Viruses, Spyware and...

Viruses, Spyware and other Nasties RSS

trojan horsre and about blank homepage

Thread Solved

•

Join Date: Jul 2004

Posts: 3

Reputation: paublo is an unknown quantity at this point

Solved Threads: 0

paublo

Offline

Newbie Poster

trojan horsre and about blank homepage

Jul 13th, 2004

I have run avg antivirus and there is a trojan horse downloader purity.E in C/:doc. and settings/paul application data/ttdu.exe that avg can't remove

I could really use some advice on how to get rid of this

I have run cw shredder/adaware/spybot search and destroyand a few other prorams that said they would get rid of it but nothing

Hre is my hijack log PLEASE HELP

Logfile of HijackThis v1.98.0
Scan saved at 9:11:47 AM, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\essspk.exe
C:\Documents and Settings\paul\Application Data\ttdu.exe
C:\WINDOWS\System32\fvqg.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\paul\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DDD6520-BC6D-289A-D756-62557FA32739} - C:\WINDOWS\System32\keqxrja.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Smob] C:\Documents and Settings\paul\Application Data\ttdu.exe
O4 - HKCU\..\Run: [Fzhvywxp] C:\WINDOWS\System32\fvqg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/includ...ecuiTechIE.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx

•

Join Date: Jul 2004

Posts: 3

Reputation: paublo is an unknown quantity at this point

Solved Threads: 0

paublo

Offline

Newbie Poster

Re: trojan horsre and about blank homepage

Jul 13th, 2004

Logfile of HijackThis v1.98.0
Scan saved at 9:46:05 AM, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\essspk.exe
C:\Documents and Settings\paul\Application Data\ttdu.exe
C:\WINDOWS\System32\fvqg.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\paul\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DDD6520-BC6D-289A-D756-62557FA32739} - C:\WINDOWS\System32\keqxrja.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Smob] C:\Documents and Settings\paul\Application Data\ttdu.exe
O4 - HKCU\..\Run: [Fzhvywxp] C:\WINDOWS\System32\fvqg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/inclu...SecuiTechIE.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab28578.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx

i have a purity.e trojan

Should i fix these and will it solve my problem

C:\Documents and Settings\paul\Application Data\ttdu.exe
C:\WINDOWS\System32\fvqg.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
O4 - HKCU\..\Run: [Smob] C:\Documents and Settings\paul\Application Data\ttdu.exe
O4 - HKCU\..\Run: [Fzhvywxp] C:\WINDOWS\System32\fvqg.exe

O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx

•

Join Date: Feb 2004

Posts: 9,997

Reputation: crunchie is a splendid one to behold

Solved Threads: 756

crunchie

Offline

Spyware Killer

Re: trojan horsre and about blank homepage

Jul 14th, 2004

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop (in a folder on the desktop is fine) & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

O2 - BHO: (no name) - {6DDD6520-BC6D-289A-D756-62557FA32739} - C:\WINDOWS\System32\keqxrja.dll

O4 - HKCU\..\Run: [Smob] C:\Documents and Settings\paul\Application Data\ttdu.exe
O4 - HKCU\..\Run: [Fzhvywxp] C:\WINDOWS\System32\fvqg.exe

O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Documents and Settings\paul\Application Data\ttdu.exe
C:\WINDOWS\System32\fvqg.exe

Reboot normally.

Try the PurityScan uninstaller.

Go here for an on-line scan & set it to autoclean for you.
Try this scan as well.

Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster