SecThought.E Trojan is evil

Discussion in 'adware, spyware & hijack cleaning' started by Miskatonika, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. Miskatonika

    Miskatonika Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    2
    I ran Ad-Aware. Here is my log file... it seems to be a lot of dirty sites and then a whole bunch of other stuff that I have no clue about. Also, when I start up my computer, it opens the System32 window for some reason. I'm glad this site is here ^.^

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    AVG Anti-Virus says that the file is located in C:\Documents and Settings\OWNER\Local Settings\Temporary Internet Files\CONTENT.IE5\27WJKBK7\INSTAL~1.EXE

    Logfile of HijackThis v1.97.7
    Scan saved at 2:00:45 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\zghrtaew.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\windows\temp\A7WWJ.exe
    G:\Program Files\iTunesHelper.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    G:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    G:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hotmail.com/
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.tjem.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 81.211.105.12 193.125.201.50
    O1 - Hosts: 81.211.105.12 206.161.200.105
    O1 - Hosts: 81.211.105.12 209.66.114.130
    O1 - Hosts: 81.211.105.12 216.200.3.32
    O1 - Hosts: 81.211.105.12 64.124.45.181
    O1 - Hosts: 81.211.105.12 66.250.130.194
    O1 - Hosts: 81.211.105.12 66.40.16.131
    O1 - Hosts: 81.211.105.12 alfa-search.com
    O1 - Hosts: 81.211.105.12 allhyperlinks.com
    O1 - Hosts: 81.211.105.12 approvedlinks.com
    O1 - Hosts: 81.211.105.12 bestcrawler.com
    O1 - Hosts: 81.211.105.12 ewebsearch.net
    O1 - Hosts: 81.211.105.12 global-finder.com
    O1 - Hosts: 81.211.105.12 idgsearch.com
    O1 - Hosts: 81.211.105.12 ie-search.com
    O1 - Hosts: 81.211.105.12 itseasy.us
    O1 - Hosts: 81.211.105.12 jetseeker.com
    O1 - Hosts: 81.211.105.12 martfinder.com
    O1 - Hosts: 81.211.105.12 rightfinder.net
    O1 - Hosts: 81.211.105.12 runsearch.com
    O1 - Hosts: 81.211.105.12 search.unipages.cc
    O1 - Hosts: 81.211.105.12 search.xrenoder.com
    O1 - Hosts: 81.211.105.12 search-2003.com
    O1 - Hosts: 81.211.105.12 searchdot.net
    O1 - Hosts: 81.211.105.12 searchv.com
    O1 - Hosts: 81.211.105.12 searchxp.com
    O1 - Hosts: 81.211.105.12 seekwell.net
    O1 - Hosts: 81.211.105.12 slawsearch.com
    O1 - Hosts: 81.211.105.12 srch-us6.hpwis.com
    O1 - Hosts: 81.211.105.12 start-space.com
    O1 - Hosts: 81.211.105.12 searchmyrequest.com
    O1 - Hosts: 81.211.105.12 therealsearch.com
    O1 - Hosts: 81.211.105.12 topsearcher.com
    O1 - Hosts: 81.211.105.12 unipages.cc
    O1 - Hosts: 81.211.105.12 webcoolsearch.com
    O1 - Hosts: 81.211.105.12 worldnet.att.net
    O1 - Hosts: 81.211.105.12 yourbookmarks.ws
    O1 - Hosts: 81.211.105.5 www.0190-dialer.com
    O1 - Hosts: 81.211.105.5 www.22469.com
    O1 - Hosts: 81.211.105.5 www.3wisp.com
    O1 - Hosts: 81.211.105.5 www.adult-cinema.org
    O1 - Hosts: 81.211.105.5 www.adultfreehosting.com
    O1 - Hosts: 81.211.105.5 www.adulthosting.com
    O1 - Hosts: 81.211.105.5 www.adultlinks1.com
    O1 - Hosts: 81.211.105.5 www.adultmegamovies.com
    O1 - Hosts: 81.211.105.5 www.adultsexmovie.net
    O1 - Hosts: 81.211.105.5 www.adultwall.com
    O1 - Hosts: 81.211.105.5 www.afro-sex.com
    O1 - Hosts: 81.211.105.5 www.agreathost.net
    O1 - Hosts: 81.211.105.5 www.alehina.com
    O1 - Hosts: 81.211.105.5 www.allnichestgp.com
    O1 - Hosts: 81.211.105.5 www.allowednet.com
    O1 - Hosts: 81.211.105.5 www.amateurlips.com
    O1 - Hosts: 81.211.105.5 www.amateurnudephoto.com
    O1 - Hosts: 81.211.105.5 www.amateursgonebad.com
    O1 - Hosts: 81.211.105.5 www.ambersamateurhardcore.com
    O1 - Hosts: 81.211.105.5 www.anyamateur.com
    O1 - Hosts: 81.211.105.5 www.apornhost.com
    O1 - Hosts: 81.211.105.5 www.findmodels.com
    O1 - Hosts: 81.211.105.5 www.asianscum.com
    O1 - Hosts: 81.211.105.5 www.awethumbs.com
    O1 - Hosts: 81.211.105.5 www.badassxxx.com
    O1 - Hosts: 81.211.105.5 www.badbimbo.com
    O1 - Hosts: 81.211.105.5 www.beautifulbondage.com
    O1 - Hosts: 81.211.105.5 www.bestpornhost.com
    O1 - Hosts: 81.211.105.5 www.biggestdickinporn.net
    O1 - Hosts: 81.211.105.5 www1.3wisp.com
    O1 - Hosts: 81.211.105.5 www1.kinghost.com
    O1 - Hosts: 81.211.105.5 www1.ndhosting.com
    O1 - Hosts: 81.211.105.5 www1.sexls.com
    O1 - Hosts: 81.211.105.5 www1.smutserver.com
    O1 - Hosts: 81.211.105.5 www1.toptgphost.com
    O1 - Hosts: 81.211.105.5 www1.xfreehosting.com
    O1 - Hosts: 81.211.105.5 www10.kinghost.com
    O1 - Hosts: 81.211.105.5 www10.smutserver.com
    O1 - Hosts: 81.211.105.5 www11.kinghost.com
    O1 - Hosts: 81.211.105.5 www11.smutserver.com
    O1 - Hosts: 81.211.105.5 www12.kinghost.com
    O1 - Hosts: 81.211.105.5 www12.smutserver.com
    O1 - Hosts: 81.211.105.5 www13.smutserver.com
    O1 - Hosts: 81.211.105.5 www14.smutserver.com
    O1 - Hosts: 81.211.105.5 www15.smutserver.com
    O1 - Hosts: 81.211.105.5 www16.smutserver.com
    O1 - Hosts: 81.211.105.5 www17.smutserver.com
    O1 - Hosts: 81.211.105.5 www18.smutserver.com
    O1 - Hosts: 81.211.105.5 www19.smutserver.com
    O1 - Hosts: 81.211.105.5 www2.3wisp.com
    O1 - Hosts: 81.211.105.5 www2.kinghost.com
    O1 - Hosts: 81.211.105.5 www2.ndhosting.com
    O1 - Hosts: 81.211.105.5 www2.smutserver.com
    O1 - Hosts: 81.211.105.5 www2.toptgphost.com
    O1 - Hosts: 81.211.105.5 www2.xfreehosting.com
    O1 - Hosts: 81.211.105.5 www2.zpornstars.com
    O1 - Hosts: 81.211.105.5 www20.smutserver.com
    O1 - Hosts: 81.211.105.5 www21.smutserver.com
    O1 - Hosts: 81.211.105.5 www22.smutserver.com
    O1 - Hosts: 81.211.105.5 www23.smutserver.com
    O1 - Hosts: 81.211.105.5 www24.smutserver.com
    O1 - Hosts: 81.211.105.5 www25.smutserver.com
    O1 - Hosts: 81.211.105.5 www26.smutserver.com
    O1 - Hosts: 81.211.105.5 www27.smutserver.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {E5BEBE80-C7E1-9D19-DBAB-D6FD3A2D2C1D} - C:\WINDOWS\system32\efqgjbpf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\overnet.exe -t
    O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "G:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [snmmqbmb] C:\WINDOWS\zghrtaew.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [m] C:\WINDOWS\System32\iavtwt.exe
    O4 - HKLM\..\Run: C:\WINDOWS\System32\fqbgds.exe
    O4 - HKLM\..\Run: [AVG_CC] G:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [A7WWJ.exe] C:\windows\temp\A7WWJ.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
    O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvit.exe
    O4 - Startup: Otaku Mascot.lnk = C:\Program Files\Accursed Toys\Otaku Mascot\Mascot.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/152804ff1c352751a304/netzip/RdxIE601.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200321913
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.6323842593
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deploy/WebInst/webinst.cab
    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96E462B1-E299-4B17-8A1D-1B9EC5E04705}: NameServer = 151.164.17.201 151.164.20.201
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Miskatonika !

    Welcome to Wilders ! :)

    Miss, you have lots of junk... :)

    To start, go to the Windows Control Panel, Add/Remove Programs section, and remove the following programs, if found:

    Bearshare
    WinFavorites
    TV Media
    Ultimate Popup killer
    PSD Tools


    Now, before you start fixing your HJT log, please move HijackThis.exe to a separate folder of its own. The program makes backups in the folder it's in, and these easily get lost in a folder with other programs.

    Now, close down all open windows, IE windows and running programs, and have HijackThis fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = +s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

    O1 - Hosts: 81.211.105.12 193.125.201.50
    O1 - Hosts: 81.211.105.12 206.161.200.105
    O1 - Hosts: 81.211.105.12 209.66.114.130
    O1 - Hosts: 81.211.105.12 216.200.3.32
    O1 - Hosts: 81.211.105.12 64.124.45.181
    O1 - Hosts: 81.211.105.12 66.250.130.194
    O1 - Hosts: 81.211.105.12 66.40.16.131
    O1 - Hosts: 81.211.105.12 alfa-search.com
    O1 - Hosts: 81.211.105.12 allhyperlinks.com
    O1 - Hosts: 81.211.105.12 approvedlinks.com
    O1 - Hosts: 81.211.105.12 bestcrawler.com
    O1 - Hosts: 81.211.105.12 ewebsearch.net
    O1 - Hosts: 81.211.105.12 global-finder.com
    O1 - Hosts: 81.211.105.12 idgsearch.com
    O1 - Hosts: 81.211.105.12 ie-search.com
    O1 - Hosts: 81.211.105.12 itseasy.us
    O1 - Hosts: 81.211.105.12 jetseeker.com
    O1 - Hosts: 81.211.105.12 martfinder.com
    O1 - Hosts: 81.211.105.12 rightfinder.net
    O1 - Hosts: 81.211.105.12 runsearch.com
    O1 - Hosts: 81.211.105.12 search.unipages.cc
    O1 - Hosts: 81.211.105.12 search.xrenoder.com
    O1 - Hosts: 81.211.105.12 search-2003.com
    O1 - Hosts: 81.211.105.12 searchdot.net
    O1 - Hosts: 81.211.105.12 searchv.com
    O1 - Hosts: 81.211.105.12 searchxp.com
    O1 - Hosts: 81.211.105.12 seekwell.net
    O1 - Hosts: 81.211.105.12 slawsearch.com
    O1 - Hosts: 81.211.105.12 srch-us6.hpwis.com
    O1 - Hosts: 81.211.105.12 start-space.com
    O1 - Hosts: 81.211.105.12 searchmyrequest.com
    O1 - Hosts: 81.211.105.12 therealsearch.com
    O1 - Hosts: 81.211.105.12 topsearcher.com
    O1 - Hosts: 81.211.105.12 unipages.cc
    O1 - Hosts: 81.211.105.12 webcoolsearch.com
    O1 - Hosts: 81.211.105.12 worldnet.att.net
    O1 - Hosts: 81.211.105.12 yourbookmarks.ws
    O1 - Hosts: 81.211.105.5 www.0190-dialer.com
    O1 - Hosts: 81.211.105.5 www.22469.com
    O1 - Hosts: 81.211.105.5 www.3wisp.com
    O1 - Hosts: 81.211.105.5 www.adult-cinema.org
    O1 - Hosts: 81.211.105.5 www.adultfreehosting.com
    O1 - Hosts: 81.211.105.5 www.adulthosting.com
    O1 - Hosts: 81.211.105.5 www.adultlinks1.com
    O1 - Hosts: 81.211.105.5 www.adultmegamovies.com
    O1 - Hosts: 81.211.105.5 www.adultsexmovie.net
    O1 - Hosts: 81.211.105.5 www.adultwall.com
    O1 - Hosts: 81.211.105.5 www.afro-sex.com
    O1 - Hosts: 81.211.105.5 www.agreathost.net
    O1 - Hosts: 81.211.105.5 www.alehina.com
    O1 - Hosts: 81.211.105.5 www.allnichestgp.com
    O1 - Hosts: 81.211.105.5 www.allowednet.com
    O1 - Hosts: 81.211.105.5 www.amateurlips.com
    O1 - Hosts: 81.211.105.5 www.amateurnudephoto.com
    O1 - Hosts: 81.211.105.5 www.amateursgonebad.com
    O1 - Hosts: 81.211.105.5 www.ambersamateurhardcore.com
    O1 - Hosts: 81.211.105.5 www.anyamateur.com
    O1 - Hosts: 81.211.105.5 www.apornhost.com
    O1 - Hosts: 81.211.105.5 www.findmodels.com
    O1 - Hosts: 81.211.105.5 www.asianscum.com
    O1 - Hosts: 81.211.105.5 www.awethumbs.com
    O1 - Hosts: 81.211.105.5 www.badassxxx.com
    O1 - Hosts: 81.211.105.5 www.badbimbo.com
    O1 - Hosts: 81.211.105.5 www.beautifulbondage.com
    O1 - Hosts: 81.211.105.5 www.bestpornhost.com
    O1 - Hosts: 81.211.105.5 www.biggestdickinporn.net
    O1 - Hosts: 81.211.105.5 www1.3wisp.com
    O1 - Hosts: 81.211.105.5 www1.kinghost.com
    O1 - Hosts: 81.211.105.5 www1.ndhosting.com
    O1 - Hosts: 81.211.105.5 www1.sexls.com
    O1 - Hosts: 81.211.105.5 www1.smutserver.com
    O1 - Hosts: 81.211.105.5 www1.toptgphost.com
    O1 - Hosts: 81.211.105.5 www1.xfreehosting.com
    O1 - Hosts: 81.211.105.5 www10.kinghost.com
    O1 - Hosts: 81.211.105.5 www10.smutserver.com
    O1 - Hosts: 81.211.105.5 www11.kinghost.com
    O1 - Hosts: 81.211.105.5 www11.smutserver.com
    O1 - Hosts: 81.211.105.5 www12.kinghost.com
    O1 - Hosts: 81.211.105.5 www12.smutserver.com
    O1 - Hosts: 81.211.105.5 www13.smutserver.com
    O1 - Hosts: 81.211.105.5 www14.smutserver.com
    O1 - Hosts: 81.211.105.5 www15.smutserver.com
    O1 - Hosts: 81.211.105.5 www16.smutserver.com
    O1 - Hosts: 81.211.105.5 www17.smutserver.com
    O1 - Hosts: 81.211.105.5 www18.smutserver.com
    O1 - Hosts: 81.211.105.5 www19.smutserver.com
    O1 - Hosts: 81.211.105.5 www2.3wisp.com
    O1 - Hosts: 81.211.105.5 www2.kinghost.com
    O1 - Hosts: 81.211.105.5 www2.ndhosting.com
    O1 - Hosts: 81.211.105.5 www2.smutserver.com
    O1 - Hosts: 81.211.105.5 www2.toptgphost.com
    O1 - Hosts: 81.211.105.5 www2.xfreehosting.com
    O1 - Hosts: 81.211.105.5 www2.zpornstars.com
    O1 - Hosts: 81.211.105.5 www20.smutserver.com
    O1 - Hosts: 81.211.105.5 www21.smutserver.com
    O1 - Hosts: 81.211.105.5 www22.smutserver.com
    O1 - Hosts: 81.211.105.5 www23.smutserver.com
    O1 - Hosts: 81.211.105.5 www24.smutserver.com
    O1 - Hosts: 81.211.105.5 www25.smutserver.com
    O1 - Hosts: 81.211.105.5 www26.smutserver.com
    O1 - Hosts: 81.211.105.5 www27.smutserver.com

    O2 - BHO: (no name) - {E5BEBE80-C7E1-9D19-DBAB-D6FD3A2D2C1D} - C:\WINDOWS\system32\efqgjbpf.dll

    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\overnet.exe -t
    O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [snmmqbmb] C:\WINDOWS\zghrtaew.exe
    O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
    O4 - HKLM\..\Run: [m] C:\WINDOWS\System32\iavtwt.exe
    O4 - HKLM\..\Run: C:\WINDOWS\System32\fqbgds.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [A7WWJ.exe] C:\windows\temp\A7WWJ.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
    O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
    O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvit.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/152804ff1c3527...ip/RdxIE601.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...?rand=200321913


    The entry in blue is optional to fix. These are typically either infrequently used tasks that can be started manually if necessary, or resource hogs that aren't necessary for the operation of your system.

    Reboot your machine and boot into Safe Mode by tapping the F8 key (8-9 times) at bootup.

    It may happen that a file is hidden, so first unhide files using the following instructions...
    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search for and, if present, delete all of the following file(s) and folder(s):

    C:\WINDOWS\system32\efqgjbpf.dll
    C:\Program Files\BearShare\ <---- Entire Folder
    C:\WINDOWS\av.exe
    C:\WINDOWS\zghrtaew.exe
    c:\program files\winfavorites\ <---- Entire Folder
    C:\WINDOWS\System32\iavtwt.exe
    C:\WINDOWS\System32\fqbgds.exe
    c:\WINDOWS\System32\zzb.exe
    C:\Program Files\TV Media\<---- Entire Folder
    C:\windows\temp\<---- Entire Folder contents
    C:\WINDOWS\System32\dp-k13w13.exe
    C:\WINDOWS\uptodate.exe
    MSConfig45.exe
    C:\Program Files\Ultimate Popup Killer\ <---- Entire Folder
    C:\Program Files\Common Files\PSD Tools\ <---- Entire Folder
    c:\WINDOWS\System32\zzb.exe

    Also, while in Safe Mode, go here and do an online virus scan:

    http://housecall.trendmicro.com/

    Be sure to put a check in the box by Auto Clean before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

    Empty recycle bin.

    When you've done all that, restart your machine, rescan it with HijackThis and show us a fresh log along with the antivirus scan result.

    With Thanks !
    Newkid !
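    A small triage script, added here as an example and not part of the thread, that applies the same two checks Newkid makes by eye on the log above: a hosts file pointing many names at one non-loopback IP (the 81.211.105.12 entries), and Run entries with no value name, a bare directory, a temp-directory path, or an executable dropped straight into the Windows directory. The sample lines are a constructed subset of the posted log plus one constructed loopback entry; the heuristics, the threshold and the function names are my own assumptions.

```python
"""Triage a HijackThis-style log for hosts-file redirects and odd Run entries.

Added example, not code from the thread. The heuristics and the threshold
are assumptions; the sample below is a constructed subset of the posted log.
"""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the log posted above, plus one
# loopback entry (127.0.0.1) that a legitimate ad-blocking hosts file would add.
SAMPLE_LOG = r"""
O1 - Hosts: 81.211.105.12 alfa-search.com
O1 - Hosts: 81.211.105.12 bestcrawler.com
O1 - Hosts: 81.211.105.12 srch-us6.hpwis.com
O1 - Hosts: 81.211.105.12 worldnet.att.net
O1 - Hosts: 127.0.0.1 ad.example.invalid
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [snmmqbmb] C:\WINDOWS\zghrtaew.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\fqbgds.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [A7WWJ.exe] C:\windows\temp\A7WWJ.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# hive, Run/RunServices/RunOnce, optional [name], command line
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*):\s*(?:\[([^\]]*)\]\s*)?(.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
# an .exe sitting directly in <drive>:\windows\, not in a subfolder
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def hosts_redirects(lines, min_names=3):
    """Group O1 entries by target IP. One non-loopback IP that claims several
    names is a hosts-file hijack: search sites silently resolve to that host."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m:
            ip, name = m.groups()
            by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items()
            if not ip.startswith("127.") and ip != "0.0.0.0"
            and len(names) >= min_names}


def _first_token(cmd):
    """Return the executable path from a Run value, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def suspicious_run_entries(lines):
    """Flag O4 Run entries that match the patterns seen in the posted log."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        cmd = cmd.strip()
        exe = _first_token(cmd)
        reasons = []
        if not name:                       # "[]" or no bracket at all
            reasons.append("missing or empty value name")
        if not cmd or cmd.endswith("\\"):  # e.g. "[] c:\WINDOWS\System32\"
            reasons.append("value is a bare directory, not an executable")
        if TEMP_RE.search(exe):
            reasons.append("executable runs from a temp directory")
        if WINDIR_ROOT_RE.match(exe):
            reasons.append("executable sits directly in the Windows directory")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name,
                             "command": cmd, "reasons": reasons})
    return findings


def triage(text):
    """Run both checks over a whole log and return the findings."""
    lines = text.strip().splitlines()
    return {"hosts_redirects": hosts_redirects(lines),
            "run_entries": suspicious_run_entries(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["hosts_redirects"].items():
        print(f"hosts file sends {len(names)} names to {ip}: {', '.join(names)}")
    for f in report["run_entries"]:
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```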
     
  3. Miskatonika

    Miskatonika Registered Member

    Joined:
    Jun 20, 2004
    Posts:
    2
    Hello and Thank you!

    I did everything, but here are a few things you should know:

    (1) I couldn't get online while in Safe Mode, so when I ran the online virus scan it was in regular mode.

    (2) I installed and run Pop-Up Stopper because it actually works, so I'm not getting rid of it.

    ________________________________________________________________

    Logfile of HijackThis v1.97.7
    Scan saved at 2:23:22 PM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    G:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    G:\Program Files\iTunesHelper.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    G:\Program Files\HiJackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hotmail.com/
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.tjem.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "G:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [AVG_CC] G:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - Startup: Otaku Mascot.lnk = C:\Program Files\Accursed Toys\Otaku Mascot\Mascot.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.6323842593
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f2.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://webadmin.is.tcu.edu/av/Deploy/WebInst/webinst.cab
    O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96E462B1-E299-4B17-8A1D-1B9EC5E04705}: NameServer = 151.164.17.201 151.164.20.201
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Mis..

    Good job indeed. :) Most of them are gone.

    Please close down all browser windows and other open windows, and have HijackThis fix the following entries:

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe


    Now, boot into Safe Mode by tapping the F8 key (8-9 times) at bootup.

    It may happen that the file is hidden, so first unhide files using the following instructions...
    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search for and, if present, delete every occurrence of this file:
    MSConfig45.exe

    Reboot and boot into normal mode.

    Go to this page and follow the instructions as published there:

    http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=56539&VName=BKDR_SDBOT.OJ

    When you've done all that, show us a fresh HijackThis log.

    I recommend you uninstall this, because you have a popup stopper from Panicware as well. When one has two things with the same function, in most cases they cross each other, and as a result neither of them works.

    With Thanks !
    Newkid !
     