Serious PC issue

Started by Phog, August 24, 2004, 11:00:41 AM



Phog

I'm pretty stuck here at the moment. For a while now, I have had a link in my Start menu called NextWish.org that randomly appeared. I never clicked it until yesterday evening while I was doing the usual decluttering of the system. It brought me to a "cannot be displayed" page in IE, so I thought nothing of it and deleted it. Upon trying to do anything on the net, it didn't work at all. I was connected but nothing was working. I scanned with NIS2004 (up-to-date) and a file called nethv32.dll was found. I googled this and found that it was a premium rate dialler :( I also found that it could be easily removed with HijackThis, which I obviously did ASAP. After a restart, the problem was still there, with or without this file. So here is the HJT log after the file was removed.
Logfile of HijackThis v1.97.7
Scan saved at 22:12:39, on 22/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\program files\powerstrip\pstrip.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Phog\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Configuration Loader] schost.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...StatsClient.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars...erxsigned41.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tec.../ActiveData.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...ireShowdown.cab

After asking about this log, I was advised to get rid of the following:

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars...erxsigned41.cab
O4 - HKLM\..\Run: [Configuration Loader] schost.exe

Again, after getting rid of these, still no joy. Any ideas would help. I'm running XP Pro SP1.
Thanks
Sorry for the long post; hopefully the HijackThis log will help you. It's an old version of the program, but that's all I had access to at the time.
Phog
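The "Configuration Loader" entry running a bare schost.exe (no path, one letter short of svchost.exe) is the kind of O4 line worth pulling out of a log like this automatically. The Python below is an added example written for this thread, not HijackThis code and not anything Phog ran. It parses the O4 lines from the log above (copied in as sample input) and flags executables that have no path and names within one edit of a Windows system binary. The list of system names and the edit-distance rule are assumptions of the example, and a bare filename is only a review item, not proof of anything: sstray.exe is flagged too and is just the nForce tray utility.

```python
"""Triage HijackThis O4 (autorun) entries for path-less and lookalike executables.

Added example for the thread above; not HijackThis code and not the poster's.
The heuristics (bare filename, edit distance <= 1 from a system binary name)
and SYSTEM_BINARIES are this example's own assumptions.
"""
import re
import sys
from dataclasses import dataclass

# O4 lines copied from the log posted above (sample input for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Configuration Loader] schost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")

# Windows binaries whose names malware habitually imitates (assumed list).
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}


@dataclass
class Finding:
    name: str       # the [bracketed] value name, or the .lnk name for Startup items
    exe: str        # executable basename, lower-cased
    cmd: str        # full command as logged
    reasons: list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the plain O(len(a)*len(b)) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_path(cmd: str) -> str:
    """First token of the command: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def triage_o4(log_text: str) -> list:
    """Return a Finding for every O4 entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        # No drive letter, directory or %var%: the name is resolved via the PATH
        # search at logon, so whichever copy is found first runs. Review item only.
        if "\\" not in path and ":" not in path and not path.startswith("%"):
            reasons.append("bare filename, resolved via PATH search")
        for system_name in SYSTEM_BINARIES:
            if exe != system_name and edit_distance(exe, system_name) <= 1:
                reasons.append(f"lookalike of {system_name}")
        if reasons:
            findings.append(Finding(m.group("name"), exe, m.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    # Pipe a saved HijackThis log in, or run with no input to score the sample lines.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in triage_o4(text):
        print(f"[{f.name}] {f.cmd}\n    -> {'; '.join(f.reasons)}")
```

On the sample lines it reports two entries: sstray.exe (bare filename only) and schost.exe (bare filename and a one-edit lookalike of svchost.exe). Everything else in the log has a full path and a name that resembles nothing in the system list.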

smilodon

There's a distinct possibility that your hosts file has been modified by the dialer. You may well have removed the dialer, but if it's blocked all web sites in the hosts file then you won't see anything at all. It does this so as to get you to disconnect and reconnect. This gives it a chance to dial up its own number and rob you blind on the phone calls.

To clean up the hosts file (if that is what your problem is) do the following.

Go to C:\WINDOWS\system32\drivers\etc and open the hosts file in notepad.

It should say:
Quote:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#   102.54.94.97   rhino.acme.com     # source server
#    38.25.63.10   x.acme.com       # x client host

127.0.0.1    localhost

You're specifically looking for an entry like '127.0.0.1       *.*'.

If in doubt, make a backup copy of the hosts file and edit the file as above. Make sure it doesn't get saved with a file extension. It should just be hosts, not hosts.txt, or it won't work. Hope this helps.
smilodon
Whatever's gone wrong it's not my fault.

Phog

So is there the possibility that I have a huge phone bill coming my way? If so, my parents are not going to be in the least bit pleased :( I removed the file within 45 mins of it being there. What does it mean by premium rate?

TeaLeaf

Quote: Originally posted by Phog @ Aug 24 2004, 12:00 PM
What does it mean by premium rate?
Usually something in the order of £1-3 per minute.

TL.
Wisdom doesn't necessarily come with age. Sometimes age just shows up all by itself. (Tom Wilson)
Talent wins games, but teamwork and intelligence wins championships. (Michael Jordan)

smilodon

The idea of a dialer is to get you to dial up their phone number in order to look at porn (usually). Many Internet users don't realise that they are not dialling their own ISP but the dialer company. The dialer company uses premium rate numbers that cost £1.00 - £2.00 a minute. You get stung with a huge phone bill. If you are on broadband and don't have a 56K modem connected to your phone line then the dialer can't dial anything and you're safe. If you do have a dial-up modem and it's plugged into your phone line then it might have tried to dial out. You can often tell, as the only web site you can get access to is the dialer's, and that's usually full of porn. I don't think that this happened from your description. Check the hosts file and see what it says.
smilodon
Whatever's gone wrong it's not my fault.

Phog

Luckily, at the time I was on broadband, and as soon as I got home (on dial-up) the file was already removed. In my hosts file, there were lots of antivirus sites, like Sophos etc. I couldn't find Norton there though, or Symantec. When I was online for a minute here though, I still couldn't access that site.
And I don't go on porn sites ;)

smilodon

Quote: Originally posted by Phog @ Aug 24 2004, 12:13 PM
In my hosts file, there were lots of antivirus sites, like Sophos etc. I couldn't find Norton there though, or Symantec.
Bingo. The dialer/trojan has overwritten your hosts file, which is preventing you from getting access to the web. Many viruses/trojans add blocks to anti-virus sites so as to stop you going there for help about getting rid of them.

If you repair your hosts file as I suggested you'll get back on the net. A damn good check with the anti-virus should get rid of any rubbish still floating about.
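Smilodon's two posts above give the check (compare the hosts file with the stock contents, look for 127.0.0.1 lines against anything but localhost and for the '127.0.0.1 *.*' line) and the reason for it (the malware pins anti-virus sites to loopback so you can't fetch help). The Python below is an added example, not from the thread, that does both: it audits a hosts file and writes back a copy with the suspect lines commented out, keeping a backup first as advised. The sample contents are constructed to match what Phog describes (Sophos and Symantec names mapped to 127.0.0.1, plus the wildcard line) and are not anyone's real file. It also flags names pinned to a non-loopback address, which goes a step beyond the thread: that pattern redirects a site rather than blocking it. The exemption list, the sample file and the path handling are this example's own assumptions.

```python
"""Audit a Windows hosts file for hijacked entries and emit a cleaned copy.

Added example for the thread above; not the original poster's code.
SAMPLE_HOSTS is constructed; LOOPBACK_OK and the path handling are assumptions.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Constructed sample: a stock header plus the kind of entries the thread describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       www.symantec.com    # trailing comment; the parser strips it
127.0.0.1       *.*
10.0.0.5        www.example.com
"""

# Names that legitimately sit on loopback in a stock file (assumed list).
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class Finding:
    lineno: int
    ip: str
    name: str
    reason: str


def parse_hosts(text: str):
    """Yield (lineno, address, [names]) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments, including trailing ones
        if not body:
            continue
        fields = body.split()
        yield lineno, fields[0], fields[1:]


def audit_hosts(text: str) -> list:
    """Return one Finding per hostname that should not be in a clean file."""
    findings = []
    for lineno, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(Finding(lineno, ip_text, " ".join(names), "address does not parse"))
            continue
        for name in names:
            if "*" in name:
                reason = "wildcard-style entry; the hosts format has no wildcards, so this is tampering"
            elif ip.is_loopback and name.lower() not in LOOPBACK_OK:
                reason = "public name pinned to loopback: requests to it fail with no DNS error"
            elif not ip.is_loopback:
                reason = "name pinned to a fixed address; confirm it is intended (redirection, not blocking)"
            else:
                continue
            findings.append(Finding(lineno, ip_text, name, reason))
    return findings


def clean_hosts(text: str) -> str:
    """Return the file with every flagged line commented out; nothing else changes."""
    bad = {f.lineno for f in audit_hosts(text)}
    lines = [(f"# disabled by audit: {raw}" if n in bad else raw)
             for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]   # e.g. C:\WINDOWS\system32\drivers\etc\hosts
        with open(path, encoding="utf-8", errors="replace") as fh:
            original = fh.read()
    else:
        path, original = None, SAMPLE_HOSTS
    for f in audit_hosts(original):
        print(f"line {f.lineno}: {f.ip} {f.name}: {f.reason}")
    if path:
        with open(path + ".bak", "w", encoding="utf-8") as fh:   # backup first, as advised
            fh.write(original)
        with open(path, "w", encoding="utf-8", newline="\r\n") as fh:
            fh.write(clean_hosts(original))
```

Run it with no argument to see it score the sample, or give it the path of the real file. The cleaned copy keeps the stock header and the localhost line untouched and is written back under the same name, so it stays hosts with no .txt extension, which is the mistake the thread warns about.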

Phog

Next problem has arisen.
I seem to have deleted my Freeserve dial-up dialler (if that makes sense).
When I go through Create a new connection, I then go to manually, and I can only select Create a broadband connection where the connection is always active. The dial-up choice is greyed out so it cannot be selected.
When I try reinstalling the Freeserve software again, it keeps searching for my modem (I have an ISDN PCI card), which works fine and all the drivers are installed. I have even reinstalled them all and it still doesn't detect it. Is this something else the ****er has left behind? 'Cos it's really annoying me now.

smilodon

Not my area of expertise, but I'd uninstall the ISDN PCI modem from Device Manager and reinstall it again. Then reinstall the Freeserve dialer.

You might want to wait till someone who knows more about this posts though?

TeaLeaf

I'd agree with Smilo (and I'm an ex-ISDN user). I'd also recommend using something like the ZoneAlarm firewall, which keeps a fairly good record of what tries to get out from your PC to the internet.

TL.

Phog

I just tried the reinstall of the drivers but with no luck, I'm afraid :(
Who's the resident internet guru?
I've searched with Ad-Aware, Spybot, Norton, CWShredder, SpyHunter and only Ad-Aware came up with an Alexa reg key, which it deleted for me. Not sure what that is, but I've heard quite a lot about it.
When it searches for the modem it fails and tells me to select the modem from a list. It only has modems that go from 8 bps to 56bps. I think I got some software from BT when they installed the Home Highway box; whether this will help at all I don't know, but I think it's for use with USB. I'll give it a go anyway.
I'll download ZoneAlarm in the near future. Ta for the advice so far guys, much appreciated.

smilodon

I'd suggest that all you have left is the damage done by the dialer. The dialer itself seems to be gone. If Ad-Aware, Spybot etc. didn't find anything and Norton says you are clear, then I think you're OK.

If you can ID exactly what model the modem is then it's a fair bet that the drivers will be on the internet somewhere for download

Browne

Nextwish.org is a Counter-Strike site for mods, scripts, etc. I've used it myself a few times without problem. I don't know how that helps you, however; just for info, I suppose.

So much Time, So Little to do.

Phog

OK, that would explain why I would have had that on my system, and it's probably just a coincidental thing that I happened to open it as some script kiddie h4x0r killed me.
In the end I couldn't be bothered and did a full format. Even if I did get the net working, it was like running a 2 MHz machine on 4 bytes of RAM :D
I like a fresh start anyway; I actually have some room on my ickle HDD.
Thanks for the help anyway, and I'll deffo remember that hosts file for future reference. I'm just hoping that the phone bill will be normal so I can upgrade this virus-prone beast.

Gh0st Face Killah

There was a thread referring to hosts files a while ago, started by Smilo (I think). I would search for it but haven't time atm.
-=[dMw]=-Gh0st Face Killah
Ex Ignorantia Ad Sapientiam, E Luce Ad Tenebras

Gh0stys mixes

D. A. M. N.
Naked Mothers Against Dyslexia