dials another number



#1 caemar


Posted 11 July 2004 - 02:22 AM

Hello, I did read the FAQ but still not sure what to do.
When I go online my computer dials up my usual number to go online but a few minutes later something else dials and a little counter appears in the upper left hand corner of my screen ... I have no idea what it is but am worried it might be something you pay for by the minute...so I disconnect....can anyone tell me what might be the matter? or know what it is?

Logfile of HijackThis v1.98.0
Scan saved at 08:07:37, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\fuinvi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Solitudes\scheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\CAROLE~1\LOCALS~1\Temp\Rar$EX00.270\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve...rch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.purplehealth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dplfkyqbthci] C:\WINDOWS\System32\fuinvi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - Startup: Solitudes Stress Relief Exercises.LNK = C:\Program Files\Solitudes\scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5....m/c174/chat.cab
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activewor...ldsDownload.cab
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1025964.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{65910ACE-3B51-4014-A038-D82789205712}: NameServer = 195.92.195.95 195.92.195.94

Thank you for your time and trouble and sorry if I have posted this in the wrong place.
caemar

Edited by caemar, 11 July 2004 - 02:23 AM.


#2 cnm


Posted 11 July 2004 - 10:25 AM

First please move HijackThis.exe to a permanent folder such as C:\HJT\ and run it from there.

You are infected with twaintec. :alarm:
Go to Control Panel "Add/Remove Programs" and Uninstall "Twain-Tech" if it is listed. Reboot the computer to SAFE mode - How do I boot into "Safe" mode?
To permanently disable the software click "Start" and then "Run" and paste the following command, which unregisters the software: regsvr32 /u c:\windows\twaintec.dll
Delete twaintech.dll and twaintec.ini if found. If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

Run an online virus scan, http://www.pandasoft...n_principal.htm and/or http://housecall.trendmicro.com/

After that please scan again with HijackThis.

Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.
(Some of these may no longer be present)

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll <-twaintec transponder

O4 - HKLM\..\Run: [dplfkyqbthci] C:\WINDOWS\System32\fuinvi.exe <-unknown - don't fix if you know what it is
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe <-does the dialup

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1025964.exe

After fix and reboot, delete these files:
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\fuinvi.exe (unless you know what it is)

Then post another log.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
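
Added example, not part of the original posts and not how HijackThis or the helper works: a small Python triage pass over HijackThis log lines that surfaces the kinds of entries singled out in the reply above. The sample lines are copied from the log in this thread; the three heuristics (file directly in C:\WINDOWS, generated-looking Run value name, ActiveX codebase that is a bare .exe or has no name) are assumptions of this example and only produce candidates for manual review.

```python
import re

# Lines copied from the log posted in this thread (URLs are truncated on the page).
SAMPLE_LOG = r"""
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dplfkyqbthci] C:\WINDOWS\System32\fuinvi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1025964.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O4 - <body>"
RUN = re.compile(r"Run: \[([^\]]+)\] (.+)$")              # [value name] command
DPF = re.compile(r"^DPF: (.*?) - (\S+)$")                 # label - codebase URL
WIN_ROOT = re.compile(r"C:\\WINDOWS\\[^\\]+$", re.I)      # file directly in C:\WINDOWS
BARE_CLSID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

def looks_generated(name):
    # Assumed heuristic: long, letters-only name with almost no vowels.
    if not name.isalpha() or len(name) < 8:
        return False
    return sum(c in "aeiou" for c in name.lower()) / len(name) < 0.2

def triage(log):
    """Return [(line, [reasons])] for entries worth a manual look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section in ("O2", "O4") and WIN_ROOT.search(body):
            reasons.append("binary sits directly in C:\\WINDOWS")
        run = RUN.search(body) if section == "O4" else None
        if run and looks_generated(run.group(1)):
            reasons.append("Run value name looks generated")
        dpf = DPF.match(body) if section == "O16" else None
        if dpf and dpf.group(2).lower().endswith(".exe"):
            reasons.append("ActiveX codebase is a bare .exe")
        if dpf and BARE_CLSID.match(dpf.group(1)):
            reasons.append("control has no name, only a CLSID")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings
```

A hit is a prompt to identify the file, not a verdict: vendor software also installs into these locations, and an entry that trips none of the rules can still be unwanted.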


#3 caemar


Posted 02 February 2005 - 05:30 PM

:blush2:
So sorry not to have replied and thank you for your help. I was in the middle of a move from UK to Canada and never actually fixed this but it hasn't happened since I have been here and I guess I just forgot about it with so many other things happening. Thank you again for taking the time to reply. I did use a trojan hunter thing and perhaps that fixed it?
caemar



