Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please help - persistent 69sexsearch.com Pop-Up

Started by adriang , Dec 29 2004 11:34 PM

Please log in to reply

#1
adriang

Posted 29 December 2004 - 11:34 PM

New Member

Member
4 posts

Good Morning All,

I have a problem whereby whenever I log onto my PC I get a lot of pop-up for a site called www.69sexsearch.com. I have tried all the top spyware removal tools and popup blockers to no avail. Can someone please help me eliminate this problem. Below is the Hijack Log and your assistance will be greatly appreciated:

Logfile of HijackThis v1.98.2
Scan saved at 1:27:51 AM, on 12/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\etlisrv.exe
C:\Program Files\UMS\httpserv\httpserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ICO.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\luinap.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\WINNT\system32\etlitr50.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\UMS\Director\bin\twgipc.exe
C:\PROGRA~1\UMS\Director\bin\twgescli.exe
C:\PROGRA~1\UMS\Director\bin\twgmonit.exe
C:\PROGRA~1\UMS\Director\bin\twgtopo.exe
C:\PROGRA~1\UMS\Director\bin\nfUMSagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavIEHelper Class - {4E9ED978-F94F-11d4-A42E-00105AE60EA3} - C:\UnisysFinancialTransactionMgr40\Client\navigatoralerts.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINNT\system32\smiehlp.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [F1685543] C:\WINNT\system32\luinap.exe
O4 - HKLM\..\Run: [EC8443E6] C:\WINNT\system32\Nodelbca.exe
O4 - HKLM\..\Run: [9A0E484E] C:\WINNT\system32\avdfv.exe
O4 - HKLM\..\Run: [8F0B96D3] C:\WINNT\system32\adml3d3.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [F1685543] C:\WINNT\system32\luinap.exe
O4 - HKCU\..\Run: [EC8443E6] C:\WINNT\system32\Nodelbca.exe
O4 - HKCU\..\Run: [9A0E484E] C:\WINNT\system32\avdfv.exe
O4 - HKCU\..\Run: [8F0B96D3] C:\WINNT\system32\adml3d3.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Alerts - {D179CF80-389B-11d3-A2DB-00105AE60EA3} - C:\UnisysFinancialTransactionMgr40\Client\navigatoralerts.dll
O9 - Extra button: AS400 - {69BD830D-3560-4C30-A039-7A1FA9883B68} - C:\Program Files\IBM\Client Access\Emulator\Private\BBAS400.WS (HKCU)
O9 - Extra button: Snagit - {BCE4C600-5038-42FF-B270-8A6775B8CD59} - C:\Program Files\TechSmith\SnagIt\SnagIt32.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...dPage|viewpoint
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://10.6.107.171/msrdp.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intl.bns
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C44962F-583A-4D37-9824-2FE9BCFF722F}: NameServer = 205.214.199.130 205.214.199.131
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intl.bns
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intl.bns
O20 - AppInit_DLLs: TwgProc.DLL

Regards.

A

#2
adriang

Posted 30 December 2004 - 07:13 AM

New Member

Topic Starter
Member
4 posts

Hi All,

I have installed all of my spyware removal software to make thing a little easier to discern. Here is the new log. Please help.

Logfile of HijackThis v1.98.2
Scan saved at 9:09:40 AM, on 12/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\etlisrv.exe
C:\Program Files\UMS\httpserv\httpserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\UMS\Director\bin\twgipcsv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\ICO.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\UMS\utils\DLLINIT.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\luinap.exe
C:\WINNT\system32\internat.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\WINNT\system32\etlitr50.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\UMS\Director\bin\twgipc.exe
C:\PROGRA~1\UMS\Director\bin\twgescli.exe
C:\PROGRA~1\UMS\Director\bin\twgmonit.exe
C:\PROGRA~1\UMS\Director\bin\twgtopo.exe
C:\PROGRA~1\UMS\Director\bin\nfUMSagent.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=gateway.bns:8000;gopher=10.0.44.33:8000;http=10.0.44.33:8000;https=gateway.bns:443;socks=10.0.44.33:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;192.*.*.*;172.*.*.*;199.*.*.*;*.bns;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavIEHelper Class - {4E9ED978-F94F-11d4-A42E-00105AE60EA3} - C:\UnisysFinancialTransactionMgr40\Client\navigatoralerts.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dllInit ibmasstw.dll] "C:\Program Files\UMS\utils\DLLINIT.EXE" ibmasstw.dll
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [F1685543] C:\WINNT\system32\luinap.exe
O4 - HKLM\..\Run: [EC8443E6] C:\WINNT\system32\Nodelbca.exe
O4 - HKLM\..\Run: [9A0E484E] C:\WINNT\system32\avdfv.exe
O4 - HKLM\..\Run: [8F0B96D3] C:\WINNT\system32\adml3d3.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [F1685543] C:\WINNT\system32\luinap.exe
O4 - HKCU\..\Run: [EC8443E6] C:\WINNT\system32\Nodelbca.exe
O4 - HKCU\..\Run: [9A0E484E] C:\WINNT\system32\avdfv.exe
O4 - HKCU\..\Run: [8F0B96D3] C:\WINNT\system32\adml3d3.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Entrust.lnk = C:\WINNT\system32\etlitr50.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: Alerts - {D179CF80-389B-11d3-A2DB-00105AE60EA3} - C:\UnisysFinancialTransactionMgr40\Client\navigatoralerts.dll
O9 - Extra button: AS400 - {69BD830D-3560-4C30-A039-7A1FA9883B68} - C:\Program Files\IBM\Client Access\Emulator\Private\BBAS400.WS (HKCU)
O9 - Extra button: Snagit - {BCE4C600-5038-42FF-B270-8A6775B8CD59} - C:\Program Files\TechSmith\SnagIt\SnagIt32.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...dPage|viewpoint
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://10.6.107.171/msrdp.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intl.bns
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intl.bns
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intl.bns
O20 - AppInit_DLLs: TwgProc.DLL

Regards.

Ryan

#3
adriang

Posted 30 December 2004 - 07:15 AM

New Member

Topic Starter
Member
4 posts

Sorry that should have been "UN-INSTALLED"

#4
admin

Posted 30 December 2004 - 12:19 PM

Founder Geek

Community Leader
24,639 posts

Download and save file -- Unzip. To execute this file: in Explorer - right-click (this file). Select Install from the Menu.

Download here: http://www.geekstogo...=download&id=40

Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants. Afterwards, Please Post a fresh Hijack This log.

#5
adriang

Posted 30 December 2004 - 02:53 PM

New Member

Topic Starter
Member
4 posts

Thank you very much for your reply "admin". I actually followed one of the previous treads and was able to correct my problem. I used the advice given as a guide and "presto" ....it worked. Hijackthis seems to be a great piece of software. This site is great also....I wouldn't have solved this problem otherwise.

Ryan.

#6
admin

Posted 30 December 2004 - 02:56 PM

Founder Geek

Community Leader
24,639 posts

You're welcome!

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox

.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :tazz: