~ Trojan Horse Dialer ~ Please Help!!


This topic is locked
3 replies to this topic

#1 goldeelocks (Full Member, 6 posts)

Posted 24 July 2004 - 08:23 AM

Good Morning Everyone ...

Upon waking up this morning I found that AVG found a trojan horse dialer during its overnight scan. It will not heal the file, nor will it move it to the virus vault. I have updated and run the following ... AVG, Housecall, CWShredder, Spybot S&D and also Adaware. The only program finding this trojan is AVG. This is what it tells me: TROJAN HORSE DIALER .10.W was found in: C:\WINDOWS\MEMALLOC.EXE

I am attaching my HJT log in hopes that someone could help me!
Thanks in advance for any help!
~DEE~


Logfile of HijackThis v1.97.7
Scan saved at 9:10:15 AM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8065.3889236111
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73DCD1E6-C241-4EF4-BE34-AFD8EEBF6858}: NameServer = 12.146.70.247 12.146.70.245

#2 goldeelocks (Full Member, 6 posts)

Posted 24 July 2004 - 09:24 AM

Hello Again ...

I think I may have fixed this problem ... so far so good!! I didn't realize (or just wasn't thinking) that there were other users logged on to the computer ... meaning that with XP you have to make sure that all other users are logged off. One of the other users must have had this process running, therefore AVG wouldn't heal it, nor would it move it to the vault! Once I logged everyone else off, AVG healed the file!!! Just to be sure I then deleted everyone's cookies & temp files, turned off System Restore and rebooted .... Seems to be fine now!!
Thanks ... ~Dee~

#3 goldeelocks (Full Member, 6 posts)

Posted 25 July 2004 - 11:30 PM

Hi Again ...

Like it could be that easy ... LOL!! Here I am 2 days later with the same problem!! It seems that the pesky dialer didn't go away. AVG healed it the other day and everything seemed fine. Tonight, while changing some of the settings on my inet disable program, a warning from AVG Resident Shield came up saying to run a scan because of the dialer!!
I have been running this inet disable program for over a year with no problems, so I doubt that it has anything to do with the program, but it must be affecting a file that I need to run it. Just so you know what I am talking about, inet disable is a program made by DeRamp Software that disables access to the internet during certain times .... more or less makes sure that my teenagers get off of the internet at 11pm!! For some reason, now that I have this dialer issue, I can't run the task monitor for inet, therefore it won't turn the internet on or off like it should.
Please help!! I am sleeping with the keyboard under my pillow ... LOL!!
My HJT log is attached.

Thanks for any help that you can give me!!
~Dee~

Logfile of HijackThis v1.97.7
Scan saved at 12:13:25 AM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8065.3889236111
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.bright...bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73DCD1E6-C241-4EF4-BE34-AFD8EEBF6858}: NameServer = 12.146.70.247 12.146.70.245
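The two logs in this thread differ only in ordering, and the [MemAlloc] Run entry that AVG named in post #1 is still present after the "heal". As an added example (not from the original thread or any tool named in it), here is a small Python parser for HijackThis O4 lines that diffs two logs and reports persisting entries whose executable an AV already flagged; the sample input is the thread's own O4 lines and the AV hit name is taken from post #1.

```python
import re
from dataclasses import dataclass
# Constructed input: O4 lines copied from the two HijackThis logs posted in
# this thread (24 July and 26 July); only their order differs.
LOG_0724 = r"""
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
LOG_0726 = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe
O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
# Shape of an O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

@dataclass(frozen=True)
class Autorun:
    hive: str   # HKLM or HKCU
    key: str    # Run, RunOnce, ...
    name: str   # registry value name shown in [brackets]
    exe: str    # executable path, quotes stripped, lower-cased
    args: str   # remaining command-line arguments

def split_command(cmd: str) -> tuple[str, str]:
    """Split a command line into (exe, args); a quoted path may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args

def parse_o4(log: str) -> list[Autorun]:
    """Extract every O4 (registry Run) entry from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe, args = split_command(m.group(4))
            entries.append(Autorun(m.group(1), m.group(2), m.group(3), exe.lower(), args))
    return entries

def unresolved_detections(before: str, after: str, av_hits: set[str]) -> list[str]:
    """Run entries in both logs whose exe the AV named: healed file, surviving autorun."""
    hits = {h.lower() for h in av_hits}
    persisting = set(parse_o4(before)) & set(parse_o4(after))
    return sorted(e.name for e in persisting if e.exe.rsplit("\\", 1)[-1] in hits)
```

A non-empty result means the Run value still points at the flagged file, so the autorun itself, not just the file on disk, still needs attention.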

#4 crazyazn (Full Member, 7 posts)

Posted 27 July 2004 - 08:26 AM

Hi,

I had a similar problem last week.

After you have used all cleaners, sweepers, etc., you might want to check your C drive - Program Files - for folders called Dialers or Instant Access. If you find any unfamiliar folders, have a peek in there. I found a couple of dialers in unfamiliar folders. Delete any files you find there.

Also check your Add/Remove Programs for any unknown exe file and uninstall it.

Edited by crazyazn, 27 July 2004 - 08:27 AM.
