
Unknown dialer InstantConnect

Discussion in 'Malware and Virus Removal Archive' started by FdS65, 2007/04/01.

  1. 2007/04/01
    FdS65

    FdS65 Inactive Thread Starter

    Joined:
    2007/04/01
    Messages:
    3
    Likes Received:
    0
    Hi all,
    I've read other threads on similar issues. My problem seems like the AxFreePorn dialer, but AVG Anti-Spyware didn't recognise it completely.
    I became aware of the "infection" when my ISP connection went down and some other process tried to dial a different number. Fortunately I had blocked all high-billed services on my line, so the dialer didn't get connected.
    I've removed the remote access configuration (named InstantConnect), but not yet the root cause.
    I did a scan with Spybot S&D without any alert. Restarting the system after the infection, I got an error from an IBM ThinkPad startup service, "QCTRAY.EXE", being unable to find "QCON.DLL", and the installed Trend antivirus didn't start anymore.

    In the meantime, following the instructions given by your great staff in other threads, I installed AVG Anti-Spyware and ran it, along with HJT and FindAWF.

    Many thanks in advance for your help!

    Last edited: 2007/04/01
  2. 2007/04/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi FdS65
    Welcome to WindowsBBS.
    First let me tell you that I do not speak Italian :)

    So you will need to help me out here. I need you to let me know whether you know who or what these are, and whether you know them to be safe.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corteconti.it:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;cdc*;intranet*;SI0*;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O1 - Hosts: 193.111.46.53 mercurio.convergere.com


    AVG missed a lot of files, so we will have to do this manually.

    Open Task Manager to the Processes tab and, if any of these exes has a running process, end the process. Then delete these files from their locations.

    24076 31 Mar 2007 "C:\IBMTOOLS\utils\ibmprc.exe "
    24076 31 Mar 2007 "C:\WINDOWS\system32\hkcmd.exe "
    24076 31 Mar 2007 "C:\WINDOWS\system32\igfxtray.exe "
    24076 31 Mar 2007 "C:\Programmi\IBM\Messages By IBM\ibmmessages.exe "
    24076 31 Mar 2007 "C:\Programmi\IBM\Updater\ucstartup.exe "
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\ConnectUtilities\QCTRAY.EXE "
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\ConnectUtilities\QCWLICON.EXE "
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE "
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\Utilities\EzEjMnAp.Exe"
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe"
    24076 31 Mar 2007 "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe "
    24076 31 Mar 2007 "C:\Programmi\Trend Micro\OfficeScan Client\RAUAgent.exe "
    24076 31 Mar 2007 "C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe "


    Open the bak folder within each file's location, then copy the original and paste it back into the directory you deleted the rogue from.

    94208 10 Mar 2004 "C:\Programmi\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe "
    839771 8 Jan 2003 "C:\Programmi\Trend Micro\OfficeScan Client\bak\RAUAgent.exe "
    458752 13 Jul 2004 "C:\Programmi\Trend Micro\OfficeScan Client\bak\pccntmon.exe "
    897024 24 Oct 2003 "C:\Programmi\ThinkPad\Utilities\bak\TpKmapAp.exe"
    208896 25 Dec 2003 "C:\Programmi\ThinkPad\Utilities\bak\EzEjMnAp.Exe"
    20480 25 Dec 2003 "C:\Programmi\ThinkPad\Utilities\bak\BMMLREF.EXE "
    49152 12 Mar 2004 "C:\Programmi\ThinkPad\ConnectUtilities\bak\QCWLICON.EXE "
    663552 12 Mar 2004 "C:\Programmi\ThinkPad\ConnectUtilities\bak\QCTRAY.EXE "
    36864 1 Oct 2003 "C:\Programmi\IBM\Updater\bak\ucstartup.exe "
    581632 20 Jan 2004 "C:\Programmi\IBM\Messages By IBM\bak\ibmmessages.exe "
    155648 16 Dec 2003 "C:\WINDOWS\system32\bak\igfxtray.exe "
    118784 16 Dec 2003 "C:\WINDOWS\system32\bak\hkcmd.exe "
    90112 19 Mar 2004 "C:\IBMTOOLS\utils\bak\ibmprc.exe "


    If there is an InstantAccess icon on the desktop, delete it.
    If there is an AxFreePorn dialup connection present, delete it.
    If there is a "CONNECT" in your add/remove list delete it.

    Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything it can, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program to clean out their temporary files as well.

    When you have finished, click on the Exit button in the Main menu.

    Reboot, then run FindAWF again and post the log.

    Geri
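    The FindAWF listing above shows the pattern this whole fix relies on: each hijacked program has been overwritten by a rogue copy of one identical size (24076 bytes in the log) and the original has been moved into a `bak` sub-folder beside it. The script below is an added example for triaging that pattern; it is not part of the thread and not FindAWF itself. It walks a directory tree, pairs every file in a `bak` folder with the same-named file in the parent folder, flags pairs whose live copy no longer matches the backed-up original, and groups the flagged live files by hash so that one dropper copied over many unrelated programs stands out as a single hash shared by many paths. The directory tree it inspects is constructed in a temporary folder with fake, inert contents; only the layout and the 24076-byte size are taken from the log.

```python
"""Triage helper for the 'bak'-folder file-replacement pattern.

Added example, not FindAWF itself. It walks a directory tree, pairs every
file in a 'bak' sub-folder with the same-named file in the parent folder,
flags pairs whose live copy no longer matches the backed-up original, and
groups the flagged live files by hash so one dropper copied over many
programs shows up as a single hash shared by many paths.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Uniform size of every rogue copy in the FindAWF log above.
DROPPER_SIZE = 24076


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root) -> list:
    """One record per (live file, bak/<same name>) pair under root.

    Folder-name matching is case-insensitive to mirror Windows semantics
    even when the tree is examined from another OS."""
    records = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() != "bak":
                continue
            bak_dir = Path(dirpath) / d
            for bak_file in sorted(bak_dir.iterdir()):
                live = bak_dir.parent / bak_file.name
                if not (bak_file.is_file() and live.is_file()):
                    continue  # a backup with no live counterpart replaced nothing
                records.append({
                    "name": bak_file.name,
                    "live": live,
                    "bak": bak_file,
                    "live_size": live.stat().st_size,
                    "bak_size": bak_file.stat().st_size,
                    "live_hash": sha256_of(live),
                    "bak_hash": sha256_of(bak_file),
                })
    return sorted(records, key=lambda r: str(r["live"]).lower())


def suspicious(records) -> list:
    """Pairs whose live file differs from the original kept in bak."""
    return [r for r in records if r["live_hash"] != r["bak_hash"]]


def shared_hash_groups(records) -> dict:
    """Each live-file hash seen on more than one suspicious path, with those paths."""
    groups = defaultdict(list)
    for r in suspicious(records):
        groups[r["live_hash"]].append(r["live"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def report(root) -> dict:
    records = find_bak_pairs(root)
    sus = suspicious(records)
    sizes = {r["live_size"] for r in sus}
    return {
        "pairs": len(records),
        "suspicious": len(sus),
        "uniform_size": len(sizes) == 1,
        "size_matches_log": sizes == {DROPPER_SIZE},
        "shared_hash_groups": {h: len(p) for h, p in shared_hash_groups(records).items()},
        # (source, destination) for the manual "copy the original back" step
        "restore_actions": [(str(r["bak"]), str(r["live"])) for r in sus],
    }


def build_sample_tree() -> Path:
    """Constructed sample only: the layout mirrors a few paths from the log
    above, the file contents are fake and inert."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    dropper = b"FAKE-DROPPER-PLACEHOLDER".ljust(DROPPER_SIZE, b"\0")
    originals = {
        "WINDOWS/system32/hkcmd.exe": b"original hkcmd",
        "WINDOWS/system32/igfxtray.exe": b"original igfxtray",
        "Programmi/ThinkPad/Utilities/EzEjMnAp.Exe": b"original EzEjMnAp",
    }
    for rel, content in originals.items():
        live = root / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        live.write_bytes(dropper)                                 # rogue copy in place
        (live.parent / "bak").mkdir(exist_ok=True)
        (live.parent / "bak" / live.name).write_bytes(content)    # displaced original
    # An honest backup: live file identical to its bak copy, must not be flagged.
    tool = root / "Programmi/SomeTool/tool.exe"
    tool.parent.mkdir(parents=True)
    tool.write_bytes(b"unchanged tool")
    (tool.parent / "bak").mkdir()
    (tool.parent / "bak" / "tool.exe").write_bytes(b"unchanged tool")
    return root


if __name__ == "__main__":
    for key, value in report(build_sample_tree()).items():
        print(f"{key}: {value}")
```

    The script only reports; the restore itself is the manual step Geri describes (copy the `bak` original back over the rogue). A hash mismatch on its own is not proof, since a legitimate update can also leave an older copy behind, so the telltale to look for is the combination the log shows: many programs from different vendors all replaced by files of one identical size and hash.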

  4. 2007/04/01
    FdS65

    FdS65 Inactive Thread Starter

    Joined:
    2007/04/01
    Messages:
    3
    Likes Received:
    0
    Hi Geri,
    thanks for your flash reply :)

    About your question:

    They aren't anything to worry about. They are safe.

    I followed your instructions and I guess it's all OK now. :D Isn't it?


    Thank you again for your valuable help!

    FdS
     
  5. 2007/04/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi FdS65

    That looks good. That's what we wanted to see.

    It looks like you deleted the BAK folders too? If not, it's a good idea to do so.

    We have just a few more things to do, mostly maintenance and then our recommendations:

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all, and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted into startup on your machine.

    Now, just having security apps installed is not enough; they are useless unless updated regularly.

    7. Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only. It cleans out temporary files and all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
    11. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

    Surf Safely
    Geri
  6. 2007/04/08
    FdS65

    FdS65 Inactive Thread Starter

    Joined:
    2007/04/01
    Messages:
    3
    Likes Received:
    0
    Hi Geri,

    Yes, I did it.

    Thanks for your valuable suggestions to keep the system secure but, in this case, I was protected with the most up-to-date WinXP patches and antivirus and anti-spyware software.

    I guess that the malware was installed through the latest zero-day "cursor animation" vulnerability. The threat hits Windows XP and Vista too.

    Further information on US-CERT and the CVE database:
    http://www.kb.cert.org/vuls/id/191609
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038

    I suggest everyone update their system ASAP with the patch just released in Microsoft security bulletin MS07-017.

    Best regards,
    FdS