sexxx.exe/www.palozzacasino.com + smartsearch


4 replies to this topic

#1 tritonbill

Posted 18 June 2004 - 08:28 PM

Every time I open IE I get about:blank as my home page, which brings up some search engine. I have run Norton Anti-Virus 2004, Ad-Aware 6 with the most current updates, as well as Spybot Search and Destroy, also with current updates.

There is also an icon on my desktop with the description of SEX. If I delete the icon it comes back on next boot. My browser also wants to redirect to www.palazzocasino.com or sometimes the smartsearch search engine.

Here is my log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 9:16:04 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\usrgrcoi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
C:\WINDOWS\System32\wapitr.exe
C:\WINDOWS\System32\wiakmgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\PC 1\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\PC1~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {4F8A1DB4-6B44-4BF0-AAD8-3053A67D3566} - C:\WINDOWS\System32\kafmkk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sFFi36Q] usrgrcoi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\PC 1\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\PC 1\Client\HelpExp.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [dowsRWc9e] wiakmgr.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7982.2199768519
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.budd...llInstaller.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}


Thanks for your help in advance,
bill

#2 billiebob

Posted 19 June 2004 - 08:25 PM

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix" button. Let it fix all variants. Next, close the program and all windows and IE windows, then run HijackThis and post a fresh log.

Reboot to safe mode to run CWShredder.

How to start computer in safe mode

Then these 2 programs.
Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Set up Ad-Aware.
After installing AAW, and before running the program, update reference files by using the bottom right button in the program, labeled "Check for Updates."

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

Download SPYBOT

After installing Spybot S&D, update it by using the "Update" button on the left panel of the program. Search for updates and download anything it finds.

How to setup Ad-Aware and Spy-Bot S&D Check my signature for details

And after that, please do the following:

Reboot computer and post a new log.

#3 tritonbill

Posted 20 June 2004 - 09:57 AM

Here is my new log. When I start Internet Explorer the about:blank still came up and forwarded me to the Smartsearch search engine.

I got rid of the sexxx.exe by going to safe mode and removing it from the Windows directory.

How do I get rid of these last spywares? I did as you said, ran CWShredder, Ad-Aware and Spybot, and here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 10:52:36 AM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\qprathlp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
C:\WINDOWS\System32\wapitr.exe
C:\WINDOWS\System32\rdcphbk.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\PC 1\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sFFi36Q] qprathlp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\PC 1\HXIUL.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [dowsRWc9e] rdcphbk.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7982.2199768519
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

#4 billiebob

Posted 20 June 2004 - 03:26 PM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [sFFi36Q] qprathlp.exe


O4 - HKCU\..\Run: [PSD Tools Channel] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe

O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\PC 1\HXIUL.EXE

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

O4 - HKCU\..\Run: [dowsRWc9e] rdcphbk.exe

O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}


Now reboot into safe mode and delete the following files and folders if found.

qprathlp.exe ... delete file

C:\Program Files\Common Files\PSD Tools ... delete folder

C:\WINDOWS\System32\wapitr.exe ... delete file

C:\Program Files\Alset\ ... delete folder

C:\WINDOWS\System32\msmc.exe ... delete file

rdcphbk.exe ... delete file

To delete the above files and folders you will need to do the following: go to
Show hidden files & folders

"Fix Checked"... Reboot to safe mode to delete files
How to start computer in safe mode

Reboot computer and post a new log.
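
An added example, not part of any post in this thread: a small Python triage script that compares the O4 autorun lines of the 18 June and 20 June logs and reports Run values whose target file changed between scans and is named without any drive or directory. The function names are hypothetical and the sample input is an excerpt of the O4 lines posted above.

```python
import re

# O4 (autorun) lines excerpted from the two HijackThis logs posted in this thread.
LOG_18_JUNE = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sFFi36Q] usrgrcoi.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\Run: [dowsRWc9e] wiakmgr.exe
"""
LOG_20_JUNE = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sFFi36Q] qprathlp.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapitr.exe
O4 - HKCU\..\Run: [dowsRWc9e] rdcphbk.exe
"""

# Groups: hive, key, value name, command (e.g. HKLM, Run, sFFi36Q, usrgrcoi.exe)
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_run_entries(log):
    """Map (hive, key, value name) -> command for each O4 registry autorun line."""
    entries = {}
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command.strip()
    return entries

def has_no_path(command):
    """True when the command names a file with no drive letter or directory."""
    exe = command.strip().strip('"')
    return "\\" not in exe and ":" not in exe

def rotated_entries(old_log, new_log):
    """Values present in both logs whose command differs between the scans."""
    old, new = parse_run_entries(old_log), parse_run_entries(new_log)
    return {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}

def triage(old_log, new_log):
    """Sorted (value name, old file, new file) for rotated, path-less autoruns."""
    changed = rotated_entries(old_log, new_log)
    return sorted((k[2], o, n) for k, (o, n) in changed.items() if has_no_path(n))

if __name__ == "__main__":
    for name, old, new in triage(LOG_18_JUNE, LOG_20_JUNE):
        print(f"[{name}] {old} -> {new}")
```

Both reported values, `sFFi36Q` and `dowsRWc9e`, are among the entries the helper asks to fix above; the script only shows that the value names survived the cleanup run while the file they point to changed.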

#5 billiebob

Posted 25 June 2004 - 02:52 PM

Thanks for not coming back. All the time I put into your log, wasted!! :)
