Still having problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mands92, Dec 31, 2004.

  1. Mands92

    Mands92 Private E-2

    I went through the editorial on the read me first and downloaded and ran all of the programs specified. I removed many programs with ad-aware and the online scans, but I am still getting pop-ups as well as my computer Internet Explorer connecting to www.affoundation.org/ind.html when I start up. :rolleyes: Any help would be greatly appreciated
    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps from this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal , and you still have a problem, follow the guidelines below and post your HijackThis log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Mands92

    Mands92 Private E-2

    Hopefully I did this correctly... posting my log file as requested. I think I just noticed another problem, although I'm probably missing quite a few. Went to control panel to check my programs in add/delete and there's one called "Web Offer" which I can't seem to delete. I searched for it and didn't get any results.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have HijackThis running from here:

    C:\DOCUME~1\Amanda\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    That means you are running from the ZIP file which we do not want you to do. You must create a folder called C:\Program Files\HJT and extract the hijackthis.exe ZIP file to that folder. Then run it from that directory. You will not get backups otherwise.
    You MUST do this before continuing. If you cannot figure out how to do that let me know before you proceed with the below.


    First go back to Add/Remove Programs and uninstall if found:
    Ares <--- P2P file downloaders like this are where many of your problems came from.
    WeatherBug <--- Adds spy/ad-ware to your computer unless you have the purchased version.

    Next a few questions:
    1) Do you know if you need this next proxy server entry? Is it for your ISP?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1090
    2) Do you have any idea what this 3TC program is? It looks suspicious to me.
    C:\windows\3TC.exe
    O4 - HKLM\..\Run: [3TC] C:\windows\3TC.exe

    You have some Peper Trojan issues. Run the two below programs.
    http://www.memorywatcher.com/uninst.exe
    http://tools.zerosrealm.com/PeperFix.exe
    Running these may fix some items that I give below in the HijackThis cleanup. So if you don't see them later, don't worry about it.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\active.exe
    C:\WINDOWS\System32\BROWSEUI.exe
    C:\WINDOWS\system32\?hkdsk.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O2 - BHO: (no name) - {3C9D851C-17FC-1E0E-FD7B-1F943C9DDB95} - C:\WINDOWS\system32\kpvmhtie.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Amanda\Local Settings\Temp\pyR.dll
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [4#PJTK33HE3397] C:\WINDOWS\system32\Oval63H.exe
    O4 - HKLM\..\Run: [zaQixtQ57] C:\documents and settings\amanda\local settings\temp\zaQixtQ57.exe
    O4 - HKLM\..\Run: [Mpt] c:\documents and settings\amanda\local settings\temp\Mpt.exe
    O4 - HKLM\..\Run: [Fz9wtD] C:\documents and settings\amanda\local settings\temp\Fz9wtD.exe
    O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
    O4 - HKCU\..\Run: [ares] "D:\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Blwlp] C:\WINDOWS\system32\?hkdsk.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\maxspeed.exe (file missing)
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
    O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete (if they still exist):
    C:\active.exe
    C:\WINDOWS\System32\BROWSEUI.exe
    C:\WINDOWS\system32\?hkdsk.exe
    C:\WINDOWS\system32\SearchBar.htm
    C:\WINDOWS\system32\kpvmhtie.dll
    C:\Documents and Settings\Amanda\Local Settings\Temp\pyR.dll
    C:\active.exe
    C:\WINDOWS\system32\Oval63H.exe
    C:\documents and settings\amanda\local settings\temp\zaQixtQ57.exe
    c:\documents and settings\amanda\local settings\temp\Mpt.exe
    C:\documents and settings\amanda\local settings\temp\Fz9wtD.exe
    C:\WINDOWS\System32\BROWSEUI.exe
    D:\Ares <--- the whole folder
    C:\Program Files\AWS <--- the whole folder
    C:\WINDOWS\system32\ezPopStub.exe
    C:\Program Files\Web Offer <--- the whole folder

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
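    The triage chaslang does by eye in the post above (autostart entries living in Temp or the drive root, URLSearchHooks and BHOs with "(no file)" behind them, a service whose binary is "(file missing)", a name one character off a system file such as ?hkdsk.exe, a system library name reused with an .exe extension, a browser proxy pointing at localhost, an ActiveX object fetched from a bare IP) can be written down as checks over HijackThis-style log lines. The Python below is an added example, not code from this thread or from HijackThis itself. The log fragment it scans is constructed from the entries quoted in the post, and the short list of genuine Windows file names used for the look-alike check is an assumption made for the example. It needs no Windows APIs, so it runs anywhere Python does.

```python
import re
from dataclasses import dataclass

# Constructed allow-list of genuine Windows file names that the look-alike
# check compares against (assumption for this example; extend as needed).
SYSTEM_BINARIES = {"chkdsk.exe", "browseui.dll", "explorer.exe", "svchost.exe", "lsass.exe"}

# Constructed sample: HijackThis-style lines modelled on the entries in the post.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1090
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Amanda\Local Settings\Temp\pyR.dll
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
O4 - HKCU\..\Run: [Blwlp] C:\WINDOWS\system32\?hkdsk.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)
"""

SECTION_RE = re.compile(r"([RFNO]\d+) - (.*)")
# First Windows path ending in an executable-ish extension; non-greedy so it
# stops at the binary and ignores trailing arguments or "(file missing)".
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|htm|html|cab))", re.IGNORECASE)
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")


@dataclass
class Finding:
    line_no: int
    section: str      # HijackThis section tag: R0, R1, O2, O4, O16, O23, ...
    entry: str        # the original log line
    reasons: list     # why it was flagged


def one_char_off(name, reference):
    """True when `name` differs from `reference` in exactly one position
    (enough to catch ?hkdsk.exe vs chkdsk.exe; a full edit distance would
    also catch insertions and deletions)."""
    if len(name) != len(reference):
        return False
    return sum(a != b for a, b in zip(name, reference)) == 1


def check_path(path, reasons):
    """Append path-based indicators for one executable path to `reasons`."""
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    if "\\temp\\" in lower:
        reasons.append("runs from a Temp folder")
    if re.fullmatch(r"[a-z]:\\[^\\]+", lower):
        reasons.append("runs from the drive root")
    if re.search(r"[^a-z0-9_.\-]", base):
        reasons.append("non-standard character in file name")
    for sysname in SYSTEM_BINARIES:
        sys_stem, _, sys_ext = sysname.rpartition(".")
        if base == sysname:
            continue  # the genuine file name, nothing to flag here
        if one_char_off(base, sysname):
            reasons.append(f"look-alike of {sysname}")
        elif stem == sys_stem and ext != sys_ext:
            reasons.append(f"reuses the name of {sysname} with a .{ext} extension")


def triage(log_text):
    """Return a Finding for every log line that trips at least one check."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        reasons = []
        if "(no file)" in rest or "(file missing)" in rest:
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if section == "R1" and "ProxyServer" in rest and re.search(r"localhost|127\.0\.0\.1", rest):
            reasons.append("browser traffic routed through a local proxy port")
        if section == "O16" and IP_URL_RE.search(rest):
            reasons.append("ActiveX object downloaded from a bare IP address")
        pm = PATH_RE.search(rest)
        if pm:
            check_path(pm.group(1), reasons)
        if reasons:
            findings.append(Finding(no, section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}]: {'; '.join(f.reasons)}")
        print(f"    {f.entry}")
```

    Of the nine constructed lines, eight are flagged; the WeatherBug entry is not, which matches the thread: it is unwanted, but nothing about its path or shape gives it away, and it has to be recognised by name. Heuristics like these shortlist entries for a human to judge; they do not decide what to delete, and the chkdsk.exe episode later in the thread shows why.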
     
  5. Mands92

    Mands92 Private E-2

    Removed Ares (apparently my brother downloaded it because I found some of his music in the shared folder)
    No weather bug to remove in add/remove

    Answering the questions:
    1)No idea if I need it any way to check?
    2) ditto above

    Ran the two programs you gave me
    no peper files detected
    Turned system restore off. Killed the three processes you specified. Deleted most of the things you gave me using Hijack This!. Couldn't find "04-HKLM\..\Run:[4#PJTK33HE3397] C:\WINDOWS\system32\Oval63H.exe"

    and the web offer had changed... but I saw web offer and erased it
    rebooted in safe mode and erased most of the things you told me.
    active.exe, BROWSEUI.exe were the only two I could find. When I searched for C:\WINDOWS\system32\?hkdsk.exe it gave me chkdsk which I erased. Crossing my fingers and hoping that was the right move. It found Ares in the D drive but it wouldn't let me erase it (gave me "cannot delete file: cannot read from source file or disk")

    rebooted here's my new log. the affoundation thing is gone on the last reboot :) but Web Offer is still in add/delete and I still can't delete it...
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's ignore the localhost line but I want to find out what the C:\windows\3TC.exe program is. Open Windows Explorer and navigate to the c:\windows directory and find the 3tc.exe file. Right click on it and select Properties. Then see if there is a Version tab. If so, click the Version tab and now there will be an Item name box. Click on each item name field and you can get info about things like company name, version, internal name and more. Let me know what you find.

    No, you should not have deleted chkdsk.exe; it is a system process. But before we do anything else, go to the C:\WINDOWS\system32 folder and look in there for anything similarly named to chkdsk.exe (perhaps anything that ends with hkdsk.exe, leaving off the first character). If so, tell me the filesize and date. Then bring up your Recycle Bin (I'm assuming you have not emptied it yet; don't) and see if the chkdsk.exe file is in the Recycle Bin.

    Educational Note: When working on stuff like this and following directions, if something does not exactly match a name given, or an instruction is confusing, stop and ask questions before continuing. Removing the wrong file can result in a non-bootable PC, and malware tries to trick you and name things very similar to files you need.

    For Web Offers, click Start, Run and enter regedit and click OK. This will bring up the registry editor. Click Edit and select Find. In the Find What: box enter Web Offer (or WebOffer, I'm not sure how they save it in the registry). Then click the Find Next button. When found, write down the full registry key. Then hit the F3 key (this will continue the search from where it stopped). Repeat until the end of the registry is reached.

    Your log is clean so do the above and come back and post me answers to my questions.
     
  7. Mands92

    Mands92 Private E-2

    I'm back again... here goes as much as I know (which I know isn't much)

    No Version tab on the 3TC.exe. It was created recently (December 24th) and I’m thinking it might be the folder for the wireless internet a friend hooked up recently… I’ll try to figure that out. No company name, no version name, nothing.

    AHH I feel so stupid now even though I thought I was doing something right for once! :( For some reason there’s nothing in the recycle bin although I did not empty it. I erased the chkdsk.exe while in safe mode then rebooted. None of the things I deleted are in there, it's all empty. Nothing comes up when I search for hkdsk.exe or chkdsk.exe in the system32 folder. Argh I’m sorry I feel like such an idiot. Hopefully it's an easy fix and not a hard one. From now on, I'll ask more questions; it just seems like everyone has problems and I feel selfish for taking up so much of the really smart people on this forum's time.

    Web Offers: searched the registry and found it. I’m not sure if this is what you wanted but its location is: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Web Offer

    Thanks so much Chaslang. You have no idea how terrific you are.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That program is in your Windows folder ===> C:\windows\3TC.exe
    How big is the file?


    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Web Offer

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the Web Offer one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    Are you sure that was the only place it appeared? Search again after deleting the above key. I would expect something in the Uninstall registry key. That would be the reason for it appearing in Add/Remove programs.

    As far as chkdsk.exe, let's see if we can get a copy back into the system32 folder.
    Look for one of these two folders on your PC:
    c:\i386
    c:\windows\i386

    If you have either one of them, get into the i386 folder and locate chkdsk.exe there. Right click the chkdsk.exe file and then select Copy. Now navigate to c:\windows\system32 and click anywhere in the right window pane. Then hit CTRL-V to paste a copy of chkdsk.exe into the system32 folder. Make sure you see the file there.

    If you do not see chkdsk.exe but see chkdsk.ex_ let me know. We will have to expand the compressed file first.

    If you do not find either of those i386 folders, do a Windows file search for chkdsk.exe and see if you get any matches. Otherwise, do you have an original WinXP CD?
     
  9. Mands92

    Mands92 Private E-2

    Found the 3TC thing info:
    3TC the application is 169 kb
    3TC.EXE-26D581B0.pf is 21 kb

    Erased the web offer you told me. But you were right about it being in the uninstall area. I didn't erase it yet because you didn't tell me to and although I'm sure you will I wanted to be 100% because last time I messed up...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Offer

    Found both folders: c:\windows\i386 and the i386, but couldn’t find the chkdsk.exe or chkdsk.ex_ anywhere in them… is there any other search I can do? I was just searching in windows explorer for c:\windows\i386 then browsing to see if I could find it. There were almost 3000 things but they were in alphabetical order and I didn’t see it anywhere in the c’s. Could it be named something else? Thanks for bearing with me and my clueless ways, you guys on this forum are really the best. If there's any way I can donate or something I'd definitely be more than happy... thanks so much
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, delete that registry key and then look in Add/Remove programs to make sure Web Offer is gone.

    Click Start, Search, All files and folders, enter chkdsk (yes, without the extension) in the box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Tell me if you get any matches.
    Do you have an original full copy of a WinXP CD?

    I'd like you to PM me with an email address so we can talk about sending me a copy of that 3tc.exe
     
