>>> My Kingdom for help with this bloody TIBS41 dialer/malware! <<<

Unknown · September 2004

Greetings ladies and gentlemen,

As I am a complete tech moron, I have been sent here, where I am told numerous masters of computer knowledge may be able to offer me some assistance.

I am having a problem with a TIBS41 (and sometimes just a 'New Dialup Connection') dialer that keeps riding over my dial-up connection and generally pissing me off greatly. :banghead: Anyone who could help me with this devious Malware would be appreciated. Both Ad-Aware and Spybot find it and claim to get rid of it, but lo and behold the bastard alwasy seems to regenerate itself.

A free donkey (or other farm wildlife of your choosing) to the man or woman who can help be beat this problem.

HijackThis log attached below;

Cheers DoTBoY

Logfile of HijackThis v1.98.2
Scan saved at 12:41:41 PM, on 28/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\SAMSUN~1\SAMSUN~1\3.0\LWB3DAPP.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\xyhngvlq.exe
C:\WINDOWS\System32\twink64.exe
C:\Vet\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Angela\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pc-club.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-club.com.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: npwmsjrm - {BBF1E3DD-A79D-3312-392C-455FE5C16E83} - C:\WINDOWS\System32\npwmsjrm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\SAMSUN~1\SAMSUN~1\3.0\LWB3DAPP.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE

wildthing423 · September 2004

DoTBoY
hey there ..welcome. with an extreme effort not to appear stupid, which is difficult for me, where is the rest of your log. IT appears incomplete. It is my pleasure to assist you but, things do not look kosher with the log.

wildthing423

dOtbOy · October 2004

alright let me try once more then.............

Logfile of HijackThis v1.98.2
Scan saved at 11:42:29 AM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\SAMSUN~1\SAMSUN~1\3.0\LWB3DAPP.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\xyhngvlq.exe
C:\WINDOWS\System32\twink64.exe
C:\Vet\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Vet\VetMsg.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Documents and Settings\Angela\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pc-club.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-club.com.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: npwmsjrm - {BBF1E3DD-A79D-3312-392C-455FE5C16E83} - C:\WINDOWS\System32\npwmsjrm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\SAMSUN~1\SAMSUN~1\3.0\LWB3DAPP.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jxcwkdhats] C:\WINDOWS\System32\xyhngvlq.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [cdrom city] C:\PROGRA~1\drvpeaklove\defaultcamp.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKLM\..\RunServices: [ZipGenius Clean] "C:\WINDOWS\zg.exe" -cleantemp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Samsung Internet Keyboard.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-club.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDE1485-62BD-4D49-92FE-68BC326CF1EC}: NameServer = 203.24.73.220 192.65.91.129

>>> My Kingdom for help with this bloody TIBS41 dialer/malware! <<<

Comments