XXXserver/dialer...Help Please

Discussion in 'adware, spyware & hijack cleaning' started by BHB, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. BHB

    BHB Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    1
    My PC has been hijacked by a nasty premium rate dialler that kicks you offline, hijacks the web browser to Pureseeker.com, turns off the modem speaker, places a nasty .exe on the desktop and service tray and starts to dial into a porn-site. Uninstalling the .exe works for a period then it re-appears. The dialler appears as XXXserver. The dialer purports to come from a company in Columbus, Ohio, netnti.com.
    Could someone please have a look at the Hijack This log below and advise how I can remove this nasty piece of work.
    Huge thanks in advance.
    Bob

    Logfile of HijackThis v1.97.7
    Scan saved at 17:20:40, on 10/07/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\ssv32r.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\WINDOWS\sllights.exe
    C:\WINDOWS\analsex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\BOBBAR~1\LOCALS~1\Temp\svchostr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi BHB, sorry for the late reply, but we've been swamped.

    Please zip up a copy of these files and submit them for analysis to the following email addresses. Include a brief note and a link back to this thread in the email message:
    submit@diamondcs.com.au
    samples@nod32.com
    (and also a zipped copy to your antivirus vendor)

    (these files)
    C:\WINDOWS\ssv32r.exe
    C:\WINDOWS\analsex.exe
    C:\DOCUME~1\BOBBAR~1\LOCALS~1\Temp\svchostr.exe

    The above files may be hidden. Make sure you have Hidden Files and Folders viewable.
    Click Start > My Computer > Select the Tools menu > click Folder Options > Select the View Tab.
    Under the "Hidden files and folders" heading, select Show hidden files and folders.
    UN-check the "Hide protected operating system files (recommended)" option.
    Then click Yes.

    --------

    Next, disconnect from the internet.

    Open TaskManager (Ctrl-Alt-Del) to end the running processes for these:

    ssv32r.exe
    analsex.exe
    svchostr.exe


    Create a permanent folder on your C: drive (example: C:\HJT\ ) and move HijackThis.exe into its own folder. HijackThis creates backups in the folder it is run from, so it is good to have them all contained in their own folder so they are easily found if you need to restore from them.

    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PowerReg Scheduler.exe


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following files:
    C:\WINDOWS\ssv32r.exe
    C:\WINDOWS\analsex.exe
    C:\DOCUME~1\BOBBAR~1\LOCALS~1\Temp\svchostr.exe

    While still in safe mode, empty your Temp folders' contents:

    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself).

    C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself).

    Open Internet Explorer -> Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Empty the Recycle Bin

    Reboot your computer normally.

    Before you do anything else online, go to Microsoft's Update Site, download and install ALL the Security Patches and Critical Updates listed for XP and IE6. Right now you are very behind in your updates, which makes you vulnerable to many dangerous viruses and exploits.

    Do a FULL system scan at one of these on-line scan sites: Free Services

    Download the most recent version of Ad-Aware6 build 6.181, and make sure that you have brought it up-to-date by clicking on the program's webupdate (the globe icon), then click the "connect" button to download the most recent Reference-file. Do a scan and fix what it finds. Reboot when finished. Follow these instructions for setting up Ad-Aware for a full scan: How To Perform a "Full Scan" with Ad-Aware6.

    Then Download the most recent version of Spybot Search&Destroy v1.3, install, and bring it up-to-date by pressing the "Search for Updates" button, and download all updates. Once it is up-to-date, click on the "Check for Problems" button. When the scan is finished, select what is found in Red and choose "Fix selected problems" button. Reboot after the scan.

    Post a new hijackthis log here in your next reply so we can clean up what's left.

    Regards,

    snap

    (You should save these instructions to a .txt file, or print them out, since you will be doing some parts disconnected from the internet.)
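To show how a log like the one in the first post gets read, and why the reply above picked out ssv32r.exe, analsex.exe, svchostr.exe, the Run entries and the start page, here is an added Python example. It is not code from this thread, from HijackThis, or from the helpers; the SAMPLE_LOG is an excerpt copied from the posted log, and the flagging rules (executables sitting directly in the Windows folder, anything run from a Temp folder, a Global Startup item with no target path, and a browser URL pointing away from the Default_Page_URL site) are constructed heuristics, not HijackThis logic. The allowlist KNOWN_WINDIR_GOOD is an assumption kept deliberately tiny, so the example also flags sllights.exe, which the reply above did not treat as hostile: every hit is a lead for an analyst, not a verdict.

```python
"""Added triage pass over a HijackThis v1.97 log (constructed heuristics, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed excerpt of the log posted earlier in this thread (paths copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\ssv32r.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\analsex.exe
C:\DOCUME~1\BOBBAR~1\LOCALS~1\Temp\svchostr.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pureseeker.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS\ssv32r.exe /i
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: PowerReg Scheduler.exe
"""

RUN_ENTRY = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
STARTUP_ENTRY = re.compile(r'^O4 - Global Startup: (?P<name>.+?)(?: = (?P<cmd>.+))?$')
R_ENTRY = re.compile(r'^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$')
WINDOWS_ROOT = re.compile(r'^[A-Z]:\\WINDOWS\\[^\\]+\.exe$', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\Temp\\', re.IGNORECASE)
# Assumed, minimal allowlist of binaries that legitimately live in the Windows folder.
KNOWN_WINDIR_GOOD = {"explorer.exe"}


def exe_path(cmd):
    """Return the executable from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def path_reason(path):
    """Explain why a file location looks out of place, or return None."""
    if TEMP_DIR.search(path):
        return "executable runs from a Temp folder"
    name = path.rsplit("\\", 1)[-1].lower()
    if WINDOWS_ROOT.match(path) and name not in KNOWN_WINDIR_GOOD:
        return "executable sits directly in the Windows folder"
    return None


def host_of(url):
    """Hostname of a URL with a leading 'www.' removed, for site comparison."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def triage(log_text):
    """Return (log line, reason) pairs that deserve an analyst's attention."""
    findings, r_entries, in_processes = [], [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            reason = path_reason(line)
        elif (m := RUN_ENTRY.match(line)):
            reason = path_reason(exe_path(m.group("cmd")))
        elif (m := STARTUP_ENTRY.match(line)):
            cmd = m.group("cmd")
            reason = ("startup item with no resolvable target path" if cmd is None
                      else path_reason(exe_path(cmd)))
        else:
            reason = None
            if (m := R_ENTRY.match(line)):
                r_entries.append((line, m.group("value"), m.group("data")))
        if reason:
            findings.append((line, reason))
    # Browser settings: every URL-valued entry should point at the ISP's default site.
    default = next((host_of(d) for _, v, d in r_entries if v == "Default_Page_URL"), None)
    for line, value, data in r_entries:
        if default and data.startswith(("http://", "https://")) and host_of(data) != default:
            findings.append((line, f"{value} points at {host_of(data)}, not the default {default}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the excerpt, the pass lists the three dropped executables, the two Run entries pointing into the Windows folder, the PowerReg startup item with no target, and the Start Page redirect to pureseeker.com, while leaving the ISP-supplied proxy, search bar and Shellnext entries alone. The Temp-folder rule is the one with the best signal in this thread, since svchostr.exe in a user's Temp folder is both a running process and a name chosen to look like the real svchost.exe.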
     