HOTXXX/Nasty Sex - Help me get rid of it!!!

Discussion in 'adware, spyware & hijack cleaning' started by Toady, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. Toady

    Toady Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    4
    I am sick to death of this thing. I have noticed other people have complained about this intrusion on the forum (that's why I registered in the hope that you can help me!). I recently paid £20.00 for a spyware remover (spyware Killer) but it did not work. I have also tried using 'ad-aware 6.0' and something called 'a2' - all couldn't help remove it. The dialer disconnects me after being online only for a few moments and I usually have to re-start my computer before I can re-connect using my connection again! I have noticed on other threads you have mentioned something called 'Hijack this' will this work? Please help - this is the first time I have dealt with anything like this and I have no idea what to do?

    Thanks for your time!

    Toady
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Let's have a look:

    Go to https://www.wilderssecurity.com/showthread.php?t=12516, and download Hijack This.

    Unzip to a folder other than your Desktop or the Temp folder, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.

    Someone here will be happy to help you analyze the results.
     
  3. Toady

    Toady Registered Member

    Thanks for trying to help so quickly! Here's the log you requested:-

    Logfile of HijackThis v1.97.7
    Scan saved at 20:51:44, on 18/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\MSOCFG.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
    C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
    C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.EXE
    C:\WINDOWS\SLLIGHTS.EXE
    C:\MY DOCUMENTS\HIJACKTHIS1977.EXE

    O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINDOWS\SYSTEM\WIHEHU.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\msocfg.exe /i
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
    O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
    O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRAM FILES\SPYWAREKILLA\SPYWAREKILLA.EXE" /s
    O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O12 - Plugin for .com/adclick/CID=000039d764e3f66300000000/SITE=EAS/AAMSZ=IAB_FULL_BANNER/AREA=HOMEPAGE/acc_random=912410: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://download.yahoo.com/dl/installs/bt/yregucfg.cab

    Again, I really appreciate your time!

    Toady
     
  4. TonyKlein

    TonyKlein Security Expert

    Start your computer in Safe Mode (it may help if you print this out), and delete:

    C:\WINDOWS\msocfg.exe

    The SpyKiller and SpywareKilla folders in C:\Program Files

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Next, still in Safe Mode, run Hijack This, and have it fix these items:

    BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINDOWS\SYSTEM\WIHEHU.DLL

    O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\msocfg.exe /i

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRAM FILES\SPYWAREKILLA\SPYWAREKILLA.EXE" /s



    Now start your computer normally, and please post a fresh log.
     
  5. Toady

    Toady Registered Member

    I have deleted all the files you asked! Here is the log:-

    Logfile of HijackThis v1.97.7
    Scan saved at 21:47:07, on 18/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
    C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\HIJACKTHIS1977.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
    O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
    O4 - HKCU\..\Run: [Morpheus] "C:\Program Files\StreamCast\Morpheus\Morpheus.exe" -min
    O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
    O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O12 - Plugin for .com/adclick/CID=000039d764e3f66300000000/SITE=EAS/AAMSZ=IAB_FULL_BANNER/AREA=HOMEPAGE/acc_random=912410: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://download.yahoo.com/dl/installs/bt/yregucfg.cab

    Hopefully it's gone, although, at one time it appeared after being online for nearly 2 hours.

    I'm hoping.....!!

    :rolleyes: Toady
     
  6. TonyKlein

    TonyKlein Security Expert

    Clean log; a couple of observations, though:
    You don't appear to be running an antivirus, so I suggest you get one!

    And you're running an antiquated and therefore extremely unsafe version of Internet Explorer.

    You NEED to upgrade to IE 6.0 SP1 (Make sure you get the correct language version for your operating system! ).

    Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.
    That will fix innumerable bugs, update a large number of important system files, and plug many security holes.
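
The scan, fix, rescan cycle in this thread ends with someone comparing two HijackThis logs by eye. The Python sketch below automates that comparison; it is an added example, not part of any post and not HijackThis's own code. The function names are made up for illustration, and it assumes the log layout seen in the logs posted above.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; the code before " - "
# names the HijackThis section (R, F, N or O followed by a number).
ENTRY_RE = re.compile(r"^\s*([RFNO]\d+)\s+-\s+(.*\S)\s*$")

def parse_log(text):
    """Return (processes, entries) found in one HijackThis log, as sets."""
    processes, entries, in_procs = set(), set(), False
    for line in text.splitlines():
        stripped = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            # Case-fold so C:\WINDOWS and c:\windows compare equal.
            entries.add((m.group(1), m.group(2).casefold()))
        elif stripped.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and stripped:
            processes.add(stripped.casefold())
    return processes, entries

def diff_logs(before, after):
    """Report what disappeared and what newly appeared between two scans."""
    p0, e0 = parse_log(before)
    p1, e1 = parse_log(after)
    return {"entries_removed": sorted(e0 - e1), "entries_added": sorted(e1 - e0),
            "processes_gone": sorted(p0 - p1), "processes_new": sorted(p1 - p0)}

# Excerpts from the two logs posted in this thread (most lines omitted).
BEFORE = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MSOCFG.EXE

O2 - BHO: (no name) - {DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} - C:\WINDOWS\SYSTEM\WIHEHU.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\msocfg.exe /i
"""
AFTER = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(key, items)
```

An empty `entries_added` and `processes_new` on the follow-up scan shows that nothing reinstalled itself between the fix and the reboot.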
     
  7. Toady

    Toady Registered Member

    :D Thanks for all your help! I am very impressed!

    Now I know where to come if I have future problems!!!

    Thanks again!

    Toady
     
  8. TonyKlein

    TonyKlein Security Expert

    You're very welcome; glad we were able to help. :)
     