"Teen Seks Movie" problem

Discussion in 'adware, spyware & hijack cleaning' started by Amnesiac, Dec 23, 2003.

Thread Status:
Not open for further replies.
  1. Amnesiac

    Amnesiac Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    3
    This dialer-type infection of sorts has been troubling me when I leave my XP Pro account untouched for say 5-10 minutes. I come back and I have this installed on my computer. If I’m online at the time I also get disconnected (dial-up). I have no idea how to permanently remove it from my computer. I've performed full Adaware scans (with latest reference file), Spybot scans, and used various other cleaners. I’ve also run full virus scans with Norton and PC-Cillin - both have found nothing. Another thing to note is that it only occurs when I'm logged in; my sister's account is fine.

    The following files are littered throughout my hard drive and have to be deleted manually:
    ‘runit.exe’ – placed directly in C:\
    ‘Teen Seks Movie’ – Desktop shortcut to C:\runit
    ‘Teen Seks Movie’ – Program menu shortcut to C:\runit
    ‘Teen Seks Movie’ – IE Favourites shortcut to C:\runit
    ‘startit.exe’ – placed directly in Programs/Startup menu
    and a dial-up network connection titled ‘Video’ but void of any information (such as an actual number to dial).

    Here is my Hijack log:
    Logfile of HijackThis v1.97.7
    Scan saved at 1:07:58 PM, on 24/12/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Navnt\POProxy.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.iprimus.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .ica: C:\Program Files\Internet Explorer\PLUGINS\npican.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37653.1380092593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2FF45E95-91C5-4579-BEA9-3B37E12BC055}: NameServer = 203.134.24.70 203.134.26.70
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2FF45E95-91C5-4579-BEA9-3B37E12BC055}: NameServer = 203.134.24.70 203.134.26.70

    Can anyone help? I'm almost at the point of formatting just to get rid of the thing. Thanks.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Amnesiac,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O16 - DPF: Win32 Classes -

    Then reboot and install SP1 for IE 6 and all the security patches you are missing.

    In case it returns, post a new log before removing it.
    In that case we will have a better chance of studying it.

    Regards,

    Pieter
     
  3. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
  4. Amnesiac

    Amnesiac Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    3
    I removed both items identified by Pieter. I have installed SP1 for IE6 and every security patch available. I have updated my Norton definitions (again finding nothing) and my AdAware reference file (finding and removing another batch of various junk registry keys/values and cookies). Yet the problem still remains. :doubt:

    This log was recorded after the problem occurred again this afternoon, prior to deleting the installed files:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:53:46 PM, on 4/01/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Navnt\POProxy.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.iprimus.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: startit.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
    O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .ica: C:\Program Files\Internet Explorer\PLUGINS\npican.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37653.1380092593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2FF45E95-91C5-4579-BEA9-3B37E12BC055}: NameServer = 203.134.24.70 203.134.26.70
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2FF45E95-91C5-4579-BEA9-3B37E12BC055}: NameServer = 203.134.24.70 203.134.26.70

    Note that the only additional item is the "startit.exe" file that is installed along with the other files which I normally delete anyway.
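    The comparison Amnesiac does by eye here (two HijackThis logs, one new O4 line) is the kind of thing worth scripting, because the "Running processes" block changes from scan to scan while the R/O entries are what persist. Below is an added example, not code from the thread or from the HijackThis project: a small Python differ that parses the R/O entry lines of two logs, reports what was added or removed, and flags the added entries that load code at logon or IE start (O2 BHOs, O3 toolbars, O4 Run/Startup items). The two logs embedded in it are abbreviated, constructed excerpts of the logs posted above.

```python
"""Diff two HijackThis 1.97-style logs and flag new autostart entries.

Added example for this thread, not code from the original posts or from
HijackThis itself. Only the 'R'/'O' entry lines are compared; the
'Running processes' block is ignored because it differs between scans.
"""
import re
from typing import Dict, List, Set, Tuple

# An entry line looks like "O4 - Startup: startit.exe" or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")

# Entry kinds (among those present on this page) that load code at logon or
# when Internet Explorer starts; a new one of these deserves a closer look.
AUTOSTART_KINDS = {"O2", "O3", "O4"}

# Constructed, abbreviated excerpts of the first log and the log taken after
# the files reappeared (raw strings: the paths contain backslashes).
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 1:07:58 PM, on 24/12/2003

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O16 - DPF: Win32 Classes -
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:53:46 PM, on 4/01/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Startup: startit.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
"""


def parse_entries(log: str) -> Dict[str, str]:
    """Return {entry line: kind} for every R/O entry line in a log."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries[f"{match['kind']} - {match['body']}"] = match["kind"]
    return entries


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) entry lines between two logs."""
    old, new = parse_entries(before), parse_entries(after)
    return set(new) - set(old), set(old) - set(new)


def flag_autostart(entries: Set[str]) -> List[str]:
    """Pick out the entries whose kind loads code at logon or IE start."""
    return sorted(e for e in entries if e.split(" - ", 1)[0] in AUTOSTART_KINDS)


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since last scan:")
    for line in sorted(removed):
        print("  -", line)
    print("added since last scan:")
    for line in sorted(added):
        print("  +", line)
    print("new autostart entries to inspect:")
    for line in flag_autostart(added):
        print("  !", line)
```

    Run against full logs by reading the two files into LOG_BEFORE and LOG_AFTER; in this thread the only flagged line is the new "O4 - Startup: startit.exe", which is exactly the item Pieter has HijackThis fix in the next post.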
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Amnesiac,

    Going on this information:
    http://securityresponse.symantec.com/avcenter/venc/data/dialer.heysan.html

    Have HijackThis fix:
    O4 - Startup: startit.exe

    Then reboot into safe mode and delete:

    C:\Runit.exe
    C:\WINDOWS\Mile.scr
    C:\WINDOWS\system32\Runit.exe
    C:\WINDOWS\Start menu\Programs\Startup\Startit.exe
    C:\WINDOWS\system32\Dlloc.exe

    Then change the screensaver to the one you want.

    Regards,

    Pieter
     
  6. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    Amnesiac, you need to install Windows XP Service Pack 1 and ALL Critical Updates as well.

    Read the link below to have a safer Internet experience in 2004.
    I recommend IE-SPYAD and SpywareBlaster available in this link.
     
  7. Amnesiac

    Amnesiac Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    3
    It's finally all clear. I didn't think to check the screensaver (I usually have none) but there it was, 'mile' set at 5 minute intervals.

    Thanks for all your help.
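    The piece that kept this infection coming back was the screensaver: the dialer registered its own Mile.scr as the user's screensaver with a 5 minute idle timeout, so no Run key or Startup item was needed for it to re-run, and the 1.97 HijackThis log above never showed it. An added example (not from the thread) of the check a defender would want: a Python script that inspects the per-user screensaver values under HKCU\Control Panel\Desktop (the documented SCRNSAVE.EXE, ScreenSaveActive and ScreenSaveTimeOut values) and reports a screensaver that does not live in System32. On Windows it reads the live values with winreg; elsewhere it runs against the constructed sample values built from what this thread describes.

```python
"""Flag a screensaver registered outside System32 (the Mile.scr trick).

Added example for this thread, not part of the original posts. Value names
are the documented Windows ones; SAMPLE_* dicts are constructed from the
thread (Mile.scr at a 5 minute timeout versus a stock System32 screensaver).
"""
import ntpath  # Windows path semantics even when run on another platform
import sys
from typing import Dict, List, Optional

DESKTOP_KEY = r"Control Panel\Desktop"
VALUE_NAMES = ("SCRNSAVE.EXE", "ScreenSaveActive", "ScreenSaveTimeOut")

# Constructed samples: the infected configuration from this thread, and a
# normal one pointing at a screensaver that ships in System32.
SAMPLE_INFECTED = {
    "SCRNSAVE.EXE": r"C:\WINDOWS\Mile.scr",
    "ScreenSaveActive": "1",
    "ScreenSaveTimeOut": "300",
}
SAMPLE_CLEAN = {
    "SCRNSAVE.EXE": r"C:\WINDOWS\System32\logon.scr",
    "ScreenSaveActive": "1",
    "ScreenSaveTimeOut": "600",
}


def read_screensaver_values() -> Optional[Dict[str, str]]:
    """Read the live HKCU values on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DESKTOP_KEY) as key:
        for name in VALUE_NAMES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = str(data)
            except FileNotFoundError:
                pass  # value not set for this user
    return values


def assess_screensaver(values: Dict[str, str],
                       system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings: List[str] = []
    scr = values.get("SCRNSAVE.EXE", "")
    if not scr:
        return findings  # no screensaver configured at all

    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    actual_dir = ntpath.normcase(ntpath.dirname(scr))

    if not ntpath.basename(scr).lower().endswith(".scr"):
        findings.append(f"screensaver {scr} is not a .scr file")
    if actual_dir != expected_dir:
        findings.append(f"screensaver {scr} lives outside {expected_dir}")

    # Only worth shouting about the timer if the file itself looked wrong.
    if findings and values.get("ScreenSaveActive") == "1":
        seconds = int(values.get("ScreenSaveTimeOut", "0") or 0)
        findings.append(f"it is active and will run after {seconds} s idle")
    return findings


if __name__ == "__main__":
    live = read_screensaver_values()
    source = "live registry" if live is not None else "constructed sample"
    checked = live if live is not None else SAMPLE_INFECTED
    print(f"checking {source}: {checked}")
    for finding in assess_screensaver(checked) or ["nothing unusual"]:
        print(" -", finding)
```

    The same idea applies to the machine account and to other users: the value is per-user, which is why Amnesiac's account kept re-infecting while his sister's did not.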
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Glad we were able to help. :)

    Pieter
     