
sex-true trojan


Name: bc364
Date: January 1, 2004 at 15:40:17 Pacific
OS: Windows 98 Gold
CPU/Ram: 128
Comment:

Ok, I've gone nuts. I've tried all of the suggestions to clear this virus (pretty sure I followed all of the outlined steps). I've run ad-aware, spybot, hijack this, and cwshredder, and the blasted thing keeps coming back. Can't afford many more grey hairs. If someone can suggest something it would be great (other than tossing the computer please - it's the kid's). Here's the most recent HT Log:

Logfile of HijackThis v1.96.2
Scan saved at 5:28:41 PM, on 1/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.exe
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.exe
C:\WINDOWS\SYSTEM\PTUDFAPP.exe
C:\WINDOWS\SYSTEM\MSWHEEL.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\MSREXE.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.exe
C:\PROGRAM FILES\CALLWAVE\IAM.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://66.98.142.163
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.98.142.163/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://66.98.142.163/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.98.142.163/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.santel.net/searchlinks.html"); (C:\Program Files\Netscape\Communicator\Santel Internet\prefs.js)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~5\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~5\point32.exe
O4 - HKLM\..\Run: [Oil Change] C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
O4 - HKLM\..\Run: [PtUDFApp] C:\WINDOWS\SYSTEM\PtUDFApp.exe /T
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\Run: [Norton FastLoadFS] C:\Program Files\Norton Utilities\NSS\FASTLOAD.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\SUITE8\PROGRAMS\QFSCHD80.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\PROGRAM FILES\ESPN\BOTTOMLINE\BLINE.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - User Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - User Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.exe
O4 - User Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - User Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.8056018519
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

Response Number 1
Name: sxshep
Date: January 1, 2004 at 18:06:49 Pacific
Reply:

bc,

It would seem that you have a slight case of
Backdoor.Jeem, your log:

C:\WINDOWS\SYSTEM\MSREXE.exe

see

http://www.liutilities.com/products/wintaskspro/processlibrary/msrexe/

And

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html

You can also run a free online scan here:

http://housecall.trendmicro.com/

hth

Shep


Response Number 2
Name: bc364
Date: January 3, 2004 at 17:48:51 Pacific
Reply:

Thanks a ton Shep. Finally got it all taken care of the way it looks. Here's my log to double check.

Logfile of HijackThis v1.96.2
Scan saved at 7:47:59 PM, on 1/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.exe
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.exe
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.exe
C:\WINDOWS\SYSTEM\PTUDFAPP.exe
C:\WINDOWS\SYSTEM\MSWHEEL.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.exe
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 98\QSHELF98.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.exe
C:\PROGRAM FILES\CALLWAVE\IAM.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://santel.net/searchlinks.html
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.santel.net/searchlinks.html"); (C:\Program Files\Netscape\Communicator\Santel Internet\prefs.js)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~5\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~5\point32.exe
O4 - HKLM\..\Run: [Oil Change] C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
O4 - HKLM\..\Run: [PtUDFApp] C:\WINDOWS\SYSTEM\PtUDFApp.exe /T
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\Run: [Norton FastLoadFS] C:\Program Files\Norton Utilities\NSS\FASTLOAD.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\SUITE8\PROGRAMS\QFSCHD80.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - User Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - User Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.exe
O4 - User Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - User Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - User Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.8056018519
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud13.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab


Response Number 3
Name: sxshep
Date: January 3, 2004 at 18:04:27 Pacific
Reply:

bc,

Looks good, this orphan can be fixed with HJT.

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

Looks like you ran CWS since last post, sex-true.com is gone.

One other thing, you should install HJT in a file or folder (desktop etc.), otherwise it will not keep backups if you screw up.
Give this a read:

HiJack This

Glad things are better, gotta stop those gray hairs!! LOL

Shep

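The indicators visible in the two logs above (the IE search and default pages set to a bare IP and to sex-true.com, MSREXE.exe started from a generic "System Service" run key, an .hta launched from the Fonts folder, and the orphan BHO that Shep notes survived the cleanup) can be checked mechanically instead of by eye, and the 1/1 and 1/3 logs can be diffed to confirm what the cleanup actually removed. The script below is an added example, not part of this thread or of HijackThis itself: it parses HJT entry lines, flags those indicators, and compares a before and after log. The sample logs are constructed excerpts of the two logs posted above, and the BAD_HOSTS and BAD_BINARIES lists are assumptions drawn only from this thread, not an authoritative blocklist.

```python
"""Audit HijackThis (HJT) logs for hijack/autorun indicators and diff before/after."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical blocklist drawn from this thread only, not an authoritative feed:
# the redirect domain and the binary Symantec names for Backdoor.Jeem.
BAD_HOSTS = {"sex-true.com", "www.sex-true.com"}
BAD_BINARIES = {"msrexe.exe"}
SCRIPT_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")  # never a sane autorun
ODD_DIRS = ("\\fonts\\", "\\temp\\", "\\recycled\\")  # nothing legit starts from here

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://[^\s\"')]+")
O4_RE = re.compile(r"^.*?: \[[^\]]*\] (?P<cmd>.+)$")  # HKLM\..\Run: [Name] command
PATH_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|pif|bat|cmd|dll|hta|vbs|vbe|js|jse|wsf)))',
    re.I)

# Constructed excerpts of the 1/1 (before) and 1/3 (after) logs posted above.
BEFORE_LOG = r"""Logfile of HijackThis v1.96.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.98.142.163/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sex-true.com/search/
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
"""
AFTER_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://santel.net/searchlinks.html
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
"""


def parse_hjt(text):
    """Return (section, body) for every HJT entry line; header lines are skipped."""
    found = [LINE_RE.match(line.strip()) for line in text.splitlines()]
    return [(m.group("sec"), m.group("body")) for m in found if m]


def launched_path(cmd):
    """Program path from an O4 command: keeps spaces in unquoted paths and
    drops trailing arguments such as '/0' or '/background'."""
    m = PATH_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")).strip() if m else cmd.strip()


def flag_entry(sec, body):
    """Reasons this entry deserves a look; an empty list means nothing matched."""
    reasons = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            reasons.append("browser setting points at a bare IP address: " + host)
        except ValueError:
            if host in BAD_HOSTS:
                reasons.append("URL host is a known hijack domain: " + host)
    if sec == "O2" and body.endswith("(no file)"):
        reasons.append("orphaned BHO: CLSID registered but no backing file")
    if sec == "O4":
        m = O4_RE.match(body)
        path = launched_path(m.group("cmd") if m else body.split("=", 1)[-1]).lower()
        name = path.rsplit("\\", 1)[-1]
        if name in BAD_BINARIES:
            reasons.append("autorun launches a known backdoor binary: " + name)
        if name.endswith(SCRIPT_EXTS):
            reasons.append("autorun launches a script instead of a program: " + name)
        if any(d in path for d in ODD_DIRS):
            reasons.append("autorun launches from a non-program directory: " + path)
    return reasons


def audit(text):
    """Map each suspicious entry line to its list of reasons."""
    out = {}
    for sec, body in parse_hjt(text):
        reasons = flag_entry(sec, body)
        if reasons:
            out[f"{sec} - {body}"] = reasons
    return out


def compare_logs(before, after):
    """What the cleanup removed, what it added, and what is still flagged."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "still_flagged": audit(after)}


if __name__ == "__main__":
    for line, why in audit(BEFORE_LOG).items():
        print(line, "\n    ->", "; ".join(why))
    print("still flagged after cleanup:", list(compare_logs(BEFORE_LOG, AFTER_LOG)["still_flagged"]))
```

Run as-is it prints the five flagged entries from the first log and the single item (the orphan BHO) still flagged after the cleanup; to audit a real log, pass the file's text to audit() or compare_logs(). The two-name blocklist is only as good as the list, so the structural rules are what carry over to other logs: a bare IP or known redirect host in a browser setting, a script or an odd directory in an autorun entry, and a BHO with no file behind it.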
