Tech Support Forum - View Single Post - PC hijacked by various things, porn dialers, virus's, bho's etc.

khelbena · 04-21-2005, 10:58 AM

I have cleaned up the majority of things but there is still a P0rn dialer on here and it is a persistant thing. As near as i can tell it is some form of WebSiteViewer. I have tried the manual removal instructions but they dont work for me. I have run various anti-spyware tools, ie Adaware SE w/ vx2 addon, Spybot 1.3 latest defs, also used cwshredder 2.14. Also used Xclean, and MS Antispyware (beta). each of these programs found various things which I have then removed.

also have deleted the temp files, prefetch, cookies, and such that I could find.

I had some strange services listed that were like "cqywirhgkshdfgut" etc.... I had about 6 of those which I have removed each one was a different file located in C:\windows\system32\VARIOUSDIR\Filename.

I still get some popups and this dialer is still on here somewhere if someone can browse my HiJack this log and or provide me with some addition instructions or removal tips. THanks MIke

PS. Something also keeps modifying my hosts file even though its marked read only.

here is a copy of my hijack this log.

Logfile of HijackThis v1.99.0
Scan saved at 12:46:50 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Windows\System32\mrtMngr.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\agencysupport\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O15 - Trusted Zone: *.*******.com (this is my local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = ********.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = *.*.*.*
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

04-21-2005, 10:58 AM	#1 (permalink)
khelbena Member Join Date: Apr 2005 Posts: 35 OS: WIN XP	PC hijacked by various things, porn dialers, virus's, bho's etc. I have cleaned up the majority of things but there is still a P0rn dialer on here and it is a persistant thing. As near as i can tell it is some form of WebSiteViewer. I have tried the manual removal instructions but they dont work for me. I have run various anti-spyware tools, ie Adaware SE w/ vx2 addon, Spybot 1.3 latest defs, also used cwshredder 2.14. Also used Xclean, and MS Antispyware (beta). each of these programs found various things which I have then removed. also have deleted the temp files, prefetch, cookies, and such that I could find. I had some strange services listed that were like "cqywirhgkshdfgut" etc.... I had about 6 of those which I have removed each one was a different file located in C:\windows\system32\VARIOUSDIR\Filename. I still get some popups and this dialer is still on here somewhere if someone can browse my HiJack this log and or provide me with some addition instructions or removal tips. THanks MIke PS. Something also keeps modifying my hosts file even though its marked read only. here is a copy of my hijack this log. Logfile of HijackThis v1.99.0 Scan saved at 12:46:50 PM, on 4/21/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\Windows\Explorer.EXE C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\Analog Devices\SoundMAX\Smtray.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe C:\Windows\System32\hkcmd.exe C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe C:\Windows\System32\mrtMngr.EXE C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE C:\Compaq\EAKDRV\EAUSBKBD.EXE C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe C:\agencysupport\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe O15 - Trusted Zone: .****.com (this is my local intranet) O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = *****.com O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = ...* O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe Last edited by khelbena; 04-21-2005 at 11:07 AM.