Unknown Dialer Virus - Help Please..

M@H

Original Poster:

Tuesday 4th November 2003
I'm hoping some of you can help me..

I have a Dialer virus on my Win2000 machine which arrived by email yesterday I think.. it adds a dial-up connection to my Network and Dialup connections called "Video" and adds shortcuts called "teen seks movie" to my desktop, favourites, and programs menus. This shortcut points to a file called runit.exe created in my C:/ directory.

Despite deleting all of these, they return whenever I re-boot my machine, and also there is a process running somewhere that attempts to initiate the "video" dialup connection every 5 seconds or so.

I have Norton AV Corporate ver.7.51.847 with the latest Virus File Version installed (51101w - 01/11/03) and Adaware-6.0, however these detect no problems at all with my machine. I have scanned all drives twice in the last 24 hours but no virus is found (yet I know it's there somewhere).

I dread to think what the phonebill is going to look like as I caught it dialing out twice yesterday.. any ideas anyone..?

Many thanks
Matt.

GregE240

Tuesday 4th November 2003
Downloading filth again Matt?

M@H

Original Poster:

Tuesday 4th November 2003
Nope.. sodding spam again..


>> Edited by M@H on Tuesday 4th November 09:37

pdV6

Tuesday 4th November 2003
AdAware?

T4R

Tuesday 4th November 2003
Try AdAware, download HiJackThis and delete any keys pertaining to the dialer.

M@H

Original Poster:

Tuesday 4th November 2003
T4R said:
Try AdAware, download HiJackThis and delete any keys pertaining to the dialer.

Which ones are they then...?

Logfile of HijackThis v1.97.3
Scan saved at 10:58:41, on 04/11/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ICONSPY.EXE
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\loadqm.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\internat.exe
C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
C:\Program Files\BatteryScope\Batmgr.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\AlchemyUser\Phone Status\userapp.exe
C:\Program Files\Vodafone\VodafoneMobileConnect\VodafoneMobileConnect.exe
C:\WINNT\System32\dlloc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\ULTIMA~1\uzip.exe
C:\DOCUME~1\MATT\LOCALS~1\TEMP\HIJACKTHIS.EXE
C:\Program Files\Microsoft Office\Office\WINPROJ.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cube2.isg.de/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MATT\Application Data\Mozilla\Profiles\default\1rsj92f5.slt\prefs.js)
O1 - Hosts: 217.11.192.83 www.comdirect.co.uk
O1 - Hosts: 217.11.192.99 focus.comdirect.co.uk
O1 - Hosts: 217.11.192.174 marketzoom.comdirect.fr
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: startit.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Phone Status.lnk = C:\Program Files\AlchemyUser\Phone Status\userapp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VodafoneMobileConnect.lnk = C:\Program Files\Vodafone\VodafoneMobileConnect\VodafoneMobileConnect.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EFED25C-FAF6-4C07-BC36-92BE3DDCA916}: NameServer = 195.188.250.38,193.38.157.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = is-uk.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = is-uk.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = is-uk.com
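
Added example (Python, not part of this thread and not HijackThis code): a small triage script that parses the O1 and O4 lines of a HijackThis log like the one above and lists what a reviewer would look at first: hosts-file overrides, and autostart entries that name an executable with no directory (like the startit.exe entry in the Startup folder), or that run from a Temp or profile directory or from the root of the drive. The sample lines are taken from the log above with the Windows backslashes restored, plus one constructed "C:\runit.exe" line (the thread names that file but the log shows no entry for it). The flags are review hints, not verdicts; legitimate entries such as internat.exe trip them too.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Parses the O1 (hosts file) and O4 (autostart) lines and lists what a reviewer
would look at first.  Flags are review hints, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines from the log in this thread with backslashes
# restored, plus one made-up "runit.exe" line that is NOT in the thread's log.
SAMPLE_LOG = r"""
O1 - Hosts: 217.11.192.83 www.comdirect.co.uk
O1 - Hosts: 217.11.192.99 focus.comdirect.co.uk
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Video] C:\runit.exe
O4 - Startup: startit.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
"""


@dataclass
class HostsOverride:
    ip: str
    hostname: str


@dataclass
class Autostart:
    source: str                 # e.g. "HKLM\..\Run", "Startup", "Global Startup"
    name: str                   # registry value name or .lnk name ("" if none)
    command: str                # raw command string from the log
    image: str                  # executable pulled out of the command
    flags: list = field(default_factory=list)


O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - ([^:]+):\s*(.*)$")
NAMED_RE = re.compile(r"\[(.*?)\]\s*(.*)")            # registry form: [name] command
LNK_RE = re.compile(r"(.*?\.lnk)\s*=\s*(.*)", re.I)   # startup form: x.lnk = command
# Either a quoted image, or an unquoted path up to a program-file extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|pif|dll|ocx))(?:\s|$)', re.I)


def _split_command(rest):
    """Return (name, command) for the text after 'O4 - <source>:'."""
    m = NAMED_RE.match(rest)
    if m:
        return m.group(1), m.group(2)
    m = LNK_RE.match(rest)
    if m:
        return m.group(1), m.group(2)
    return "", rest                 # bare file sitting in a Startup folder


def _image_path(command):
    """Pull the executable out of a command line, honouring quotes and spaces."""
    m = IMAGE_RE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    return command.strip().split(" ", 1)[0]


def _flag(entry):
    """Attach review hints based on where the image lives."""
    low = entry.image.lower()
    if "\\" not in low:
        where = "the Startup folder" if "startup" in entry.source.lower() else "the search path"
        entry.flags.append(f"no directory given, resolved via {where}")
    elif "\\temp\\" in low or "\\local settings\\" in low:
        entry.flags.append("runs from a Temp or profile directory")
    elif re.fullmatch(r"[a-z]:\\[^\\]+", low):
        entry.flags.append("runs from the root of the drive")
    return entry


def parse_log(text):
    """Return (hosts_overrides, autostarts) parsed from HijackThis log text."""
    hosts, autostarts = [], []
    for line in text.splitlines():
        m = O1_RE.match(line)
        if m:
            hosts.append(HostsOverride(m.group(1), m.group(2)))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = _split_command(m.group(2))
            autostarts.append(_flag(Autostart(m.group(1), name, cmd, _image_path(cmd))))
    return hosts, autostarts


def suspicious(autostarts):
    """Only the autostart entries that picked up at least one flag."""
    return [a for a in autostarts if a.flags]


def report(text):
    """Human-readable review list: hosts overrides first, then flagged autostarts."""
    hosts, auto = parse_log(text)
    lines = [f"hosts override: {h.hostname} -> {h.ip}" for h in hosts]
    for a in suspicious(auto):
        lines.append(f"review: [{a.source}] {a.image}  ({'; '.join(a.flags)})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it on a saved log with open(path).read() in place of SAMPLE_LOG; everything it prints still needs a human to decide, since the flags only say where an entry runs from, not what it does.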

squirrelz

Tuesday 4th November 2003
O4 - Startup: startit.exe

That looks like a likely candidate for deletion...

squirrelz

Tuesday 4th November 2003
Oh, and close down anything you don't need running, before you run Hijack This - hard to see the wood for the trees otherwise.

You got loadsa sh*te running there.

Close all windows, anything in the system tray you don't need etc.

squirrelz

Tuesday 4th November 2003
Doh, must finish thinking before posting.....

Also try Spybot Search & Destroy. Another good utility for removing this kinda crap.

M@H

Original Poster:

Tuesday 4th November 2003
Thanks for the Help chaps... I killed off that startit thing with HiJackThis, and also Adaware finally found this:

Vendor: Lop.com
Category: Malware
Object Type: File
Size: 98534 Bytes
Location: c:\documents and settings\matt\local settings\temp\tem1d1.exe
Last Activity: 04-11-2003
Risk Level: Low
Comment:
Description: Malware, browser and system hijacker, installs expensive porn dialers, cloaks your registry, application data folder and favorites. Uses random filenames and GUIDS to hide from detection. New versions also known as "WindowActive"

Which it also killed off..

Finally all sorted. No thanks to Norton AV.. I should just install and run PistonHead.exe on a regular basis instead perhaps

Cheers
Matt.

squirrelz

Tuesday 4th November 2003
A hint I saw recently to stop pr0n diallers from working is as follows (I've not tried it, as my internet gateway runs linux and I'm on broadband)

take off the first few digits of your internet access phone number e.g. 0845

put these digits in as the code to dial to get an external line

now when you connect to the internet it will do 0845 xxxxxxx, but a pr0n dialler will do 0845 0898 xyzxyz which won't work.

As I said, I've not tried it, but it sounds plausible.

M@H

Original Poster:

Wednesday 5th November 2003
Just FYI, it was a dialer virus called seksilolita.. only been around for a week or so..

meeja

Wednesday 5th November 2003
How do you catch viruses like these? Surely they have to be "installed" and therefore will run some sort of install programme that will ask you to install?

Or am I talking out of my posteria again?!

Diallers don't worry me too much, as I don't have a phone line connected to my PC anymore..... but (even with a *hopefully* well protected PC) how easily can I catch any of these nasties?

M@H

Original Poster:

Wednesday 5th November 2003
meeja said:
How do you catch viruses like these? Surely they have to be "installed" and therefore will run some sort of install programme that will ask you to install?

Or am I talking out of my posteria again?!

I think you are right about it being installed, however I didn't get an install warning at all, and nothing showed up in the Add/Remove Programs list either. I think this is partly why Norton couldn't find it though, as technically it was a program, not a virus.... AdAware 6.0 picked it up eventually once I'd installed yesterday's latest definition file.

Cheers,
Matt.