Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

69sexsearch.com Infection


  • Please log in to reply
1 reply to this topic

#1 JasperLeyten

JasperLeyten

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:35 AM

Posted 01 January 2005 - 08:23 PM

Hello, I've got a serious problem with my computer. When i start up IE it always starts at realsearch.cc and when i close IE about 20 to 60 popups come upm with 69sexsearch.com I've tried to delete it with Hijackthis. But it didn't really work. I seem to got rid of realsearch.cc but the 69sexsearch.com keeps coming back. I run 2 online scans and delete the files infected.

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/co...n_principal.htm

Now here is mij Hijackthis log.

Logfile of HijackThis v1.98.2
Scan saved at 2:22:30, on 2-1-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\auwsel.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\temp\salm.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jasper\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{E4D8DA67-D57B-42B3-A15F-36CB3D317C42} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: Richfind - {3FABCF49-2085-4CC4-A36F-3020A4E4C927} - C:\WINDOWS\System32\Q20756055.dll (file missing)
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Richfind - {CB07DB30-2F41-4D07-B0DC-F7342A604061} - C:\WINDOWS\System32\Q20756055.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [CD1A54CB] C:\WINDOWS\system32\idisamooms.exe
O4 - HKLM\..\Run: [A334D086] C:\WINDOWS\system32\auwsel.exe
O4 - HKLM\..\Run: [FFD79083] C:\WINDOWS\system32\cnoiew.exe
O4 - HKLM\..\Run: [ED8E4956] C:\WINDOWS\system32\ATHboxsrv.exe
O4 - HKLM\..\Run: [96FC664B] C:\WINDOWS\system32\rsefil.exe
O4 - HKLM\..\Run: [91589ECE] C:\WINDOWS\system32\lbcadltui.exe
O4 - HKLM\..\Run: [C93DBF46] C:\WINDOWS\system32\fil3anmi.exe
O4 - HKLM\..\Run: [FBA1067B] C:\WINDOWS\system32\esnpmap.exe
O4 - HKLM\..\Run: [D8CF6656] C:\WINDOWS\system32\vpviewcmpr.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [ahul] C:\WINDOWS\ahul.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CD1A54CB] C:\WINDOWS\system32\idisamooms.exe
O4 - HKCU\..\Run: [A334D086] C:\WINDOWS\system32\auwsel.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [FFD79083] C:\WINDOWS\system32\cnoiew.exe
O4 - HKCU\..\Run: [ED8E4956] C:\WINDOWS\system32\ATHboxsrv.exe
O4 - HKCU\..\Run: [96FC664B] C:\WINDOWS\system32\rsefil.exe
O4 - HKCU\..\Run: [91589ECE] C:\WINDOWS\system32\lbcadltui.exe
O4 - HKCU\..\Run: [C93DBF46] C:\WINDOWS\system32\fil3anmi.exe
O4 - HKCU\..\Run: [FBA1067B] C:\WINDOWS\system32\esnpmap.exe
O4 - HKCU\..\Run: [D8CF6656] C:\WINDOWS\system32\vpviewcmpr.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Richfind - {CB07DB30-2F41-4D07-B0DC-F7342A604061} - C:\WINDOWS\System32\Q20756055.dll (file missing)
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_gln3.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c11.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://bitdefender.secyber.net/BITDEFENDER...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

I hope someone can help me with this. Thx allready

BC AdBot (Login to Remove)

 


m

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:10:35 AM

Posted 02 January 2005 - 09:13 AM

Hi :thumbsup:

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.


When choosing anti-spyware protection, you should rely on products with deserved reputations and proven track records:
Security iGuard is a rogue anti-spy software.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
You can use these free programs: Ad-Aware SE, Spybot Search & Destroy + SpywareBlaster.
Please uninstall Security iGuard from Add\Remove Programs.

Please uninstall from Add\Remove Programs, if present:
ShopAtHome

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R3 - URLSearchHook: (no name) - _{E4D8DA67-D57B-42B3-A15F-36CB3D317C42} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: Richfind - {3FABCF49-2085-4CC4-A36F-3020A4E4C927} - C:\WINDOWS\System32\Q20756055.dll (file missing)
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINDOWS\webdir.dll
O3 - Toolbar: Richfind - {CB07DB30-2F41-4D07-B0DC-F7342A604061} - C:\WINDOWS\System32\Q20756055.dll (file missing)

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [CD1A54CB] C:\WINDOWS\system32\idisamooms.exe
O4 - HKLM\..\Run: [A334D086] C:\WINDOWS\system32\auwsel.exe
O4 - HKLM\..\Run: [FFD79083] C:\WINDOWS\system32\cnoiew.exe
O4 - HKLM\..\Run: [ED8E4956] C:\WINDOWS\system32\ATHboxsrv.exe
O4 - HKLM\..\Run: [96FC664B] C:\WINDOWS\system32\rsefil.exe
O4 - HKLM\..\Run: [91589ECE] C:\WINDOWS\system32\lbcadltui.exe
O4 - HKLM\..\Run: [C93DBF46] C:\WINDOWS\system32\fil3anmi.exe
O4 - HKLM\..\Run: [FBA1067B] C:\WINDOWS\system32\esnpmap.exe
O4 - HKLM\..\Run: [D8CF6656] C:\WINDOWS\system32\vpviewcmpr.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [ahul] C:\WINDOWS\ahul.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKCU\..\Run: [CD1A54CB] C:\WINDOWS\system32\idisamooms.exe
O4 - HKCU\..\Run: [A334D086] C:\WINDOWS\system32\auwsel.exe
O4 - HKCU\..\Run: [FFD79083] C:\WINDOWS\system32\cnoiew.exe
O4 - HKCU\..\Run: [ED8E4956] C:\WINDOWS\system32\ATHboxsrv.exe
O4 - HKCU\..\Run: [96FC664B] C:\WINDOWS\system32\rsefil.exe
O4 - HKCU\..\Run: [91589ECE] C:\WINDOWS\system32\lbcadltui.exe
O4 - HKCU\..\Run: [C93DBF46] C:\WINDOWS\system32\fil3anmi.exe
O4 - HKCU\..\Run: [FBA1067B] C:\WINDOWS\system32\esnpmap.exe
O4 - HKCU\..\Run: [D8CF6656] C:\WINDOWS\system32\vpviewcmpr.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O9 - Extra button: Richfind - {CB07DB30-2F41-4D07-B0DC-F7342A604061} - C:\WINDOWS\System32\Q20756055.dll (file missing)

O15 - Trusted Zone: http://*.69sexsearch.com

O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_gln3.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c11.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\System32\Q20756055.dll <-- this file
C:\WINDOWS\webdir.dll <-- this file
C:\WINDOWS\LMU.exe <-- this file
C:\WINDOWS\system32\idisamooms.exe <-- this file
C:\WINDOWS\system32\auwsel.exe <-- this file
C:\WINDOWS\system32\cnoiew.exe <-- this file
C:\WINDOWS\system32\ATHboxsrv.exe <-- this file
C:\WINDOWS\system32\rsefil.exe <-- this file
C:\WINDOWS\system32\lbcadltui.exe <-- this file
C:\WINDOWS\system32\fil3anmi.exe <-- this file
C:\WINDOWS\system32\esnpmap.exe <-- this file
C:\WINDOWS\system32\vpviewcmpr.exe <-- this file
c:\temp\salm.exe <-- this file
C:\WINDOWS\ahul.exe <-- this file
C:\WINDOWS\System32\SahAgent.exe <-- this file


Delete these folders:
C:\Program files\SEARCH~1\ <-- this folder. foldername starts with SEARCH
C:\Program Files\Security iGuard\ <-- this folder
C:\WINDOWS\System32\P2P Networking\ <-- this folder
C:\Program Files\Admilli Service\ <-- this folder
C:\Program Files\Common Files\GMT\ <-- this folder


Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users