Trojan Horse dialer can't be found or removed

Discussion in 'adware, spyware & hijack cleaning' started by sharnap, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. sharnap

    sharnap Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    1
    Hi please help
    I keep getting a message from the AVG virus checker telling me that I have a trojan horse dialer on my C drive. I run AVG but it finds nothing. I have run the Ad-Aware & Spybot S&D programs and removed everything they found. I have now run the HijackThis program and this is what was found:-
    Logfile of HijackThis v1.97.7
    Scan saved at 21:15:10, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\appmm.exe
    C:\WINDOWS\System32\tp4mon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\PROGRA~1\LOCKSB~1\tons army size.exe
    C:\WINDOWS\System32\agnxot.exe
    C:\WINDOWS\syslb.exe
    C:\WINDOWS\system32\wintime.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Documents and Settings\IBM USER\Application Data\eiwm.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Program Files\AOL 9.0\aoltray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\AOL 9.0\waol.exe
    C:\Program Files\AOL 9.0\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    C:\Documents and Settings\IBM USER\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {C8ECB30D-4AAE-D344-BCA2-A97394FEB349} - C:\WINDOWS\sdkfs32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int339890.exe -auto
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [1 beep] C:\PROGRA~1\LOCKSB~1\tons army size.exe
    O4 - HKLM\..\Run: [vzgeuaa] C:\WINDOWS\System32\agnxot.exe
    O4 - HKLM\..\Run: [syslb.exe] C:\WINDOWS\syslb.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Tsmm] C:\Documents and Settings\IBM USER\Application Data\eiwm.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKLM\..\RunOnce: [appmm.exe] C:\WINDOWS\system32\appmm.exe
    O4 - HKLM\..\RunOnce: [ntqz.exe] C:\WINDOWS\system32\ntqz.exe
    O4 - HKLM\..\RunOnce: [d3qs.exe] C:\WINDOWS\d3qs.exe
    O4 - HKLM\..\RunOnce: [sysje.exe] C:\WINDOWS\sysje.exe
    O4 - HKLM\..\RunOnce: [atlxr.exe] C:\WINDOWS\atlxr.exe
    O4 - HKLM\..\RunOnce: [ipiu.exe] C:\WINDOWS\ipiu.exe
    O4 - HKLM\..\RunOnce: [crmx32.exe] C:\WINDOWS\system32\crmx32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\system32\winzz.exe
    O4 - HKLM\..\RunOnce: [winib.exe] C:\WINDOWS\system32\winib.exe
    O4 - HKLM\..\RunOnce: [d3fx32.exe] C:\WINDOWS\d3fx32.exe
    O4 - HKLM\..\RunOnce: [sdkmd32.exe] C:\WINDOWS\system32\sdkmd32.exe
    O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
    O4 - HKLM\..\RunOnce: [systm.exe] C:\WINDOWS\systm.exe
    O4 - HKLM\..\RunOnce: [netwu32.exe] C:\WINDOWS\netwu32.exe
    O4 - HKLM\..\RunOnce: [appxg32.exe] C:\WINDOWS\system32\appxg32.exe
    O4 - HKLM\..\RunOnce: [appko.exe] C:\WINDOWS\system32\appko.exe
    O4 - HKLM\..\RunOnce: [apixz.exe] C:\WINDOWS\apixz.exe
    O4 - HKLM\..\RunOnce: [mfcqp.exe] C:\WINDOWS\system32\mfcqp.exe
    O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\system32\iefc.exe
    O4 - HKLM\..\RunOnce: [syszq32.exe] C:\WINDOWS\system32\syszq32.exe
    O4 - HKLM\..\RunOnce: [appmb.exe] C:\WINDOWS\system32\appmb.exe
    O4 - HKLM\..\RunOnce: [mfcqw.exe] C:\WINDOWS\mfcqw.exe
    O4 - HKLM\..\RunOnce: [crcx32.exe] C:\WINDOWS\system32\crcx32.exe
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025964.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4660E5-E01F-4E2F-871D-7DFBBE5C8D35}: NameServer = 195.93.51.134
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F4660E5-E01F-4E2F-871D-7DFBBE5C8D35}: NameServer = 195.93.51.134

    It keeps interrupting my internet connection and signing me off; how do I stop this? It is driving me mad. I have tried other methods that worked with other viruses, like turning off System Restore and removing all files in the temp folders, but it won't work on this one. Every time it does this it puts a shortcut on the desktop that takes you to the following website:-
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.casinopalazzo.com/index.php?sourceid=102838

    I have tried blocking this site but it still comes up!!!!
    Thank you for your help, Sharna.
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    First, if you don't know how to boot into safe mode, go to this link and learn how, because I will ask you to do so later in this list:
    safe mode

    Next, print this so you can follow it with ease.

    Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".

    Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for these:
    syslb.exe
    agnxot.exe
    tons army size.exe
    appmm.exe
    wintime.exe
    If you find the files, click on them, and then click End Process => Exit the Task Manager.

    Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
    Scroll down and find the service called "Network Security Service".
    When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

    Run HijackThis, click on "Scan", place a check mark in the following boxes, and click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchweb2.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchweb2.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz

    O2 - BHO: (no name) - {C8ECB30D-4AAE-D344-BCA2-A97394FEB349} - C:\WINDOWS\sdkfs32.dll

    O4 - HKLM\..\Run: [1 beep] C:\PROGRA~1\LOCKSB~1\tons army size.exe
    O4 - HKLM\..\Run: [vzgeuaa] C:\WINDOWS\System32\agnxot.exe
    O4 - HKLM\..\Run: [syslb.exe] C:\WINDOWS\syslb.exe
    O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
    O4 - HKLM\..\RunOnce: [appmm.exe] C:\WINDOWS\system32\appmm.exe
    O4 - HKLM\..\RunOnce: [ntqz.exe] C:\WINDOWS\system32\ntqz.exe
    O4 - HKLM\..\RunOnce: [d3qs.exe] C:\WINDOWS\d3qs.exe
    O4 - HKLM\..\RunOnce: [sysje.exe] C:\WINDOWS\sysje.exe
    O4 - HKLM\..\RunOnce: [atlxr.exe] C:\WINDOWS\atlxr.exe
    O4 - HKLM\..\RunOnce: [ipiu.exe] C:\WINDOWS\ipiu.exe
    O4 - HKLM\..\RunOnce: [crmx32.exe] C:\WINDOWS\system32\crmx32.exe
    O4 - HKLM\..\RunOnce: [winzz.exe] C:\WINDOWS\system32\winzz.exe
    O4 - HKLM\..\RunOnce: [winib.exe] C:\WINDOWS\system32\winib.exe
    O4 - HKLM\..\RunOnce: [d3fx32.exe] C:\WINDOWS\d3fx32.exe
    O4 - HKLM\..\RunOnce: [sdkmd32.exe] C:\WINDOWS\system32\sdkmd32.exe
    O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\system32\crwq.exe
    O4 - HKLM\..\RunOnce: [systm.exe] C:\WINDOWS\systm.exe
    O4 - HKLM\..\RunOnce: [netwu32.exe] C:\WINDOWS\netwu32.exe
    O4 - HKLM\..\RunOnce: [appxg32.exe] C:\WINDOWS\system32\appxg32.exe
    O4 - HKLM\..\RunOnce: [appko.exe] C:\WINDOWS\system32\appko.exe
    O4 - HKLM\..\RunOnce: [apixz.exe] C:\WINDOWS\apixz.exe
    O4 - HKLM\..\RunOnce: [mfcqp.exe] C:\WINDOWS\system32\mfcqp.exe
    O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\system32\iefc.exe
    O4 - HKLM\..\RunOnce: [syszq32.exe] C:\WINDOWS\system32\syszq32.exe
    O4 - HKLM\..\RunOnce: [appmb.exe] C:\WINDOWS\system32\appmb.exe
    O4 - HKLM\..\RunOnce: [mfcqw.exe] C:\WINDOWS\mfcqw.exe
    O4 - HKLM\..\RunOnce: [crcx32.exe] C:\WINDOWS\system32\crcx32.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025964.exe


    Reboot into Safe Mode and delete the following files:
    C:\WINDOWS\system32\vijoh.dll
    C:\WINDOWS\sdkfs32.dll
    C:\PROGRA~1\LOCKSB~1\tons army size.exe
    C:\WINDOWS\System32\agnxot.exe
    C:\WINDOWS\syslb.exe
    C:\WINDOWS\system32\wintime.exe
    C:\WINDOWS\system32\appmm.exe
    C:\WINDOWS\system32\ntqz.exe
    C:\WINDOWS\d3qs.exe
    C:\WINDOWS\sysje.exe
    C:\WINDOWS\atlxr.exe
    C:\WINDOWS\ipiu.exe
    C:\WINDOWS\system32\crmx32.exe
    C:\WINDOWS\system32\winzz.exe
    C:\WINDOWS\system32\winib.exe
    C:\WINDOWS\d3fx32.exe
    C:\WINDOWS\system32\sdkmd32.exe
    C:\WINDOWS\system32\crwq.exe
    C:\WINDOWS\systm.exe
    C:\WINDOWS\netwu32.exe
    C:\WINDOWS\system32\appxg32.exe
    C:\WINDOWS\system32\appko.exe
    C:\WINDOWS\apixz.exe
    C:\WINDOWS\system32\mfcqp.exe
    C:\WINDOWS\system32\iefc.exe
    C:\WINDOWS\system32\syszq32.exe
    C:\WINDOWS\system32\appmb.exe
    C:\WINDOWS\mfcqw.exe
    C:\WINDOWS\system32\crcx32.exe


    Reboot in Normal Mode.
    Download this file: https://www.wilderssecurity.com/attachment.php?attachmentid=137634 and rename it to cwsuninst.reg

    Double-click it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.
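As an added triage example (not the thread's own code, and not part of HijackThis itself), this Python script parses a constructed excerpt of the log posted above and flags the same kinds of entries the reply singles out: IE pages served from a res:// DLL or a bare IP address, RunOnce autostarts dropped in the Windows directory, extra Trusted Zone hosts, a DPF entry that fetches an executable, and a NameServer override. The rules are review heuristics, not a verdict on any one line.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted in the thread (a subset of its lines).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vijoh.dll/sp.html#23851
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunOnce: [ntqz.exe] C:\WINDOWS\system32\ntqz.exe
O4 - HKLM\..\RunOnce: [d3qs.exe] C:\WINDOWS\d3qs.exe
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025964.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F4660E5-E01F-4E2F-871D-7DFBBE5C8D35}: NameServer = 195.93.51.134
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")   # "R1 - ..." / "O16 - ..."
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def check_entry(sec, body):
    """Return a reason string if the entry matches one of the thread's red flags, else None."""
    if sec in ("R0", "R1"):
        url = body.split(" = ", 1)[-1]
        if url.startswith("res://"):
            return "IE page served from a local DLL (res://)"
        if IP_LITERAL.match(urlparse(url).hostname or ""):
            return "IE page points at a bare IP address"
    elif sec == "O4" and "RunOnce:" in body:
        target = body.split("] ", 1)[-1]          # path after the [key name]
        if target.upper().startswith("C:\\WINDOWS\\"):
            return "RunOnce autostart dropped in the Windows directory"
    elif sec == "O15":
        return "extra Trusted Zone host (IE security lowered for it)"
    elif sec == "O16" and body.lower().endswith(".exe"):
        return "DPF entry downloads a raw executable"
    elif sec == "O17":
        return "NameServer override (DNS redirection)"
    return None

def triage(text):
    """Return [(section, reason, body)] for every flagged entry in the log text."""
    return [(s, r, b) for s, b in parse_hjt(text) if (r := check_entry(s, b))]
```

Entries the reply left alone (the Adobe BHO, the AVG Run key) pass through unflagged, which is the check worth keeping when the rules are extended.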