[solved] xxx dialler

Discussion in 'adware, spyware & hijack cleaning' started by Greymatter, Jul 13, 2004.

Thread Status:
Not open for further replies.
  1. Greymatter

    Greymatter Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    4
    Hi, has anyone come across a dialler that has a program replacing the 'host' file every few seconds?

    The desktop icons it creates are 'Andy1' and 'XXX'.
    Needless to say it alters the IE home page to a porn index page and dials a premium rate number - when it can.

    I have tried all the latest 'helpware' to no avail.

    I have seen many of these in my time but this is the worst so far.
    Replacing the 'host' file in safe mode is OK, but whenever I do anything to it in normal mode the file is replaced with a corrupt one within seconds.

    I plan to replace the hard drive and reinstall to get back to work but will keep the current hard drive as I am keen to get this one solved and post the solution for others.

    Any feedback will be great.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: xxx dialler

    Hi there and welcome,
    What Pilli just said is of urgent importance to start with.
    In the meantime while waiting for expert help there, which virus scanner(s) are you using?
    You know you can lock your HOSTS file in the windows explorer, > Hosts > rightclick for properties, set on read only
    Hope that blocks it for a moment.

    Then, if you're not running TDS yet, get an evaluation copy of it at www.diamondcs.com.au and install it, with every scanner disabled at that moment, especially resident protection, so TDS can install properly. Back on the download site get the latest radius.td3 update and save the file in the TDS-3 directory. Now reboot your PC, make sure every other scanner is still disabled, and after TDS's initial startup scans go to TDS System Testing > Scan Control > check all the scan options there are, highest sensibility on the worm slider > save configuration. Now choose the full system scan option,
    close all unnecessary programs and browsers and have a coffee, as it can take a while.
    Now at the end you should have some alerts in the bottom console.
    Rightclick on one of them and save to TEXT (Scandump.txt in the TDS directory)
    Copy and paste that log in your next posting.

    In the meantime the HJT experts might be with you to look into your HJT log.
     
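The read-only trick above is easy to check, and the thread later reports it was not enough on its own. The following is an added example, not code from the thread or from any tool it mentions: a small Python watcher that polls a HOSTS file, records every replacement, and reports which mappings the new copy adds, removes or changes against a known-good baseline. The sample HOSTS contents and the .example hostnames are constructed for illustration.

```python
# Added example, not code from the thread: watch a HOSTS file for the rapid
# silent replacement described above and report what each new copy changes.
import hashlib
import os
import stat
import time

def parse_hosts(text):
    """hostname -> address for every active (non-comment) HOSTS line."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            address, *names = line.split()
            for name in names:
                mapping[name.lower()] = address
    return mapping

def hosts_diff(baseline_text, current_text):
    """(added, removed, changed) mappings of current relative to baseline."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {h: a for h, a in cur.items() if h not in base}
    removed = {h: a for h, a in base.items() if h not in cur}
    changed = {h: (base[h], cur[h]) for h in base if h in cur and base[h] != cur[h]}
    return added, removed, changed

def snapshot(path):
    """sha256 digest, read-only flag and text of the file at path."""
    with open(path, "rb") as fh:
        data = fh.read()
    readonly = not (os.stat(path).st_mode & stat.S_IWUSR)
    return hashlib.sha256(data).hexdigest(), readonly, data.decode("latin-1")

def watch(path, baseline_text, interval=1.0, rounds=None):
    """Poll path; yield a report whenever its content hash changes."""
    last, n = None, 0
    while rounds is None or n < rounds:
        digest, readonly, text = snapshot(path)
        if digest != last:
            added, removed, changed = hosts_diff(baseline_text, text)
            yield {"when": time.strftime("%H:%M:%S"), "sha256": digest, "readonly": readonly,
                   "added": added, "removed": removed, "changed": changed}
            last = digest
        n += 1
        time.sleep(interval)

# Constructed sample: a clean file and the kind of copy a hijacker drops in its place.
CLEAN = "127.0.0.1 localhost\n"
HIJACKED = CLEAN + "127.0.0.1 update.antivirus.example\n10.9.8.7 www.search.example\n"
```

Point `watch()` at the live HOSTS file with `CLEAN` replaced by your own known-good copy; each yielded report is one replacement event with the mappings that differ.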
  4. Greymatter

    Greymatter Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    4
    Re: xxx dialler

    Tx Pilli. I have been using all the programs mentioned so will follow the guide.

    Tx also Jooske. Didn't know about Host fix - that will help a lot.
    Am using NAV, AVG and PANDA.
    Have used TDS this week but will do as you say and come back with results.

    I have now tracked part of the problem to a program 123921.exe that sits in folder prog files\websiteviewer and have found a program 'pestcontrol' that claims to clear it.

    Have also come across the free blocker program - http://www.javacoolsoftware.com/spywareblaster.html

    Do you know if it is any good?

    Off on hols for a few days (need a break from all this!!) so will post info next week.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: xxx dialler

    Hi Greymatter,
    All of Javacool's tools are excellent ;) Spyware Guard is another good one from Javacool not to be missed.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: xxx dialler

    Make very sure that AVG especially is closed, so it can't hide the nasties from view from other scanners (an AVG habit).
    Open the AVG GUI, uncheck all the checks and the systray icon gets grey, and you'll be able to scan properly.
    Would have loved to see your system clean soon, but ok, we'll wait patiently till you get back!

    Happy holidays!
     
  7. Greymatter

    Greymatter Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    4
    Re: xxx dialler

    OK, back from my hols!!

    Was advised to try Pest Patrol which found and removed 78 'pests' including the RAT 'WOOT'.
    Then ran SpyBot again in safe mode and found 2 more - they couldn't be removed, even after restart.
    They are the entries dialup01 and GoInDirect in HKEY_USERS\DEFAULT\RemoteAccess\Profile\.

    Current situation is that the dial ups are not taking place every few minutes but something is still replacing HOSTS as soon as I fix it (even in read only).

    This is the latest HijackThis log .... any ideas please?

    Logfile of HijackThis v1.97.7
    Scan saved at 15:04:43, on 20/07/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wintime.exe
    C:\WINDOWS\system32\explorer.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\WINDOWS\system32\explorer.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\PestPatrol\PestPatrol.exe
    C:\$ $ VIRUS PROGS\Hack This - CARE\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AdobeA] C:\WINDOWS\hm\adobes.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o
    O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
    O4 - HKLM\..\Run: [Microsoft Windows System Kernel Initializer] SysInt32.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Kernel Functionalities] msrundll.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System Kernel Initializer] SysInt32.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: xxx dialler

    Hi there again, hope you had a nice holiday!

    Could you locate the files on which the alarm was raised?
    With the risk of you getting disappointed, my inexperienced eyes see only these few things in the HJT log:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

    If you don't use MS Office all the time I would take this out of the autostart too, as it's a resource consumer, but not an error:
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    I wonder about this one, if it is part of the infection:
    O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o
    Don't do anything with it till there is confirmation; the only place where I see it mentioned in a HJT log is here http://216.239.59.104/search?q=cach...] "C:\WINDOWS\System32\WinSetup.exe" -o&hl=nl so I'm still not sure about your entry.

    Delete this one in safe mode:
    C:\WINDOWS\system32\wintime.exe

    Did you have any other scanners running while trying to clean with Spybot S&D?
    Was it not possible to close the running processes first and try to fix again, or to note down exactly which files they are and delete them in safe mode?

    Would you mind, with a fully updated TDS and all other scanners down, having a full system scan with that and right-clicking on one of the alerts to post the scandump.txt in a next posting?
    And for sure Gavin is THE expert on AutoStartViewer logs (with all options checked) as it shows even more autostarts than HJT.
    There are so many diallers in the TDS detection list...

    And make sure all files are showing: in the folder options make sure all files and extensions are shown, and AVG is completely closed.
    Hope the other scanners don't have those hiding options included as well :) AVG is good at detecting, but it should not claim ownership by hiding files from every other scanner :)
     
    Last edited: Jul 25, 2004
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re: xxx dialler

    There are a number of things that need fixing/removing; I suggest you proceed as follows:

    Start your computer in Safe Mode (it may help if you print this out), and delete these files:

    C:\WINDOWS\system32\wintime.exe
    C:\WINDOWS\system32\explorer.exe

    Warning: the latter is the Explorer.exe file in your C:\Windows\System32 folder. The one in your C:\Windows folder should be left alone!

    If you still have the following files, delete those as well:

    C:\WINDOWS\hm\adobes.exe
    C:\WINDOWS\system32\cab\service.exe

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Next, still in Safe Mode, run Hijack This, and have it fix these items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O4 - HKLM\..\Run: [AdobeA] C:\WINDOWS\hm\adobes.exe
    O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
    O4 - HKLM\..\Run: [Microsoft Windows System Kernel Initializer] SysInt32.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Kernel Functionalities] msrundll.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System Kernel Initializer] SysInt32.exe


    Now start your computer normally, and please post a fresh log.
     
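Tony's list relies on two cues visible in the log itself: autostart entries that name a bare file with no path, and a well-known system binary (explorer.exe) living in the wrong folder. The following is an added example, not code from the thread or from HijackThis: it applies those two cues, plus a flag for one entry launching several executables, to O4 lines. The SAMPLE_LOG excerpt is copied from the log posted above; structural rules like these cannot flag wintime.exe, which Tony identified by name, and they also flag legitimate path-less entries such as mobsync.exe for manual verification.

```python
# Added example, not code from the thread: structural triage of HijackThis
# O4 (autostart) lines using the two cues Tony's post relies on.
import ntpath
import re
import shlex

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# A genuine copy of this shell binary lives in one folder only; a same-named
# file anywhere else is a lookalike (the system32\explorer.exe case above).
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}

# Excerpt of the O4 section of the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o
O4 - HKLM\..\Run: [Microsoft Windows Kernel Functionalities] msrundll.exe
O4 - HKLM\..\Run: [Microsoft Windows System Kernel Initializer] SysInt32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\cab\back32.exe C:\WINDOWS\system32\cab\service.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
"""

def image_paths(cmd):
    """Executable tokens of an autostart command, surrounding quotes removed."""
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    return [t for t in tokens if t.lower().endswith(".exe")]

def triage_o4(line):
    """(reason, path) findings for one O4 line; an empty list means no cue fired."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    findings = []
    paths = image_paths(m.group("cmd"))
    if len(paths) > 1:
        findings.append(("one autostart launches several executables", m.group("cmd")))
    for p in paths:
        folder, base = ntpath.split(p)
        if not folder:
            findings.append(("bare filename, location cannot be verified", p))
        elif base.lower() in EXPECTED_DIR and folder.lower() != EXPECTED_DIR[base.lower()]:
            findings.append(("system binary name outside its expected folder", p))
    return findings

def triage_log(text):
    """Findings for every O4 line in a HijackThis log."""
    return [f for line in text.splitlines() for f in triage_o4(line)]
```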
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: xxx dialler

    It's not the habit to jump in when a real EXPERT is working on a HJT log, but I have a really burning question about that Winupdate.exe file (see O4 - HKLM\..\Run: [WinSetup] "C:\WINDOWS\System32\WinSetup.exe" -o).
    Since it's not in your running processes it might have gone in the meantime, but if not and you can locate it, can you please be so kind as to submit it to submit@diamondcs.com.au ? (Tony allowed me to ask for it :) )
     
  11. Greymatter

    Greymatter Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    4
    Re: xxx dialler

    Thanks for all the help. I applied Tony's changes, updated the Norton virus patterns etc and all seems to be OK now.
     