#1
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
PC hijacked by various things, porn dialers, viruses, BHOs etc.
I have cleaned up the majority of things, but there is still a porn dialer on here and it is a persistent thing. As near as I can tell it is some form of WebSiteViewer. I have tried the manual removal instructions but they don't work for me. I have run various anti-spyware tools, i.e. Adaware SE w/ VX2 addon, Spybot 1.3 with the latest defs, and also used CWShredder 2.14. Also used Xclean and MS Antispyware (beta). Each of these programs found various things which I have then removed.

I have also deleted the temp files, prefetch, cookies, and such that I could find. I had some strange services listed that were like "cqywirhgkshdfgut" etc.... I had about 6 of those which I have removed; each one was a different file located in C:\windows\system32\VARIOUSDIR\Filename. I still get some popups and this dialer is still on here somewhere. If someone can browse my HijackThis log and/or provide me with some additional instructions or removal tips, thanks.

Mike

PS. Something also keeps modifying my hosts file even though it's marked read only. Here is a copy of my HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 12:46:50 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Windows\System32\mrtMngr.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\agencysupport\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O15 - Trusted Zone: *.*******.com (this is my local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = ********.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = *.*.*.*
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

Last edited by khelbena; 04-21-2005 at 10:07 AM.
#2
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
Hello, and welcome to TSF!

Let's see if this doesn't help, a little. We'll need to unload Spybot's TeaTimer before we begin. To do this, right-click on the icon in the quick launch toolbar at the bottom of the screen, then select "Exit".

===============

Download CWShredder, unzip it to your desktop and run it, then:
1. Click "Check For Update" (If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"

===============

Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = *.*.*.* ...(Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let me know how everything goes.
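A small parser for the HijackThis log format, added here as an example and not code from the thread or from the HijackThis tool. It reads the entry lines (R1/R3/O4/O15/O17/O23) in the form the logs in this thread use, reports the items the reply above singles out, and applies the reply's own caveat: an O17 NameServer line is only flagged when its addresses are not on a list of DNS servers you already know are your ISP's. The sample lines are copied from the log in #1; the masked Trusted Zone and NameServer values are replaced by constructed documentation placeholders (example.com, TEST-NET-1 addresses), as is the trusted-DNS list.

```python
"""Triage a HijackThis 1.99 log.

Added example, not code from the thread or from the HijackThis project.
It parses entry lines of the form "<section> - <body>" and reports the
ones an analyst would look at first, applying the caveat that O17
NameServer addresses are only flagged when they are not already trusted.
"""
import re

# Constructed sample: entry lines copied from the log in #1, with the masked
# Trusted Zone and NameServer values replaced by documentation placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O15 - Trusted Zone: *.example.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = 192.0.2.1,192.0.2.2
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

# Constructed allowlist standing in for "your ISP's DNS servers" (TEST-NET-1 addresses).
KNOWN_DNS = {"192.0.2.1", "192.0.2.2"}

# Every HijackThis entry line starts with a section code such as R1, O4, O23.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries, known_dns=KNOWN_DNS):
    """Return (section, body, reason) for each entry worth an analyst's attention."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((section, body, "IE search/start page reset to about:blank"))
        elif section == "R3" and "is missing" in body:
            findings.append((section, body, "default URLSearchHook has been removed"))
        elif section == "O15":
            findings.append((section, body, "Trusted Zone entry: confirm it is your own intranet"))
        elif section == "O17" and "NameServer" in body:
            # Only report resolvers that are not on the trusted list (the reply's caveat).
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            unknown = sorted(servers - known_dns)
            if unknown:
                findings.append((section, body, "DNS servers not on the trusted list: " + ", ".join(unknown)))
        elif section == "O23" and "(file missing)" in body:
            findings.append((section, body, "service still registered for a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

With the constructed trusted list the O17 line is silent; pass `known_dns=set()` and it is reported with the addresses it carries, which is the check the reply asks the poster to do by hand.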
#3
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
New log

Killed Spybot TeaTimer and then reran CWShredder; nothing was found.

Updated HijackThis; here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:07:09 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Windows\System32\mrtMngr.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\agencysupport\HijackThis.exe

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O15 - Trusted Zone: *.**************.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = ******.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = *.*.*.* (THESE ARE CORRECT)
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Still have the dialer and some popups. I also ran the Trend Micro HouseCall virus scan and it came up with 5 infected files, which I deleted as well.
#4
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
?
Trying to upload an image of my C:\windows\system32 folder. It has some folders with interesting names on them that may help us -- not sure though.

[IMG]C:\Documents and Settings\agent3\My Documents\sys32.jpg[/IMG]

Hmm, not sure if I did that right or not. If you think you want to see it, I'll email you if this doesn't work.

Last edited by khelbena; 04-21-2005 at 11:25 AM.
#5
Analyst, Security Team
No, that's not the way to post an image. You have it on your computer and you need to upload/attach it here. That's ok, we'll take a look at them now.
Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#6
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
StartDreck log
StartDreck (build 2.1.7 public stable) - 2005-04-21 @ 15:16:15 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1) Internet Explorer: 6.0.2800.1106 Logged in as agent3 at CSI0186-PC3 Registry Run Keys Current User Run *SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe RunOnce Default User Run RunOnce Local Machine Run *WinPatrol=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe *Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe *ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE *McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey *IgfxTray=C:\Windows\System32\igfxtray.exe *HPDJ Taskbar Utility=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe *HotKeysCmds=C:\Windows\System32\hkcmd.exe *CSISetup=S:\PCSetup\disk1\setup.exe -fdailysetup.ins *CPQEASYACC=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe +OptionalComponents +MSFS *Installed=1 +MAPI *Installed=1 *NoChange=1 +MAPI *Installed=1 *NoChange=1 RunOnce RunServices *CPQDFWAG=C:\Windows\Cpqdiag\CpqDfwAg.exe RunServicesOnce RunOnceEx RunServicesOnceEx File Associations (CR) +.bat *batfile="%1" %* +.com *comfile="%1" %* +.disabled *SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1" +.exe *exefile="%1" %* +.hta *htafile=C:\WINDOWS\System32\mshta.exe "%1" %* +.htm *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome +.html *htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome +.js *JSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.jse *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %* +.pif *piffile="%1" %* +.reg *regfile=regedit.exe "%1" +.scr *scrfile="%1" /S +.txt *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.vbe *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %* +.wsh *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %* +.wsf *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %* +.lnk `lnkfile= [key or value does not exist] Active 
Setup (LM) +Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} *StubPath=C:\Windows\inf\unregmp2.exe /ShowWMP +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Browser Customizations/>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947 *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} *StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} *StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\wmp.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} *StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} *StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} *StubPath=%SystemRoot%\system32\ie4uinit.exe Browser Helper Objects (LM) Internet Explorer Current User *Local Page=C:\Windows\System32\blank.htm *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Start Page=http://www.msn.com/ +SearchUrl *provider= Default User *Search Bar= *Search Page=http://ie.search.msn.com +SearchUrl Local Machine 
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome *Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Local Page=%SystemRoot%\system32\blank.htm *Search Page=http://www.google.com *Start Page=about:blank *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm *SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ShellServiceObjectDelayLoad (LM) *PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll *CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll *WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\System32\webcheck.dll *SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\System32\stobject.dll Special NT Values Current User *Load= *Run= *Programs=com exe bat pif cmd *SHELL= Default User *Load= *Run= *Programs=com exe bat pif cmd *SHELL= Local Machine *AppInit_DLLs= *SHELL=Explorer.exe *Userinit=C:\WINDOWS\system32\userinit.exe, Files Autostart Folders Current User *C:\Documents and Settings\agent3\Start Menu\Programs\Startup\desktop.ini Default User Local Machine *C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\desktop.ini *C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk INI-Files WIN.INI\[windows] *LOAD= *RUN= SYSTEM.INI\[boot] *SHELL=Explorer.exe Text Files *C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(1)\Windows `[operating systems] `multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /fastdetect *C:\msdos.sys *C:\Windows\System32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 *C:\Windows\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 `lh %SystemRoot%\system32\nw16 `lh 
%SystemRoot%\system32\vwipxspx *C:\Windows\System32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 `lh %SystemRoot%\system32\nw16 `lh %SystemRoot%\system32\vwipxspx *C:\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 *C:\Windows\wininit.ini `[Rename] `nul=C:\Program Files\EnergyPlugIn\EnergyPlugin.exe `NUL=p8wDwp}w:w *C:\Windows\System32\drivers\etc\hosts `127.0.0.1 www01.paypopup.com `127.0.0.1 www02.paypopup.com `127.0.0.1 www03.paypopup.com `127.0.0.1 www04.paypopup.com `127.0.0.1 www05.paypopup.com `127.0.0.1 www06.paypopup.com `127.0.0.1 www07.paypopup.com `127.0.0.1 www08.paypopup.com `127.0.0.1 www09.paypopup.com `127.0.0.1 www10.paypopup.com `127.0.0.1 count.exitexchange.com Program Files *C:\ntldr *C:\ntdetect.com *C:\io.sys *C:\Windows\System32\win.com *C:\Windows\explorer.exe %PATH% Companion Files +C:\Windows\System32\TASKMGR.COM *C:\Windows\System32\taskmgr.exe +C:\Windows\System32\notepad.exe *C:\Windows\NOTEPAD.EXE +C:\Windows\System32\taskman.exe *C:\Windows\TASKMAN.EXE +C:\Windows\System32\winhlp32.exe *C:\Windows\winhlp32.exe +C:\Windows\REGEDIT.COM *C:\Windows\regedit.exe +C:\PROGRA~1\REFLEC~1\cnectwiz.exe *C:\Program Files\Reflection\cnectwiz.exe *C:\Program Files\Reflection\cnectwiz.exe +C:\PROGRA~1\REFLEC~1\ed3270db.exe *C:\Program Files\Reflection\ed3270db.exe *C:\Program Files\Reflection\ed3270db.exe +C:\PROGRA~1\REFLEC~1\ed5250db.exe *C:\Program Files\Reflection\ed5250db.exe *C:\Program Files\Reflection\ed5250db.exe +C:\PROGRA~1\REFLEC~1\Edit3270.exe *C:\Program Files\Reflection\Edit3270.exe *C:\Program Files\Reflection\Edit3270.exe +C:\PROGRA~1\REFLEC~1\Edit5250.exe *C:\Program Files\Reflection\Edit5250.exe *C:\Program Files\Reflection\Edit5250.exe +C:\PROGRA~1\REFLEC~1\Hllsetup.exe *C:\Program Files\Reflection\Hllsetup.exe 
*C:\Program Files\Reflection\Hllsetup.exe +C:\PROGRA~1\REFLEC~1\Nthlltsr.exe *C:\Program Files\Reflection\Nthlltsr.exe *C:\Program Files\Reflection\Nthlltsr.exe +C:\PROGRA~1\REFLEC~1\R8win.exe *C:\Program Files\Reflection\R8win.exe *C:\Program Files\Reflection\R8win.exe +C:\PROGRA~1\REFLEC~1\rbd240ex.exe *C:\Program Files\Reflection\rbd240ex.exe *C:\Program Files\Reflection\rbd240ex.exe +C:\PROGRA~1\REFLEC~1\Rdoshll.exe *C:\Program Files\Reflection\Rdoshll.exe *C:\Program Files\Reflection\Rdoshll.exe +C:\PROGRA~1\REFLEC~1\Receive.exe *C:\Program Files\Reflection\Receive.exe *C:\Program Files\Reflection\Receive.exe +C:\PROGRA~1\REFLEC~1\rftpc.exe *C:\Program Files\Reflection\rftpc.exe *C:\Program Files\Reflection\rftpc.exe +C:\PROGRA~1\REFLEC~1\rnPing.exe *C:\Program Files\Reflection\rnPing.exe *C:\Program Files\Reflection\rnPing.exe +C:\PROGRA~1\REFLEC~1\Rvd.exe *C:\Program Files\Reflection\Rvd.exe *C:\Program Files\Reflection\Rvd.exe +C:\PROGRA~1\REFLEC~1\Send.exe *C:\Program Files\Reflection\Send.exe *C:\Program Files\Reflection\Send.exe +C:\PROGRA~1\REFLEC~1\Sfxlate.exe *C:\Program Files\Reflection\Sfxlate.exe *C:\Program Files\Reflection\Sfxlate.exe +C:\PROGRA~1\REFLEC~1\Snaeng.exe *C:\Program Files\Reflection\Snaeng.exe System/Drivers Running Processes +0=<idle> +4=<system> +636=<unkown> +688=<unkown> +712=<unkown> +756=<unkown> +768=<unkown> +936=<unkown> +1044=<unkown> +1204=<unkown> +1236=<unkown> +1364=<unkown> +1480=<unkown> +1496=<unkown> +1508=<unkown> +1572=<unkown> +1696=<unkown> +1724=<unkown> +1856=<unkown> +1864=<unkown> +1920=<unkown> +1980=<unkown> +196=<unkown> +3784=C:\Windows\Explorer.EXE +3864=C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe +3872=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe +3876=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE +3888=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe +3900=C:\Windows\System32\igfxtray.exe +3912=C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe 
+3896=C:\Windows\System32\hkcmd.exe +128=C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe +260=C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe +436=C:\Windows\System32\mrtMngr.EXE +4000=C:\Compaq\EAKDRV\EAUSBKBD.EXE +3636=C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE +3772=C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe +2548=<unkown> +576=C:\agencysupport\startdreck\StartDreck.exe NT Services *Altiris Client Service AClient - disabled *Alerter Alerter - on demand *Application Layer Gateway Service ALG - on demand *Application Management AppMgmt - on demand *Windows Audio AudioSrv running auto *Background Intelligent Transfer Service BITS - on demand *Computer Browser Browser running auto *Indexing Service cisvc - on demand *ClipBook ClipSrv - on demand *COM+ System Application COMSysApp - on demand *Compaq Local Alerter CPQALERT running auto *Compaq Remote Diagnostics Enabling Agent CpqDfwWebAgent running auto *cpqdmi cpqdmi running auto *Compaq DMI Web Agent cpqWebDmi running auto *Cryptographic Services CryptSvc running auto *DHCP Client Dhcp running auto *Logical Disk Manager Administrative Service dmadmin - on demand *Logical Disk Manager dmserver running auto *DNS Client Dnscache running auto *Error Reporting Service ERSvc running auto *Event Log Eventlog running auto *COM+ Event System EventSystem running on demand *Fast User Switching Compatibility FastUserSwitchingCom - on demand *Help and Support helpsvc running auto *Human Interface Device Access HidServ - disabled *IMAPI CD-Burning COM Service ImapiService - on demand *IPv6 Internet Connection Firewall Ip6FwHlp - on demand *Server lanmanserver running auto *Workstation lanmanworkstation running auto *TCP/IP NetBIOS Helper LmHosts running auto *McAfee Framework Service McAfeeFramework running auto *Network Associates McShield McShield running auto *Network Associates Task Manager McTaskManager running auto *Machine Debug Manager MDM running auto 
*Messenger Messenger - disabled *NetMeeting Remote Desktop Sharing mnmsrvc - on demand *Distributed Transaction Coordinator MSDTC - on demand *Windows Installer MSIServer - on demand *Network DDE NetDDE - on demand *Network DDE DSDM NetDDEdsdm - on demand *Net Logon Netlogon - on demand *Network Connections Netman running on demand *Network Location Awareness (NLA) Nla running on demand *NT LM Security Support Provider NtLmSsp - on demand *Removable Storage NtmsSvc - on demand *Plug and Play PlugPlay running auto *IPSEC Services PolicyAgent running auto *Protected Storage ProtectedStorage running auto *Remote Access Auto Connection Manager RasAuto - on demand *Remote Access Connection Manager RasMan running on demand *Remote Desktop Help Session Manager RDSessMgr - on demand *Routing and Remote Access RemoteAccess - disabled *Remote Registry RemoteRegistry running auto *Remote Procedure Call (RPC) Locator RpcLocator - on demand *Remote Procedure Call (RPC) RpcSs running auto *QoS RSVP RSVP - on demand *Security Accounts Manager SamSs running auto *Smart Card Helper SCardDrv - on demand *Smart Card SCardSvr - on demand *Task Scheduler Schedule running auto *Secondary Logon seclogon running auto *System Event Notification SENS running auto *Shell Hardware Detection ShellHWDetection running auto *Print Spooler Spooler running auto *System Restore Service srservice - auto *SSDP Discovery Service SSDPSRV running on demand *Windows Image Acquisition (WIA) stisvc running on demand *MS Software Shadow Copy Provider SwPrv - on demand *Performance Logs and Alerts SysmonLog - on demand *Telephony TapiSrv running on demand *Terminal Services TermService running on demand *Themes Themes running auto *Telnet TlntSvr - on demand *Distributed Link Tracking Client TrkWks running auto *Upload Manager uploadmgr running auto *Universal Plug and Play Device Host upnphost - on demand *Uninterruptible Power Supply UPS - on demand *Volume Shadow Copy VSS - on demand *Windows Time W32Time 
running auto *WebClient WebClient running auto *WIN32SL WIN32SL running auto *Windows Management Instrumentation winmgmt running auto *VNC Server winvnc running auto *Portable Media Serial Number Service WmdmPmSN - on demand *Windows Management Instrumentation Driver Exten Wmi - on demand `sions *WMI Performance Adapter WmiApSrv - on demand *Automatic Updates wuauserv running auto *Wireless Zero Configuration WZCSVC running auto VMM32Files (LM) %System%\VMM32 %System%\IOSUBSYS Application specific MS Office 97/8.0 STARTUP-PATH Current User Default User Local Machine ICQ NetDetect Current User Default User |
#7
Analyst, Security Team
Any idea what this program is for?
C:\Program Files\EnergyPlugIn\EnergyPlugin.exe

If you don't know, uninstall it and then delete the whole folder -> C:\Program Files\EnergyPlugIn\

Go to C:\Windows\ and double click on wininit.ini to open it. Delete these two lines (for EnergyPlugIn, delete that also unless you know what it's for):

`nul=C:\Program Files\EnergyPlugIn\EnergyPlugin.exe
`NUL=p8wDwp}w:w

Save the file and close it.

Give us these logs now:

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download FindQoologic-Narrator.zip at http://forums.net-integration.net/in...post&id=134981 and save it to your Desktop. Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here.

Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
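The two wininit.ini lines the analyst asks the poster to delete come from the [Rename] section that the StartDreck log in #6 printed under C:\Windows\wininit.ini. Each line in that section is destination=source; WININIT.EXE on Windows 9x processes the section at the next boot, and a destination of NUL means "delete the source file" (NT-based Windows keeps pending deletes in the PendingFileRenameOperations registry value instead, so a populated wininit.ini on XP is worth a look on its own). The script below is an added example, not the analyst's tooling and not part of the thread: it parses that section and explains each line, and applies the same plain-text triage to hosts-file entries, which the same log lists and which the opening post says keep being modified. The wininit.ini sample is copied from the log; the hosts sample mirrors the log's 127.0.0.1 entries plus one constructed redirect (198.51.100.7 for update.example.com) to show the case that warrants investigation.

```python
"""Explain a wininit.ini [Rename] section and classify hosts-file entries.

Added example, not tooling from the thread. Both inputs are plain text
the StartDreck log in #6 already printed, so the parsing is deliberately
hand-rolled: configparser would reject the duplicate 'nul'/'NUL' keys.
"""
import re

# Copied from the StartDreck log in #6 (lines printed under C:\Windows\wininit.ini).
WININIT_SAMPLE = r"""
[Rename]
nul=C:\Program Files\EnergyPlugIn\EnergyPlugin.exe
NUL=p8wDwp}w:w
"""

# Constructed hosts file: loopback entries mirror the log; the last line is
# invented (TEST-NET-2 address, example.com) to show a real redirect.
HOSTS_SAMPLE = """
127.0.0.1 localhost
127.0.0.1 www01.paypopup.com
127.0.0.1 count.exitexchange.com
198.51.100.7 update.example.com
"""

# A plausible Windows path starts with a drive letter or a UNC prefix.
WIN_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [Rename] section of a wininit.ini."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "rename"
            continue
        if in_section and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def triage_rename(pairs):
    """Describe each [Rename] line the way WININIT.EXE (Windows 9x) would act on it."""
    out = []
    for dest, src in pairs:
        if dest.upper() == "NUL":
            # NUL=<path> is a delete-at-boot; a source that is not a path is junk or obfuscation.
            kind = "delete-at-boot" if WIN_PATH_RE.match(src) else "malformed-delete"
            out.append((kind, src))
        else:
            out.append(("rename-at-boot", f"{src} -> {dest}"))
    return out


def triage_hosts(text):
    """Classify hosts entries as the default localhost line, a loopback 'block'
    entry (the form ad-blocking lists take), or a redirect to some other address."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() == "localhost" and ip in LOOPBACK:
                verdict = "default"
            elif ip in LOOPBACK:
                verdict = "block"
            else:
                verdict = "redirect"
            results.append((name, ip, verdict))
    return results


if __name__ == "__main__":
    for kind, detail in triage_rename(parse_rename_section(WININIT_SAMPLE)):
        print(f"wininit.ini: {kind}: {detail}")
    for name, ip, verdict in triage_hosts(HOSTS_SAMPLE):
        print(f"hosts: {verdict:8} {name} -> {ip}")
```

Entries that send a name to loopback only block it; the ones to chase are names sent anywhere else, since that is how a hosts file can silently reroute a vendor or update site. A read-only attribute on the file is not a protection: any process running as an administrator can clear the attribute and write the file.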
#8
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
"Any idea what this program is for?
C:\Program Files\EnergyPlugIn\EnergyPlugin.exe If you don't know, uninstall it and then delete the whole folder -> C:\Program Files\EnergyPlugIn\"

Never heard of this before, and it's not on the system under Program Files either... Will continue to look for it and post the other logs in a few.
#9
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
?
OK, removed the entries from wininit.ini.

Here is the first log:

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" ["Analog Devices, Inc."]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"IgfxTray" = "C:\Windows\System32\igfxtray.exe" ["Intel Corporation"]
"HPDJ Taskbar Utility" = "C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" ["HP"]
"HotKeysCmds" = "C:\Windows\System32\hkcmd.exe" ["Intel Corporation"]
"CSISetup" = "S:\PCSetup\disk1\setup.exe -fdailysetup.ins" ["InstallShield Software Corporation"]
"CPQEASYACC" = "C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" ["Compaq Computer Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Here is the Qoologic file:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files found

startup files

Checking Global Startup (fstarts by IMM - test ver. 0.001)
NOT using address check -- 0x77f5bd48
Global Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
QuickBooks 2001 Delivery Agent.lnk
User Startup: C:\Documents and Settings\agent3\Start Menu\Programs\Startup
.
..
desktop.ini

Registry Entries Found !

REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
    <NO NAME>    REG_SZ    {85BBD920-42A0-1069-A2E4-08002B30309D}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME>    REG_SZ    {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME>    REG_SZ    {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME>    REG_SZ    {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
    <NO NAME>    REG_SZ    {cda2863e-2497-4c49-9b89-06840e070a87}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    <NO NAME>    REG_SZ    {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME>    REG_SZ    Start Menu Pin

Active setup

"Find activesetup", version1, launched at: 16:05
Operating System: Windows XP

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
  \StubPath = "C:\Windows\inf\unregmp2.exe /ShowWMP" [MS]

Here is the DllCompare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,332 items found: 1,332 files, 0 directories.
Total of file sizes: 265,719,476 bytes 253.41 M
Administrator Account = False
--------------------End log---------------------

After doing this I realized I wasn't admin, so I reran it with admin rights. Below is the new log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,332 items found: 1,332 files, 0 directories.
Total of file sizes: 265,719,476 bytes 253.41 M
Administrator Account = True
--------------------End log---------------------

Also, about the EnergyPlugIn thing: still haven't found it in C:\Program Files. I have "show hidden files" checked and I have also unchecked "hide protected OS files" as well. I still don't see it though.
#11
Analyst, Security Team
Since you can't find it, let's try this:
Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Program Files\EnergyPlugIn\

I assume you don't know what that program is for right? The above will delete it if it still exists. If not, then it was removed already. Restart and post a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#12
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
OK, did the KillBox thing and it didn't show up in blue, but I did it anyway. Rebooted; here is the new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 2:19:29 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Windows\System32\mrtMngr.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\agencysupport\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O15 - Trusted Zone: *.csic.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = csic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = 65.196.134.14,65.196.134.16
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
#13
Analyst, Security Team
Did you put these in your hosts file?
C:\Windows\System32\drivers\etc\hosts
127.0.0.1 www01.paypopup.com
127.0.0.1 www02.paypopup.com
127.0.0.1 www03.paypopup.com
127.0.0.1 www04.paypopup.com
127.0.0.1 www05.paypopup.com
127.0.0.1 www06.paypopup.com
127.0.0.1 www07.paypopup.com
127.0.0.1 www08.paypopup.com
127.0.0.1 www09.paypopup.com
127.0.0.1 www10.paypopup.com
127.0.0.1 count.exitexchange.com

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

You should 'not' have any open browsers when you are following the procedures below. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

Restart and run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
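A small triage helper, added here as an example and not part of the thread or of the HijackThis and KRC Analyzer tools: it flags the entry types the analyst asked to have fixed (R1 about:blank, O15 ProtocolDefaults in the My Computer zone) together with the O15 Trusted Zone, O17 NameServer and O23 "(file missing)" entries from the log above, and lists hosts-file redirects like the ones the analyst quoted. The sample log and hosts lines are constructed from lines posted in this thread.

```python
"""Triage helper for HijackThis-style log lines and hosts-file entries.
Added example for this thread; not code from HijackThis, KRC Analyzer or
the forum posts. Sample inputs below are constructed from lines posted above."""
import re

# Constructed sample: a few lines copied from the poster's HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O15 - Trusted Zone: *.csic.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = 65.196.134.14,65.196.134.16
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
""".strip()

# Constructed sample hosts file: the default localhost line plus two of the
# redirect entries the analyst quoted.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www01.paypopup.com
127.0.0.1 count.exitexchange.com
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")  # "O15 - Trusted Zone: ..." etc.

def triage(log_text):
    """Return [(prefix, reason, line)] for entries that merit a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list and blank lines are skipped
        prefix, body = m.groups()
        reason = None
        if prefix in ("R0", "R1") and "about:blank" in body:
            reason = "IE search/start page reset to about:blank (hijack residue)"
        elif prefix == "O15" and body.startswith("ProtocolDefaults") and "My Computer Zone" in body:
            reason = "http mapped to My Computer zone: IE security prompts bypassed"
        elif prefix == "O15" and body.startswith("Trusted Zone"):
            reason = "domain in Trusted zone: confirm it was added on purpose"
        elif prefix == "O17" and "NameServer" in body:
            reason = "explicit DNS servers: confirm they belong to your ISP/network"
        elif prefix == "O23" and body.endswith("(file missing)"):
            reason = "service points at a missing file: orphaned service entry"
        if reason:
            findings.append((prefix, reason, line))
    return findings

def hosts_redirects(hosts_text):
    """Return hostnames mapped to 127.0.0.1, other than localhost itself."""
    names = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            names.extend(h for h in fields[1:] if h.lower() != "localhost")
    return names
```

Running triage() over the full log rather than the sample leaves the O4 and O23 vendor entries alone and reports only the five entry kinds above, which is the short list a helper would want to confirm before posting a reply.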
#15
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
OK, I ran HijackThis and checked the 4 items, and one of them wouldn't delete. The item that wouldn't delete is the 2nd O15. I tried to do this twice; it still wouldn't delete. Then I ran the HijackThis Analyzer; here is the log.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:52:19 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\agencysupport\HijackThis.exe

O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O15 - Trusted Zone: *.csic.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = csic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer = 65.196.134.14,65.196.134.16
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================
#16
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
Have you run this tool yet:

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Try and fix the O15's after running the tool.
#17
Member
Join Date: Apr 2005
Posts: 35
OS: WIN XP
OK, downloaded and ran the .inf you provided. I was able to remove the O15 using HJT after that; here is a new log. This log was run through the HJT Analyzer program from earlier as well.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:07:07 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\agencysupport\HijackThis.exe

O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: Domain = csic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{690AE506-E142-4A46-AAC0-47C45963CE9D}: NameServer =
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================
#18
Analyst, Security Team
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.
Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.