
Trojan and Malware


  • This topic is locked
3 replies to this topic

#1 lucky71

lucky71

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 18 August 2004 - 07:57 PM

:thumbsup:


Hi Folks,

We need some help! My friend's computer uses a Windows 98 version, Avast (antivirus), Spybot and AdAware.

Last Sunday, we started Avast scan and it found a Trojan "Win32:Dialui-B[TRJ]", but the scan did not accept our command to delete it.

Also, we started HijackThis scan and found:

Logfile of HijackThis v1.98.2
Scan saved at 18:22:13, on 18/08/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\UOL\ACELERADOR UOL\VCN.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\ARQUIVOS DE PROGRAMAS\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPA.EXE
C:\ARQUIVOS DE PROGRAMAS\UOL\ACELERADOR UOL\ACUOLCLT.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\PIOLET\PIOLET.EXE
C:\ARQUIVOS DE PROGRAMAS\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\ARQUIVOS DE PROGRAMAS\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\ARQUIVOS DE PROGRAMAS\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\ARQUIVOS DE PROGRAMAS\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HICKJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://radaruol.uol.com.br/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornecido por UOL
F1 - win.ini: run=hpfsched
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Arquivos de programas\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Detector de disco] C:\Arquivos de programas\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\ARQUIV~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [might] c:\windows\system\might.bat
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [AceleradorUOL] "C:\ARQUIVOS DE PROGRAMAS\UOL\ACELERADOR UOL\ACUOLCLT.EXE"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\SYSTEM\WINdirect.exe
O4 - HKLM\..\Run: [PIOLET] C:\ARQUIVOS DE PROGRAMAS\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [CreateCD] C:\ARQUIV~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Acelerador UOL] "C:\Arquivos de programas\UOL\Acelerador UOL\vcn.exe" -f "C:\Arquivos de programas\UOL\Acelerador UOL\acelerador.cfg" -Srun
O4 - HKLM\..\RunServices: [avast!] C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\SYSTEM\WINdirect.exe
O4 - Startup: Inicialização do Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O4 - Startup: Localização acelerada da Microsoft.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.uol.com.br/
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O18 - Filter: text/html - {1F08F220-D403-11D8-AB62-0008540E2FFE} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.15.DAT

May you help us? Thank you in advance.
lucky71
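As an added example (not from the thread or from HijackThis itself), a small Python helper that parses the `O4` autostart lines of a HijackThis log and applies three generic triage heuristics a reviewer would use when reading one: a value name spelled like a program that launches a different program, a Run key that launches a script, and the same entry registered under both HKLM and HKCU. The sample lines are copied from the log posted above; the rule names and the `SCRIPT_EXTS` set are this example's own choices, and a hit only means "look at this entry", not a verdict.

```python
import re

# Shape of a HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First token of the command line that looks like a program file; surrounding quotes are optional.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?P<ext>exe|bat|cmd|com|pif|scr))\b"?', re.IGNORECASE)
SCRIPT_EXTS = {"bat", "cmd", "pif", "scr"}  # assumption: extensions treated as "script-like"

# Constructed sample: O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [might] c:\windows\system\might.bat
O4 - HKLM\..\Run: [WinampAgent] "C:\ARQUIVOS DE PROGRAMAS\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\SYSTEM\WINdirect.exe
O4 - HKLM\..\RunServices: [avast!] C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\SYSTEM\WINdirect.exe
"""

def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, name, cmd, plus program (basename) and ext."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        p = EXE_RE.match(e["cmd"])
        e["program"] = p.group("path").rsplit("\\", 1)[-1].lower() if p else None
        e["ext"] = p.group("ext").lower() if p else None
        entries.append(e)
    return entries

def review_o4(log_text):
    """Apply three generic heuristics; return (rule, value name, command line) triples."""
    findings, seen = [], {}
    for e in parse_o4(log_text):
        # 1. Value name is spelled like a program but the command launches a different one.
        if e["name"].lower().endswith(".exe") and e["program"] and e["name"].lower() != e["program"]:
            findings.append(("name/program mismatch", e["name"], e["cmd"]))
        # 2. Autostart entry launches a script rather than an executable.
        if e["ext"] in SCRIPT_EXTS:
            findings.append(("script in Run key", e["name"], e["cmd"]))
        # 3. Identical entry registered under both HKLM and HKCU.
        k = (e["name"].lower(), e["cmd"].lower())
        if k in seen and seen[k] != e["hive"]:
            findings.append(("duplicated in HKLM and HKCU", e["name"], e["cmd"]))
        seen.setdefault(k, e["hive"])
    return findings

if __name__ == "__main__":
    for rule, name, cmd in review_o4(SAMPLE_LOG):
        print(f"{rule:28} [{name}] {cmd}")
```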


#2 The Bear

The Bear

  • Members
  • 79 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:04 AM

Posted 19 August 2004 - 04:58 AM

that is an auto dialer Win32:Dialui


Win patrol has a nice manual removal

The changes you make are in the registry. I strongly suggest you make a backup first.

Don't worry about the ending letter (in your case "B") you need to look for the Win32:Dialui

and if you're running XP or ME, turn off System Restore before you remove the files (trojan)
Computer help forums are full of those that go around the internet
clicking willy-nilly and installing or downloading everything in sight

#3 lucky71

lucky71
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 19 August 2004 - 08:19 AM

Ok, Bear, I will try to solve following your steps and tell you the results later.
Thank you again.
lucky71

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:02:04 AM

Posted 23 August 2004 - 06:33 PM

There are some other items that should be addressed as well. Please post a new log when you can.



