trojan horse dialer.11.BU



#1
maruska

Hi. About a month ago I got a message popup saying that a trojan horse dialer.11.bu was on the system. I keep getting this popup every time I stop working (inactive). AVG detected it (the popup is AVG's), but could not deal with it (when I ran the scan no viruses were detected). Ran adware, noadware, Spyware Doctor and some others, but nothing helped. The virus is still there.

I am attaching a log from a scan by HijackThis and would be very grateful for any help you could give me in getting rid of the problem.

Logfile of HijackThis v1.97.7
Scan saved at 2:01:26 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Antivirus\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\dslmon.exe
C:\Programs\winzip\WZQKPICK.EXE
C:\PROGRAMS\ANTIVI~1\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Programs\Trojan Remover\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Programs\Antivirus\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Trojan Remover\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programs\winzip\WZQKPICK.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Programs\Avant\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Programs\Avant\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Programs\Avant\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Programs\Avant\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Programs\Avant\Search.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks, Maruska

#2
-=jonnyrotten=-

Click Here to download the latest version of Hijack This (1.98.2). It's better able to catch the latest threats.

-=jonnyrotten=-

#3
maruska

Thanks for the link... (and fast reply of course)
Here's a new log from HijackThis 1.98.2. Dunno what to delete (if anything). Can you help?

Logfile of HijackThis v1.98.2
Scan saved at 7:56:33 PM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Antivirus\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAMS\ANTIVI~1\avgserv.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\dslmon.exe
C:\Programs\winzip\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Programs\Antivirus\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Trojan Remover\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programs\winzip\WZQKPICK.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Programs\Avant\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Programs\Avant\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Programs\Avant\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Programs\Avant\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Programs\Avant\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E629DFD-D5F7-49F2-A4C1-1E1EDBE3F3A1}: NameServer = 212.116.161.37 212.117.129.5


Maruska

#4
-=jonnyrotten=-

Ok, your log looks clean, I think this will work. Go to control panel, performance and maintenance, system, click the "system restore" tab at the top. Check the box that says "turn off system restore" (note: you can only do this if you logged in with an account that has administrative privileges), click ok and run AVG. Most likely it will be able to clean the trojan. If not, then reboot into safe mode (press F8 right after the first screen you see when you turn the PC on and you will get a list of options; choose "safe mode") and run AVG again. Next, reboot normally and go back to system restore and uncheck the box. This will create a fresh new restore point. Let us know if AVG still detects the trojan.

Also it looks like you are running Avant and Avg, I highly suggest only running one anti virus program as more than one can cause conflict.

-=jonnyrotten=-

#5
maruska

Ok, did what you told me. AVG didn't find anything (neither in the regular, nor in the safe mode), but........... the popup disappeared!!!!!
Does this mean that the horse is gone?
If so - thank you, thank you, thank you

#6
-=jonnyrotten=-

Well, the trojan is supposedly gone by just turning off system restore and turning it back on. So I just thought I'd have you run your AVG while system restore was off just to be sure. I believe your trojan is gone! Yaaaaaay!

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.

-=jonnyrotten=-