Can't get rid of Adult_chat.exe


  • This topic is locked
4 replies to this topic

#1 Newhook

Posted 07 May 2005 - 09:30 AM

Hello,

I have been trying in vain to remove adult_chat.exe for the past 4 days.

Here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:42 AM, on 07/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seaknife.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\msnmsgrs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115161699171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


I have run Spybot, Adaware and Microsoft AntiSpyware, which will pick it up and remove it. Then when I get online again it comes right back.

Help me please!!!

Thanks

#2 pskelley


Posted 07 May 2005 - 07:12 PM

Hello Newhook, I wish to be candid with you, and I am sure you are aware of the fact that your security is critical. For some reason you have no Service Pack for your Operating System and you have downloaded none of the critical security patches for your browser. The way things are now, it is no longer a question of if you will get infected but rather when. It is a waste of your and my time to clean malware off of this computer, as it is coming back. You must go to Windows Updates and correct this issue, or if you cannot because the software is not valid or for some other reason, then you need to take steps to correct this also.
This is the best advice I can give you.

1) SpyKiller is rogue spyware, see this: http://www.spywarewarrior.com/rogue_anti-spyware.htm
BestPopUpKiller is a rogue product, see the above link and this one: http://castlecops.com/startuplist-5311.html

2) Beta Microsoft AntiSpyware must be turned off, it will stop our HJT fix.
To disable the program, follow the instructions below:
A.) Right click on the Microsoft Antispyware tray icon (a little red and yellow circle looking thing)
B.) Click on Security Agents Status (Enabled)
C.) Click on Disable Real-time Protection.

3) SpybotSD TeaTimer must be turned off, it will block the HJT fix:
Disable TeaTimer
Run Spybot-S&D
Go to the Mode menu, and make sure Advanced Mode is selected
On the left hand side, choose Tools -> Resident
Uncheck Resident TeaTimer and OK any prompts
Restart your computer.

4) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\msnmsgrs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\SpyKiller\ >>> folder

C:\Program Files\BestPopUpKiller\ >>> folder

Let's check for trojans in case any are hiding, run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it.
http://www.windowsecurity.com/trojanscan/

Run CCleaner then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running.

Thanks...pskelley
HJT Team

PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed, follow these instructions:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 Newhook


Posted 08 May 2005 - 01:57 PM

Thank you very much for your reply. You are a lifesaver!

I followed your instructions and it appears to have worked. Here is my new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:18:26 PM, on 08/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115161699171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe



Regarding my updating Windows XP for security patches etc., how do I do this? I went to my Tools menu, then clicked Windows Update and downloaded and installed what was there. Right now there is an icon in my toolbar on the right hand side by the clock saying "downloading updates: 28%". Is there anything else I need to do to keep my Windows up to date?

Again, thank you. I'm sure you must lose your patience sometimes when computer illiterates like myself run into problems like this.
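The comparison between the two scans above, as an added example that is not part of any post in this thread: a short Python script that diffs the before and after HijackThis logs and lists entries reported as "(no file)". The log lines are excerpts copied from the thread; the function names are illustrative assumptions.

```python
import re

# Excerpts copied from the two HijackThis logs in this thread (not the full logs):
# BEFORE is the 07 May scan, AFTER is the 08 May scan taken after the fix.
BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\msnmsgrs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""
AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O2 - BHO: ..."

def parse(log):
    """Map (section, case-folded text) -> original line for every entry line."""
    entries = {}
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            # Windows paths are case-insensitive, so fold case before comparing.
            entries[(m.group(1), m.group(2).casefold())] = line
    return entries

def diff(before, after):
    """Return (removed, added) entry lines between two scans."""
    b, a = parse(before), parse(after)
    return [b[k] for k in b if k not in a], [a[k] for k in a if k not in b]

def orphans(log):
    """Entries HijackThis reports as '(no file)': registered, but target missing."""
    return [line for line in parse(log).values() if line.endswith("(no file)")]

if __name__ == "__main__":
    removed, added = diff(BEFORE, AFTER)
    for tag, lines in (("removed", removed), ("added", added)):
        for line in lines:
            print(f"{tag:8}{line}")
    print("orphans before:", len(orphans(BEFORE)), "after:", len(orphans(AFTER)))
```

The six removed lines are the ones selected for "Fix Checked" in post #2, and the one added O16 line is the ActiveX control installed by the online trojan scan.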

#4 pskelley


Posted 08 May 2005 - 02:36 PM

Hello Newhook, let me make suggestions about the Windows Updates first, then I will look at the log. If you have a valid registered copy of Windows XP then you really need to contact Microsoft if you are having problems. These updates are part of your Operating System purchase. It just so happens I have a toll free number that might not be exactly what you want, but plead your case and ask for either the correct number or for them to transfer you. This number deals with SP2 issues and perhaps having a clean machine (make sure you tell the technician that) they will assist with that download. The only other thing I can offer is a troubleshooting website:
The number in US/Canada is 888-SP2-HELP

SP2 CD
http://www.microsoft.com/windowsxp/downloa...us/default.mspx
What you should know
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

http://v4.windowsupdate.microsoft.com/troubleshoot/

This is a very serious issue, I suggest you follow up asap.

I can say that no malware is appearing in your log at this time.

Quote: "Regarding my updating Windows XP for security patches etc., how do I do this? I went to my Tools menu, then clicked Windows Update and downloaded and installed what was there. Right now there is an icon in my toolbar on the right hand side by the clock saying "downloading updates: 28%". Is there anything else I need to do to keep my Windows up to date?"


If it finishes installing just look at other logs with SP1 or two on them and look at the browser line. When you are up to date, and this process should be set to happen automatically, Windows Updates will tell you that you have all necessary updates for your computer.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Good luck, if I can assist more this thread will be open for a couple of days.
Thanks...pskelley
HJT Team

Edited by pskelley, 08 May 2005 - 02:41 PM.


#5 pskelley


Posted 12 May 2005 - 07:09 PM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.