
69sexsearch infection 01/11/05


#1 mtsebro (New Member, 5 posts)

Please, please help with my most recent infection. The following websites keep popping up: 69sexsearch and reasearchcc.
Below is my logfile. According to my readings this was the best site to turn to. Thank you in advance.


Logfile of HijackThis v1.99.0
Scan saved at 1:45:04 PM, on 1/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\upt32ca.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...38400000&N=&O=A
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe
O4 - HKLM\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O4 - HKLM\..\Run: [FA6ED356] C:\WINNT\system32\x40atsr.exe
O4 - HKLM\..\Run: [9F63E9E6] C:\WINNT\system32\atgntdtc.exe
O4 - HKLM\..\Run: [AFDDC84E] C:\WINNT\system32\adsnmpmp.exe
O4 - HKLM\..\Run: [C9AE58C6] C:\WINNT\system32\atFATommd.exe
O4 - HKLM\..\Run: [D1314966] C:\WINNT\system32\upscamre.exe
O4 - HKLM\..\Run: [16559B46] C:\WINNT\system32\mibd2API.exe
O4 - HKLM\..\Run: [9AE8F9F6] C:\WINNT\system32\mstsxmp.exe
O4 - HKLM\..\Run: [D0CF3D63] C:\WINNT\system32\ctdacap.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O4 - HKCU\..\Run: [FA6ED356] C:\WINNT\system32\x40atsr.exe
O4 - HKCU\..\Run: [9F63E9E6] C:\WINNT\system32\atgntdtc.exe
O4 - HKCU\..\Run: [AFDDC84E] C:\WINNT\system32\adsnmpmp.exe
O4 - HKCU\..\Run: [C9AE58C6] C:\WINNT\system32\atFATommd.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [D1314966] C:\WINNT\system32\upscamre.exe
O4 - HKCU\..\Run: [16559B46] C:\WINNT\system32\mibd2API.exe
O4 - HKCU\..\Run: [9AE8F9F6] C:\WINNT\system32\mstsxmp.exe
O4 - HKCU\..\Run: [D0CF3D63] C:\WINNT\system32\ctdacap.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#2 ilago (Visiting Staff, Visiting Consultant, 363 posts)

Hi mtsebro

We have a bit of work to do here. You may need to print this out so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Download Deldomains.inf from here http://www.mvps.org/.../DelDomains.inf and save it so you can find it easily a bit later.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find these processes in the list, select them and click on "Kill Process". They need to be done one at a time. They may not all be visible but kill the ones that are. Read the names very carefully as there will be some names that are similar but that are genuine files.

xpsp2fw.exe
upt32ca.exe
exec.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and click on Fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...38400000&N=&O=A
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [tibs3] C:\WINNT\system32\tibs3.exe
O4 - HKLM\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O4 - HKLM\..\Run: [FA6ED356] C:\WINNT\system32\x40atsr.exe
O4 - HKLM\..\Run: [9F63E9E6] C:\WINNT\system32\atgntdtc.exe
O4 - HKLM\..\Run: [AFDDC84E] C:\WINNT\system32\adsnmpmp.exe
O4 - HKLM\..\Run: [C9AE58C6] C:\WINNT\system32\atFATommd.exe
O4 - HKLM\..\Run: [D1314966] C:\WINNT\system32\upscamre.exe
O4 - HKLM\..\Run: [16559B46] C:\WINNT\system32\mibd2API.exe
O4 - HKLM\..\Run: [9AE8F9F6] C:\WINNT\system32\mstsxmp.exe
O4 - HKLM\..\Run: [D0CF3D63] C:\WINNT\system32\ctdacap.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - HKCU\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O4 - HKCU\..\Run: [FA6ED356] C:\WINNT\system32\x40atsr.exe
O4 - HKCU\..\Run: [9F63E9E6] C:\WINNT\system32\atgntdtc.exe
O4 - HKCU\..\Run: [AFDDC84E] C:\WINNT\system32\adsnmpmp.exe
O4 - HKCU\..\Run: [C9AE58C6] C:\WINNT\system32\atFATommd.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [D1314966] C:\WINNT\system32\upscamre.exe
O4 - HKCU\..\Run: [16559B46] C:\WINNT\system32\mibd2API.exe
O4 - HKCU\..\Run: [9AE8F9F6] C:\WINNT\system32\mstsxmp.exe
O4 - HKCU\..\Run: [D0CF3D63] C:\WINNT\system32\ctdacap.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O15 - Trusted Zone: http://*.69sexsearch.com



Open Windows Explorer and find the deldomains.inf file. Right-click and select > Install

This will remove all entries in the "Trusted Zone" and "Ranges" also. You may need to replace any entries that you had in trusted zones already.


Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up. When the Windows 2000 advanced menu comes up - Choose Safe Mode. You don't need any networking.

Open Windows Explorer and go to >Tools>Folder Options>View, select:

Show hidden files and folders
Display the contents of system folders

Uncheck:

Hide protected operating system files

Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:

Search System folders
Search Hidden Files and folders
Search SubFolders

Delete all the files and folders noted in bold below. Some may not be there but use the search function in Windows Explorer to make sure.

Open Windows Explorer and delete the following files:

C:\WINNT\system32\xpsp2fw.exe - file only
C:\WINNT\system32\tibs3.exe - file only
C:\WINNT\system32\upt32ca.exe - file only
C:\WINNT\system32\x40atsr.exe - file only
C:\WINNT\system32\atgntdtc.exe - file only
C:\WINNT\system32\adsnmpmp.exe - file only
C:\WINNT\system32\atFATommd.exe - file only
C:\WINNT\system32\upscamre.exe - file only
C:\WINNT\system32\mibd2API.exe - file only
C:\WINNT\system32\mstsxmp.exe - file only
C:\WINNT\system32\ctdacap.exe - file only
C:\WINNT\system32\wuclient.exe - file only


Open Control Panel > Add/Remove Programs and check if the following programs are listed:

Spyware Begone
NetZero


If they are use this program to remove them. If they are not listed then delete these folders:

C:\freescan\freescan.exe -FastScan - remove entire folder
C:\Program Files\NetZero\exec.exe - remove entire folder

Reboot into normal mode and do an online virus scan here http://housecall.antivirus.com/ and select to fix/repair. Reboot if required.

Run a fresh HijackThis log and post it so it can be checked. Some types of spyware take more than one attempt to fully remove.
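The triage ilago did by hand on the log above follows a few recurring patterns: many R0/R1 search and start-page settings pointing at one unfamiliar host, O4 Run entries with random eight-hex-digit names (the same executable often registered under both HKLM and HKCU), and an O15 Trusted Zone entry the user never added. The script below is an added example, not part of this thread or of HijackThis itself; it parses HijackThis-style lines and flags those three patterns. The sample lines are a constructed subset of the log posted in #1, and KNOWN_HOSTS (the ISP start page treated as legitimate) is an assumption made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of lines from the HijackThis log posted in #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O4 - HKLM\..\Run: [FA6ED356] C:\WINNT\system32\x40atsr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [A9486963] C:\WINNT\system32\upt32ca.exe
O15 - Trusted Zone: http://*.69sexsearch.com
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# One HijackThis line: section code, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 entry body: "<hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autogenerated-looking Run names: exactly eight hex digits, as seen in this log.
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
URL_RE = re.compile(r"(https?://\S+)")

# Hosts the poster's log legitimately points at (the ISP start page). This is an
# assumption made for the example, not an allowlist that HijackThis ships with.
KNOWN_HOSTS = {"www.comcast.net"}


def parse(log_text):
    """Return (section, body, line) for every HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def triage(log_text, min_r_hits=3):
    """Return a list of (section, reason, line) findings for a HijackThis log."""
    entries = parse(log_text)
    findings = []

    # 1. R0/R1: one unfamiliar host owning several search/start settings is the
    #    signature of a browser-search hijack.
    r_hosts, r_lines = Counter(), {}
    for section, body, line in entries:
        if section.startswith("R"):
            um = URL_RE.search(body)
            if um:
                host = urlparse(um.group(1)).hostname
                r_hosts[host] += 1
                r_lines.setdefault(host, []).append(line)
    for host, n in r_hosts.items():
        if host not in KNOWN_HOSTS and n >= min_r_hits:
            for line in r_lines[host]:
                findings.append(("R", f"search/start page hijack to {host} ({n} entries)", line))

    # 2. O4: Run entries with a random-looking hex name, and commands registered
    #    under more than one hive (HKLM and HKCU) with the same path.
    parsed_runs = []
    cmd_hives = {}
    for section, body, line in entries:
        if section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                parsed_runs.append((rm.group("hive"), rm.group("name"), rm.group("cmd"), line))
                cmd_hives.setdefault(rm.group("cmd"), set()).add(rm.group("hive"))
    for hive, name, cmd, line in parsed_runs:
        if HEX_NAME_RE.match(name):
            findings.append(("O4", f"autogenerated Run name [{name}]", line))
        if len(cmd_hives[cmd]) > 1:
            findings.append(("O4", "same command registered in HKLM and HKCU", line))

    # 3. O15: a Trusted Zone entry lowers IE security for that site; a wildcard
    #    domain the user did not add is always worth a look.
    for section, body, line in entries:
        if section == "O15":
            findings.append(("O15", "Trusted Zone entry", line))

    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script flags the three realsearch.cc entries, the hex-named Run entries (including upt32ca.exe under both hives) and the Trusted Zone line, while leaving the Comcast start page, vptray and DefWatch alone. It does not catch xpsp2fw.exe, whose Run name imitates a firewall; that entry was identified by ilago's knowledge of what belongs on a Windows 2000 box, which is why a human review of the full log still matters.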

#3 mtsebro (Topic Starter, New Member, 5 posts)

Thanks for your help..
Here is the new log.

Logfile of HijackThis v1.99.0
Scan saved at 8:30:25 PM, on 1/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe

#4 ilago (Visiting Staff, Visiting Consultant, 363 posts)

Hi mtsebro

Nearly there now. Your log is clean except for this last item.

Open HijackThis and click on Do a system scan only. Check this item. Close all open windows and click on Fix Checked.

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun

Reboot and run a new HijackThis log and post it to make sure it's now clean.

Please have a look at these links for some of the things you can do to prevent this happening again.

Keep your antivirus software up to date and do regular scans.

Keep Adaware updated and do regular scans.

Consider adding Spybot Search and Destroy to your arsenal http://security.kolla.de/

Windows Update - keep your Windows fully up to date by making sure that you have automatic updating turned on.

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...ww/resource.htm

Consider using a less targeted browser than Internet Explorer.

Firefox - http://www.mozilla.org
Firefox is similar to Internet Explorer but much more powerful in lots of ways.
Opera - http://www.opera.com