#1
Hi, has anyone come across a dialler that has a program replacing the 'host' file every few seconds?
The desktop icons it creates are 'Andy1' and 'XXX'. Needless to say it alters the IE home page to a porn index page and dials a premium rate number - when it can. I have tried all the latest 'helpware' to no avail. I have seen many of these in my time but this is the worst so far. Replacing the 'host' file in safe mode is ok but whenever I do anything to it in normal mode the file is replaced with a corrupt one - within seconds. I plan to replace the hard drive and reinstall to get back to work but will keep the current hard drive as I am keen to get this one solved and post the solution for others. Any feedback will be great.
#2
Hi Greymatter, I think your best course of action is to go here: http://www.wilderssecurity.com/showthread.php?t=15913 and follow the instructions, as some of this new spyware is very tricky to tie down.
HTH Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
#3
Hi there and welcome,
What Pilli just said is of urgent importance to start with. In the meantime, while waiting for expert help there, which virus scanner(s) are you using?

You know you can lock your HOSTS file in Windows Explorer: go to Hosts > right-click for Properties > set it to read only. Hope that blocks it for a moment.

Then, if you're not running TDS yet, get an evaluation copy of it at www.diamondcs.com.au and install it, with every scanner disabled at that moment, especially resident protection, so TDS can install properly. Back on the download site get the latest radius.td3 update and save the file in the TDS-3 directory. Now reboot your PC, make sure every other scanner is still disabled, and after TDS's initial startup scans go to TDS System Testing > Scan Control > check all the scan options there are, highest sensitivity on the worm slider > save configuration. Now choose the full system scan option, close all unnecessary programs and browsers and have a coffee as it can take a while. At the end you should have some alerts in the bottom console. Right-click on one of them and save to TEXT (Scandump.txt in the TDS directory). Copy and paste that log in your next posting. In the meantime the HJT experts might be with you to look into your HJT log.
__________________
Jooske "o_o"
#4
Tx Pilli. I have been using all the programs mentioned so will follow the guide.
Tx also Jooske. Didn't know about the Hosts fix - that will help a lot. Am using NAV, AVG and PANDA. Have used TDS this week but will do as you say and come back with results. I have now tracked part of the problem to a program 123921.exe that sits in folder prog files\websiteviewer and have found a program 'pestcontrol' that claims to clear it. Have also come across the free blocker program - http://www.javacoolsoftware.com/spywareblaster.html Do you know if it is any good? Off on hols for a few days (need a break from all this!!) so will post info next week.
#5
Hi Greymatter,
All of Javacool's tools are excellent. SpywareGuard is another good one from Javacool not to be missed.
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
#6
Make very sure AVG especially is closed so it can't hide the nasties from view by other scanners (an AVG habit).
Open the AVG GUI, uncheck all checks and the systray icon gets grey; then you'll be able to scan properly. Would have loved to see your system clean soon, but ok, we'll wait patiently till you get back! Happy holidays!
__________________
Jooske "o_o"
#7
OK, back from my hols!!
Was advised to try Pest Patrol which found and removed 78 'pests' including the RAT 'WOOT'. Then ran SpyBot again in safe mode and found 2 more - they couldn't be removed, even after restart. They are the entries dialup01 and GoInDirect in HKEY_USERS\DEFAULT\RemoteAccess\Profile\. Current situation is that the dial-ups are not taking place every few minutes but something is still replacing HOSTS as soon as I fix it (even in read only). This is the latest HijackThis log .... any ideas please?

Logfile of HijackThis v1.97.7
Scan saved at 15:04:43, on 20/07/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\WINDOWS\system32\explorer.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\PestPatrol\PestPatrol.exe
C:\$ $ VIRUS PROGS\Hack This - CARE\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdobeA] C:\WINDOWS\hm\adobes.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o
O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\Run: [Microsoft Windows System Kernel Initializer] SysInt32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Kernel Initializer] SysInt32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
#8
Hi there again, hope you had a nice holiday!
Could you locate the files on which the alarm was raised? With the risk of you getting disappointed, my unexperienced eyes see only these few things in the HJT log:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

If you don't use MSOffice all the time I would get this from the autostart too, as it's a resources consumer but no error:

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

I wonder about this one, if this is part of the infection:

O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o

Don't do anything with it till there is confirmation; the only place where I see it mentioned in a HJT log is here http://216.239.59.104/search?q=cache...xe%22+-o&hl=nl so I'm still not sure about your entry.

Delete this one in safe mode: C:\WINDOWS\system32\wintime.exe

Did you have any other scanners running while trying to clean with Spybot S&D? Was it not possible to close running processes first and try to fix again, or to note down exactly which files and delete them in safe mode? Would you mind, with a fully updated TDS and all other scanners down, having a full system scan with that and right-clicking on one of the alerts to post the scandump.txt in a next posting? And for sure Gavin is THE expert on AutoStartViewer logs (with all options checked) as it shows even more autostarts than HJT. There are so many diallers in the TDS detection list......

And make sure all files are showing: in the folder options make sure all files and extensions are shown, and AVG is completely closed. Hope the other scanners don't have those hiding options included as well. AVG is good in detecting, but it should not claim ownership by hiding files from every other scanner.
__________________
Jooske "o_o" Last edited by Jooske : July 25th, 2004 at 04:54 AM.
#9
There are a number of things that need fixing/removing; I suggest you proceed as follows:

Start your computer in Safe Mode (it may help if you print this out), and delete these files:

C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\system32\explorer.exe

Warning: the latter is the Explorer.exe file in your C:\Windows\System32 folder. The one in your C:\Windows folder should be left alone!

If you still have the following files, delete those as well:

C:\WINDOWS\hm\adobes.exe
C:\WINDOWS\system32\cab\service.exe

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

Next, still in Safe Mode, run Hijack This, and have it fix these items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AdobeA] C:\WINDOWS\hm\adobes.exe
O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\Run: [Microsoft Windows System Kernel Initializer] SysInt32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Kernel Initializer] SysInt32.exe

Now start your computer normally, and please post a fresh log.
__________________
Tony
CLSID List - A Collection of Autostart Locations
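As an added illustration of the kind of triage Tony is doing on the O4 lines above (this is not code from the thread, from HijackThis or from any of the posters), the script below parses O4 autostart entries from the log posted in #7 and applies a few assumed rules: more than one executable in a single Run value, a core shell binary such as explorer.exe outside its home directory, a bare filename with no path that is not a known Windows command, and a RunServices entry on an NT-family system (Windows 2000 never processes that Windows 9x/ME key). The HOME_DIR and KNOWN_BARE tables are assumptions of this example, not anything stated in the thread.

```python
import re
import ntpath

# Constructed sample: platform line and a few O4 lines copied from the HJT log in #7.
SAMPLE_LOG = r"""Platform: Windows 2000 SP2 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System Kernel Initializer] SysInt32.exe
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)

# Assumed triage tables (not from the thread): where a core shell binary belongs,
# and path-less commands that are normal in a Run key.
HOME_DIR = {'explorer.exe': r'c:\windows'}
KNOWN_BARE = {'mobsync.exe'}


def parse_o4(line):
    """Split one HJT O4 line into hive, key, display name, command and exes."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    exes = [quoted or bare for quoted, bare in EXE_RE.findall(cmd)]
    return {'hive': hive, 'key': key, 'name': name, 'cmd': cmd, 'exes': exes}


def triage(log_text):
    """Return one (display name, reason) finding per rule an O4 entry trips."""
    is_nt = '(WinNT ' in log_text
    findings = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e is None:
            continue
        if len(e['exes']) > 1:
            findings.append((e['name'], 'one value launches several executables'))
        for exe in e['exes']:
            base = ntpath.basename(exe).lower()
            if base in HOME_DIR and ntpath.dirname(exe).lower() != HOME_DIR[base]:
                findings.append((e['name'], base + ' outside its home directory'))
            if '\\' not in exe and base not in KNOWN_BARE:
                findings.append((e['name'], 'bare filename, location unknown'))
        if e['key'] == 'RunServices' and is_nt:
            findings.append((e['name'], 'RunServices entry on an NT platform'))
    return findings
```

On the sample it flags the system32 explorer.exe, the double [Services] value and the two "Kernel" entries while leaving ccApp and mobsync alone; wintime.exe, which Tony removes on other grounds, is not caught by these rules.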
#10
It's not the habit to jump in when a real EXPERT is working on a HJT log, but I have a really burning question about that Winupdate.exe file (see O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o).
Since it's not in your running processes it might have gone in the meantime, but if not and you can locate it, can you please be so kind as to submit it to submit@diamondcs.com.au? (Tony allowed me to ask for it.)
__________________
Jooske "o_o"
#11
Thanks for all the help. I applied Tony's changes, updated the Norton virus patterns etc and all seems to be OK now.