Re: 'happy' internet dialler / browser hi-jack

From: H Leboeuf (NoAddress_at_generation.invalid)
Date: 07/20/04


Date: Tue, 20 Jul 2004 09:15:33 -0400

You may then have been hit by this virus or some variant.
http://www.sophos.com/virusinfo/analyses/trojtofgerb.html

Important: "So how did I get infected in the first place?"
http://forums.net-integration.net/index.php?showtopic=3051

-- 
Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
"moliolioi" <moliolioi@uboot.com> wrote in message
news:221d04c1.0407200055.50e10a8@posting.google.com...
> Thank you so much for your attention to this.
>
> I noticed that when closing system.exe the dialing attempts stopped. I
> looked in MSConfig and saw that the system.exe that was running was
> c:\system.exe. I removed it from the start-up section and then deleted
> it from the disk drive in safe mode.
>
> I was then able to remove the shortcuts permanently.
>
> I do hope this helps someone else.
>
> Shane.
>
>
> "Lust Detector" <stealth@null.net> wrote in message
> news:<cdh17o$acb$1@phys-news1.kolumbus.fi>...
> > For example, the process "C:\system.exe" is a virus or spyware.
> >
> >
> > "moliolioi" <moliolioi@uboot.com> wrote in message
> > news:221d04c1.0407190456.75e1f5aa@posting.google.com...
> > > Dear IE6 group,
> > >
> > > My colleague has been away in Malaysia and his browser has been
> > > hijacked somehow while on a hotel's broadband network connection. The
> > > symptoms are as follows:
> > >
> > > A desktop icon called "click me" which re-appears after a re-boot if
> > > you delete it from your recycle bin. This replaces the IE icon and the
> > > home page is greyed out at: http://66.98.199.15/cikis.aspx?did=11148.
> > >
> > > A dial-up networking connection called happy is present which also
> > > re-appears on re-boot. I have run Ad-Aware with the latest update from
> > > the 17th July (19th today) and it did find other spyware on the PC but
> > > didn't completely clear it.
> > >
> > > I ran HijackThis and kept the report which I have included here in
> > > this post.
> > >
> > > If someone could find the time to have a quick look at the report log
> > > I would be very grateful to you. I can't seem to find anything here;
> > > perhaps one of you can.
> > >
> > > I found this thread which mentions it but there is no conclusion that
> > > I can find there:
> > > http://www.webuser.co.uk/cgi-bin/forums/printthread.pl?Cat=&Board=security&main=77237&type=post
> > >
> > > Logfile of HijackThis v1.97.7
> > > Scan saved at 09:47:01, on 7/19/2004
> > > Platform: Windows XP SP1 (WinNT 5.01.2600)
> > > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
> > >
> > > Running processes:
> > > C:\WINXP\System32\smss.exe
> > > C:\WINXP\system32\winlogon.exe
> > > C:\WINXP\system32\services.exe
> > > C:\WINXP\system32\lsass.exe
> > > C:\WINXP\system32\svchost.exe
> > > C:\WINXP\System32\svchost.exe
> > > C:\WINXP\system32\spoolsv.exe
> > > C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
> > > C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
> > > C:\WINXP\System32\nvsvc32.exe
> > > C:\WINXP\system32\slserv.exe
> > > C:\WINXP\System32\svchost.exe
> > > C:\WINXP\Explorer.EXE
> > > C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
> > > C:\Program Files\Common Files\Real\Update_OB\realsched.exe
> > > C:\Program Files\Caere\OmniPagePro90\opware32.exe
> > > C:\Program Files\QuickTime\qttask.exe
> > > C:\PROGRA~1\WinFax\WFXSWTCH.exe
> > > C:\WINXP\System32\wfxsnt40.exe
> > > C:\WINXP\System32\wuamgrd.exe
> > > C:\WINXP\system32\ntvdm.exe
> > > C:\WINXP\System32\rmctrl.exe
> > > C:\system.exe
> > > C:\Program Files\Messenger\msmsgs.exe
> > > C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
> > > C:\Program Files\AlchemyUser\Phone Status\userapp.exe
> > > C:\Program Files\Palm\HOTSYNC.EXE
> > > C:\Program Files\HijackThis\HijackThis.exe
> > > C:\Program Files\Common Files\Real\Update_OB\realevent.exe
> > >
> > > R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> > > Settings,ProxyServer = http://SERVER01:8080
> > > O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> > > C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> > > O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> > > C:\WINXP\System32\msdxm.ocx
> > > O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
> > > O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
> > > C:\WINXP\System32\NvCpl.dll,NvStartup
> > > O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
> > > O4 - HKLM\..\Run: [ICQ Net] C:\WINXP\winlogon.exe -stealth
> > > O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
> > > C:\WINXP\System32\spool\drivers\w32x86\3\hpztsb07.exe
> > > O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
> > > Files\Real\Update_OB\realsched.exe" -osboot
> > > O4 - HKLM\..\Run: [OmniPage] C:\Program
> > > Files\Caere\OmniPagePro90\opware32.exe
> > > O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
> > > Files\QuickTime\qttask.exe" -atboottime
> > > O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
> > > O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
> > > O4 - HKLM\..\Run: [Cryptographic Service] C:\WINXP\System32\jddsu.exe
> > > O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
> > > O4 - HKLM\..\Run: [RemoteControl] C:\WINXP\System32\rmctrl.exe
> > > O4 - HKLM\..\Run: [winupgrade] c:\system.exe
> > > O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
> > > O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
> > > /background
> > > O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
> > > O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
> > > O4 - Startup: PowerReg Scheduler.exe
> > > O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program
> > > Files\Common Files\DataViz\DvzIncMsgr.exe
> > > O4 - Global Startup: Firewall Client Connectivity Monitor.LNK =
> > > C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
> > > O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> > > Office 2000 Pro\Office\OSA9.EXE
> > > O4 - Global Startup: Phone Status.lnk = C:\Program
> > > Files\AlchemyUser\Phone Status\userapp.exe
> > > O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
> > > present
> > > O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel
> > > present
> > > O8 - Extra context menu item: E&xport to Microsoft Excel -
> > > res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
> > > O9 - Extra button: Related (HKLM)
> > > O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
> > > O9 - Extra button: Messenger (HKLM)
> > > O9 - Extra 'Tools' menuitem: Messenger (HKLM)
> > > O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office
> > > Template and Media Control) -
> > > http://office.microsoft.com/templates/ieawsdc.cab
> > > O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
> > > http://www.apple.com/qtactivex/qtplugin.cab
> > > O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> > > http://software-dl.real.com/06338cf6d0a12e7b2906/netzip/RdxIE601.cab
> > > O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
> > > http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
> > > O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
> > > http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37963.1568981481
> > > O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
> > > Object) -
> > > http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
> > > O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
> > > Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
> > > O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hitech.local
> > > O17 - HKLM\Software\..\Telephony: DomainName = hitech.local
> > > O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hitech.local
> > > O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hitech.local
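
Added example (not part of the original thread): a Python triage pass over the registry Run (O4) entries of a HijackThis log like the one quoted above, coping with the "> " quote prefixes and wrapped lines. It flags an autorun executable sitting directly in a drive root, the pattern of the `c:\system.exe` entry the thread identified, and, going beyond what the thread confirmed, a core Windows process name launched from outside System32; both are review heuristics assumed for this example, not verdicts, and the function names and the `SYSTEM_NAMES` list are illustrative.

```python
import re
from ntpath import basename, dirname, normpath

# Constructed sample: a few O4 lines copied from the quoted log, with the
# Usenet "> " prefixes and a mid-entry line wrap left in place.
SAMPLE = r'''> > > O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
> > > O4 - HKLM\..\Run: [ICQ Net] C:\WINXP\winlogon.exe -stealth
> > > O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
> > > Files\QuickTime\qttask.exe" -atboottime
> > > O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
> > > O4 - HKLM\..\Run: [winupgrade] c:\system.exe
'''

# Registry autoruns only; "Startup:" folder entries use a different layout.
ENTRY = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# Quoted path, or an unquoted path up to the first ".exe" (may contain spaces).
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.I)
# Illustrative (assumed) list of names that normally run from System32.
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "smss.exe"}

def unwrap(text):
    """Strip quote prefixes and join wrapped lines onto their log entry."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw).strip()
        if re.match(r'^[A-Z]\d+ - ', line):      # new entry: "O4 - ", "R1 - "
            entries.append(line)
        elif line and entries:                   # continuation of a wrap
            entries[-1] += ' ' + line
    return entries

def triage(text):
    """Return (value name, path, reason) for autoruns worth a closer look."""
    findings = []
    for line in unwrap(text):
        m = ENTRY.match(line)
        e = EXE.match(m['cmd']) if m else None
        if not e:
            continue
        path = normpath(e.group(1) or e.group(2)).lower()
        folder, exe = dirname(path), basename(path)
        if re.fullmatch(r'[a-z]:\\', folder):
            findings.append((m['name'], path, 'executable in drive root'))
        elif exe in SYSTEM_NAMES and folder and not folder.endswith(r'\system32'):
            findings.append((m['name'], path,
                             'system process name outside System32'))
    return findings
```

Entries given as a bare file name (no directory) are not judged, since the log alone does not say which directory they resolve to.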