[solved] SecThought.E removal... here is my log

Discussion in 'adware, spyware & hijack cleaning' started by candiheartz86, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Hi All,

    I am using Spybot S&D. I have Windows 2000. I keep getting popups from AVG 6.0 saying that I have the trojan SecThought.E. I have tried deleting the Temporary Internet Files but the popups haven't stopped. I am following the instructions on this site https://www.wilderssecurity.com/showthread.php?t=15913 . I ran Hyjack This and here is my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:04:05 PM, on 6/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\llhst3gd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=3.11&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [llhst3gd] C:\WINNT\system32\llhst3gd.exe
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks for the help!
    Jen
     
  2. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    Hello candiheartz86,

    Welcome to WildersSecurity forums :).

    You are running P2P networking. This is techincally not malware, but I strongly suggest you to remove it. If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'. P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

    You are running MyBar. This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar. I recommend that you remove it. Here are the components to fix with HJT and you will need to remove the main program from Add/Remove Programs as well:

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DL


    Next, with all other browsers closed, please fix the following items in HijackThis:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O4 - HKLM\..\Run: [llhst3gd] C:\WINNT\system32\llhst3gd.exe
    O9 - Extra button: Sidesearch (HKLM)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


    Reboot, and in safe mode, please delete the following files/folders:

    C:\Program Files\Lycos<---folder
    C:\PROGRA~1\PERFEC~1<---folder
    C:\WINNT\system32\llhst3gd.exe<---file
    C:\Program Files\MyWay<---folder

    Reboot, and post a fresh HijackThis logfile in this thread :)
     
  3. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    Hi Again,
    I fixed the items in HijackThis but Im not sure how to reboot in safe mode. And should i disable Windows Me System Restore before I do?

    Jen
    :rolleyes:
     
  4. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    nevermind the part about safe mode :rolleyes:
     
  5. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    I did what you said. Here is my new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:09:46 PM, on 6/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\tdsbsrvn.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=3.11&bm=ho_search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online DSL
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tdsbsrvn] C:\WINNT\system32\tdsbsrvn.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    How does it look?

    Jen
     
  6. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    Hmm..just a few more items left :)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O4 - HKLM\..\Run: [tdsbsrvn] C:\WINNT\system32\tdsbsrvn.exe


    Reboot, and in safe mode, please delete the following file:

    C:\WINNT\system32\tdsbsrvn.exe<---file

    Reboot, and run an online virus scan from here, and let it fix whatever it finds. Once its done, please post a fresh HijackThis logfile in this thread.
     
  7. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    I scanned my computer with the BitDefender AntiVirus Scan and this is what it came up with:

    Master Boot Record 80 ok (DOS, WinNT4.0, Win95)
    Partition Boot 1 (primary) (active) ok (Windows NT 2000 FAT32)
    Boot Sector of Drive A: ok (Read Error)
    C:\WINNT\system32\mdlgsd.exe infected: Trojan.Revop.D
    C:\WINNT\system32\mdlgsd.exe unable to disinfect
    C:\WINNT\system32\ONauthW.exe infected: Trojan.Revop.D
    C:\WINNT\system32\ONauthW.exe unable to disinfect
    C:\WINNT\system32\oboex32R.exe infected: Trojan.Revop.D
    C:\WINNT\system32\oboex32R.exe unable to disinfect
    C:\WINNT\pup.exe infected: Trojan.Revop.D
    C:\WINNT\pup.exe unable to disinfect
    C:\WINNT\twaintec.dll infected: Trojan.Spy.BiSpy.C
    C:\WINNT\twaintec.dll unable to disinfect



    This is the fresh log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:55:25 PM, on 6/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=3.11&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbi.com/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online DSL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    I appreciate your help more than you know
    Jen :rolleyes:
     
  8. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Hmm...from the scan, it seems you have multiple infections, including WinPup :(. Lets take them out, one by one:

    WinPup Removal:

    Please download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download and update it following the instructions here: http://tds.diamondcs.com.au/index.php?page=update Then click System Testing > Full System scan.

    Once you are done, please copy the contents of the quote box to a notepad file, and name it fix.reg, making sure that you set the box "save as type" to all files...then save it to the desktop. Locate fix.reg, double-click the file to merge it into the registry, saying yes to all the prompts:


    Reboot the computer to SAFE mode - How do I boot into "Safe" mode?, and delete pup.exe. When in Windows again, please follow the instructions below:

    Twain-Tech Removal:

    We also need to remove a program called "Twain-Tec". To do this, first you need to disable System restore as per the instructions at here . Twiantec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete: Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini. If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it. Once you finish this, you can re-enable System Restore.

    Finally, reboot one final time post a fresh HijackThis logfile in this thread :)
     
    Last edited: Jun 23, 2004
  9. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    I followed the instructions to Disable System Restore. I go into start, then settings, then control panel and into system, but there isnt a tab for Performance. I can go into Advanced and click on Performance Options but there is nothing there about File System or Troubleshooting.

    Is there another way to disable system restore?
     
  10. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    Oops..I forgot that you were running Windows 2000, which does not have an option for System Restore :rolleyes:. Anyway, don't worry about it, please proceed with the rest of the instructions.
     
  11. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    I couldn't uninstall Twain-Tec because it wasnt listed under Add/Remove Programs. But I did delete the other files.

    Here is my new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:26 AM, on 6/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=3.11&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbi.com/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online DSL
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    Okay, now this should end the infections :)

    With all other browsers closed, please fix the following item in HijackThis:

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com

    Reboot, and in safe mode, please delete the following files:

    C:\WINNT\system32\mdlgsd.exe<---file
    C:\WINNT\system32\ONauthW.exe<---file
    C:\WINNT\system32\oboex32R.exe<---file

    Reboot, and run another online virus scan from here, and let it fix whatever it finds. Once its done, please post a fresh HijackThis logfile in this thread.
     
  13. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    I scanned my computer and this is what it says:

    Memory ok
    Master Boot Record 80 ok (DOS, WinNT4.0, Win95)
    Partition Boot 1 (primary) (active) ok (Windows NT 2000 FAT32)
    Boot Sector of Drive A: ok (Read Error)
    C:\Recycled\Dc1.exe infected: Trojan.Revop.D
    C:\Recycled\Dc1.exe unable to disinfect
    C:\Recycled\Dc2.dll infected: Trojan.Spy.BiSpy.C
    C:\Recycled\Dc2.dll unable to disinfect
    C:\Recycled\Dc4.exe infected: Trojan.Revop.D
    C:\Recycled\Dc4.exe unable to disinfect
    C:\Recycled\Dc5.exe infected: Trojan.Revop.D
    C:\Recycled\Dc5.exe unable to disinfect
    C:\Recycled\Dc6.exe infected: Trojan.Revop.D
    C:\Recycled\Dc6.exe unable to disinfect

    Here is my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:01:45 PM, on 6/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARUpld32.exe
    C:\Program Files\VerizonOnlineDSL\Visual IP InSight\ARMon32a.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=3.11&bm=ho_search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.attbi.com/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online DSL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    :)
     
  14. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    This infection is persistent...

    In safe mode, please delete the following files:

    C:\Recycled\Dc1.exe<---file
    C:\Recycled\Dc2.dll<---file
    C:\Recycled\Dc4.exe<---file
    C:\Recycled\Dc5.exe<---file
    C:\Recycled\Dc6.exe<---file

    Reboot, and run another online virus scan from here, and let it fix whatever it finds, and if it lists any other files, please delete them in SAFE mode as well, but tell me what you deleted :)
     
  15. candiheartz86

    candiheartz86 Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    9
    Re: SecThought.E removal... here is my log

    Yay! It didn't find anything! You are amazing, what would I have done without you? :D Thank you so much for your help.


    :)
     
  16. splintercell990

    splintercell990 Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    19
    Re: SecThought.E removal... here is my log

    Glad I could help candiheartz86 :)

    However, think protection- download and install:

    SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    Both are very small free programs that you run once, and then just occasionally to check for updates.

    And also see
    So how did I get infected in the first place?

    Thanks for coming to Wilders :)
     
Thread Status:
Not open for further replies.