I don't see alot of info on the E variant.. but I would hope it's simliar enough to the previous variants.. it's adware/spyware..
if you do a google search on "SecondThought" you'll come up with some info..
http://www.viruslist.com/eng/viruslist.html?id=815149
http://sarc.com/avcenter/venc/data/a...ndthought.htmlTrojan.Win32.SecondThought.c
Trojan.Win32.SecondThought.c has two component parts.
The first is written in Visual C++ and compressed using UPX. The compressed size is 24288 bytes, and the decompressed size - 48864 bytes.
Installation
When installing the Trojan downloads a file from http://www.2n****ought.com/files/loader.exe, saves it as stcloader.exe in the Windows system directory and registers the files as a key to enable auto-run in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Once installed, the Trojan launches stcloader.exe
The second component part (stcloader.exe) is written in Visual C++ and compressed using UPX. The compressed size is 27648 bytes, and the decompressed size is 66048 bytes.
Installation
Stcloader.exe secretly installs itself in Program Files and registers itself in the system registry.
Payload
Stcloader.exe creates Second Thought.lnk on the Desktop with a link to itself, and Eliminate Pop-Ups with a link to http://www.ki****op-ups.com/block.php?ref=desktop. This causes advertising to be shown while the Internet is being used. The program collects information on which sites and resources interest the user, and sends this information to the creator of the virus. It also adds a Search tool bar to the browser.
there's a thread at spywareinfo that someone has.. your e variant..Behavior
Adware.SecondThought is an adware program that downloads and displays advertisements.
Symptoms
The files are detected as Adware.SecondThought.
Transmission
This adware program must be manually installed.
File names: install011.exe
When Adware.SecondThought is executed, it performs the following actions:
Downloads the file, Stcloader.exe, from www.2nd-thought.com.
Creates the file, %System%\Stcloader.exe.
--------------------------------------------------------------------------------
Note: %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
--------------------------------------------------------------------------------
Adds the value:
"stcloader"="%System%\stcloader.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that Adware.SecondThought runs when you start Windows.
maybe you could look at that hijackthis log and run hijackthis for yourself
and compare..
for the most part 'tho.. if you run your anitvirus (is it AVG ?) and adaware and spybot (search and destroy) in safe mode.. you should be able to clean it out..
good luck
edit : oops I forgot to give you the link to the thread at SWI.. now that I've edited this post, the link will probably not be an active one so copy/paste into a new browser window..
http://www.spywareinfo.com/forums/in...howtopic=41906
Reply With Quote