Dialler problem - help needed

Discussion in 'adware, spyware & hijack cleaning' started by matt living, Jun 14, 2004.

Thread Status:
Not open for further replies.
  1. matt living

    matt living Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Can anybody help with an XXX programme that has wormed its way onto my computer - the HijackThis log is as follows :

    Logfile of HijackThis v1.97.7
    Scan saved at 2:50 pm, on 14/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP1 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\ccsrvc.exe
    C:\PROGRA~1\CARBON~1\shellker.exe
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\Promon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\deamon.exe
    C:\WINNT\HotXXX.exe
    C:\docume~1\dhumph~1\applic~1\winnet.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Amey plc
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amey-proxy.amey.co.uk:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amey.co.uk


    Many thanks for any help that can be given
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi matt living,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe

    Then reboot into safe mode and delete:
    C:\WINNT\deamon.exe
    C:\WINNT\HotXXX.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. matt living

    matt living Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Thanks for that - I couldn't, though, reboot in safe mode as my normal password wasn't accepted! So I had to do it in normal mode - anyway, I have run a new log for your perusal.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:29 am, on 16/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP1 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\ccsrvc.exe
    C:\PROGRA~1\CARBON~1\shellker.exe
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\Promon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\WINNT\explorer.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Amey plc
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amey-proxy.amey.co.uk:80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amey.co.uk


    Thanks for your help
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That is very strange. I have seen it before though.

    Can you surf to: http://www.kaspersky.com/scanforvirus
    Have these files checked and let me know:
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Regards,

    Pieter
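As an added illustration (not part of the thread and not HijackThis's own code), a small Python checker that applies the same reasoning Pieter uses above to HijackThis-style lines: IE search settings redirected to a file in Temp, a BHO whose DLL is missing, and Run entries launching from the Windows root or a user profile folder. The sample lines are copied from the logs in this thread; the rules are heuristics for triage, not a signature database.

```python
import re
# Sample HijackThis lines, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)
O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe
"""

def parse_line(line):
    # 'O4 - <detail>' -> ('O4', '<detail>'); None for header/process lines
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def run_command_path(detail):
    # Executable path from an O4 entry: text after '[name] ', quoted or up to first space
    m = re.search(r"\] (.*)$", detail)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def flag_suspicious(log_text):
    # Returns [(section, reason, line)] using the same heuristics the thread applies
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, detail = parsed
        reason = None
        if section in ("R0", "R1"):
            value = detail.split(" = ", 1)[-1].lower()
            if value.startswith("file://") and "\\temp\\" in value:
                reason = "IE search setting points at a local file in Temp"
        elif section == "O2" and detail.endswith("(file missing)"):
            reason = "BHO registered but its DLL is missing"
        elif section == "O4":
            path = run_command_path(detail)
            directory = path.lower().rpartition("\\")[0] if path else ""
            if directory in ("c:\\winnt", "c:\\windows"):
                reason = "autorun executable sits directly in the Windows directory"
            elif directory.startswith(("c:\\docume~1", "c:\\documents and settings")):
                reason = "autorun executable launched from a user profile folder"
        if reason:
            findings.append((section, reason, line.strip()))
    return findings
```

Run it over a full log pasted into `SAMPLE_LOG`; legitimate entries such as the McAfee updater (a quoted path under Program Files) and bare names like `Promon.exe` are left unflagged and still need a manual look.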
     