
Something trying to dial out

Discussion in 'Security and Privacy' started by Grunty, 2004/05/04.

Thread Status:
Not open for further replies.
  1. 2004/05/04
    Grunty

    Grunty Inactive Thread Starter

    Joined:
    2002/11/07
    Messages:
    326
    Likes Received:
    0
    On an XP home machine, at startup and then every couple of minutes, the dial-up prompt appears. Also when IE is opened, a couple of pop-ups appear too.

    The ads were far worse than they are now, but I have run Ad-Aware, Spybot, CWShredder, emptied all temp internet folders and uninstalled a few programmes I did not recognise (the machine doesn't belong to me). Things have improved a little, but the dial-up still appears.

    The machine also takes longer to boot up than it should with the amount of things that are loading.

    Below is a Hijackthis log. Would be grateful for any suggestions.

    Logfile of HijackThis v1.97.7
    Scan saved at 13:16:29, on 04/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BT Digital Access USB\gsyno.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\System32\tsapldlg.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Owner\Application Data\ceel.exe
    C:\Program Files\BT Digital Access USB\vstartx.exe
    C:\WINDOWS\System32\wnsintsu.exe
    C:\Program Files\BT Digital Access USB\gisdnlog.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\bdsgk.exe
    C:\WINDOWS\System32\Tvw4As6.exe
    C:\WINDOWS\System32\Aym5uFK.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\System32\wiaacmgr.exe
    C:\WINDOWS\System32\svchost.exe
    E:\spybot\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manx.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [gnH3AT] C:\docume~1\owner\locals~1\temp\gnH3AT.exe
    O4 - HKLM\..\Run: [TJzz] C:\docume~1\owner\locals~1\temp\TJzz.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [3W36NKJ4T46P@A] C:\WINDOWS\System32\Syf9524W.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [4FEf3Fe] C:\WINDOWS\System32\tsapldlg.exe
    O4 - HKLM\..\Run: [bdsgk] C:\WINDOWS\System32\bdsgk.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [Satu] C:\Documents and Settings\Owner\Application Data\ceel.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Owner\Local Settings\Temp\ms1.tmp "
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
    O16 - DPF: Host On-Demand 4.0 - file://D:\Hod403\hodbase.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {99F9EF50-DEA2-4042-AF00-B1750610EA0F} (NetManage IE Frame) - https://www.ecom.honda-eu.com/w2hlegacy/express/hostexpress.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks
     
  2. 2004/05/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I'm sure you'll get some real expert looks later, but I spot quite a few things running from \system32 that look strange, and that is often an indication that a virus dropped them on you.

    C:\WINDOWS\System32\bdsgk.exe
    C:\WINDOWS\System32\Tvw4As6.exe
    C:\WINDOWS\System32\Aym5uFK.exe


    Same thoughts about the stuff running from Temp

    O4 - HKLM\..\Run: [gnH3AT] C:\docume~1\owner\locals~1\temp\gnH3AT.exe
    O4 - HKLM\..\Run: [TJzz] C:\docume~1\owner\locals~1\temp\TJzz.exe


    A good virus scan from an online scanner is in order here I think. If the machine is badly infected any onboard AV may not be reliable.
     
    Newt,
    #2
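    Newt's pointers (odd names under \system32, anything launching from Temp) can be turned into a first-pass triage of the O4 lines. This is an added example for this thread, not a tool from the forum, HijackThis or any of the posters; the sample entries are copied from Grunty's log above, and the "random-looking name" test is a crude heuristic that will false-positive on short legitimate names.

```python
import re
# Sample O4 (Run key) entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [gnH3AT] C:\docume~1\owner\locals~1\temp\gnH3AT.exe
O4 - HKLM\..\Run: [TJzz] C:\docume~1\owner\locals~1\temp\TJzz.exe
O4 - HKLM\..\Run: [3W36NKJ4T46P@A] C:\WINDOWS\System32\Syf9524W.exe
O4 - HKLM\..\Run: [bdsgk] C:\WINDOWS\System32\bdsgk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Owner\Local Settings\Temp\ms1.tmp "
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')  # O4 - <hive>\..\<key>: [<name>] <command>

def target_path(cmd):
    """Return the launched file from the value data, dropping quotes and trailing switches."""
    m = re.match(r'\s*"([^"]*)"', cmd)
    if m:
        return m.group(1).strip()
    m = re.match(r'(.*?\.(?:exe|com|scr|pif|bat|tmp|dll))', cmd, re.I)
    return m.group(1).strip() if m else cmd.strip()

def looks_random(token):
    """Crude triage heuristic (expect false positives): letters mixed with digits, or no vowels at all."""
    stem = re.sub(r'\.[A-Za-z0-9]+$', '', token)  # drop any extension
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return bool(letters and digits) or (letters > 0 and vowels == 0)

def triage(log_text):
    """Return (where, path, reasons) for O4 entries that match the red flags raised in this thread."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        path = target_path(cmd)
        low = path.lower()
        checks = [
            ("\\temp\\" in low or "\\recycled\\" in low, "runs from a Temp or Recycled folder"),
            (not low.endswith(".exe"), "autorun target is not an .exe"),
            ("\\system32\\" in low and looks_random(path.rsplit("\\", 1)[-1]), "random-looking filename in System32"),
            (looks_random(name), "random-looking Run value name"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings.append((f"{hive}\\..\\{key} [{name}]", path, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two Temp entries, the .tmp launched by DealHelperDown and the two odd System32 names, and leaves ccApp and ctfmon.exe alone; anything it flags still needs a human (or a scanner) to confirm.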

  4. 2004/05/04
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Grunty,

    O4 - HKLM\..\Run: [gnH3AT] C:\docume~1\owner\locals~1\temp\gnH3AT.exe
    O4 - HKLM\..\Run: [TJzz] C:\docume~1\owner\locals~1\temp\TJzz.exe

    Stuff like this should be cleared out when the browser disconnects - clear the TIF folder and go into Internet Options > Advanced tab and scroll down to "Empty Temporary Internet Files folder when browser is closed", ticking the box for it to clear out automatically on disconnect. It also saves disk space. Also clear the temp under \local\ - this should be part of a cyclic housekeeping routine.

    Regards - Charles
     
    Last edited: 2004/05/04
  5. 2004/05/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    You haven't let Spybot restart with the PC after cleaning up to finish, or did you just set it to RunOnce at startup?
    Peper trojan aka SandBoxer :mad:
    Download this uninstall tool for Peper infections
    here
    or here
    Double-click on uninst.exe. Make sure you let it have internet access through any firewalls and such.
    Let it run and terminate.

    Then run it again.

    And Reboot


    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit Fix selected.
    =========
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O4 - HKLM\..\Run: [gnH3AT] C:\docume~1\owner\locals~1\temp\gnH3AT.exe
    O4 - HKLM\..\Run: [TJzz] C:\docume~1\owner\locals~1\temp\TJzz.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [4FEf3Fe] C:\WINDOWS\System32\tsapldlg.exe
    O4 - HKLM\..\Run: [bdsgk] C:\WINDOWS\System32\bdsgk.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [Satu] C:\Documents and Settings\Owner\Application Data\ceel.exe
    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Owner\Local Settings\Temp\ms1.tmp "
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    [CHM exploit; get updated to protect against this ^^]
    =============
    24 items
    Reboot, then find and delete (ONLY THESE EXACT) files and folders.
    Be very careful; if you're unsure, leave them be.
    You might have to have Windows show hidden files and folders in order to see them.
    How to show hidden files and folders.
    c:\Recycled\1.exe << and any other exes in there
    C:\WINDOWS\System32\wnsintsu.exe
    C:\WINDOWS\System32\msgked.exe
    C:\WINDOWS\System32\bdsgk.exe
    C:\WINDOWS\System32\tsapldlg.exe
    C:\Program Files\Common Files\Dpi
    C:\WINDOWS\system32\pcs
    C:\Program Files\AutoUpdate
    C:\WINDOWS\alchem.exe
    C:\PROGRAM FILES\INCREDIFIND
    C:\PROGRAM FILES\Lycos

    Important: next, delete the contents of all your temp folders, as in:
    C:\documents and settings\(all your pc users)\local settings\temp
    and the contents of the C:\windows\temp folder.
    Clear IE's cache via Control Panel > Internet Options, the [Delete Files] button, and mark the popup to also delete offline content.


    Surf for a few hours, then make and post a fresh log.

    O16 - DPF: Host On-Demand 4.0 - file://D:\Hod403\hodbase.cab
    This is odd; can you provide more information?
     