[Solved] Here it is Snapdragin.

Discussion in 'adware, spyware & hijack cleaning' started by jaydee, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. jaydee

    jaydee Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    4
    Hi there,

    I stumbled across this brilliant forum site whilst looking for a remedy to the 'Sexyque' trojan. I found an archive here from Sept '03 to a guy with the same problem, I followed the instructions given to him (used HijackThis) and all seems ok so far... but just in case I haven't cured it, is there anyone else who can help? Thanks
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  3. jaydee

    jaydee Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    4
    Here it is Snapdragin.

    Hi there,
    Thanks for the reply, I have followed the instructions you gave and here is the resultant log. Are there any more things that need fixing? Can you help?

    Thank you... JD


    Logfile of HijackThis v1.97.7
    Scan saved at 11:35:34, on 20/07/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL (file missing)
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blasterballwild/wtinst.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.1609143519
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.terra.es/personal9/eroplis/rd/chm/files.chm::/file.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Here it is Snapdragin.

    Hi jaydee,

    Your log doesn't look too bad at all really. There's just a few things left that need to be fixed yet.

    Please create a permanent folder on your C: drive (example: C:\HJT\ ) and put HijackThis.exe into the permanent folder. HijackThis must run from its own folder and not the Desktop or Temp folders. It creates backups in the folder it is run from, so if you should delete something you needed, you will be able to restore it from the backups.

    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL (file missing)

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...wild/wtinst.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.terra.es/personal9/eropl....chm::/file.exe


    Reboot your computer.

    You will have to re-install your Popupcop to get your Toolbar back since the popupcop.dll is missing, unless you had decided you didn't want the toolbar.

    Empty the contents of your Temp folder, and also your IE's Temporary Internet Files folder.

    You are also using an older and vulnerable version of IE. It is strongly recommended you upgrade it to IE6 SP1. http://www.microsoft.com/windows/ie/default.mspx

    Also, please visit Microsoft's Update Site and check for, and install, all the Security Patches and Critical Updates listed for your operating system.

    I am not sure what steps you had taken prior to posting your log, but if you have not done so already, please do this now:

    Download Ad-Aware6 build 6.181, install it, and bring it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Follow these instructions for setting up Ad-Aware for a full scan:
    How To Perform a "Full Scan" with Ad-Aware6. Then do a scan and fix what it finds. Reboot when finished.

    or (and it doesn't hurt to have both these free programs)

    Download Spybot Search&Destroy v1.3, install it, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    Once you are sure your system is clean, disable your System Restore and reboot your computer to clear the System Restore folder of any infected files that would have been backed up in it. System Restore Instructions for WinME.
    Once you have rebooted and cleared the folder, remember to turn System Restore back on again.

    Here are some steps you can follow to help tighten your security and prevent future infection:
    Why did I get infected in the first place?

    Let us know how everything is working.

    Regards,

    snap


    Jaydee, I have also merged your previous thread in the Test forum into this one so it is all in one place - snap
     
    Last edited: Jul 21, 2004
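As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that applies to the O3 and O16 lines of the log the same kinds of checks snapdragin makes by hand above: a toolbar whose DLL is "(file missing)", a DPF entry whose download scheme is not plain HTTP (the ms-its:mhtml: handler trick), a DPF payload that is a bare .exe rather than a .cab, a control served from a raw IP address, and a host on a list of domains the helper told the user to remove. The sample lines and the domain list are copied from the log and fix list in this thread; the rule names and the idea of scoring entries this way are my own assumptions, and a hit means "look at this entry", not "this is certainly malicious".

```python
"""Rule-based triage of HijackThis O3/O16 lines (added example, not HijackThis code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: the O3 and O16 lines from the log posted in this
# thread. The other sections of the log are omitted because these rules ignore them.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blasterballwild/wtinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.1609143519
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.terra.es/personal9/eroplis/rd/chm/files.chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
"""

# Domains whose DPF entries the helper told the user to remove in this thread.
# Assumption: a sub-domain of one of these counts as a match.
REMOVED_DOMAINS = ("wildtangent.com", "ipbill.com", "imgfarm.com")

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def is_raw_ip(host: str) -> bool:
    """True when the host part of a URL is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_line(line: str) -> list:
    """Return the reasons one O3/O16 line deserves a look (empty list = nothing noted)."""
    reasons = []
    line = line.strip()
    m = O3_RE.match(line)
    if m:
        # HijackThis appends "(file missing)" when the registered DLL is gone.
        if "(file missing)" in m.group("path").lower():
            reasons.append("orphaned toolbar: registered DLL is missing from disk")
        return reasons
    m = O16_RE.match(line)
    if not m:
        return reasons
    parts = urlsplit(m.group("url"))
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-HTTP download scheme '{scheme}' (ms-its/mhtml handler)")
    if parts.path.lower().endswith(".exe"):
        reasons.append("payload is a bare executable rather than a .cab package")
    host = (parts.hostname or "").lower()
    if host and is_raw_ip(host):
        reasons.append(f"control served from a raw IP address ({host})")
    for domain in REMOVED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            reasons.append(f"host {host} is on the remove list from this thread")
            break
    return reasons


def triage(log_text: str) -> dict:
    """Map the CLSID of every flagged O3/O16 line to its list of reasons."""
    flagged = {}
    for raw in log_text.splitlines():
        reasons = classify_line(raw)
        if reasons:
            flagged[CLSID_RE.search(raw).group(0)] = reasons
    return flagged


if __name__ == "__main__":
    for clsid, reasons in triage(SAMPLE_LOG).items():
        print(clsid)
        for r in reasons:
            print("   -", r)
```

Run as a script it lists exactly the six entries snapdragin asked jaydee to fix (the orphaned PopUpCop toolbar and the five O16 controls) and leaves the Flash, Shockwave, QuickTime, Windows Update and HouseCall controls alone. The rules are deliberately simple and explainable so a reader can see why each line was picked; they are a starting point for a manual review, not a replacement for it.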
  5. jaydee

    jaydee Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    4
    Re: Here it is Snapdragin.

    Hi there Snap,

    Thanks for all your help, system seems to be running ok now. I appreciate your expertise so much. BRILLIANT!

    Jaydee
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Here it is Snapdragin.

    Glad everything is running smoothly, Jaydee, and that we could be of some help. :)

    I'll mark this thread as solved then.

    Best regards,

    snap
     