Dialler problem - help needed

Discussion in 'adware, spyware & hijack cleaning' started by matt living, Jun 14, 2004.

Thread Status:
Not open for further replies.
  1. matt living

    matt living Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Can anybody help with an XXX programme that has wormed its way onto my computer - the HijackThis log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:50 pm, on 14/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP1 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\ccsrvc.exe
    C:\PROGRA~1\CARBON~1\shellker.exe
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\Promon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\deamon.exe
    C:\WINNT\HotXXX.exe
    C:\docume~1\dhumph~1\applic~1\winnet.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Amey plc
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amey-proxy.amey.co.uk:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amey.co.uk


    Many thanks for any help that can be given
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    hi matt living,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe

    Then reboot into safe mode and delete:
    C:\WINNT\deamon.exe
    C:\WINNT\HotXXX.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. matt living

    matt living Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Thanks for that. I couldn't, though, reboot in safe mode as my normal password wasn't accepted, so I had to do it in normal mode. Anyway, I have run a new log for your perusal.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:29 am, on 16/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP1 (5.51.3020.2100)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\ccsrvc.exe
    C:\PROGRA~1\CARBON~1\shellker.exe
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\Promon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\WINNT\explorer.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Amey plc
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = amey-proxy.amey.co.uk:80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amey.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = amey.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amey.co.uk


    Thanks for your help
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    That is very strange. I have seen it before though.

    Can you surf to: http://www.kaspersky.com/scanforvirus
    Have these files checked and let me know:
    c:\centenn.ial\audit\cagent32.exe
    c:\centenn.ial\audit\xferwan.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Regards,

    Pieter
     
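The entries Pieter singled out across both replies fall into three recognisable patterns: a Run key that starts an executable sitting directly in the Windows folder or in a user's Application Data, an IE search/start setting redirected to a local file:// page in Temp, and a BHO whose DLL is marked "(file missing)". The following script, added here as an example and not something posted in the thread, encodes those three patterns as checks over HijackThis log lines; the sample entries are copied verbatim from the logs above, and the rules are heuristics, not a definition of what HijackThis itself flags.

```python
import re

# Entries copied from the HijackThis logs posted in this thread (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [httpd] C:\WINNT\deamon.exe /i
O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
O4 - HKCU\..\Run: [System Update4] c:\docume~1\dhumph~1\applic~1\winnet.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\DHUMPH~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A341E1B6-6A49-4F6B-9995-E6ACD60B658A} - C:\WINNT\system32\ibfam.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$")

# Folders where legitimately installed software almost never drops its own autostart binary (heuristic).
WINDIR_ROOT = {"c:\\winnt", "c:\\windows"}

def exe_path(cmd):
    """Return the lower-cased executable path of a Run value, dropping quotes and switches."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.I)
    return (m.group(1) if m else cmd).lower()

def check_line(line):
    """Return (line, reason) when an entry matches one of the three patterns fixed in this thread."""
    m = O4_RE.match(line)
    if m:
        path = exe_path(m.group("cmd"))
        folder = path.rpartition("\\")[0]
        if folder in WINDIR_ROOT:
            return (line, "Run entry starts an executable placed directly in the Windows folder")
        if "applic~1" in path or "application data" in path:
            return (line, "Run entry starts an executable from a user's Application Data folder")
        return None
    m = R_RE.match(line)
    if m and m.group("value").lower().startswith("file://"):
        return (line, "IE search/start setting points at a local HTML file")
    m = O2_RE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        return (line, "BHO registration whose DLL is no longer on disk")
    return None

def triage(log_text):
    """Run check_line over every line of a log and return the findings in log order."""
    return [f for f in (check_line(l.strip()) for l in log_text.splitlines()) if f]
```

Running `triage(SAMPLE_LOG)` flags exactly the five entries Pieter asked to have fixed and leaves the McAfee, Spybot and BBC lines alone.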