
sex.exe program



#1 rick mclane

Posted 30 July 2004 - 09:56 AM

I keep getting a message that sex.exe has stopped running, not that I have any idea what it is, and it causes my internet connection to stop. I have found and removed the program but it keeps coming back.

My host file is also being hit, but WinPatrol is allowing me to prevent it from being changed. I have read the wonderful Hijack This tutorial, but still can't figure out what to do.

Here is my HJT log. I appreciate any help I can get. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 10:52:17 AM, on 07/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system32\dllcache\identd.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\Program Files\Common Files\fh.exe
C:\WINNT\system32\os2\dll\srvany.exe
c:\winnt\system32\dllcache\srvany.exe
c:\winnt\system32\os2\dll\svchost.exe
C:\WINNT\Explorer.EXE
c:\winnt\system32\dllcache\tftpd.exe
C:\WINNT\system32\spool\drivers\w32x86\a1\FireDaemon.EXE
C:\WINNT\system32\spool\drivers\w32x86\a1\csrss.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Seagate Software\WCS\cacheserver.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Seagate Software\Enterprise\x86\inputfileserver.exe
C:\Program Files\Seagate Software\Enterprise\x86\outputfileserver.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Seagate Software\WCS\JobServer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Seagate Software\Crystal Reports\crw32.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Exact\Max\MFW2\SYSMAN.EXE
C:\EXACT\MAX\MFW2\BOM.EXE
C:\EXACT\MAX\MFW2\SOP.EXE
C:\EXACT\MAX\MFW2\INV.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://toewsq.t.muxa.cc/s.php?aid=227 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\pzdwq.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0FDF7935-9628-124E-D78C-8BAB2A5F6279} - (no file)
O2 - BHO: (no name) - {7A96536B-EBAB-470B-9793-03ED2B61685B} - C:\WINNT\system32\lcccc.dll (file missing)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\jfi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {26774F3E-5F15-4883-8394-89146270A8C7} (SynergyOfficeAddin.Connect_Excel) - https://eportal.exac...OfficeAddin.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eportal.exac.../cab/msxml4.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7834.6481134259
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - https://eportal.exac.../cab/ebcasp.cab
O16 - DPF: {D1FF08B1-AAC8-4FF4-A29B-7A4B4039AC15} (SynergyOfficeAddInPPT.ConnectPP) - https://eportal.exac...iceAddInPPT.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exactsoftwar...bex/ieatgpc.cab
O16 - DPF: {E38D7E4D-BEBB-4A5D-B9CC-41EE128214FE} (Web Conferencing Pro Application Sharing Control) - http://exact.raindan...re_1,31,0,0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{536EAB8F-E0A2-4272-B6C6-449F483E7C24}: Domain = exactsoftware.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{536EAB8F-E0A2-4272-B6C6-449F483E7C24}: NameServer = 145.14.60.10 145.14.110.14 145.14.110.14 145.14.60.10

#2 rick mclane

Posted 30 July 2004 - 02:59 PM

Here is more information about my problem. Here is my Ad-Aware log. It keeps finding one object, I remove it, and it shows up again.

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main Start Page about:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"




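The HJT log in the first post and the about:blank start page Ad-Aware keeps reporting in the second can be read by rule rather than by eye. The script below is an added example, not part of either post and not HijackThis code; it runs over a subset of the log lines copied from the first post plus one constructed R0 "Start Page = about:blank" line standing in for the Ad-Aware finding. SYSTEM_ROOT, the CORE_BINARIES directory table, STAGING_DIRS and the rule names are assumptions chosen to match a Windows 2000 log. It flags what a responder would circle in this log: core binary names (svchost.exe, csrss.exe) running from the wrong directory, anything executing out of dllcache, os2\dll or spool\drivers, an IE search URL pointing into a local DLL via res://, orphaned BHO registrations, and O16 downloads that use file:// or ms-its: or point at a bare .exe.

```python
"""Added example, not from the original post or from HijackThis: a first-pass
triage of a HijackThis 1.x log that encodes the checks a responder applies by
eye.  SYSTEM_ROOT, CORE_BINARIES and STAGING_DIRS are assumptions chosen to
match the Windows 2000 log posted above."""
import re

SYSTEM_ROOT = r"c:\winnt"  # assumption, taken from the "Platform: Windows 2000" line

# Core NT binaries and the only directory each legitimately runs from.  The
# same file name anywhere else is an impostor, whatever it is named.
CORE_BINARIES = {
    "smss.exe": r"\system32", "csrss.exe": r"\system32", "winlogon.exe": r"\system32",
    "services.exe": r"\system32", "lsass.exe": r"\system32", "svchost.exe": r"\system32",
    "spoolsv.exe": r"\system32", "explorer.exe": "",
}
# Directories that hold files but never legitimately *run* them.
STAGING_DIRS = ("\\dllcache\\", "\\os2\\dll\\", "\\spool\\drivers\\", "\\recycled\\")

R_LINE = re.compile(r"^R[01] - .*?,(?P<name>[\w ]+) = (?P<url>.*)$")
BHO_LINE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
DPF_LINE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<target>.*)$")

# Sample input: lines copied from the HJT log in the first post, plus one
# constructed R0 line reflecting the about:blank start page Ad-Aware reported.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
c:\winnt\system32\dllcache\identd.exe
c:\winnt\system32\os2\dll\srvany.exe
c:\winnt\system32\os2\dll\svchost.exe
C:\WINNT\Explorer.EXE
c:\winnt\system32\dllcache\tftpd.exe
C:\WINNT\system32\spool\drivers\w32x86\a1\FireDaemon.EXE
C:\WINNT\system32\spool\drivers\w32x86\a1\csrss.exe
C:\Program Files\NavNT\rtvscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\pzdwq.dll/sp.html#96676
O2 - BHO: (no name) - {0FDF7935-9628-124E-D78C-8BAB2A5F6279} - (no file)
O2 - BHO: (no name) - {7A96536B-EBAB-470B-9793-03ED2B61685B} - C:\WINNT\system32\lcccc.dll (file missing)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""


def check_process(path):
    """Return the reasons a 'Running processes' entry is suspicious (empty if none)."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    reasons = []
    if name in CORE_BINARIES and parent != SYSTEM_ROOT + CORE_BINARIES[name]:
        reasons.append("core binary name %s running outside %s"
                       % (name, SYSTEM_ROOT + CORE_BINARIES[name]))
    if any(d in low for d in STAGING_DIRS):
        reasons.append("executable running from a staging/cache directory")
    return reasons


def check_dpf(target):
    """O16 targets should be http(s) URLs to .cab archives; anything else is a red flag."""
    scheme = target.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        return "O16 target uses '%s:' rather than http(s)" % scheme
    if target.lower().endswith(".exe"):
        return "O16 target is a bare .exe rather than a .cab"
    return None


def triage(log_text):
    """Return (rule, entry, reason) tuples for every suspicious line in an HJT log."""
    findings, res_hook, blank_start, in_processes = [], False, None, False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False  # blank line ends the process list
                continue
            findings.extend(("process", line, r) for r in check_process(line))
            continue
        m = R_LINE.match(line)
        if m:
            url = m.group("url").strip().lower()
            if url.startswith("res://"):
                res_hook = True
                findings.append(("R", line, "IE search/start URL points into a local DLL resource"))
            elif url == "about:blank":
                blank_start = line  # harmless alone; judged after the whole log is read
            continue
        m = BHO_LINE.match(line)
        if m and ("(no file)" in m.group("target") or "(file missing)" in m.group("target")):
            findings.append(("O2", line, "orphaned BHO registration left behind after its DLL was removed"))
            continue
        m = DPF_LINE.match(line)
        if m and check_dpf(m.group("target")):
            findings.append(("O16", line, check_dpf(m.group("target"))))
    if blank_start and res_hook:
        findings.append(("R", blank_start, "about:blank start page combined with a res:// search hook"))
    return findings


if __name__ == "__main__":
    for rule, entry, reason in triage(SAMPLE_LOG):
        print("[%-7s] %s\n          %s" % (rule, entry, reason))
```

The directory rule is deliberately the only one applied to process names: srvany.exe and FireDaemon.EXE are legitimate service wrappers, and tftpd.exe and identd.exe are ordinary servers, so the finding is that they are running from dllcache, os2\dll and spool\drivers, not that they exist. Likewise about:blank is reported only when the same log carries a res:// search hook, which is why the check runs after the whole log has been read; on its own it is just an empty start page.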