
HJT Log - 69SexSearch hijack


3 replies to this topic

#1 Wonton

Wonton

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 08 January 2005 - 11:33 AM

Hey guys, I've run both Adaware and Search & Destroy on my computer, rebooted, and this is my most recent HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 11:27:32 AM, on 1/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\pcupase.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alan VanToai\Desktop\HijackThis199Final[www.click-now.net]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKLM\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
O4 - HKLM\..\Run: [4F86EFD6] C:\WINDOWS\system32\THPwsMDM.exe
O4 - HKLM\..\Run: [AB9EBADE] C:\WINDOWS\system32\acctiv.exe
O4 - HKLM\..\Run: [FA7651C6] C:\WINDOWS\system32\bkprxts.exe
O4 - HKLM\..\Run: [479A94DE] C:\WINDOWS\system32\fgmgnetc.exe
O4 - HKLM\..\Run: [8A378863] C:\WINDOWS\system32\aclatmf.exe
O4 - HKLM\..\Run: [FB9557F3] C:\WINDOWS\system32\idislbca.exe
O4 - HKLM\..\Run: [8B83B8F6] C:\WINDOWS\system32\slrdsom.exe
O4 - HKLM\..\Run: [ADA79646] C:\WINDOWS\system32\dielerr.exe
O4 - HKLM\..\Run: [CB13B18B] C:\WINDOWS\system32\aaapeclbc.exe
O4 - HKLM\..\Run: [8CA7CC63] C:\WINDOWS\system32\adsmfdwav.exe
O4 - HKLM\..\Run: [BAC6C466] C:\WINDOWS\system32\4satsrv.exe
O4 - HKLM\..\Run: [90C08306] C:\WINDOWS\system32\lrsvlus.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKCU\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
O4 - HKCU\..\Run: [4F86EFD6] C:\WINDOWS\system32\THPwsMDM.exe
O4 - HKCU\..\Run: [AB9EBADE] C:\WINDOWS\system32\acctiv.exe
O4 - HKCU\..\Run: [FA7651C6] C:\WINDOWS\system32\bkprxts.exe
O4 - HKCU\..\Run: [479A94DE] C:\WINDOWS\system32\fgmgnetc.exe
O4 - HKCU\..\Run: [8A378863] C:\WINDOWS\system32\aclatmf.exe
O4 - HKCU\..\Run: [FB9557F3] C:\WINDOWS\system32\idislbca.exe
O4 - HKCU\..\Run: [8B83B8F6] C:\WINDOWS\system32\slrdsom.exe
O4 - HKCU\..\Run: [ADA79646] C:\WINDOWS\system32\dielerr.exe
O4 - HKCU\..\Run: [CB13B18B] C:\WINDOWS\system32\aaapeclbc.exe
O4 - HKCU\..\Run: [8CA7CC63] C:\WINDOWS\system32\adsmfdwav.exe
O4 - HKCU\..\Run: [BAC6C466] C:\WINDOWS\system32\4satsrv.exe
O4 - HKCU\..\Run: [90C08306] C:\WINDOWS\system32\lrsvlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O15 - Trusted Zone: http://*.69sexsearch.com

Every time I leave my computer for more than 5 minutes I get heaps of 69SexSearch popups and they're getting out of hand... Any help is appreciated!

Thanks in advance!
-Alan



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:55 AM

Posted 08 January 2005 - 10:35 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKLM\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
O4 - HKLM\..\Run: [4F86EFD6] C:\WINDOWS\system32\THPwsMDM.exe
O4 - HKLM\..\Run: [AB9EBADE] C:\WINDOWS\system32\acctiv.exe
O4 - HKLM\..\Run: [FA7651C6] C:\WINDOWS\system32\bkprxts.exe
O4 - HKLM\..\Run: [479A94DE] C:\WINDOWS\system32\fgmgnetc.exe
O4 - HKLM\..\Run: [8A378863] C:\WINDOWS\system32\aclatmf.exe
O4 - HKLM\..\Run: [FB9557F3] C:\WINDOWS\system32\idislbca.exe
O4 - HKLM\..\Run: [8B83B8F6] C:\WINDOWS\system32\slrdsom.exe
O4 - HKLM\..\Run: [ADA79646] C:\WINDOWS\system32\dielerr.exe
O4 - HKLM\..\Run: [CB13B18B] C:\WINDOWS\system32\aaapeclbc.exe
O4 - HKLM\..\Run: [8CA7CC63] C:\WINDOWS\system32\adsmfdwav.exe
O4 - HKLM\..\Run: [BAC6C466] C:\WINDOWS\system32\4satsrv.exe
O4 - HKLM\..\Run: [90C08306] C:\WINDOWS\system32\lrsvlus.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKCU\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
O4 - HKCU\..\Run: [4F86EFD6] C:\WINDOWS\system32\THPwsMDM.exe
O4 - HKCU\..\Run: [AB9EBADE] C:\WINDOWS\system32\acctiv.exe
O4 - HKCU\..\Run: [FA7651C6] C:\WINDOWS\system32\bkprxts.exe
O4 - HKCU\..\Run: [479A94DE] C:\WINDOWS\system32\fgmgnetc.exe
O4 - HKCU\..\Run: [8A378863] C:\WINDOWS\system32\aclatmf.exe
O4 - HKCU\..\Run: [FB9557F3] C:\WINDOWS\system32\idislbca.exe
O4 - HKCU\..\Run: [8B83B8F6] C:\WINDOWS\system32\slrdsom.exe
O4 - HKCU\..\Run: [ADA79646] C:\WINDOWS\system32\dielerr.exe
O4 - HKCU\..\Run: [CB13B18B] C:\WINDOWS\system32\aaapeclbc.exe
O4 - HKCU\..\Run: [8CA7CC63] C:\WINDOWS\system32\adsmfdwav.exe
O4 - HKCU\..\Run: [BAC6C466] C:\WINDOWS\system32\4satsrv.exe
O4 - HKCU\..\Run: [90C08306] C:\WINDOWS\system32\lrsvlus.exe
O15 - Trusted Zone: http://*.69sexsearch.com

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\pcupase.exe
C:\WINDOWS\system32\ctrwa.exe
C:\WINDOWS\system32\THPwsMDM.exe
C:\WINDOWS\system32\acctiv.exe
C:\WINDOWS\system32\bkprxts.exe
C:\WINDOWS\system32\fgmgnetc.exe
C:\WINDOWS\system32\aclatmf.exe
C:\WINDOWS\system32\idislbca.exe
C:\WINDOWS\system32\slrdsom.exe
C:\WINDOWS\system32\dielerr.exe
C:\WINDOWS\system32\aaapeclbc.exe
C:\WINDOWS\system32\adsmfdwav.exe
C:\WINDOWS\system32\4satsrv.exe
C:\WINDOWS\system32\lrsvlus.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\wuclient.exe
C:\WINDOWS\system32\pcupase.exe
C:\WINDOWS\system32\ctrwa.exe
C:\WINDOWS\system32\THPwsMDM.exe
C:\WINDOWS\system32\acctiv.exe
C:\WINDOWS\system32\bkprxts.exe
C:\WINDOWS\system32\fgmgnetc.exe
C:\WINDOWS\system32\aclatmf.exe
C:\WINDOWS\system32\idislbca.exe
C:\WINDOWS\system32\slrdsom.exe
C:\WINDOWS\system32\dielerr.exe
C:\WINDOWS\system32\aaapeclbc.exe
C:\WINDOWS\system32\adsmfdwav.exe
C:\WINDOWS\system32\4satsrv.exe
C:\WINDOWS\system32\lrsvlus.exe

Reboot your computer to go back to normal mode and post a new log.

#3 Wonton

Wonton
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 11 January 2005 - 07:43 PM

Alright, I did that! Thanks!

new log:

Logfile of HijackThis v1.99.0
Scan saved at 7:42:22 PM, on 1/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\ivemsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Alan VanToai\Desktop\HijackThis199Final[www.click-now.net]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [A4411363] C:\WINDOWS\system32\6todmpbidi.exe
O4 - HKLM\..\Run: [8A00C776] C:\WINDOWS\system32\autilepelp.exe
O4 - HKLM\..\Run: [8A6D84EB] C:\WINDOWS\system32\treinatpbk.exe
O4 - HKLM\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
O4 - HKLM\..\Run: [FE8D19EB] C:\WINDOWS\system32\polquetrm.exe
O4 - HKLM\..\Run: [EDA622EE] C:\WINDOWS\system32\edrxyses.exe
O4 - HKLM\..\Run: [DBB8AA03] C:\WINDOWS\system32\rxytmfvwav.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A4411363] C:\WINDOWS\system32\6todmpbidi.exe
O4 - HKCU\..\Run: [8A00C776] C:\WINDOWS\system32\autilepelp.exe
O4 - HKCU\..\Run: [8A6D84EB] C:\WINDOWS\system32\treinatpbk.exe
O4 - HKCU\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
O4 - HKCU\..\Run: [FE8D19EB] C:\WINDOWS\system32\polquetrm.exe
O4 - HKCU\..\Run: [EDA622EE] C:\WINDOWS\system32\edrxyses.exe
O4 - HKCU\..\Run: [DBB8AA03] C:\WINDOWS\system32\rxytmfvwav.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll

Clean?

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:55 AM

Posted 11 January 2005 - 10:02 PM

Fix these entries:

O4 - HKLM\..\Run: [A4411363] C:\WINDOWS\system32\6todmpbidi.exe
O4 - HKLM\..\Run: [8A00C776] C:\WINDOWS\system32\autilepelp.exe
O4 - HKLM\..\Run: [8A6D84EB] C:\WINDOWS\system32\treinatpbk.exe
O4 - HKLM\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
O4 - HKLM\..\Run: [FE8D19EB] C:\WINDOWS\system32\polquetrm.exe
O4 - HKLM\..\Run: [EDA622EE] C:\WINDOWS\system32\edrxyses.exe
O4 - HKLM\..\Run: [DBB8AA03] C:\WINDOWS\system32\rxytmfvwav.exe
O4 - HKCU\..\Run: [A4411363] C:\WINDOWS\system32\6todmpbidi.exe
O4 - HKCU\..\Run: [8A00C776] C:\WINDOWS\system32\autilepelp.exe
O4 - HKCU\..\Run: [8A6D84EB] C:\WINDOWS\system32\treinatpbk.exe
O4 - HKCU\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
O4 - HKCU\..\Run: [FE8D19EB] C:\WINDOWS\system32\polquetrm.exe
O4 - HKCU\..\Run: [EDA622EE] C:\WINDOWS\system32\edrxyses.exe
O4 - HKCU\..\Run: [DBB8AA03] C:\WINDOWS\system32\rxytmfvwav.exe

Reboot into safe mode and delete all the files above, then reboot back to normal mode and post a new log.
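Added example, not part of the thread or of HijackThis: a Python triage helper that parses the O4 Run lines of a HijackThis log and flags value names that are eight hex digits, point into system32, and appear under both HKLM and HKCU, which is the shape of the entries fixed in this thread. The heuristic and the function names are assumptions for illustration; the sample lines are excerpted from the two logs posted above.

```python
import re
from collections import defaultdict

# O4 lines excerpted from the two logs posted in this thread (not the full logs).
SCAN_1 = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKLM\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AAD20AF6] C:\WINDOWS\system32\pcupase.exe
O4 - HKCU\..\Run: [4F61CFCE] C:\WINDOWS\system32\ctrwa.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A6228DD6] C:\WINDOWS\system32\ivemsv.exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$")
HEX_NAME = re.compile(r"^[0-9A-F]{8}$")          # assumed heuristic: 8 hex digits
SYS32 = r"c:\windows\system32" + "\\"

def parse_run_entries(log):
    """Return (hive, value_name, command) for every O4 Run line in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def suspicious(log):
    """Map value name -> path for hex-named system32 entries present in both hives."""
    hives = defaultdict(set)
    for hive, name, cmd in parse_run_entries(log):
        if HEX_NAME.match(name) and cmd.lower().startswith(SYS32):
            hives[(name, cmd)].add(hive)
    return {name: cmd for (name, cmd), seen in hives.items() if seen == {"HKLM", "HKCU"}}

def compare(before, after):
    """Show which flagged value names disappeared and which are new in the later scan."""
    b, a = suspicious(before), suspicious(after)
    return {"gone": sorted(set(b) - set(a)), "new": sorted(set(a) - set(b))}

if __name__ == "__main__":
    print(compare(SCAN_1, SCAN_2))
```

Comparing a scan taken before a fix with one taken after it shows whether the flagged names are gone or have been replaced by new ones, as happened between the two logs here.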



