  1. #1 CosmoGo (Member; joined Sep 2004; 5 posts; 0 points)

    Hijack?: S-Redirect, wmplayer.exe, and a Web Dialer thing?

    I'm certain I was hijacked sometime in the past 36 hours. I had the whole s-redirect homepage\favorites problem, but I may have taken care of that by reading through some of the other postings (haven't seen the redirect in about 12 hours now! yay!). However, whenever I try to run a file that needs Windows Media Player I'm getting a "Windows can't find" message for wmplayer.exe. I also get an occasional unexpected dialogue-box visit from some kind of "Web Dialer" that wants me to agree to disconnect from the internet and make an international phone call (something about needing to be over 18 (21 in some countries), yadda yadda yadda...). It can't be good (I attached a screenshot). Then there is also the surprise command\DOS window that pops up trying to run a file from my local\temp directory (the name of the file changes each time and is usually some random string of letters .exe). With that I get a 16-bit MS-DOS Subsystem error with the message "NTVDM CPU has encountered an illegal instruction. CS:0db3 IP:013f OP:63 65 3d 22 41 Choose 'Close' to terminate the application".

    I did recently remove two reg entries: one referenced C:\WINDOWS\system32\64nt64s-sy.exe and another referenced C:\WINDOWS\PE32hhsysy.exe (they looked bad, but I wasn't sure).

    Some freaky crap going on. In case it helps, here is my HijackThis log.

    Hope this is enough to go on!

    =================================

    Logfile of HijackThis v1.98.2
    Scan saved at 12:47:15 AM, on 9/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\nslsvice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\LDClient\LOCALSCH.EXE
    C:\WINDOWS\system32\cba\pds.exe
    C:\LDClient\tmcsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Notes\ntmulti.exe
    C:\Program Files\NavNT\rtvscan.exe
    c:\windows\suss.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\LDClient\wuser32.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
    C:\WINDOWS\ntsys-.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
    C:\Notes\NLNOTES.EXE
    C:\Notes\ntaskldr.EXE
    C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\JR\Videos\temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JR is Browsing
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.171.30.200:84
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [LDInvScan] c:\LDClient\LDISCN32.EXE /NTT=COLLDCORE01:5007 /S="COLLDCORE01" /I=c:\LDClient\ldappl.ini /NOUI
    O4 - HKLM\..\Run: [AMCLIENT] c:\LDCLient\AMCLIENT.EXE /TCS /S
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Handy Backup 3.9] C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe -logon
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [ntsys-] C:\WINDOWS\ntsys-.exe
    O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.checkfree.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.checkfree.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D29E8714-809B-44B4-A402-8F9FB98C3914}: Domain = corp.checkfree.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.checkfree.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.checkfree.com,ckfr.com,checkfreeinvsvcs.com,cis.checkfree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.checkfree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.checkfree.com,ckfr.com,checkfreeinvsvcs.com,cis.checkfree.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.checkfree.com,ckfr.com,checkfreeinvsvcs.com,cis.checkfree.com

  2. #2 steamwiz (Member; joined Sep 2003; Yorkshire U.K.; 14,022 posts; 2335 points)

    Hi

    So you removed these two run keys ...

    C:\WINDOWS\system32\64nt64s-sy.exe
    C:\WINDOWS\PE32hhsysy.exe

    This comes with them:

    O4 - HKCU\..\Run: [ntsys-] C:\WINDOWS\ntsys-.exe

    Fix it as well and see if it makes a difference...

    It's past 2am here ... too late to look any deeper tonight.

    Let us know if fixing that cures any of your problems.

    There's no reference to a webdialler in your log. We need a name, either of the file or of the program. It's probably running from a folder in Program Files; you may have to check all the folders you don't recognise and see what is in them, or post a list of the ones you are not sure of.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP
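The reasoning in this reply (an O4 autostart entry pointing at an oddly named executable in the Windows root travels with the two Run keys already removed) can be turned into a small triage script. This is an added example, not part of the thread and not HijackThis code; the sample lines are constructed from the O4 entries and the removed Run keys named in this thread, and the location and naming rules are review heuristics only, not a malware verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines taken from the log above plus two lines rebuilt from the
# Run entries the poster says they removed (constructed, not copied from the log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ntsys-] C:\WINDOWS\ntsys-.exe
O4 - HKLM\..\Run: [64nt64s-sy] C:\WINDOWS\system32\64nt64s-sy.exe
O4 - HKLM\..\Run: [PE32hhsysy] C:\WINDOWS\PE32hhsysy.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")

def parse_o4(line):
    """Return (entry name, executable path) for an O4 line, or None for any other line."""
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                 # quoted path, possibly followed by arguments
        exe = cmd[1:cmd.index('"', 1)]
    else:                                   # unquoted: keep everything up to the first ".exe"
        k = cmd.lower().find(".exe")
        exe = cmd[:k + 4] if k >= 0 else cmd.split(" ", 1)[0]
    return m.group("name"), exe

def suspicion(exe):
    """Location/name heuristics worth a second look; an empty list means nothing stood out."""
    p = PureWindowsPath(exe)
    parent = str(p.parent).lower()
    reasons = []
    if parent == ".":
        reasons.append("no directory given; resolved via PATH, so confirm where it really lives")
    elif parent in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable sits directly in the Windows root, not in a subfolder")
    elif "\\temp" in parent:
        reasons.append("executable runs from a temp folder")
    if "-" in p.stem:
        reasons.append("hyphen in the file name, unusual for vendor binaries")
    return reasons

def review(log):
    """Map each flagged executable to its reasons (entries with no flags are dropped)."""
    parsed = [p for p in map(parse_o4, log.splitlines()) if p]
    return {exe: suspicion(exe) for _name, exe in parsed if suspicion(exe)}
```

Run `review(SAMPLE_LOG)` to get the three entries from this thread flagged while the vendor binaries in Program Files and System32 pass; anything it flags still needs checking against the file on disk before it is fixed in HijackThis.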

  3. #3 CosmoGo (Member; joined Sep 2004; 5 posts; 0 points)

    Thanks, I'll give it a go

    Really appreciate the response. If you get some other ideas, let me know.

    Strangely enough, I went back into HijackThis and now that O4 entry you mention is no longer there. Par for the course, I guess.

    I'll see if I can't find a file or folder name for that webdialer; I haven't been able to track it down yet.

  4. #4 steamwiz (Member; joined Sep 2003; Yorkshire U.K.; 14,022 posts; 2335 points)

    Hi

    Re: webdialler
    There definitely should be a folder called "webdialler" in c:\program files\. If you find it, delete it if you can; if not, then post a list of the files in it.

    Re: Windows Media Player
    Uninstall and then reinstall the Windows Media Player.

    Re: "Then there is also the surprise command\dos window that pops-up trying to run a file from my local\temp directory"
    Empty your temp folders.

    Re: 16-bit MS-DOS Subsystem error
    http://www.webuser.co.uk/cgi-bin/for...b=5&o=14&part=

    Please post back and let us know...

    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP

  5. #5 CosmoGo (Member; joined Sep 2004; 5 posts; 0 points)

    Perhaps Fixed?

    Well, I haven't seen the odd things happening for at least a day now since giving it a go with your instructions. I never did find a Webdialer directory, but it's not popping up anymore.

    I'll give it another 3 days before I feel like I'm in the clear, but for now all seems much, much better.

    Your help is much appreciated. Is there a way to repay you?

  6. #6 Member (joined Jan 2003; 12,000 posts; 1191 points)

    If you wish, there is always the option of making a donation to the site by using the "Donate" button at the bottom of this page. Any/all monies donated go to keeping this site "Ad Free", paying for server time, etc.

    We are all volunteers here. Another good way to "pay us back" is by coming back, not just when you have a problem, but maybe you can answer someone else's question when they have a problem.

    Happy surfing

    Cheers