
Rogue program dialing internet... [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by jglaing, 2005/10/16.

  1. 2005/10/16
    jglaing (Thread Starter)

    About every 30 minutes, my home computer dials the internet (I use EarthLink dial-up), but it doesn't connect.

    I have run Spybot twice and Ad-Aware once, and I am using the PC-cillin firewall (I tried switching to ZoneAlarm; both on high settings). I also tried cleaning the registry (SystemSuite and System Mechanic), but I can't figure out what is dialing out.

    Anyway, here is the log from HijackThis...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:04:31 AM, on 10/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\surfmonkey\SMProxy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\VCOM\PowerDesk\PDExplo.exe
    C:\DOCUME~1\Daddy\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
    O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe "
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06f2f1fb97290c39ab23/netzip/RdxIE601.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124358123828
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Also, here is part of the modem log...

    10-16-2005 14:34:23.338 - Opening Modem
    10-16-2005 14:34:23.338 - 115200,8,N,1, ctsfl=1, rtsctl=2
    10-16-2005 14:34:23.338 - Initializing modem.
    10-16-2005 14:34:23.354 - Send: AT<cr>
    10-16-2005 14:34:23.354 - TSP(0000): Making Call
    10-16-2005 14:34:23.354 - Recv: AT<cr>
    10-16-2005 14:34:23.354 - Command Echo
    10-16-2005 14:34:23.354 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.354 - Interpreted response: OK
    10-16-2005 14:34:23.369 - Send: AT &F E0 V1 &D2 &C1 S95=47 S0=0<cr>
    10-16-2005 14:34:23.369 - Recv: AT &F E0 V1 &D2 &C1 S95=47 S0=0<cr>
    10-16-2005 14:34:23.369 - Command Echo
    10-16-2005 14:34:23.385 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.385 - Interpreted response: OK
    10-16-2005 14:34:23.401 - Send: ATS7=60S30=26L0M1\N3%C3&K3B0N1\J1X4<cr>
    10-16-2005 14:34:23.401 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.401 - Interpreted response: OK
    10-16-2005 14:34:23.401 - Waiting for a call.
    10-16-2005 14:34:23.416 - Send: at+vcid=1<cr>
    10-16-2005 14:34:23.432 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.432 - Interpreted response: OK
    10-16-2005 14:34:23.448 - Send: ATS0=0<cr>
    10-16-2005 14:34:23.448 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.448 - Interpreted response: OK
    10-16-2005 14:34:23.448 - 115200,8,N,1, ctsfl=1, rtsctl=2
    10-16-2005 14:34:23.448 - Initializing modem.
    10-16-2005 14:34:23.463 - Send: AT<cr>
    10-16-2005 14:34:23.463 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.463 - Interpreted response: OK
    10-16-2005 14:34:23.479 - Send: AT &F E0 V1 &D2 &C1 S95=47 S0=0<cr>
    10-16-2005 14:34:23.494 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.494 - Interpreted response: OK
    10-16-2005 14:34:23.510 - Send: ATS7=60S30=0L0M1\N3%C3&K3B0N1\J1X4<cr>
    10-16-2005 14:34:23.510 - Recv: <cr><lf>OK<cr><lf>
    10-16-2005 14:34:23.510 - Interpreted response: OK
    10-16-2005 14:34:23.510 - Dialing.
    10-16-2005 14:34:23.510 - TSP Completing Async Operation(0x0001013e) Status 0x00000000
    10-16-2005 14:34:23.510 - TSP(0000): LINEEVENT: LINECALLSTATE_DIALING
    10-16-2005 14:34:23.510 - TSP(0000): LINEEVENT: LINECALLSTATE_PROCEEDING
    10-16-2005 14:34:23.526 - Send: ATDT#######<cr>

    The culprit seems to be TSP(0000), but I don't know what it is or what it does.

    Thanks for any help! This has been most annoying.

    Joseph
     
  2. 2005/10/17
    oshwyn5

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

    http://www.spywareremove.com/remove90C9629ECD3211D3BBFB00105A1F0D68.html
    http://www.sophos.com/virusinfo/analyses/dialdyfucaa.html


    So run HijackThis with all windows closed, choose "Scan only", check this entry and click "Fix":
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab

    I suspect you only have this one entry, but I suggest you check for the following registry entries and remove them if found.
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\180ax
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ixizgfcp
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msbb
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\saie

    Then do a file search for the following and, if found, deregister them with the regsvr32 /u command:
    msbbhook.dll
    ncmyb.dll
    nem216.dll
    nem218.dll
    saiehook.dll
    myDll.dll
    (Go to start / run and type regsvr32 /u msbbhook.dll and hit enter for example)

    Likewise, use Task Manager to check for the following processes and kill them if found.
    End Processes (may or may not exist):
    180ax.exe
    actalert.exe
    msbb.exe
    optimize.exe
    saie.exe
    isetup.exe
    DyFuCa Active Alert
    DyFuCA

    Delete folders if found
    Remove Directories:
    programfilesdir+\180solutions\
    programfilesdir+\internet optimizer\
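    The checklist above is a set of indicators (a CLSID, Run value names, DLL names, process names and folders). The script below is an added example, not code from this thread or from HijackThis: it parses a HijackThis 1.99-style log and reports every line that hits one of those indicators, which is a safe way to re-check a saved log before touching the registry. The indicator table is the one in the reply above; the sample log is constructed here (most lines are copied from the log in the first post, plus one process line and one O4 Run line made up so the Run-key and folder indicators actually fire).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Indicator classes from the reply above (DyFuCa / Internet Optimizer).
# Matching is case-insensitive throughout.
INDICATORS: Dict[str, Set[str]] = {
    "clsid": {"{90C9629E-CD32-11D3-BBFB-00105A1F0D68}"},
    "run_value": {"180ax", "ixizgfcp", "msbb", "saie"},
    "dll": {"msbbhook.dll", "ncmyb.dll", "nem216.dll", "nem218.dll",
            "saiehook.dll", "mydll.dll"},
    "process": {"180ax.exe", "actalert.exe", "msbb.exe", "optimize.exe",
                "saie.exe", "isetup.exe"},
    "directory": {"\\180solutions\\", "\\internet optimizer\\"},
}

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ENTRY_RE = re.compile(r"^[ORF]\d+ - ")


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class that matched
    value: str   # matched indicator (lower-cased; CLSIDs upper-cased)
    line: str    # the log line it was found on


def parse_hjt(text: str) -> Tuple[List[str], List[str]]:
    """Split a HijackThis log into its running-process list and its O/R/F entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False              # a blank line ends the process block
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(text: str, indicators: Dict[str, Set[str]] = INDICATORS) -> List[Finding]:
    """Return one Finding per (indicator class, value, log line) hit in the log."""
    processes, entries = parse_hjt(text)
    hits: List[Finding] = []
    clsids = {c.upper() for c in indicators["clsid"]}

    def check_path(line: str, path: str) -> None:
        low = path.lower()
        name = _basename(low)
        if name in indicators["process"]:
            hits.append(Finding("process", name, line))
        if name in indicators["dll"]:
            hits.append(Finding("dll", name, line))
        for d in indicators["directory"]:
            if d in low + "\\":           # trailing '\' so a bare folder path also matches
                hits.append(Finding("directory", d.strip("\\"), line))

    for proc in processes:
        check_path(proc, proc)

    for entry in entries:
        m = CLSID_RE.search(entry)
        if m and m.group(0).upper() in clsids:
            hits.append(Finding("clsid", m.group(0).upper(), entry))
        m4 = O4_RE.match(entry)
        if m4:
            if m4.group("name").lower() in indicators["run_value"]:
                hits.append(Finding("run_value", m4.group("name").lower(), entry))
            check_path(entry, m4.group("cmd").strip().strip('"').strip())
        elif " - " in entry:
            # O2/O3/O9/O16/O23 lines end with " - <path or URL>": check that part
            check_path(entry, entry.rsplit(" - ", 1)[-1].strip())
    return hits


# Constructed sample: lines copied from the log in the first post, plus one
# process line and one O4 line made up here so the Run-key indicator fires.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\surfmonkey\SMProxy.exe
C:\Program Files\180solutions\msbb.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [msbb] C:\Program Files\180solutions\msbb.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<10} {f.value:<42} {f.line}")
```

    On the sample it reports the O16 CLSID, the constructed msbb Run value, and the msbb.exe process and 180solutions folder on both the process line and the O4 line; the genuine Spybot BHO and the Yahoo DPF entry are left alone. The script only reads a saved log, so it reports what the reply says to look for without deleting anything; the live checks (Run keys, file search, Task Manager, the two folders) are still done by hand as described above.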
     
  4. 2005/10/19
    jglaing (Thread Starter)

    oshwyn5...question about DyFuCA

    oshwyn5,

    I followed above steps but still have the problem.

    Downloaded quite a few spyware packages to see what they would detect. SpyHunter was the only one that detected the DyFuCA. The others said that they would remove it, but none except SpyHunter detected it.

    a2 (a-squared) noted that a dialer was attempting to make a connection (rasautou.exe), which I assume is connected with DyFuCA, but I couldn't delete it (it kept returning).

    The isetup.exe file is hiding, and I can't see it even though SpyHunter says that it is located in Windows\Downloaded Files.

    It appears that I may not have the expertise to get rid of this. However, before I plunk down the money for SpyHunter, what is your experience with it vs. other spyware programs? Currently using both SpyBot and Ad-Aware, neither of which detects DyFuCA.

    Thanks and any advice is appreciated!

    Joseph
     
