
nightmare dialer


bubomb

Please can anyone help - the most aggressive dialer I have ever seen is hijacking my pc. I know all the dialer tricks that fool you into installing it, but this one appears from nowhere, disconnects my ntl dial up, and the only way to stop it is to pull the plug. It happens no matter what I am looking at. I've tried anti virus, spybot, ad-aware, deleted all reference from the registry, but I cannot stop it. The dialer continues to self install itself roughly once every 2 days. I managed to get some details of it - it's called AdultX, connects to xxxserver and dials the number 5551212. I would be very grateful if anyone has some advice. I must be missing something in my system, maybe something in the windows folder or registry. I manually uninstall the dialer under my network connections and remove all visible trace of it, but still it reappears. I can't download anything for fear of this dialer appearing - any ideas?

p.s - it also changes my home page to www.123found.com

cheers


Logfile of HijackThis v1.97.6
Scan saved at 19:13:49, on 18/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Stuart Cameron\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.f250.mail.yahoo.com/ym/login?.ra...jqetfel&login=1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1176EF3B-D5EB-4908-B12E-49665C12FE9A}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{1176EF3B-D5EB-4908-B12E-49665C12FE9A}: NameServer = 194.168.4.100 194.168.8.100

There is no sign of it as far as I can tell. I have downloaded spyblaster, and it has no reference to the AdultX dialer. My homepage changes to www.123found.com, but I cannot find any information on this hijack address. It looks like I have managed to remove all trace of this dialer, but then it reappears out of nowhere.

There is definitely something still hidden in my pc. Any ideas?


Thanks Mark. I have tried all the good anti virus and trojan stuff. With a bit of luck that's the bugger gone, those links hopefully have fixed everything. If it comes back, I will post the HijackThis report. I'm off now to watch the Scotland U21 game. Thanks for the help everybody.


Guest northamuk

If it dials 011 (an American dial-out prefix) you may not have a problem unless it is sophisticated enough to know that it has to change the prefix to 00677 from the UK - naturally presupposing that you are NOT in the USA.

