and the Mailwasher folder they are in? I have a new program to install, but I am afraid to install it not knowing what these Rootkit-Masked files will do. Thanks for any help or advice.

    Dan
     
  5. 2005/12/07
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
  6. 2005/12/07
    Dan55

    Dan55 Inactive Thread Starter

    Joined:
    2003/09/24
    Messages:
    24
    Likes Received:
    0
    Thank You Whiskeyman for the names of the programs to remove the leftovers. I have used Microsoft's already today so hopefully the others you have listed will do the job. Again thanks. I will give results when all is completed.

    Dan
     
  7. 2005/12/08
    Dan55

    Dan55 Inactive Thread Starter

    Joined:
    2003/09/24
    Messages:
    24
    Likes Received:
    0
    Whiskeyman, I ran all the programs you suggested to detect Rootkit and they said my computer is clean. I used the registry cleaner, but the files I have named are still there and nothing will remove them. I tried in safe mode also. Always the same error: "Access is denied, files are in use". It seems these are shortcuts to a program that is not installed now. And something is locking them. Anyone have any ideas? Thanks.

    Dan
     
  8. 2005/12/08
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    Try renaming those files to .old then deleting. Also check to see if they are listed in Startup. If so uncheck them. If that doesn't work try MoveOnBoot.
     
  9. 2005/12/08
    Dan55

    Dan55 Inactive Thread Starter

    Joined:
    2003/09/24
    Messages:
    24
    Likes Received:
    0
    Whiskeyman, thanks for trying, but nothing has worked. The program MoveOnBoot did not work either. When I entered the file in the program and clicked next it gave me the same message, "Access is denied". I tried a couple of times but always the same results. I am out of ideas. Thanks for your help.

    Dan
     
  10. 2005/12/09
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    Want to manually remove programs from XP?

     
