• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
goldeelocks

~ Trojan Horse Dialer ~ Please Help!!

4 posts in this topic

Good Morning Everyone ...

 

Upon waking up this morning I found that AVG found a trojan horse dialer during its overnight scan. It will not heal the file, nor will it move it to the virus vault. I have updated and run the following ... AVG, Housecall, CWShredder, Spybot S&D and also Adaware. The only program finding this trojan is AVG. This is what it tells me : TROJAN HORSE DIALER .10.W was found in : C:\WINDOWS\MEMALLOC.EXE

 

I am attaching my HJT log in hopes that someone could help me!

Thanks in advance for any help!

~DEE~

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:10:15 AM, on 7/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE

C:\Program Files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"

O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8065.3889236111

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{73DCD1E6-C241-4EF4-BE34-AFD8EEBF6858}: NameServer = 12.146.70.247 12.146.70.245

Share this post


Link to post
Share on other sites

Hello Again ...

 

I think I may have fixed this problem ... so far so good!! I didn't realize (or just wasn't thinking), that there were other users logged on the computer ... meaning that with XP you have to make sure that all other users are logged off. One of the other users must have had this process running, therefore AVG wouldn't heal it, nor would it move it to the vault! Once I logged everyone else off, AVG healed the file!!! Just to be sure I then deleted everyones cookies & temp files, turned off system restore and rebooted .... Seems to be fine now!!

Thanks ... ~Dee~

Share this post


Link to post
Share on other sites

Hi Again ...

 

Like it could be that easy ... LOL!! Here I am 2 days later with the same problem!! It seems that the pesky dialer didn't go away. AVG healed it the other day and everything seemed fine. Tonight while changing some of the settings on my inet disable program a warning from AVG resident shield came up saying to run a scan because of the dialer!!

I have been running this inet disable program for over a year with no problems, so I doubt that it has anything to do with the program, but it must be affecting a file that I need to run it. Just so you know what I am talking about, inet disable is a program made by DeRamp Software that disables access to the internet during certain times .... more or less makes sure that my teenagers get off of the internet at 11pm!! For some reason now that I have this dialer issue, I can't run the task moniter for inet, therefore it won't turn the internet on or off like it should.

Please help!! I am sleeping with the keyboard under my pillow ... LOL!!

My HJT log is attached.

 

Thanks for any help that you can give me!!

~Dee~

 

Logfile of HijackThis v1.97.7

Scan saved at 12:13:25 AM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [mjqzwf] C:\WINDOWS\mjqzwf.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe

O4 - HKLM\..\Run: [MemAlloc] C:\WINDOWS\MemAlloc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /A "C:\WINDOWS\System32\E_S7.tmp"

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8065.3889236111

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{73DCD1E6-C241-4EF4-BE34-AFD8EEBF6858}: NameServer = 12.146.70.247 12.146.70.245

Share this post


Link to post
Share on other sites

Hi,

 

I had a similar problem last week.

 

After you have used all cleaners,sweepers e.t.c you might want to

check your C Drive - Program files - Folders called -Dialers or Instant access. If you find any unfamiliar folders have a peek in there. I found a couple of dialers in unfamiliar folders.

Delete any files you find there.

 

Also check your Add/Remove program for any unknown exe file and unstall it.

Edited by crazyazn

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0