Author Topic: cant remove all win32:dialer-1026 after boots time scan  (Read 131285 times)


mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #240 on: October 03, 2007, 06:32:00 AM »
There is a Silly worm infection showing in the ComboFix log now.

Open OTMoveIt and move these files:


C:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
C:\Windows\System32\cologsver.exe 
C:\Windows\System32\google.dll
C:\Windows\System32\xbox.dll


As in the past, some may not be found but post the entire log.


Then back up your registry with ERUNT again. Paste the following into a Notepad file, making sure there is no space above REGEDIT4:

Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b74252-6b65-11dc-a035-5050506f4531}]

Go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES. Then in the FILE NAME box type fix.reg - this will create a fix.reg file on your desktop.

To use this file you will need to right-click the icon and select Merge; accept the warning if one appears.

Let me know if you had any problems with that and post a new ComboFix log.
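The fix.reg step above depends on two details that are easy to get wrong in Notepad: REGEDIT4 must be the very first thing in the file, and the file must actually be saved with a .reg extension. The script below is an added example (it is not the poster's instructions and not part of ERUNT, OTMoveIt or regedit): it builds a REGEDIT4 deletion file for the MountPoints2 key quoted in the post and checks a .reg file's text and file name for exactly those pitfalls before you merge it. The function names and the checks are constructed for illustration.

```python
"""Build and sanity-check a REGEDIT4 key-deletion file like the fix.reg above.

Added example: not the poster's instructions nor part of ERUNT, OTMoveIt
or regedit. The MountPoints2 key is the one quoted in the post; the
function names and the checks are constructed for illustration.
"""
from typing import Iterable, List

REG_HEADER = "REGEDIT4"
HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")


def build_delete_reg(keys: Iterable[str]) -> str:
    """Return the text of a .reg file that deletes every key in `keys`.

    REGEDIT4 layout: the header on line 1, a blank line, then one
    bracketed key per block. A '-' right after the '[' tells regedit to
    delete the key rather than create it. CRLF endings match Notepad.
    """
    blocks = []
    for key in keys:
        key = key.strip()
        if not key.upper().startswith(HIVES):
            raise ValueError(f"key must start with a hive name: {key!r}")
        blocks.append(f"[-{key}]")
    return f"{REG_HEADER}\r\n\r\n" + "\r\n\r\n".join(blocks) + "\r\n\r\n"


def check_reg_text(text: str) -> List[str]:
    """List the problems that make regedit reject or misread the file.

    An empty list means the file looks well formed. The first checks cover
    the mistake the post warns about: regedit expects REGEDIT4 on the very
    first line, with nothing above it or in front of it.
    """
    problems: List[str] = []
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    first = lines[0] if lines else ""
    if first != REG_HEADER:
        if first.strip() == REG_HEADER:
            problems.append("whitespace before REGEDIT4 on the first line")
        elif first.strip() == "":
            problems.append("blank line above REGEDIT4 (the header must be line 1)")
        else:
            problems.append(f"first line is {first!r}, expected {REG_HEADER!r}")
    elif len(lines) < 2 or lines[1].strip() != "":
        problems.append("missing blank line after the REGEDIT4 header")
    key_lines = [ln.strip() for ln in lines if ln.strip().startswith("[")]
    if not key_lines:
        problems.append("no [key] blocks found")
    for k in key_lines:
        if not k.endswith("]"):
            problems.append(f"unterminated key line: {k!r}")
            continue
        name = k[1:-1].lstrip("-")   # drop the delete marker, if present
        if not name.upper().startswith(HIVES):
            problems.append(f"key does not start with a known hive: {k!r}")
        if name.count("{") != name.count("}"):
            problems.append(f"unbalanced braces in key (GUID typo?): {k!r}")
    return problems


def check_reg_filename(name: str) -> List[str]:
    """Flag the Notepad pitfall the post guards against with 'All Files'."""
    low = name.lower()
    if low.endswith(".reg.txt"):
        return ["saved as a Text Document: pick 'All Files' so the name ends in .reg"]
    if not low.endswith(".reg"):
        return [f"{name!r} does not end in .reg, so Explorer will not offer Merge"]
    return []


if __name__ == "__main__":
    KEY = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
           r"\explorer\mountpoints2\{16b74252-6b65-11dc-a035-5050506f4531}")
    fix = build_delete_reg([KEY])
    print(fix, end="")
    print("problems:", check_reg_text(fix) or "none")
```

Run it and paste the printed text into Notepad, or write it out with `open("fix.reg", "w", newline="")` so the CRLF endings survive; `check_reg_text` on the saved file's contents should come back empty before you merge it.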

MeDIeVaL

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #241 on: October 03, 2007, 07:49:36 AM »
When the dialer infected, Comodo Firewall didn't bring up the warning as a new suspect entry. That Web Assist I have fixed; I think it has come back already. And that one O17, I don't know what it is. fts.exe shows only at C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe.

Well the O2 BHO Web Assist doesn't appear in your latest log so hopefully that is gone.

The O17 entry normally would be associated with your ISP. Now, if your ISP isn't in Malaysia, then this is more likely to be malicious and possibly a Wareout infection. What is your ISP?

The question about fts.exe was not so much is it in another location, but did you install it (I can only assume it is something to do with your connection)?

This O17 entry is a tmnet streamyx associated file. It appears in that folder when a user subscribes to the streamyx service and installs it with the "Self Installation CD". The streamyx dialer itself seems fishy, so I've never installed it on my PC. It is best to manually set up your internet connection rather than using this automated connection. The connection speed will still be the same even if you don't use that application.

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #242 on: October 03, 2007, 08:21:09 AM »
Ahhh crap, I had you logged in, saw many problems still active, then I was doing some things to improve his PPPOE connection, and then I lost connection.
 ??? >:(
It should have reconnected me if you ran the help.exe.
Did you run that or the remhelp.exe?

Darn it, I set up the log in to my server so I have no contact info! So, if you for some reason cannot connect, then the PPPOE connection you are using needs to have the MS client enabled on NetBIOS. (Malaysian PPPOE is strange; it installs a protocol.)
do this

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #243 on: October 03, 2007, 08:26:12 AM »
I think I saw you in, as soon as I wrote the post above. Make sure you do the help.exe so it will keep reconnecting me if we lose connection.

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #244 on: October 03, 2007, 08:28:11 AM »
Ya, so just click connect or do the help.exe so I can finish. BTW, PPPOE is DSL and it is not dial-up. You scared me before. :P

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #245 on: October 03, 2007, 08:40:02 AM »
I know, I know, my "saying" says "you can sleep when you're dead" but it is 11:30pm and I am a morning person. I am getting OLD OK >:( ;D

Log in tomorrow, I do not have any contact info for you because I set up his account to save you some steps, but I posted here and sent a personal message.... Goodnight :-[

MeDIeVaL

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #246 on: October 03, 2007, 09:05:03 AM »
If it was fat32 before you could try reformatting again with this option instead of ntfs.  Can you see what files are on it?


Quote
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
There is a vulnerability in WinPCap versions prior to 4.0.1. It looks like you have Beta v0. The vulnerability allows attackers to execute code on your computer.

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=550

Is WinPCap something you installed? Do you need it? I suggest you either remove it or update to the current version.

Once again, this also comes from the streamyx "Self Installation CD". As I said before, the program itself seems fishy. I got lots of problems while installing it, so I've removed it and manually set up my internet connection.

MeDIeVaL

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #247 on: October 03, 2007, 09:29:32 AM »
Guys, can I suggest something...? I can't find anyone asking calciver to "Turn off system restore". Why not try this once, then do a boot scan once again. What I can see here is the infection recurring. I would like to suggest calciver to...

1) Turn off system restore
2) Show hidden files and folders
3) Uncheck "Hide extensions for known file types" box
4) Uncheck "Hide protected operating system files" box
5) Schedule Boot-Time Scan

Do this first, then give me the result... I'll assist you for the next step.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #248 on: October 03, 2007, 02:01:05 PM »
I know, I know, my "saying" says "you can sleep when you're dead" but it is 11:30pm and I am a morning person. I am getting OLD OK >:( ;D

Log in tomorrow, I do not have any contact info for you because I set up his account to save you some steps, but I posted here and sent a personal message.... Goodnight :-[

Oh sorry guy, I have tried to connect and I tried to connect you with the help.exe but can't get online. This is my MSN, blitzandaegis@yahoo.com. I think tomorrow I can't stay at home, I will go to school. Saturday, I will run the help.exe again.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #249 on: October 03, 2007, 02:07:53 PM »
This is the OTMoveIt result:

File/Folder C:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe not found.
File/Folder C:\Windows\System32\cologsver.exe not found.
File/Folder C:\Windows\System32\google.dll not found.
File/Folder C:\Windows\System32\xbox.dll not found.
 
Created on 10/03/2007 20:03:27


The fix registry file has been merged in. I will post a ComboFix log in the next post.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #250 on: October 03, 2007, 02:13:35 PM »
combofix log

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #251 on: October 03, 2007, 04:55:16 PM »
Good - the registry key is gone. Since the files weren't found I'm guessing some other cleaning has happened and got rid of everything but that stray line. Let's take another look in a couple of days.

... I had you logged in, saw many problems still active ...

What did you see?

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #252 on: October 04, 2007, 05:04:17 AM »
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Also this one, should it be fixed or not??
I just noticed I hadn't answered this question. That's just a stray line referring to a browser helper object for Windows Live Messenger. You don't need to worry about it right now, but we'll probably fix it when we're ready to finish up.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #253 on: October 04, 2007, 01:08:41 PM »
Thx, I will post another ComboFix log and HJT log on Saturday if I remember.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #254 on: October 05, 2007, 04:11:10 PM »
HJT log and ComboFix log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:39 PM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\WINDOWS\System32\svchost.exe
C:\Setup\Antivirus\help.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [%FP%TM Net fts.exe] "C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

--
End of file - 8554 bytes
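Three kinds of entry in this log were discussed earlier in the thread: an O2 BHO with "(no file)" (a stray registration, as mauserme explains), the O17 NameServer line (which should point at your ISP's resolvers, as MeDIeVaL notes), and O23 services with "Unknown owner" (the rpcapd case, where the answer was to verify it and remove or update it). The script below is an added example, not HijackThis code and not from any poster, that applies those three rules to a log. The sample lines are copied from the log above; the ISP address range is an assumption standing in for the resolver addresses your ISP actually publishes, and the function names are constructed.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.

Added example: not HijackThis code and not from any poster. The sample
lines are copied from the log above; the ISP DNS range is an assumption
standing in for the resolver addresses your ISP publishes.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Sequence, Tuple

# Copied from the HJT log posted above (O2, O17, O23 entries only); the
# rpcapd line is the one quoted earlier in the thread.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe",
]

# Assumption: the address block the ISP's resolvers live in. Replace it
# with the DNS addresses your ISP actually publishes before trusting it.
ISP_DNS_CIDRS: Sequence[str] = ("202.188.0.0/16",)

ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O17"
    reason: str  # why the line deserves a second look
    line: str    # the log line, unchanged


def parse_entries(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each HJT entry line; skip the rest."""
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def triage(lines: Iterable[str],
           isp_dns_cidrs: Sequence[str] = ISP_DNS_CIDRS) -> List[Finding]:
    """Apply the three rules the thread talks through.

    O2 '(no file)'      -> stray BHO registration, harmless but cleanable.
    O17 NameServer      -> should be the ISP's resolvers; anything else is
                           worth checking for DNS hijacking.
    O23 'Unknown owner' -> no publisher info; confirm you installed it and
                           that it is current (the rpcapd case above).
    A finding is a prompt to verify, not a verdict: ATI Smart is flagged
    by the same rule as rpcapd and turns out to be a driver component.
    """
    nets = [ipaddress.ip_network(c) for c in isp_dns_cidrs]
    out: List[Finding] = []
    for code, body, raw in parse_entries(lines):
        if code == "O2" and body.endswith("(no file)"):
            out.append(Finding(code, "BHO registered but its DLL is missing", raw))
        elif code == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", body)
            for addr in (m.group(1).split() if m else []):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    out.append(Finding(code, f"unparseable NameServer {addr!r}", raw))
                    continue
                if not any(ip in n for n in nets):
                    out.append(Finding(code, f"DNS server {addr} is outside the expected ISP range", raw))
        elif code == "O23" and " - Unknown owner - " in body:
            out.append(Finding(code, "service has no publisher; verify it is yours and up to date", raw))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

To run it over a full log, pass `open("hijackthis.log").read().splitlines()` to `triage`; non-entry lines such as the running-process list are ignored by the parser. With the assumed range, the O17 line above is accepted and only the stray O2 BHO and the two "Unknown owner" services are reported.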