
realsearch, 69sexsearch problem



#1 zd_ice (Member)

Whenever I close IE, 69sexsearch opens in multiple windows. I've tried several adware/spyware removal programs but none of them have worked. Any help would be greatly appreciated.

HijackThis logfile



Logfile of HijackThis v1.99.0
Scan saved at 3:15:23 PM, on 1/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\documents and settings\owner\local settings\temp\Z.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\wselar.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Owner\Application Data\rpen.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {35AA1676-9A11-08CA-D704-11550C862B6F} - C:\WINDOWS\System32\zgia.dll (file missing)
O2 - BHO: (no name) - {70748747-4983-4750-A6DF-46C6FE11C4B1} - C:\WINDOWS\System32\phhpnsxs.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\sYL5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PLkqGWrG] C:\documents and settings\owner\local settings\temp\PLkqGWrG.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Vqxt.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoader2Fwl1LbXLYaU] "C:\WINDOWS\System32\csrinet.exe"
O4 - HKLM\..\Run: [2sFP39e] csrinet.exe
O4 - HKLM\..\Run: [bAu7] C:\documents and settings\owner\local settings\temp\bAu7.exe
O4 - HKLM\..\Run: [4T5ZNEqXP] C:\documents and settings\owner\local settings\temp\4T5ZNEqXP.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [uFAD8V] C:\documents and settings\owner\local settings\temp\uFAD8V.exe
O4 - HKLM\..\Run: [Z] C:\documents and settings\owner\local settings\temp\Z.exe
O4 - HKLM\..\Run: [hVdU] C:\documents and settings\owner\local settings\temp\hVdU.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKLM\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKLM\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKLM\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [mdwmdmsp] C:\WINDOWS\system32\mdwmdmsp.exe
O4 - HKCU\..\Run: [JBwFRVK3Q] iyutetab.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Owner\Application Data\rpen.exe
O4 - HKCU\..\Run: [Fuyqeved] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKCU\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKCU\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKCU\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.69sexsearch.com
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 zd_ice (Topic Starter)

I can't say I know much about computers, but from looking at similar topics, it looks like I should fix these files using HijackThis:

O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKLM\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKLM\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKLM\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe

O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKCU\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKCU\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKCU\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.e

O15 - Trusted Zone: http://*.69sexsearch.com

Then reboot in safe mode and delete

C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\wselar.exe
C:\WINDOWS\system32\pvcnatt.exe
C:\WINDOWS\system32\amoaclu.exe
C:\WINDOWS\system32\WSErypt.exe

I could be completely wrong. Anyone know if I'm right?

#3 zd_ice (Topic Starter)

Anyone know?

#4 ilago (Visiting Consultant)

Hi zd_ice

You have quite a few problems there. The ones you've noted are certainly part of it, but we'll make a start with the removal of the Peper trojan.

Download the removal tool from here
http://www.geekstogo...desc&perpage=20

Save the file on your desktop and double-click on the file to run it.

Reboot and run the removal tool again.

Your computer should now be clean of the Peper trojan. Please run a fresh HijackThis log and post that so we can continue.

#5 zd_ice (Topic Starter)

Here's the new HiJackThis logfile


Logfile of HijackThis v1.99.0
Scan saved at 7:21:59 PM, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\documents and settings\owner\local settings\temp\Z.exe
C:\documents and settings\owner\local settings\temp\hVdU.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\wselar.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Owner\Application Data\rpen.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mamma.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {35AA1676-9A11-08CA-D704-11550C862B6F} - C:\WINDOWS\System32\zgia.dll (file missing)
O2 - BHO: (no name) - {70748747-4983-4750-A6DF-46C6FE11C4B1} - C:\WINDOWS\System32\phhpnsxs.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\5Wzno.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PLkqGWrG] C:\documents and settings\owner\local settings\temp\PLkqGWrG.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoader2Fwl1LbXLYaU] "C:\WINDOWS\System32\csrinet.exe"
O4 - HKLM\..\Run: [2sFP39e] csrinet.exe
O4 - HKLM\..\Run: [bAu7] C:\documents and settings\owner\local settings\temp\bAu7.exe
O4 - HKLM\..\Run: [4T5ZNEqXP] C:\documents and settings\owner\local settings\temp\4T5ZNEqXP.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [uFAD8V] C:\documents and settings\owner\local settings\temp\uFAD8V.exe
O4 - HKLM\..\Run: [Z] C:\documents and settings\owner\local settings\temp\Z.exe
O4 - HKLM\..\Run: [hVdU] C:\documents and settings\owner\local settings\temp\hVdU.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKLM\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKLM\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKLM\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - HKLM\..\Run: [536B5156] C:\WINDOWS\system32\6tosyatmf.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [C8357BE6] C:\WINDOWS\system32\ivevpmgr.exe
O4 - HKLM\..\Run: [D69BBA6B] C:\WINDOWS\system32\cctacle.exe
O4 - HKLM\..\Run: [E8F930EE] C:\WINDOWS\system32\dslwsel.exe
O4 - HKLM\..\Run: [C5832906] C:\WINDOWS\system32\sldtmpv.exe
O4 - HKLM\..\Run: [8F125B6E] C:\WINDOWS\system32\atsrl3dv.exe
O4 - HKLM\..\Run: [F5027E5E] C:\WINDOWS\system32\msatt.exe
O4 - HKLM\..\Run: [C9F821EE] C:\WINDOWS\system32\elvpsdmo.exe
O4 - HKLM\..\Run: [D9C14186] C:\WINDOWS\system32\aceterckb.exe
O4 - HKLM\..\Run: [FCB24CEB] C:\WINDOWS\system32\gntcnsvsole.exe
O4 - HKLM\..\Run: [8F48D26B] C:\WINDOWS\system32\fsiamoc.exe
O4 - HKLM\..\Run: [4E5A92EE] C:\WINDOWS\system32\tifcn.exe
O4 - HKLM\..\Run: [5EA33F6E] C:\WINDOWS\system32\ctesn.exe
O4 - HKLM\..\Run: [BEE9A14E] C:\WINDOWS\system32\dlldima.exe
O4 - HKLM\..\Run: [852C7966] C:\WINDOWS\system32\ipcvc.exe
O4 - HKLM\..\Run: [A013A2CE] C:\WINDOWS\system32\ccolmo.exe
O4 - HKLM\..\Run: [835CEDD3] C:\WINDOWS\system32\dfvcol.exe
O4 - HKLM\..\Run: [8C55B87E] C:\WINDOWS\system32\ootvam.exe
O4 - HKLM\..\Run: [BC63C47E] C:\WINDOWS\system32\ti3d8psa.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [mdwmdmsp] C:\WINDOWS\system32\mdwmdmsp.exe
O4 - HKCU\..\Run: [JBwFRVK3Q] iyutetab.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Owner\Application Data\rpen.exe
O4 - HKCU\..\Run: [Fuyqeved] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKCU\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKCU\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKCU\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - HKCU\..\Run: [536B5156] C:\WINDOWS\system32\6tosyatmf.exe
O4 - HKCU\..\Run: [C8357BE6] C:\WINDOWS\system32\ivevpmgr.exe
O4 - HKCU\..\Run: [D69BBA6B] C:\WINDOWS\system32\cctacle.exe
O4 - HKCU\..\Run: [E8F930EE] C:\WINDOWS\system32\dslwsel.exe
O4 - HKCU\..\Run: [C5832906] C:\WINDOWS\system32\sldtmpv.exe
O4 - HKCU\..\Run: [8F125B6E] C:\WINDOWS\system32\atsrl3dv.exe
O4 - HKCU\..\Run: [F5027E5E] C:\WINDOWS\system32\msatt.exe
O4 - HKCU\..\Run: [C9F821EE] C:\WINDOWS\system32\elvpsdmo.exe
O4 - HKCU\..\Run: [D9C14186] C:\WINDOWS\system32\aceterckb.exe
O4 - HKCU\..\Run: [FCB24CEB] C:\WINDOWS\system32\gntcnsvsole.exe
O4 - HKCU\..\Run: [8F48D26B] C:\WINDOWS\system32\fsiamoc.exe
O4 - HKCU\..\Run: [4E5A92EE] C:\WINDOWS\system32\tifcn.exe
O4 - HKCU\..\Run: [5EA33F6E] C:\WINDOWS\system32\ctesn.exe
O4 - HKCU\..\Run: [BEE9A14E] C:\WINDOWS\system32\dlldima.exe
O4 - HKCU\..\Run: [852C7966] C:\WINDOWS\system32\ipcvc.exe
O4 - HKCU\..\Run: [A013A2CE] C:\WINDOWS\system32\ccolmo.exe
O4 - HKCU\..\Run: [835CEDD3] C:\WINDOWS\system32\dfvcol.exe
O4 - HKCU\..\Run: [8C55B87E] C:\WINDOWS\system32\ootvam.exe
O4 - HKCU\..\Run: [BC63C47E] C:\WINDOWS\system32\ti3d8psa.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.69sexsearch.com
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 ilago (Visiting Consultant)

Hi zd_ice

We have a bit of work to do here. You may need to print this out so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Disable System Restore. Right click the My Computer icon on the desktop and go to Properties and System Restore tab. Check the "Turn off System Restore on all drives" box. You can re-enable System Restore when the cleanup is finished.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find these processes in the list and click on "Kill Process". They need to be done one at a time. They may not all be visible but kill all the ones that are. Read the names very carefully as there will be some names that are similar but that are genuine files.

wsxsvc.exe
vmss.exe
Z.exe
hVdU.exe
xpsp2fw.exe
wselar.exe
rpen.exe
??rss.exe - this file really has ?? at the start but the file may not be visible
id53.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then close all open windows including this browser window and click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mamma.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {35AA1676-9A11-08CA-D704-11550C862B6F} - C:\WINDOWS\System32\zgia.dll (file missing)
O2 - BHO: (no name) - {70748747-4983-4750-A6DF-46C6FE11C4B1} - C:\WINDOWS\System32\phhpnsxs.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\5Wzno.dll
O4 - HKLM\..\Run: [PLkqGWrG] C:\documents and settings\owner\local settings\temp\PLkqGWrG.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AutoLoader2Fwl1LbXLYaU] "C:\WINDOWS\System32\csrinet.exe"
O4 - HKLM\..\Run: [2sFP39e] csrinet.exe
O4 - HKLM\..\Run: [bAu7] C:\documents and settings\owner\local settings\temp\bAu7.exe
O4 - HKLM\..\Run: [4T5ZNEqXP] C:\documents and settings\owner\local settings\temp\4T5ZNEqXP.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [uFAD8V] C:\documents and settings\owner\local settings\temp\uFAD8V.exe
O4 - HKLM\..\Run: [Z] C:\documents and settings\owner\local settings\temp\Z.exe
O4 - HKLM\..\Run: [hVdU] C:\documents and settings\owner\local settings\temp\hVdU.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKLM\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKLM\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKLM\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - HKLM\..\Run: [536B5156] C:\WINDOWS\system32\6tosyatmf.exe
O4 - HKLM\..\Run: [C8357BE6] C:\WINDOWS\system32\ivevpmgr.exe
O4 - HKLM\..\Run: [D69BBA6B] C:\WINDOWS\system32\cctacle.exe
O4 - HKLM\..\Run: [E8F930EE] C:\WINDOWS\system32\dslwsel.exe
O4 - HKLM\..\Run: [C5832906] C:\WINDOWS\system32\sldtmpv.exe
O4 - HKLM\..\Run: [8F125B6E] C:\WINDOWS\system32\atsrl3dv.exe
O4 - HKLM\..\Run: [F5027E5E] C:\WINDOWS\system32\msatt.exe
O4 - HKLM\..\Run: [C9F821EE] C:\WINDOWS\system32\elvpsdmo.exe
O4 - HKLM\..\Run: [D9C14186] C:\WINDOWS\system32\aceterckb.exe
O4 - HKLM\..\Run: [FCB24CEB] C:\WINDOWS\system32\gntcnsvsole.exe
O4 - HKLM\..\Run: [8F48D26B] C:\WINDOWS\system32\fsiamoc.exe
O4 - HKLM\..\Run: [4E5A92EE] C:\WINDOWS\system32\tifcn.exe
O4 - HKLM\..\Run: [5EA33F6E] C:\WINDOWS\system32\ctesn.exe
O4 - HKLM\..\Run: [BEE9A14E] C:\WINDOWS\system32\dlldima.exe
O4 - HKLM\..\Run: [852C7966] C:\WINDOWS\system32\ipcvc.exe
O4 - HKLM\..\Run: [A013A2CE] C:\WINDOWS\system32\ccolmo.exe
O4 - HKLM\..\Run: [835CEDD3] C:\WINDOWS\system32\dfvcol.exe
O4 - HKLM\..\Run: [8C55B87E] C:\WINDOWS\system32\ootvam.exe
O4 - HKLM\..\Run: [BC63C47E] C:\WINDOWS\system32\ti3d8psa.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [mdwmdmsp] C:\WINDOWS\system32\mdwmdmsp.exe
O4 - HKCU\..\Run: [JBwFRVK3Q] iyutetab.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Owner\Application Data\rpen.exe
O4 - HKCU\..\Run: [Fuyqeved] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [D013164B] C:\WINDOWS\system32\wselar.exe
O4 - HKCU\..\Run: [E623D36E] C:\WINDOWS\system32\pvcnatt.exe
O4 - HKCU\..\Run: [EC9B9883] C:\WINDOWS\system32\amoaclu.exe
O4 - HKCU\..\Run: [D0E103FB] C:\WINDOWS\system32\WSErypt.exe
O4 - HKCU\..\Run: [536B5156] C:\WINDOWS\system32\6tosyatmf.exe
O4 - HKCU\..\Run: [C8357BE6] C:\WINDOWS\system32\ivevpmgr.exe
O4 - HKCU\..\Run: [D69BBA6B] C:\WINDOWS\system32\cctacle.exe
O4 - HKCU\..\Run: [E8F930EE] C:\WINDOWS\system32\dslwsel.exe
O4 - HKCU\..\Run: [C5832906] C:\WINDOWS\system32\sldtmpv.exe
O4 - HKCU\..\Run: [8F125B6E] C:\WINDOWS\system32\atsrl3dv.exe
O4 - HKCU\..\Run: [F5027E5E] C:\WINDOWS\system32\msatt.exe
O4 - HKCU\..\Run: [C9F821EE] C:\WINDOWS\system32\elvpsdmo.exe
O4 - HKCU\..\Run: [D9C14186] C:\WINDOWS\system32\aceterckb.exe
O4 - HKCU\..\Run: [FCB24CEB] C:\WINDOWS\system32\gntcnsvsole.exe
O4 - HKCU\..\Run: [8F48D26B] C:\WINDOWS\system32\fsiamoc.exe
O4 - HKCU\..\Run: [4E5A92EE] C:\WINDOWS\system32\tifcn.exe
O4 - HKCU\..\Run: [5EA33F6E] C:\WINDOWS\system32\ctesn.exe
O4 - HKCU\..\Run: [BEE9A14E] C:\WINDOWS\system32\dlldima.exe
O4 - HKCU\..\Run: [852C7966] C:\WINDOWS\system32\ipcvc.exe
O4 - HKCU\..\Run: [A013A2CE] C:\WINDOWS\system32\ccolmo.exe
O4 - HKCU\..\Run: [835CEDD3] C:\WINDOWS\system32\dfvcol.exe
O4 - HKCU\..\Run: [8C55B87E] C:\WINDOWS\system32\ootvam.exe
O4 - HKCU\..\Run: [BC63C47E] C:\WINDOWS\system32\ti3d8psa.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O15 - Trusted Zone: http://*.69sexsearch.com


------------------
Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up. When the menu comes up choose Safe Mode without networking and choose Windows XP as the operating system if asked.

Open Windows Explorer and go to >Tools>Folder Options>View, select:

Show hidden files and folders
Display the contents of system folders

Uncheck:

Hide protected operating system files

Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:

Search System folders
Search Hidden Files and folders
Search SubFolders

Delete all the files and folders listed below. Some may not be there but use the search function in Windows Explorer to make sure.

C:\WINDOWS\System32\zgia.dll
C:\WINDOWS\System32\phhpnsxs.dll
C:\WINDOWS\System32\smiehlp.dll
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Common files\updmgr\updmgr.exe - delete entire folder
C:\WINDOWS\System32\csrinet.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe - delete entire folder
C:\WINDOWS\System32\??rss.exe
c:\installer\id53.exe
C:\WINDOWS\System32\vmss\vmss.exe - delete entire folder
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\wselar.exe
C:\WINDOWS\system32\pvcnatt.exe
C:\WINDOWS\system32\amoaclu.exe
C:\WINDOWS\system32\WSErypt.exe
C:\WINDOWS\system32\6tosyatmf.exe
C:\WINDOWS\system32\ivevpmgr.exe
C:\WINDOWS\system32\cctacle.exe
C:\WINDOWS\system32\dslwsel.exe
C:\WINDOWS\system32\sldtmpv.exe
C:\WINDOWS\system32\atsrl3dv.exe
C:\WINDOWS\system32\msatt.exe
C:\WINDOWS\system32\elvpsdmo.exe
C:\WINDOWS\system32\aceterckb.exe
C:\WINDOWS\system32\gntcnsvsole.exe
C:\WINDOWS\system32\fsiamoc.exe
C:\WINDOWS\system32\tifcn.exe
C:\WINDOWS\system32\ctesn.exe
C:\WINDOWS\system32\dlldima.exe
C:\WINDOWS\system32\ipcvc.exe
C:\WINDOWS\system32\ccolmo.exe
C:\WINDOWS\system32\dfvcol.exe
C:\WINDOWS\system32\ootvam.exe
C:\WINDOWS\system32\ti3d8psa.exe
C:\Program Files\CLOCKS~1\Sync.exe - delete entire folder
C:\WINDOWS\system32\mdwmdmsp.exe
C:\Documents and Settings\Owner\Application Data\rpen.exe
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\System32\ms.exe - this may be missing
iyutetab.exe - you will need to search for this one but it may be in the Windows folder

There are several malicious files loading from the temp folder - rather than list the files:

Navigate to c:\documents and settings\owner\local settings\temp folder and delete all the files in the \temp folder and the temporary internet files folder and sub-folders.

If there are other users on the computer you must also delete all the temp and temporary internet files in their folders as well.

c:\documents and settings\<other user name>\local settings\temp folders and \temporary internet files

Desktop.ini and index.dat don't need to be deleted.

Navigate to c:\windows\prefetch and delete all the files in that folder

Reboot into normal mode and do an online antivirus scan here http://housecall.antivirus.com/ and select to fix/repair

Reboot if required by the virus scan and do a fresh HijackThis log so it can be checked.

Edited by ilago, 11 January 2005 - 06:58 AM.

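The file hunt and temp cleanup in the post above, written out as a PowerShell script. This is an added example, not code from the thread or from HijackThis; the function names are mine, the file list is copied from the post (the 8.3 name CLOCKS~1 is taken as-is, as is the "??rss.exe" wildcard), and it assumes an XP-era profile layout under Documents and Settings. It reports each hit's Authenticode status before anything is deleted and takes -WhatIf so every deletion can be previewed first.

```powershell
# Added example, not from the original thread. Locates the files ilago listed,
# reports their Authenticode status, deletes them only on confirmation, then
# clears each profile's temp folders and the prefetch folder. Run elevated,
# ideally from Safe Mode. Assumes Documents and Settings\<user>\Local Settings.

$suspectNames = @(
    'wsxsvc.exe', '??rss.exe', 'id53.exe', 'vmss.exe', 'xpsp2fw.exe', 'wselar.exe',
    'pvcnatt.exe', 'amoaclu.exe', 'WSErypt.exe', 'iyutetab.exe', 'ms.exe'
)
# Folders the post says to remove entirely (CLOCKS~1 is the 8.3 name from the log).
$suspectFolders = @(
    "$env:SystemRoot\System32\wsxsvc",
    "$env:SystemRoot\System32\vmss",
    "$env:ProgramFiles\CLOCKS~1"
)

function Find-SuspectFile {
    param([string[]]$Names, [string]$Root = "$env:SystemDrive\")
    # -Include accepts the same wildcards the post uses ('??rss.exe'), and
    # -Recurse covers the "you will need to search for this one" case.
    Get-ChildItem -Path $Root -Recurse -Force -Include $Names -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Signature = $sig.Status   # Valid / NotSigned / HashMismatch / ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Remove-SuspectFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)][psobject]$File)
    process {
        # A validly signed file that merely shares a name is skipped, not deleted.
        if ($File.Signature -eq 'Valid') {
            Write-Warning "Skipping $($File.Path): validly signed by $($File.Signer); check by hand"
            return
        }
        if ($PSCmdlet.ShouldProcess($File.Path, 'Delete')) {
            Remove-Item -LiteralPath $File.Path -Force
        }
    }
}

function Clear-ProfileTemp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ProfilesRoot = "$env:SystemDrive\Documents and Settings",
        [string]$EvidenceDir  # optional: where to copy prefetch files before deleting them
    )
    $keep = @('desktop.ini', 'index.dat')   # the post: these don't need to be deleted
    foreach ($profile in Get-ChildItem -Path $ProfilesRoot -Force | Where-Object { $_.PSIsContainer }) {
        foreach ($sub in 'Local Settings\Temp', 'Local Settings\Temporary Internet Files') {
            $dir = Join-Path $profile.FullName $sub
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $keep -notcontains $_.Name.ToLower() } |
                ForEach-Object {
                    if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) {
                        Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
                    }
                }
        }
    }
    # Prefetch files are the simplest record of what has executed; keep a copy if asked.
    $prefetch = "$env:SystemRoot\Prefetch"
    if ($EvidenceDir) {
        New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
        Copy-Item -Path "$prefetch\*.pf" -Destination $EvidenceDir -ErrorAction SilentlyContinue
    }
    Get-ChildItem -Path $prefetch -Filter *.pf -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) { Remove-Item -LiteralPath $_.FullName -Force }
    }
}

# Usage: review first, then drop -WhatIf.
$found = Find-SuspectFile -Names $suspectNames
$found | Format-Table Path, SizeBytes, Created, Signature -AutoSize
$found | Remove-SuspectFile -WhatIf
foreach ($f in $suspectFolders) { if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force -WhatIf } }
Clear-ProfileTemp -EvidenceDir "$env:SystemDrive\evidence\prefetch" -WhatIf
```

NotSigned is not proof of anything on an XP box, where most third-party binaries were unsigned, so read the Signature column as triage rather than verdict; a HashMismatch on something sitting in system32 is the one status that deserves immediate attention. The -EvidenceDir copy exists because once prefetch is cleared, the record of which of these executables actually ran is gone.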

#7 zd_ice (Member, Topic Starter, 12 posts)
Here's the new Logfile.

Logfile of HijackThis v1.99.0
Scan saved at 7:33:48 PM, on 1/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\EUIryen.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKLM\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKLM\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKCU\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKCU\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

What should I do now? The problem still occurs.

#8 ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi zd_ice

Lots of spyware takes more than one attempt to fully remove. You are getting somewhere though - that's heaps better than before - just a couple more things to do. Once again print out the parts of this that might be hard to remember when you are in safe mode.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find these processes in the list and click on "Kill Process". They need to be done one at a time and they may not all be there.

EUIryen.exe
edssfe.exe
upsterr32.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows.


O4 - HKLM\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKLM\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKLM\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe
O15 - Trusted Zone: http://*.69sexsearch.com



Download Deldomains.inf from here http://www.mvps.org/.../DelDomains.inf and save it so you can find it easily.

Open Windows Explorer and find the deldomains.inf file. Right-click and select > Install

This will remove all entries in the "Trusted Zone" and "Ranges" also. You may need to replace any genuine entries that you had in the trusted zone.

Reboot into Safe Mode by tapping F8 as soon as your computer starts booting up. Select Safe Mode without Networking and Windows XP as the operating system.

Open Windows Explorer and delete the following files.

C:\WINDOWS\system32\EUIryen.exe
C:\WINDOWS\system32\edssfe.exe
C:\WINDOWS\system32\upsterr32.exe

Reboot into normal mode and do a new log and post it. If it is clean then we'll make some suggestions for future protection and prevention.
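The kill, fix and delete sequence from the post above, as an added PowerShell example. It is not code from the thread, from HijackThis or from DelDomains.inf; the function names are mine, and it assumes the three Run value names and file paths exactly as they appear in the log. Two points differ from doing it by hand: the Run values are removed from both HKLM and HKCU, because the log lists them under both hives and fixing one hive's lines leaves the other's in place, and only the 69sexsearch.com ZoneMap key is removed, rather than every Trusted Zone entry as DelDomains.inf does.

```powershell
# Added example, not from the original thread. Stops the three processes,
# removes their Run values from HKLM and HKCU, removes the 69sexsearch.com
# Trusted Zone mapping, then deletes the files. Assumes the names and paths
# from the posted HijackThis log. Run elevated; -WhatIf previews every change.

$bad = @(
    @{ Name = 'CA490966'; Path = "$env:SystemRoot\system32\EUIryen.exe" },
    @{ Name = 'FC3CD5CB'; Path = "$env:SystemRoot\system32\edssfe.exe" },
    @{ Name = '80E25266'; Path = "$env:SystemRoot\system32\upsterr32.exe" }
)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Per-user zone assignments; this is what HijackThis reports as O15 lines.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Stop-BadProcess {
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        $name = [IO.Path]::GetFileNameWithoutExtension($e.Path)
        Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    }
}

function Remove-BadRunValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable[]]$Entries, [string[]]$Keys)
    foreach ($key in $Keys) {
        foreach ($e in $Entries) {
            $present = Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue
            if ($present -and $PSCmdlet.ShouldProcess("$key\$($e.Name)", 'Remove value')) {
                Remove-ItemProperty -Path $key -Name $e.Name
            }
        }
    }
}

function Get-TrustedZoneDomain {
    # Lists every ZoneMap domain mapped into zone 2 (Trusted sites). A key
    # 'example.com\www' means www.example.com; a value named 'http', 'https'
    # or '*' is the scheme the mapping applies to.
    Get-ChildItem -Path $zoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $parts = ($key.PSPath -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        foreach ($p in $key.GetValueNames()) {
            if ($key.GetValue($p) -eq 2) {
                New-Object PSObject -Property @{ Domain = ($parts -join '.'); Scheme = $p }
            }
        }
    }
}

function Remove-TrustedZoneDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    # $DomainKey is the key path under Domains, e.g. '69sexsearch.com' or 'example.com\www'.
    param([string]$DomainKey)
    $key = Join-Path $zoneMap $DomainKey
    if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Remove key')) {
        Remove-Item -LiteralPath $key -Recurse
    }
}

function Remove-BadFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        if ((Test-Path -LiteralPath $e.Path) -and $PSCmdlet.ShouldProcess($e.Path, 'Delete')) {
            Remove-Item -LiteralPath $e.Path -Force
        }
    }
}

# Usage, in the post's order: see what is trusted, stop, fix, unmap, delete.
Get-TrustedZoneDomain | Format-Table Domain, Scheme -AutoSize
Stop-BadProcess -Entries $bad
Remove-BadRunValue -Entries $bad -Keys $runKeys -WhatIf      # drop -WhatIf once reviewed
Remove-TrustedZoneDomain -DomainKey '69sexsearch.com' -WhatIf
Remove-BadFile -Entries $bad -WhatIf
```

If a process comes straight back after Stop-Process, something still running is respawning it; do the file deletion from Safe Mode as the post says rather than fighting it live. ZoneMap is per user, so run Get-TrustedZoneDomain under each account on the machine, and run it again after the reboot: the mapping reappearing is the quickest sign the fix did not hold.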

#9 zd_ice (Member, Topic Starter, 12 posts)
Here's the new log file.


Logfile of HijackThis v1.99.0
Scan saved at 6:50:43 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKCU\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKCU\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi again zd_ice

69sexsearch has gone and no new files have appeared. So all you need to do is remove the last of the files.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Check if any of these processes are in the list and click on "Kill Process".

EUIryen.exe
edssfe.exe
upsterr32.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows and click fix checked.


O4 - HKLM\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKLM\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKLM\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe



Reboot into Safe Mode by tapping F8 as soon as your computer starts booting up. Select Safe Mode without Networking and Windows XP as the operating system.

Open Windows Explorer and delete the following files.

C:\WINDOWS\system32\EUIryen.exe
C:\WINDOWS\system32\edssfe.exe
C:\WINDOWS\system32\upsterr32.exe


Reboot into normal mode. Update your antivirus protection and do a full scan. Then do a fresh HijackThis log. If it is clear then I'll post some recommendations for preventing you getting infected again.
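The comparison ilago makes between successive logs ("69sexsearch has gone and no new files have appeared"), done mechanically in PowerShell as an added example that is not part of the thread. The two logs are constructed excerpts of the ones in posts #7 and #9, trimmed to the lines that matter; the functions are mine. It reports which O4/O15 lines disappeared, which suspicious ones persisted, and which are new, where "suspicious" means a Trusted Zone line or a Run value named with eight hex digits, the naming this infection used.

```powershell
# Added example, not from the original thread. Diffs two HijackThis logs and
# flags Run values with eight-hex-digit names. The logs are constructed
# excerpts of the ones posted in this thread.

$before = @'
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKLM\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKCU\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKCU\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O15 - Trusted Zone: http://*.69sexsearch.com
'@

$after = @'
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKCU\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
'@

function Get-HjtEntry {
    param([string]$Log)
    # Every HijackThis finding starts with a section code: R0-R3, O1-O23.
    @($Log -split "`r?`n" | Where-Object { $_ -match '^(R\d|O\d+) - ' } | ForEach-Object { $_.Trim() })
}

function Test-RandomRunName {
    param([string]$Line)
    # e.g. "O4 - HKLM\..\Run: [CA490966] C:\..." : a bracket name of exactly eight hex digits.
    $Line -match '^O4 - .*\\Run: \[[0-9A-F]{8}\] '
}

function Test-SuspiciousEntry {
    param([string]$Line)
    ($Line -match '^O15 - ') -or (Test-RandomRunName $Line)
}

function Compare-HjtLog {
    param([string]$Before, [string]$After)
    $b = Get-HjtEntry $Before
    $a = Get-HjtEntry $After
    New-Object PSObject -Property @{
        Removed   = @($b | Where-Object { $a -notcontains $_ })
        Added     = @($a | Where-Object { $b -notcontains $_ })
        Persisted = @($a | Where-Object { ($b -contains $_) -and (Test-SuspiciousEntry $_) })
    }
}

$r = Compare-HjtLog -Before $before -After $after
'Removed:';   $r.Removed   | ForEach-Object { "  $_" }
'Persisted:'; $r.Persisted | ForEach-Object { "  $_" }
'Added:';     $r.Added     | ForEach-Object { "  $_" }
```

On these excerpts it reports the two HKLM values and the O15 line as removed and the two HKCU values as persisted, which is exactly the gap that post #11 below asks about: the fix list named only the HKLM lines, so the HKCU copies survived the fix. Feeding it the full logs instead of excerpts also catches the other thing ilago checks for, new entries that were not in the earlier log.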

#11 zd_ice (Member, Topic Starter, 12 posts)
Do you mean the

O4 - HKCU\..\Run: [CA490966] C:\WINDOWS\system32\EUIryen.exe
O4 - HKCU\..\Run: [FC3CD5CB] C:\WINDOWS\system32\edssfe.exe
O4 - HKCU\..\Run: [80E25266] C:\WINDOWS\system32\upsterr32.exe

Just want to make sure before I delete them.

#12 ilago (Visiting Staff, Visiting Consultant, 363 posts)
Hi zd_ice

I'm sorry if I wasn't clear. Follow the instructions from the top down in my last post.

Yes - the items and files you named - exactly as you listed.

They are part of the 69sexsearch problem and were installed by the hijacker. Once you have done that, post a fresh log to check that you are now clear.

Once you are cleaned up have a look at these links for some of the things you can do to prevent this happening again.

Windows Update - keep your Windows fully up to date by making sure that you have automatic updating turned on.

Keep your antivirus up to date and do regular scans. Make sure your firewall is setup correctly.

Keep Ad-Aware and Spybot Search and Destroy up to date and do regular scans.

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. https://netfiles.uiu...ww/resource.htm The download is well down the page but the page is well worth reading.


Think about using a less targeted and more secure browser than Internet Explorer, and perhaps a more secure email program as well.

Firefox - http://www.mozilla.org Firefox is similar to Internet Explorer but much more powerful and secure in lots of ways. Thunderbird is the associated email program.
Opera - http://www.opera.com

#13 zd_ice (Member, Topic Starter, 12 posts)
I never could have fixed this on my own, Thank you for all the help.

#14 ilago (Visiting Staff, Visiting Consultant, 363 posts)
Happy to help :tazz:

#15 zd_ice (Member, Topic Starter, 12 posts)
Oops forgot to post the final log you asked for



Logfile of HijackThis v1.99.0
Scan saved at 6:55:24 PM, on 1/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe