Stubborn Dialer (Hijack This logs included)

  1. #1
    PolishMilk (Newbie)


    Hello,

    I've been infected with some kind of dialer or virus. When I connect to the internet after a minute or so a window pops up (that looks more like a program window than an internet explorer window) then disappears after about a second. It installs icons on the desktop and start menu, changes my internet startup page to www.pureseeker.com and installs a dialer in my dialup networking folder. It then disconnects me from my normal isp and connects to its own number, presumably at premium rates. When I delete all of these things it just happens again after about half an hour.

    I have already run Ad-Aware and Spybot which picked up a few things but don't seem to have had any effect on this problem. I have absolutely no idea what to do next, so I'm posting this. Any help would be very appreciated. The Hijack This logs are below. Thanks.

    Logfile of HijackThis v1.98.0
    Scan saved at 14:22:48, on 26/07/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\APVXDWIN.EXE
    C:\WINDOWS\NAVCHK.EXE
    C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
    C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHERO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM ANTIVIRUS 2004\WEBPROXY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
    C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
    C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
    C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACK THIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com/
    O2 - BHO: GeekSuperheroBHO Class - {1FEA39D6-46B3-4F66-BC38-4839CFE198EA} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\navchk.exe /i
    O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROSLAPDOWN.DLL
    O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/temp...control012.cab
    O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\PROGRA~1\COMMON~1\MICROS~1\REFERE~1\MSREF.DLL
    O18 - Filter: text/html - {99FEA1B2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\GEEK SUPERHERO\GEEKSUPERHEROBUGSWAT.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

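An added example, not part of the posted thread or of HijackThis itself: a small Python helper that parses the entry lines of a HijackThis log (the R0/O2/O4/... records above; the header and the "Running processes" list are skipped) and diffs two scans. For a dialer that re-installs itself every half hour, scanning once right after cleanup and again once it has come back, then diffing, makes the re-added start page and autostart entries stand out instead of having to eyeball the whole log. The sample logs below are constructed in the posted format; the `[ExampleDialer]` entry and its `EXAMPLE.EXE` path are hypothetical placeholders, not anything identified in this thread.

```python
"""Parse HijackThis entry lines and diff two scans (added illustration,
not HijackThis code; sample logs are constructed, EXAMPLE.EXE is a placeholder)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Entry lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag".
# Header lines and the "Running processes" paths do not match this shape.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
RUNKEY_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?P<key>[^:]+): (?P<name>.+?) = (?P<cmd>.+)$")
PAGE_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.+)$")


@dataclass(frozen=True)
class Entry:
    code: str  # "R0", "O2", "O4", ...
    body: str  # everything after "Xn - "

    @property
    def clsid(self) -> Optional[str]:
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def target(self) -> Optional[str]:
        """Command line for O4 lines, last " - " component for other O-lines,
        None for R/F lines (those carry registry values, not files)."""
        if self.code == "O4":
            m = RUNKEY_RE.match(self.body) or STARTUP_RE.match(self.body)
            return m.group("cmd") if m else None
        if self.code.startswith("O") and " - " in self.body:
            return self.body.rsplit(" - ", 1)[1]
        return None


def parse_hjt(text: str) -> List[Entry]:
    """Return the Rn/On/Fn entries of a log, in file order."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("code"), m.group("body")))
    return out


def start_pages(entries: List[Entry]) -> Dict[str, str]:
    """R0/R1 lines as registry value -> URL."""
    pages = {}
    for e in entries:
        m = PAGE_RE.match(e.body) if e.code in ("R0", "R1") else None
        if m:
            pages[m.group("key")] = m.group("value")
    return pages


def autostarts(entries: List[Entry]) -> Dict[Tuple[str, str], str]:
    """O4 lines as (location, value name or .lnk) -> command line."""
    runs = {}
    for e in entries:
        if e.code != "O4":
            continue
        m = RUNKEY_RE.match(e.body) or STARTUP_RE.match(e.body)
        if m:
            runs[(m.group("key"), m.group("name"))] = m.group("cmd")
    return runs


def diff_logs(before: str, after: str) -> List[Entry]:
    """Entries present in the later scan that the earlier scan did not have."""
    seen = set(parse_hjt(before))
    return [e for e in parse_hjt(after) if e not in seen]


def start_page_changes(before: str, after: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Start/search page values that differ between the two scans: key -> (old, new)."""
    old, new = start_pages(parse_hjt(before)), start_pages(parse_hjt(after))
    return {k: (old.get(k), v) for k, v in new.items() if old.get(k) != v}


# Constructed sample in the posted format; not the thread's full log.
BEFORE = r"""
Logfile of HijackThis v1.98.0
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACK THIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Same machine once the dialer has re-armed: the start page is the one the
# poster describes; [ExampleDialer]/EXAMPLE.EXE is a hypothetical placeholder.
AFTER = BEFORE.replace("http://www.bt.yahoo.com/", "http://www.pureseeker.com/") + (
    r"O4 - HKLM\..\Run: [ExampleDialer] C:\WINDOWS\SYSTEM\EXAMPLE.EXE" + "\n"
)

if __name__ == "__main__":
    for key, (old, new) in start_page_changes(BEFORE, AFTER).items():
        print(f"start page changed: {key}: {old} -> {new}")
    for e in diff_logs(BEFORE, AFTER):
        print(f"new entry: {e.code} - {e.body}  [target: {e.target}]")
```

Run it once on a log saved immediately after cleaning and once on a log saved after the dialer has returned; whatever `diff_logs` reports is the set of entries the dialer keeps writing back, and `target` gives the file or URL to go after. The helper only structures and diffs the log; it does not judge whether an entry is good or bad.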
  2. #2
    owen (D-A-L Team Member, UK)
    There is nothing I can see in there that looks bad. This is something I've never heard of before. What we have to look at here is getting you some permanent protection. Have you enabled the Spybot S&D TeaTimer?

  3. #3
    PolishMilk (Newbie)
    Thanks for the help. I thought I had enabled the TeaTimer, but it seems I didn't. I just enabled it and tested it out. Thankfully it stops the program doing anything like connecting to its phone number or changing my home page, so at least I'm not wasting any more money on its connection. Unfortunately the program still pops up, so it's knocking about somewhere on the computer. Is there any way to get rid of it completely?

  4. #4
    PolishMilk (Newbie)
    Well, it seems I was being optimistic earlier when I said TeaTimer was stopping the thingy from working. I don't know why it stopped it then, but it's happened twice since, and the only thing TeaTimer can stop is the browser's home page being changed. Any advice would be very welcome! Thanks.

  5. #5
    owen (D-A-L Team Member, UK)
    Could you try this? Go into Start > Settings > Control Panel. Double-click Network Connections and delete all Dial-Up Connections. Then set up your Dial-Up account again.

    Then I suggest you download a Firewall and enable it. This might stop the dialer getting in. Sygate (Free Version) is a very good firewall.
