blockin messages from adultcash com

i started getting adult messages from adultcash.com...

where do they come from and how do i prevent them ?
thanx to all

 

Re: i started getting adult messages from adultcash.com...

Hi spinsky

Welcome to Wilders.

First thing u need to do is clean your system of this malware.

Please follow the instuctions here,

https://www.wilderssecurity.com/showthread.php?t=15913

then start a new thread in the hijack cleaning forum, post your log, with a full description of your problem and one of the experts will give u recommendations on any Malware found.


snowbound

 

i started getting popups while surfing , apparently from adultcash.com origin.
i installed spyware blaster - the popups still appear without the text inserts.

please find the hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 17:56:44, on 16/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\INSUR\SEC\BIN\FWENC.EXE
C:\INSUR\SEC\BIN\SRWATCH.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\BMPKM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HCPCSVCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://a7.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=3000&exp=4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
F1 - win.ini: load=essspk.exe
F1 - win.ini: run=hpfsched
O1 - Hosts: 202.1.1.21 www.clalnet.co.il
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\SYSTEM\WINALOT32.DLL
O2 - BHO: (no name) - {BD0BA5CD-7C8E-47ED-935E-1ABBAC9B29E0} - C:\WINDOWS\ALL USERS\APPLICATION DATA\HSERVICES\88313.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [fwenc.exe] C:\INSUR\SEC\bin\fwenc.exe
O4 - HKLM\..\Run: [srwatch.exe] C:\INSUR\SEC\bin\srwatch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [bmpkm] C:\WINDOWS\SYSTEM\bmpkm.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [MsCheckout] C:\WINDOWS\FASTFIND.EXE
O4 - HKLM\..\Run: [PIX501] C:\WINDOWS\MSPROTECT.EXE
O4 - HKLM\..\Run: [ActiveMovie] C:\WINDOWS\MSPLAYER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [msmedia] C:\WINDOWS\MSFW.EXE
O4 - HKLM\..\Run: [FHC] C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe
O4 - HKLM\..\Run: [HCPCSVCD] C:\WINDOWS\SYSTEM\HCPCSVCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [fwenc.exe] C:\INSUR\SEC\bin\fwenc.exe -b
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Mightyfax.exe.lnk = C:\Program Files\MFAX\MF.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Free History Cleaner (HKLM)
O9 - Extra 'Tools' menuitem: Free History Cleaner (HKLM)
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.clalnet.co.il
O15 - Trusted Zone: http://*.menora.co.il
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B551344-7AE7-4916-B552-EA7B673A8DC5} (ClalInsSystem Class) - http://www.clalnet.co.il/E_HAFAKA/e_insure/Objects/ClalInsServices.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.clalnet.co.il/E_HAFAKA/e_insure/objects/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37887.1288425926
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - http://applications.menora.co.il/download/dolcontrol.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {94D2A476-84BC-4E4C-820A-2C5372CF89BF} (MailConfig Class) - http://lotus.netvision.net.il/help/MailCfg.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.nana.co.il/Cabs/launcher.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {C15B7EA2-A360-43E8-A591-5FAEDC7C4E1D} (ADM Class) - http://www.adultpeer.com/install/adm4.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - ms-its:mhtml:file://C:\ss.MHT!http://www.traffichog.com/chm.chm::/files/initial.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F04} (Download Coach Installer) - http://clients.objectcube.com/sincity/files/objectCubeInstall.cab

thank you for your advice.

 

Hi spinsky,

Could you please mail me a copy of:
C:\WINDOWS\SYSTEM\WINALOT32.DLL
I don't trust it one bit.
The address is pieterATwilderssecurity.org (replace AT with @)

Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchdirs.com/?aff=3000&exp=4

O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\SYSTEM\WINALOT32.DLL
O2 - BHO: (no name) - {BD0BA5CD-7C8E-47ED-935E-1ABBAC9B29E0} - C:\WINDOWS\ALL USERS\APPLICATION DATA\HSERVICES\88313.DLL

O4 - HKLM\..\Run: [bmpkm] C:\WINDOWS\SYSTEM\bmpkm.exe

O4 - HKLM\..\Run: [MsCheckout] C:\WINDOWS\FASTFIND.EXE
O4 - HKLM\..\Run: [PIX501] C:\WINDOWS\MSPROTECT.EXE
O4 - HKLM\..\Run: [ActiveMovie] C:\WINDOWS\MSPLAYER.EXE

O4 - HKLM\..\Run: [msmedia] C:\WINDOWS\MSFW.EXE
O4 - HKLM\..\Run: [FHC] C:\PROGRAM FILES\FREE HISTORY CLEANER\FREEHISTORYCLEANER.exe

O9 - Extra button: Free History Cleaner (HKLM)
O9 - Extra 'Tools' menuitem: Free History Cleaner (HKLM)
O9 - Extra button: Searchalot (HKCU)

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

O16 - DPF: {C15B7EA2-A360-43E8-A591-5FAEDC7C4E1D} (ADM Class) - http://www.adultpeer.com/install/adm4.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - ms-its:mhtml:file://C:\ss.MHT!http://www.traffichog.com/chm.chm::/files/initial.cab

Ddownload and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Then reboot and delete:
C:\WINDOWS\ALL USERS\APPLICATION DATA\HSERVICES\88313.DLL
C:\WINDOWS\SYSTEM\bmpkm.exe
C:\WINDOWS\FASTFIND.EXE
C:\WINDOWS\MSPROTECT.EXE
C:\WINDOWS\MSPLAYER.EXE
C:\WINDOWS\MSFW.EXE

Regards,

Pieter

 

pieter, thank you. your recommendations worked.

 

My pleasure.

Please read: https://www.wilderssecurity.com/showthread.php?t=27971
on how to help prevent this from happening again.

Regards,

Pieter