Help Needed, Please, XXX dialler

Discussion in 'adware, spyware & hijack cleaning' started by Paul & Hazel, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. Paul & Hazel

    Paul & Hazel Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    1
    Hi, can someone help please? We are infected with the XXX dialler and can't get rid of it. We've tried Spy Sweeper, Adaware, and Spyware Blaster. They mostly say that they've found items, but when we try to remove them, back they come. A friend suggested this forum, so we have produced a logfile from HijackThis.

    Thanks in anticipation, and why do people make software that's designed to steal from others?

    Logfile of HijackThis v1.98.0
    Scan saved at 22:27:07, on 18/07/040.

    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\ACCESSORIES\HARDWARE\GENIUS MOUSE\GMNET.EXE
    C:\WINDOWS\GENIUSKB.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SHMAN.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ROADANGELUSB\ROADANGELUSB.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\ANALSEX.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.findthesite.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findthesite.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findthesite.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin Net
    F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Mini Jeeves - {4E7D0B40-F575-4A29-9710-4675EAF4686A} - C:\WINDOWS\SYSTEM\MINIJVAB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [NetMouse] c:\PROGRA~1\ACCESS~1\HARDWARE\GENIUS~1\gmnet.exe
    O4 - HKLM\..\Run: [CHotKey] GeniusKB.exe
    O4 - HKLM\..\Run: [ETraffic] C:\Program Files\topMoxie\JavaRun.exe /cp:p "C:\Program Files\topMoxie" com.ETraffic.ETProxy.ETMain
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [autoclk] autoclk.exe
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [NAVCheck] C:\WINDOWS\shman.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Startup: RoadAngel USB.lnk = C:\Program Files\RoadAngelUSB\RoadAngelUSB.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {7183CF29-F63C-11D2-923F-00600854D4DF} (IEUpdateOSR2 Control) - http://autoreg.virginnet.co.uk/ChangeNo.cab
    O16 - DPF: {7916D7B2-B203-11D3-A66C-0090272507F5} (Stream1 Class) - http://www.avatarme.com/download/Astra.cab
    O16 - DPF: {036A4A9F-A8DB-11D3-915F-0050044B7D06} (ViewerCtl Class) - http://www.avatarme.com/Games/four/Four.cab
    O16 - DPF: {68ABE1C5-C503-11D3-9D41-0050044B7C92} (AvatarViewer Class) - http://www.avatarme.com/Apps/viewer/Viewer.cab
    O16 - DPF: {4C2C81B4-91DA-494D-8DBF-A7846BA07073} (Mini Jeeves Installer Control) - http://www.ask.co.uk/toolbar/download/MiniJv-inst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Your log seems clean; can you describe the popups? Do they only come up when you are browsing sites? This is sometimes the case.
    Please send this file to submit@diamondcs.com.au for analysis, just in case:

    shman.exe

    It will be in the Windows or Windows\System folder

    You also have this running, which must be a dialer, so please send that too:
    C:\WINDOWS\ANALSEX.EXE

    You should delete these files to the recycle bin immediately; can you then post a new log? We also recommend you run CWShredder from here:
    http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip
     
    Last edited: Jul 26, 2004
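As an added example (not code from this thread, from HijackThis, or from DiamondCS), here is a small Python triage script for a log like the one posted above. It rejoins entries that the forum wrapped onto several lines, then flags running processes and O4 autostart commands whose file sits bare in C:\WINDOWS or has no path at all and is not on a known-good list. The KNOWN allowlist, the sample log (a constructed subset of the posted one) and the heuristic itself are assumptions for illustration, not a verdict on any file. On the sample it surfaces the same two files asked for above and lists the O4 entry that launches shman.exe, which is what to check when a deleted file keeps returning.

```python
r"""Triage helper for HijackThis-style logs (added example, not thread code).

Two defender heuristics: a running process or autostart command whose file
lives directly in C:\WINDOWS, or a bare file name with no path, that is not
on the KNOWN allowlist gets flagged for a look-up.  KNOWN is an assumed,
hand-maintained list of Windows 98 components, not an authoritative source.
"""
import re

# Constructed subset of the log posted in the thread, keeping the lines the
# forum wrapped so that the rejoin logic is exercised.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SHMAN.EXE
C:\WINDOWS\ANALSEX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.findthesite.com/search.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
-atboottime
O4 - HKLM\..\Run: [NAVCheck] C:\WINDOWS\shman.exe /i
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Assumed allowlist: names that legitimately run bare or from C:\WINDOWS.
KNOWN = {"EXPLORER.EXE", "TASKMON.EXE", "SYSTRAY.EXE", "RUNDLL32.EXE",
         "MSTASK.EXE", "SCANREGW.EXE", "ATIPTAXX.EXE", "GENIUSKB.EXE",
         "LOADQM.EXE"}

SECTION_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse(text):
    """Return (running_processes, [(code, body), ...]).

    Once section entries start, any line without a section code is glued
    onto the previous entry, which repairs forum-wrapped lines."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_procs = False
            entries.append([m.group("code"), m.group("body")])
        elif entries:
            entries[-1][1] += " " + line
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, [tuple(e) for e in entries]


def needs_review(path):
    """True for a bare name, or a file directly in C:\\WINDOWS, not in KNOWN."""
    directory, _, name = path.rpartition("\\")
    name = name.upper()
    if not directory:
        return name not in KNOWN
    return directory.upper() == "C:\\WINDOWS" and name not in KNOWN


def first_token(cmd):
    """Executable part of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_processes(processes):
    return [p for p in processes if needs_review(p)]


def flag_autostarts(entries):
    """(entry name, executable) for each O4 Run/RunServices item to look up."""
    flagged = []
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m and needs_review(first_token(m.group("cmd"))):
            flagged.append((m.group("name"), first_token(m.group("cmd"))))
    return flagged


def launchers_of(entries, filename):
    """O4 entries that start the given file: what re-creates it after a clean."""
    want = filename.upper()
    return [body for code, body in entries
            if code == "O4" and want in body.upper()]


if __name__ == "__main__":
    procs, ents = parse(SAMPLE_LOG)
    for p in flag_processes(procs):
        print("process to look up:", p)
        for b in launchers_of(ents, p.rpartition("\\")[2]):
            print("  started by O4 -", b)
    for name, exe in flag_autostarts(ents):
        print("autostart to look up:", name, "->", exe)
```

The script deliberately reports "look up" rather than "malicious": a bare name such as autoclk.exe or adiras.exe may be a legitimate vendor component that simply is not on the allowlist, so the output is a worklist for a reviewer, not a removal list.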