Trojan Horse Dialer

Discussion in 'adware, spyware & hijack cleaning' started by heap4cheap, May 31, 2004.

Thread Status:
Not open for further replies.
  1. heap4cheap

    heap4cheap Registered Member

    Joined:
    May 31, 2004
    Posts:
    3
    Hi,

    Followed instructions and ran Skybot S&D.

    I have attached the hijack log, as requested.

    Can you help?

    Thanks!
     

  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi heap4cheap,

    Have only HijackThis running and fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

    O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

    Then open Notepad and copy and paste the contents of the quote box into it:

    Hit save as
    save as filename:
    spad.reg
    under the filename set to all types.
    save it to the desktop.

    Don't do anything yet, you should see a new file on your desktop now

    Now restart PC in Safe Mode: Here's How

    Do a search for and remove:

    c:/spad/ <- this folder
    HPCMDTY.DLL <- this dll (search via start -> search -> files/folders)
    c_10230.dll <- this dll (search via start -> search -> files/folders)

    Clean temp internet files

    Now double-click that spad.reg you created on your desktop and click Yes when asked to merge it with the registry

    Restart again in normal mode

    Hope this helps

    Cheers,
     
  3. heap4cheap

    heap4cheap Registered Member

    Joined:
    May 31, 2004
    Posts:
    3
    Hi Unzy,

    Followed your instructions, however, could not find HPCMDTY.DLL

    Still got virus but not as many.

    New hijack log attached.

    Any ideas? Thanks again.

    heap4cheap
     

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi heap4cheap,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\System32\wininetd.exe

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe

    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\wininetd.exe

    Regards,

    Pieter
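
Added example, not part of the thread and not written by any participant: Python code that parses HijackThis entries of the kinds quoted in posts 2 and 4 and groups them by the URL host or file path they point to, so entries that share one target (here the R1 and O13 lines) stand out. The function names are hypothetical, and the sample consists of lines copied from the posts above plus one constructed non-entry line.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O4": "autostart (Run key / Startup folder)",
    "O13": "IE default URL prefix", "O16": "ActiveX (Downloaded Program Files)",
}
LINE_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
URL_RE = re.compile(r"(?:https?|file)://\S+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")

# Sample: entries copied from posts 2 and 4, plus one constructed non-entry line.
SAMPLE = r"""
Logfile of HijackThis (constructed header line)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O4 - HKLM\..\Run: [wininetd] C:\WINDOWS\System32\wininetd.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
"""

def parse_line(line):
    """Return (code, target) for a log entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.groups()
    url = URL_RE.search(body)
    if url:
        parts = urlsplit(url.group(0))
        # Group http(s) entries by host; keep file:// URLs whole (local page).
        if parts.scheme.lower() == "file":
            return code, url.group(0).lower()
        return code, parts.hostname or url.group(0)
    path = PATH_RE.search(body)
    return code, (path.group(0).lower() if path else body)

def group_by_target(log_text):
    """Map each host or file path to the section codes that reference it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            code, target = parsed
            groups[target].append(code)
    return dict(groups)

if __name__ == "__main__":
    for target, codes in group_by_target(SAMPLE).items():
        labels = sorted({SECTIONS.get(c, "other") for c in codes})
        print(f"{target}: {', '.join(codes)} ({'; '.join(labels)})")
```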
     
  5. heap4cheap

    heap4cheap Registered Member

    Joined:
    May 31, 2004
    Posts:
    3
    Dear Pieter,

    Followed your instructions.
    I could not delete C:\WINDOWS\System32\wininetd.exe (file not found).
    It would appear Trojan Horse likes my pc and does not want to leave just yet.
    I have attached new log for your information.
    Again grateful for your time and effort.
    Any suggestions?
    What about a virus removal tool?

    Thanks,

    heap4cheap
     

  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Isn't that supposed to be AVG's job? :D

    Can you let us know where and what is found to be a Trojan?
    Give us the full path and filename.
    Because there is nothing evil left in your log.

    Regards,

    Pieter
     