1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hijack this - purleaseeeee check

Discussion in 'Virus & Other Malware Removal' started by eatusfoetus, Jun 22, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    hey guys can someone tell me what nasties are lurking? my pc's been great for ages but last week something hit me and its made my last few days hell!

    thanks

    ef :rolleyes:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:20:13, on 22/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\svhost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\sex.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\MACKBOSS SELECKTA\Desktop\tempviruskillers\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ntlhome.com/
    F1 - win.ini: run=C:\WINDOWS\System32\svhost.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsqFD.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpyKiller AutoUpdate] spykiller.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = o1514.find-quick.com
     
  2. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    hey guys have done the whole spybot bit and avg etc.

    having problems removing sefe.exe, dload.exe and sex.exe

    keep reaapearing hmmmmmmmmm?
     
  3. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.



    IMPORTANT! Move Hijack this from the Temp or from the Desktop to it's own folder!

    Make a new folder in C:\ and call it Hijack this, and Save hijack this to
    this folder so that it runs properly and can make back ups. Click scan,
    then save the log and post it here so we can take a look at it for you.


    go to add/remove and remove spykiller it's a piece of junk. Delete it's folder from c:\program files.


    http://castlecops.com/s3473-Spykiller_exe.html



    Download DelDomains.inf from here:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Rightclick DelDomains.inf and choose install.



    go to this site and download these tools and once you get both
    adaware and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk entries".
    Click next to start the scan.Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.

    reboot again


    With CWshredder close all browsers and programmes and select the FIX button.



    All tools can be downloaded at the link below!


    . cwshredder
    . AdAware SE


    http://www.majorgeeks.com/downloads31.html



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.

    F1 - win.ini: run=C:\WINDOWS\System32\svhost.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - HKCU\..\Run: [SpyKiller AutoUpdate] spykiller.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe


    How to boot to safe mode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    How to show hidden files in Windows

    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    note: don't delete C:\WINDOWS\System32\svchost.exe which is also in ststem32 folder, the baddie doesn't have the C!

    C:\WINDOWS\System32\svhost.exe
    C:\WINDOWS\System32\sex.exe


    download ccleaner and run it.

    http://www.ccleaner.com/


    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    post another log and the active scan log
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    whre does it say these files are sefe.exe, dload.exe ?
     
  5. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    hey khazars, when i run task manager there lsited in proccesses
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    post another log.

    they are listed in taskmanager as processes?
     
  7. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    :( :( hey still having big problems, tried the thigns you advised but the baddied keep reappearing even after i delete them????

    keep getting dicon from the ent too grrrrrrrrrrrrr


    help help help


    Logfile of HijackThis v1.97.7
    Scan saved at 14:34:46, on 24/06/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\sex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Documents and Settings\MACKBOSS SELECKTA\eare.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack this\hijack this\HijackThis.exe
    C:\Hijack this\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlhome.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ntlhome.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsq10E.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlhome.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8EAE208-55FE-46CA-A029-9085D89F8BC4}: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = o1514.find-quick.com
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    where are these listed sefe.exe, dload.exe , are they in

    C:\Windows\system32

    or in

    C:\windows
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    You never posted the active scan log.

    you have a nasty porn dialer linked to this file dload.exe. you'll need to boot to safe mode and find and dlete thes e3 files if there manually.

    do a ctr/alt/del and in taskmanager stop these processes if running.


    sex.exe
    sefe.exe
    dload.exe
    prvdi.exe

    Download DelDomains.inf from here:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Rightclick DelDomains.inf and choose install.



    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php




    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsq10E.dll
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\sex.exe
    O4 - HKCU\.\Run: [Windows Service] C:\WINDOWS\System32\sex.exe



    Double-click on Killbox.exe to run it. Now put a tick by Delete on
    Reboot. In the "Full Path of File to Delete" box, copy and paste each
    of the following lines one at a time then click on the button that has
    the red circle with the X in the middle after you enter each file.
    It will ask for confimation to delete the file on next reboot. Click
    Yes. It will then ask if you want to reboot now. Click No. Continue
    with that same procedure until you have copied and pasted all of
    these in the "Paste Full Path of File to Delete" box.Then click yes
    to reboot after you entered the last one.



    Now reboot to safe mode find and delete these files and folders if there?



    How to boot to safe mode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    How to show hidden files in Windows

    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    sefe.exe
    dload.exe
    prvdi.exe


    C:\WINDOWS\System32\nsq10E.dll
    C:\WINDOWS\System32\sex.exe


    * Download the trial version of Ewido Security Suite here


    http://www.ewido.net/en/

    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know
    how.


    How to boot to safe mode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:




    * Now run Ewido:

    * Click on scanner
    * Put a check by the following before you scan:
    o Binder
    o Crypter
    o Archives
    * Click the Start Scan button to start the scan.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop


    run ccleaner again.
     
  10. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    hi

    sex.exe, sefe.exe and a few other baddies jsut keep on reaappearing.

    i did all u said, but on running Ewido scan it always stop at around 96.7% and says the programs cannot continue etc...

    also is microsoft antispyware good or bad?

    im getting dc'ed regularly usually when all these pop ups apepars from anti virus programs warning me of intrusions/attempts... so findign it very hard to dowload updates, usally gettign cut when im 3/4 thru the dl process

    any ideas?
     
  11. eatusfoetus

    eatusfoetus Thread Starter

    Joined:
    Nov 21, 2004
    Messages:
    105
    also having problems with something called 'begin2search'??
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    the version of hijack this you have is outdated, download a newer
    version from below.


    Download hijack this from the link below.Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in hijack this
    as most of the files are legitimate.






    update Microsoft's antispyware and run it. go to Microsoft's site and download the new beta version, uninstall the one you have if you haven't already installed the new version.

    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/activescan/

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://housecall.trendmicro.com/
    http://www.ravantivirus.com/scan/
    http://support.f-secure.com/enu/home/ols.shtml

    make sure autoclean is enabled on the scans

    If it says an files can't be cleaned, delete them

    post a new log from version 1.99.1 of hijack this and the active scan log
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/374086

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice