XXXserver/dialer...Help Please

Discussion in 'adware, spyware & hijack cleaning' started by BHB, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. BHB

    BHB Registered Member

    Jul 12, 2004
    My PC has been hijacked by a nasty premium rate dialler that kicks you offline, hijacks the web browser too, turns off the modem speaker, places a nasty .exe on the desktop and service tray and starts to dial into a porn-site. Uninstalling the .exe works for a period then it re-appears. The dialler appears as XXXserver. The dialer purports to come from a company in Columbus, Ohio.
    Could someone please have a look at the Hijack This log below and advise how I can remove this nasty piece of work.
    Huge thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 17:20:40, on 10/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=;ftp=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
  2. snapdragin

    snapdragin Administrator

    Feb 16, 2002
    Southern Ont., Canada
    Hi BHB, sorry for the late reply, but we've been swamped.

    Please zip up a copy of these files and submit them for analysis to the following email addresses. Include a brief note and a link back to this thread in the email message:
    (and also a zipped copy to your antivirus vendor)

    (these files)

    The above files may be hidden. Make sure you have Hidden Files and Folders Viewable
    Click Start > My Computer > Select the Tools menu > click Folder Options > Select the View Tab.
    Under the "Hidden files and folders" heading, select Show hidden files and folders.
    UN-check the "Hide protected operating system files (recommended)" option.
    Then click Yes.


    Next, disconnect from the internet.

    Open TaskManager (Ctrl-Alt-Del) to end the running processes for these:


    Create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis.exe into its own folder. HijackThis creates backups in the folder it is run from, so it is good to have them all contained in their own folder so they are easily found if you need to restore from them.

    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PowerReg Scheduler.exe

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following listed in bold:

    While still in safe mode, empty your Temp folders' contents:

    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself).

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself).

    Open Internet Explorer -> Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Empty the Recycle Bin

    Reboot your computer normally.

    Before you do anything else online, go to Microsoft's Update Site and download and install ALL the Security Patches and Critical Updates listed for XP and IE6. Right now you are very behind in your updates, which makes you vulnerable to many dangerous viruses and exploits.

    Do a FULL system scan at one of these on-line scan sites: Free Services

    Download the most recent version of Ad-Aware6 build 6.181, and make sure you have brought it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Do a scan and fix what it finds. Reboot when finished. Follow these instructions for setting up Ad-Aware for a full scan: How To Perform a "Full Scan" with Ad-Aware6.

    Then Download the most recent version of Spybot Search&Destroy v1.3, install, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    Post a new hijackthis log here in your next reply so we can clean up what's left.



    You should save these instructions to a .txt file, or print them out, since you will be doing some parts disconnected from the internet.
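As an added example (not from the thread, and not HijackThis or snapdragin's logic), a small Python triage script that applies three editor-chosen rules of thumb to the O4 autostart lines quoted from the log above: an executable launched straight from the Windows directory, a Run value whose name does not resemble the file it starts, and a Startup-folder item that is not a shortcut with a resolved target. The rules and their "deserves a look" wording are assumptions of the example; on this sample they surface three of the entries the reply asks to fix while the Symantec, MSConfig and BigFix controls pass.

```python
import ntpath
import re

# Constructed sample: O4 autostart lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: PowerReg Scheduler.exe
"""
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<item>.+?)(?: = (?P<target>.+))?$")

def exe_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing switches (e.g. ' /i') from a Run command."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.split(r"\s+/", cmd, maxsplit=1)[0]

def in_windows_root(path: str) -> bool:
    """Executable sits directly in the Windows directory, not System32 or Program Files."""
    return ntpath.dirname(path).lower() in {r"c:\windows", r"c:\winnt"}

def name_matches_file(name: str, path: str) -> bool:
    """Run value name shares a word of 3+ letters with the executable's file name."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    words = re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+", name)  # split CamelCase names
    return any(len(w) >= 3 and w.lower() in stem for w in words)

def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (entry, reasons) for O4 lines that deserve a closer look; prompts, not verdicts."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        if m := RUN_RE.match(line):
            label, path = m["name"], exe_path(m["cmd"])
            if in_windows_root(path):
                reasons.append("executable dropped directly in the Windows directory")
            if not name_matches_file(label, path):
                reasons.append("value name does not resemble the executable it launches")
        elif m := STARTUP_RE.match(line):
            label = m["item"]
            if m["target"] is None:
                reasons.append("Startup-folder item is not a .lnk shortcut with a resolved target")
        else:
            continue
        if reasons:
            findings.append((label, reasons))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a saved log to get the same prompts for your own machine; a flagged entry still needs the file submitted for analysis as the reply describes.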