Win32:Dialer-BN[Tri] HELP

My laptop is sending lots of emails. Avast gives the message that a dialer is found: Win32:Dialer-BN[Tri].
I tried avast, Ad-Aware, Spybot, Sophos Anti-Rootkit and Windows Defender to remove it, but without any result.
HijackThis gives the following log.
Can anybody help me?

Logfile of HijackThis v1.99.1
Scan saved at 22:59:37, on 21-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\beheer\avast\aswUpdSv.exe
D:\beheer\avast\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\eManager\anbmServ.exe
D:\beheer\avast\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\toepassingen\ideazon fang\Zboard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE
D:\toepassingen\adobe\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\beheer\norton ghost\GhostStartService.exe
D:\toepassingen\Kirby Alarm\kirbyalarm.exe
D:\beheer\avast\ashMaiSv.exe
D:\beheer\avast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
D:\download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM..\Run: [avast!] D:\beheer\avast\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Zboard] D:\toepassingen\ideazon fang\Zboard.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [QuickTime Task] "D:\toepassingen\quicktime\qttask.exe" -atboottime
O4 - HKLM..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qutlfadn.dll",realset
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\Run: [Uniblue RegistryBooster2] D:\beheer\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Snelle start.lnk = D:\toepassingen\adobe\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\toepassingen\adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = D:\toepassingen\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\TOEPAS~1\msoffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\TOEPAS~1\msoffice\OFFICE11\REFIEBAR.DLL
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\beheer\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\beheer\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\beheer\avast\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\beheer\norton ghost\GhostStartService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I would have thought that a dialler wouldn’t be sending out email, so I would think that there is an undetected trojan spam bot on your system.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

What actions have you taken to try and resolve the problem (what action did you select when avast detected it)?
Does avast still detect it?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. AVG Anti-Spyware (formerly Ewido) if using WinXP, or a-squared Free if using Win98/ME.

Please submit this file to Virus Total for analysis

C:\WINDOWS\system32\qutlfadn.dll

Thanks for your reply.
I ran AVG, but no spyware or viruses were found. I also ran Ad-Aware, Spybot, Windows Defender, ...
When I look at the avast log I find "22-5-2007 19:23:31 SYSTEM 200 Sign of "Win32:Dialer-BN [Trj]" has been found in "http://gam[blam]eglobin.info/g.php?wmid=bg004[UPX]" file."
When I'm using Firefox, sometimes I spontaneously get a new tab with the following address: http://www.winant[blem]iviruspro.com/pages/newcontent/?mpt=1179864699&aid=ffnm_ik_wavff_kw2&lid=avast%3E&affid=ffnm_67308_88D59188058B11DCBBAB003048895BFC_e0d20281+91923A0A9B5346AFA5AD43746CBE092B
I also started SmartSniff to see the traffic. There is traffic through port 25.
The message body is:
220 msg-mx9.usc.edu - Server ESMTP (SUN JES MTA 6.x)

HELO 212-182-171-71.dsl.ip.tiscali.nl

250 msg-mx9.usc.edu OK, [212.182.171.71].

MAIL From:gtaq@tec.uji.es

250 2.5.0 Address Ok.

RCPT TO:mleeds@usc.edu

250 2.1.5 mleeds@usc.edu OK.

DATA

354 Enter mail, end with a single ".".

Received: from zri ([179.166.157.104])
by 212-182-171-71.dsl.ip.tiscali.nl (8.13.4/8.13.4) with SMTP id l4MK9XaD038124;
Tue, 22 May 2007 22:09:33 +0200
Message-ID: 002c01c79cac$c6014b30$689da6b3@zri
From: "Cyrus Calderon" gtaq@tec.uji.es
To: mleeds@usc.edu
Subject: During the North Market event, Ohio products with a festive flair will be celebrated.
Date: Tue, 22 May 2007 22:07:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Antivirus: avast! (VPS 000742-1, 22-05-2007), Outbound message
X-Antivirus-Status: Clean

Uhranleger T3R Die Hast ist begonnen am Mittwoch 23. Mai

Firma: SkyFlyer
Symbol: T3R.F
Preis: 0.36
3-T Prognose: 0.98
WKN : A0LCMC
ISIN : US83082R1077

Kaufen, kaufen und kaufen! Heutzutage ist es eine schune Muglichkeit
viel Geld zu verdinen! Sehen Sie es am Mittwoch 23. Mai…

Esse…or RSS is going to work.

.

250 2.5.0 Ok.

QUIT

221 2.3.0 Bye received. Goodbye.

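The captured port-25 session above is the most useful evidence in the thread: a consumer DSL host talking straight to a university MX, announcing itself with its own reverse-DNS name, using an envelope sender from an unrelated domain, and carrying a Received: header that pretends the laptop relayed the message for some other IP. The script below is an added example (not code from the thread or from SmartSniff) that parses a sniffer transcript of that shape into envelope, headers and body and reports those indicators. The transcript, host names and the `smarthost` name are constructed placeholders; the Received: continuation lines are left unindented on purpose, as they appeared in the post, so the parser does not depend on header folding.

```python
"""Triage a sniffed outbound SMTP session for spambot indicators.

Added example, not code from this thread or from any tool named in it.
Host names, addresses and the smarthost are placeholders.
"""
import re

SERVER_REPLY = re.compile(r"^\d{3}[ -]")              # "250 ...", "354 ...", "220-..."
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")   # "Received:", "X-Mailer:"
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+\w")
RESIDENTIAL_HINTS = ("dsl", "dyn", "dynamic", "pool", "cable", "ppp", "dhcp")

# Constructed capture: client commands and server replies interleaved, the way a
# packet sniffer shows them. Continuation lines of Received: are unindented.
SAMPLE_SESSION = """220 mx.example.edu - Server ESMTP
HELO 192-0-2-10.dsl.example-isp.net
250 mx.example.edu OK, [192.0.2.10].
MAIL From:sender@example.es
250 2.5.0 Address Ok.
RCPT TO:victim@example.edu
250 2.1.5 victim@example.edu OK.
DATA
354 Enter mail, end with a single ".".
Received: from zri ([203.0.113.7])
by 192-0-2-10.dsl.example-isp.net (8.13.4/8.13.4) with SMTP id l4MK9XaD038124;
Tue, 22 May 2007 22:09:33 +0200
From: "Someone" sender@example.es
To: victim@example.edu
Subject: Kaufen, kaufen und kaufen!
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-Antivirus: avast! (VPS 000742-1, 22-05-2007), Outbound message

Symbol: T3R.F
Preis: 0.36
.
250 2.5.0 Ok.
QUIT
221 2.3.0 Bye received. Goodbye.
"""


def extract_address(text):
    m = ADDRESS.search(text)
    return m.group(0).lower() if m else None


def parse_smtp_session(text):
    """Split a sniffed session into server banner, envelope, headers and body."""
    session = {"server": None, "helo": None, "mail_from": None,
               "rcpt_to": [], "headers": [], "body": []}
    in_data = in_body = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":                       # end of DATA
                in_data = in_body = False
            elif in_body:
                session["body"].append(line)
            elif not session["headers"] and SERVER_REPLY.match(line):
                pass                              # the 354 go-ahead reply
            elif line == "" and session["headers"]:
                in_body = True                    # blank line ends the headers
            elif HEADER_LINE.match(line):
                name, _, value = line.partition(":")
                session["headers"].append([name.strip(), value.strip()])
            elif session["headers"]:
                # folded continuation; the sniffer may have dropped the leading space
                session["headers"][-1][1] += " " + line.strip()
            continue
        if SERVER_REPLY.match(line):
            if line.startswith("220") and session["server"] is None:
                parts = line.split()
                session["server"] = parts[1].lower() if len(parts) > 1 else None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            session["helo"] = arg.strip().lower()
        elif verb == "MAIL":
            session["mail_from"] = extract_address(arg)
        elif verb == "RCPT":
            session["rcpt_to"].append(extract_address(arg))
        elif verb == "DATA":
            in_data = True
    return session


def assess_session(session, smarthost):
    """Return the spambot indicators visible in a parsed outbound session.

    smarthost is the only mail server a workstation should ever talk to directly.
    """
    findings = []
    server = session["server"]
    if server and server != smarthost.lower():
        findings.append("direct-to-MX delivery to %s instead of the smarthost %s" % (server, smarthost))
    helo = session["helo"] or ""
    if any(h in helo.split(".") for h in RESIDENTIAL_HINTS) or re.match(r"^\d{1,3}(-\d{1,3}){3}", helo):
        findings.append("HELO %s names a residential/dynamic host, not a mail server" % helo)
    if session["mail_from"] and helo:
        sender_domain = session["mail_from"].rsplit("@", 1)[1]
        if not helo.endswith(sender_domain):
            findings.append("envelope sender domain %s is unrelated to the HELO host" % sender_domain)
    for name, value in session["headers"]:
        lname, lvalue = name.lower(), value.lower()
        if lname == "received" and helo and ("by " + helo) in lvalue:
            findings.append("Received header presents this host as a relay for an upstream IP (fabricated hop)")
        elif lname == "x-antivirus" and "outbound" in lvalue:
            findings.append("local mail scanner stamped the message as outbound: it was generated on this machine")
    return findings


if __name__ == "__main__":
    parsed = parse_smtp_session(SAMPLE_SESSION)
    for finding in assess_session(parsed, "smtp.example-isp.net"):
        print("-", finding)
```

The practical consequence for a home or office network is the egress rule the findings point at: a workstation has no reason to open TCP/25 to anything but its provider's or organisation's smarthost, so blocking other outbound port-25 connections at the router both stops this kind of spam run and makes the next infected machine visible in the firewall log.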

Please modify the following link to make it un-clickable because it links to live malware:

hxxp://gameglobin[dot]info/g[dot]php?wmid=bg004[UPX]

As mauserme noted, this file is very suspicious and needs to be investigated:

Please submit this file to Virus Total for analysis

C:\WINDOWS\system32\qutlfadn.dll

I submitted the file qutlfadn.dll to VirusTotal. Several scanners found it suspicious. I renamed it. Now when the laptop starts up it can't find the file. So something uses this file, but which one?
I searched for the link mentioned above, but can't find it.
For some reason (I don't remember why) I uninstalled Firefox 1.5 yesterday night and installed Firefox 2.0. Today the problem seems solved. ???
If it stays this way I'll let you know.
For the time being: thanks for the advice.

You still need to modify that link to live malware to make it unclickable, please.

Run HijackThis! again and put a tick in the box next to this entry:

O4 - HKLM..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qutlfadn.dll",realset

Then click the ‘fix’ button.

This will fix the problem of the computer not being able to find the file.

Hi paulusjaja,

Remove the live gamegoblin link to malware or make it non-clickable, because people may click it and get infected with virus Dialer.Silent as DrWeb’s link checker demonstrates:

File size: 9364 bytes

g.php?wmid=bg004 packed by UPX
In file >g.php?wmid=bg004 found virus Dialer.Silent

The manual removal info for this malware is to be found here: http://www.pestpatrol.com/zks/pestinfo/t/trojandownloader_win32_wintrim_bn.asp
Also download ATF cleaner from here: http://www.atribune.org/ccount/click.php?id=1
Tick all options and clean; make a habit of doing this every time just before you
close down your computer.

polonus

Hi FreewheelinFrank,

I did what you suggested. This problem is solved. (C:\WINDOWS\system32\qutlfadn.dll)

Hi Polonus,
I can't find the link to gamegoblin, so I can't remove it.
I looked at the link to PestPatrol. I don't find the files, i.e. the ones that are mentioned, so I can't remove anything. I downloaded PestPatrol and installed it. It found a few viruses. They are removed, but the same problem with hxxp://gameglobin[dot]info/g[dot]php?wmid=bg004[UPX] still exists.
I haven't installed ATF Cleaner yet, but will soon do this.
When I run PestPatrol it finds Nebuler S, key: HKEY_LOCAL_MACHINE\software\microsoft\mssmgr
Although this is put in quarantine, it comes back after a while and I get a message from avast (same as mentioned May 22).
Any suggestions?? >:( :cry:

Paul

Hi paulusjaja,

The webforum moderator did this for you and all of us here (thanks to him we are safe now).
So something secretly puts it back on, put a hijackthis log here (maybe in two separate postings, if one won’t take it, and we will have a look then).

polonus

What was detected. Can you post the malware name(s)?

Try running a thorough scan with the free version of SuperAntiSpyware, putting anything detected in quarantine. Then post the log.

http://www.superantispyware.com/

Hi Polonus,
this is the most recent HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:55:18, on 25-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\beheer\avast\aswUpdSv.exe
D:\beheer\avast\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
D:\beheer\avast\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\toepassingen\ideazon fang\Zboard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE
D:\toepassingen\pestpatrol\caissdt.exe
C:\WINDOWS\system32\spoolsv.exe
D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\toepassingen\Kirby Alarm\kirbyalarm.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\beheer\norton ghost\GhostStartService.exe
D:\beheer\avast\ashMaiSv.exe
D:\beheer\avast\ashWebSv.exe
D:\toepassingen\firefox\firefox.exe
D:\download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [LaunchAp] “C:\Program Files\Launch Manager\LaunchAp.exe”
O4 - HKLM..\Run: [PowerKey] “C:\Program Files\Launch Manager\PowerKey.exe”
O4 - HKLM..\Run: [LManager] “C:\Program Files\Launch Manager\HotkeyApp.exe”
O4 - HKLM..\Run: [CtrlVol] “C:\Program Files\Launch Manager\CtrlVol.exe”
O4 - HKLM..\Run: [LMgrOSD] “C:\Program Files\Launch Manager\OSDCtrl.exe”
O4 - HKLM..\Run: [Wbutton] “C:\Program Files\Launch Manager\Wbutton.exe”
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Arcade\PCMService.exe”
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM..\Run: [avast!] D:\beheer\avast\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Zboard] D:\toepassingen\ideazon fang\Zboard.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [QuickTime Task] “D:\toepassingen\quicktime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [CaISSDT] “D:\toepassingen\pestpatrol\caissdt.exe”
O4 - HKLM..\Run: [eTrustPPAP] “D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe”
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\Run: [Uniblue RegistryBooster2] D:\beheer\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kirby Alarm.lnk = D:\toepassingen\Kirby Alarm\kirbyalarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\TOEPAS~1\msoffice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\TOEPAS~1\msoffice\OFFICE11\REFIEBAR.DLL
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\beheer\avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\beheer\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\beheer\avast\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\beheer\norton ghost\GhostStartService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Are you still getting browser re-directs to the malware site, or new browser windows to the scam anti-virus site?

The only suspicious entry I can see is this one:

O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab

Some kind of browser monitor. Some anti-spyware sites are recommending removing it. Maybe somebody knows more about it?

The http://hijackthis.de/index.php on-line analysis flags that entry and mentions dialler in its information.

Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

Although there is no such name in the activeX object name, bearing in mind the topic title it is worth further investigation. I also hate it when an IP address is given rather than a domain name, it makes me wonder what/if they are trying to hide.

A Google search for "Gif89 Lite Class" returns many hits (http://www.google.com/search?q=Gif89+Lite+Class); as Frank says, a lot of them are anti-spyware, analysis and forum pages. I would have expected to see a hit higher up for a legitimate application ActiveX control.
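The checks applied by hand in this thread (an O16 ActiveX download from a bare IP address rather than a domain name, dialer-style wording in the object name or URL, a Run entry that makes rundll32 load a DLL from system32 by full path, services reported "(file missing)", and a process started from a Temp directory) are easy to run mechanically over a HijackThis log. The script below is an added example, not HijackThis itself nor code from anyone in this thread. Its sample log mixes lines taken from the logs posted above with constructed benign and suspicious entries (the example.com/example.net ones, with made-up CLSIDs); everything else is a placeholder.

```python
"""Triage heuristics for a HijackThis 1.x log.

Added example, not HijackThis code or code from this thread. It mechanises the
checks the thread applies by eye; a hit means "look closer", not "malicious".
"""
import re

SUSPICIOUS_WORDS = ("dialer", "dialler", "casino", "free plugin")
ENTRY = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")            # "O4 - ...", "R0 - ..."
IP_HOST = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(/|$)", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# rundll32 loading a DLL from system32 by full (optionally quoted) path, then ",export"
RUNDLL_SYSTEM32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\([^\\",]+\.dll)"?,(\w+)', re.I)

# Sample log: lines from the thread plus constructed example.com/example.net entries
# (their CLSIDs are made up).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE
D:\beheer\avast\ashServ.exe

O4 - HKLM\..\Run: [avast!] D:\beheer\avast\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qutlfadn.dll",realset
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Vendor Class) - http://plugins.example.com/viewer.cab
O16 - DPF: {22222222-3333-4444-5555-666666666666} (Free Plugin Dialer Class) - http://plugins.example.net/dialer.cab
O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing)
"""


def parse_log(text):
    """Return (running process paths, [(section code, entry body), ...])."""
    processes, entries = [], []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            section = "processes"
            continue
        m = ENTRY.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
        elif section == "processes":
            processes.append(line)
    return processes, entries


def triage_log(text):
    """Return (code, line, reason) triples for entries worth a closer look."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if TEMP_DIR.search(path):
            findings.append(("process", path, "executable running from a Temp directory"))
    for code, body in entries:
        low = body.lower()
        if code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if IP_HOST.match(url):
                findings.append((code, body, "ActiveX download from a bare IP address rather than a domain"))
            if any(w in low for w in SUSPICIOUS_WORDS):
                findings.append((code, body, "ActiveX name or URL contains dialer/casino/free-plugin wording"))
        elif code == "O4":
            m = RUNDLL_SYSTEM32.search(body)
            if m:
                findings.append((code, body,
                                 "rundll32 loads %s from system32 by full path (export %s)" % (m.group(1), m.group(2))))
        elif code == "O23" and "(file missing)" in low:
            findings.append((code, body,
                             "service binary reported missing; verify on disk (in this thread the avast "
                             "services show the flag while the file is clearly running)"))
    return findings


if __name__ == "__main__":
    for code, line, reason in triage_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (code, reason, line))
```

The rundll32 rule is deliberately narrow: the legitimate `bthprops.cpl,BluetoothAuthenticationAgent` entry passes because it names a control panel module by bare name, while the `[setup]` entry that loads `qutlfadn.dll` by full path with an obscure export is exactly the pattern that turned out to be the loader here.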

Hi there paulusjaja, here are the results.

[Y] Logfile of HijackThis v1.99.1 - This should be the newest version.
[WINXP] Platform: Windows XP SP2 (WinNT 5.01.2600) -
[Y] MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) - This should be the newest version.
[Y] C:\WINDOWS\System32\smss.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\winlogon.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\services.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\lsass.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\Ati2evxx.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\svchost.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\Windows Defender\MsMpEng.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\System32\svchost.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\System32\wltrysvc.exe - Broadcom Corporation Wireless Network Tray Applet
[Y] C:\WINDOWS\System32\bcmwltry.exe - This entry was classified from our visitors as good.
[Y] D:\beheer\avast\aswUpdSv.exe - Good! According to our database this process runs normally in c:\programme\alwil software\avast4! Check if you know this process and arrange a viruscheck where required.
[AVSCAN] D:\beheer\avast\ashServ.exe - Good! According to our database this process runs normally in c:\programme\alwil software\avast4! Check if you know this process and arrange a viruscheck where required. Avast Antivirus-Scanner
[Y] C:\WINDOWS\system32\Ati2evxx.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\Explorer.EXE - This entry was classified from our visitors as good.
[Y] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe -
[Y] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe -
[Y] C:\WINDOWS\system32\WLTRAY.exe - This is a unknown process. This entry was classified from our visitors as good.
[Y] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe - ATI Desktop Control Panel from ATI Technologies

[Y] C:\WINDOWS\system32\rundll32.exe - RUNDLL32 is the Microsoft Windows program that loads DLLs into memory so that they can be used by specific programs or by Windows.
[Y] C:\Program Files\Launch Manager\LaunchAp.exe - Acer Launch Manager
[Y] C:\Program Files\Launch Manager\PowerKey.exe - Acer Powerkey
[Y] C:\Program Files\Launch Manager\HotkeyApp.exe - Acer Launch Manager
[Y] C:\Program Files\Launch Manager\OSDCtrl.exe - OSD (on-screen-display) utility - part of Acer Launch Manager
[Y] C:\Program Files\Launch Manager\Wbutton.exe - Wireless Button
[Y] C:\Program Files\Arcade\PCMService.exe - PowerCinema
[Y] C:\Acer\Empowering Technology\eRecovery\Monitor.exe - Acer eRecovery
[Y] D:\beheer\avast\ashDisp.exe -
[Y] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe - Java Runtime
[Y] C:\WINDOWS\SOUNDMAN.EXE - This entry was classified from our visitors as good.
[Y] D:\toepassingen\ideazon fang\Zboard.exe - Check whether you recognise this! According to our database this process runs normally in c:\programme\ideazon\zboard software\driver! Check if you know this process and arrange a viruscheck where required. zboard Gamer Keyboard
[Y] C:\Program Files\Windows Defender\MSASCui.exe - This entry was classified from our visitors as good.
[Y] C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE - Realtek HD Audio Data Rerouter
[FIREWALL] D:\toepassingen\pestpatrol\caissdt.exe - Check this! According to our database this process runs normally in c:\programme\ca\etrust internet security suite! Check if you know this process and arrange a viruscheck where required. eTrust Internet Security (Antivirus, Antispam, Firewall)
[Y] C:\WINDOWS\system32\spoolsv.exe - This entry was classified from our visitors as good.
[Y] D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe - Check the location! According to our database this process runs normally in c:\programme\ca\etrust pestpatrol! Check if you know this process and arrange a viruscheck where required. eTrust PestPatrol
[Y] C:\WINDOWS\system32\ctfmon.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe - Bluetooth Software
[?] D:\toepassingen\Kirby Alarm\kirbyalarm.exe - This is a unknown process.
[Y] C:\Acer\eManager\anbmServ.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe - Bluetooth Software
[Y] D:\beheer\norton ghost\GhostStartService.exe - Check the location! According to our database this process runs normally in c:\programme\norton ghost! Check if you know this process and arrange a viruscheck where required. Part of Norton Ghost
[Y] D:\beheer\avast\ashMaiSv.exe - Avast! Virus Scanner - Mail scanner sevice
[Y] D:\beheer\avast\ashWebSv.exe - Avast Webscanner service
[Y] D:\toepassingen\firefox\firefox.exe - Internet Browser
[Y] D:\download\HijackThis.exe - Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups! The tool with which you created this log file. The program should be set up like this: C:\Programme\HijackThis\HijackThis.exe
[Y] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/ - This page has been identified as safe.
[Y] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/ - This page has been identified as safe.
[Y] R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen - This page has been identified as safe.
[Y] O4 - HKLM..\Run: [preload] C:\Windows\RUNXMLPL.exe - Unknown application. This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - Synaptics touchpad driver helper. Required for touchpad features to work
[Y] O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe -
[Y] O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY - Unknown application. This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe - Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start → Settings → Control Panel → Display. Some users may need it if they have optimised their settings
[Y] O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe" - Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610
[Y] O4 - HKLM..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe" - Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610
[Y] O4 - HKLM..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe" - Acer Hotkey Launch-Manager
[Y] O4 - HKLM..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe" -
[Y] O4 - HKLM..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe" - Acer Hotkey Launch-Manager
[Y] O4 - HKLM..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe" - Wireless Button
[Y] O4 - HKLM..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe" - In a Dell\Media Experience sub-directory
[Y] O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [avast!] D:\beheer\avast\ashDisp.exe - Part of Avast! anti-virus software
[Y] O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" - Java from Sun
[Y] O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE - Not dangerous, but unnecessary. This entry was classified from our visitors as good.

[Y] O4 - HKLM..\Run: [Zboard] D:\toepassingen\ideazon fang\Zboard.exe - Zboard keyboard
[Y] O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe - Associated with "Nero Burning Rom" CD writing software. Checks for driver issues
[Y] O4 - HKLM..\Run: [QuickTime Task] "D:\toepassingen\quicktime\qttask.exe" -atboottime - Not dangerous, but unnecessary. QuickTime
[Y] O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [CaISSDT] "D:\toepassingen\pestpatrol\caissdt.exe" - eTrust Internet Security Suite
[Y] O4 - HKLM..\Run: [eTrustPPAP] "D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" - PestPatrol real-time protection.
[Y] O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k - Not dangerous, but unnecessary.
[Y] O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe - This entry was classified from our visitors as good.
[Y] O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 - AdobeUpdateManager
[Y] O4 - HKCU..\Run: [Uniblue RegistryBooster2] D:\beheer\RegistryBooster 2\RegistryBooster.exe /S - Registry Booster
[Y] O4 - Global Startup: BTTray.lnk = ? - The entry is unnecessary and can be fixed. This entry was classified from our visitors as good.
[?] O4 - Global Startup: Kirby Alarm.lnk = D:\toepassingen\Kirby Alarm\kirbyalarm.exe - Unknown application.
Do you know this one? If not, remove it.
[Y] O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\TOEPAS~1\msoffice\OFFICE11\EXCEL.EXE/3000 - The entry E&xport to Microsoft Excel has been identified as safe.
[Y] O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm - The entry Verzenden naar &Bluetooth has been identified as safe.
[Y] O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll - The entry has been identified as safe.
[Y] O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll - The entry Sun Java Console has been identified as safe.
[Y] O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\TOEPAS~1\msoffice\OFFICE11\REFIEBAR.DLL - The entry Onderzoek has been identified as safe.
[?] O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab - Check if you know this site and fix it if you do not. Unknown
ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

Tick this Google Search redirect and remove it.
[Y] O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll - This entry was classified from our visitors as good.
[Y] O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe - This service (anbmServ.exe) was identified as a good one. This entry was classified from our visitors as good.
[Y] O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\beheer\avast\aswUpdSv.exe - This service (aswUpdSv.exe) was identified as a good one.
[Y] O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe - This service (Ati2evxx.exe) was identified as a good one. This entry was classified from our visitors as good.
[AVSCAN] O23 - Service: avast! Antivirus - ALWIL Software - D:\beheer\avast\ashServ.exe - This service (ashServ.exe) was identified as a good one.
[Y] O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing) - This service (ashMaiSv.exe) was identified as a good one.
[Y] O23 - Service: avast! Web Scanner - Unknown owner - D:\beheer\avast\ashWebSv.exe" /service (file missing) - This service (ashWebSv.exe) was identified as a good one.
[Y] O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe - This service (btwdins.exe) was identified as a good one.
[Y] O23 - Service: GhostStartService - Symantec Corporation - D:\beheer\norton ghost\GhostStartService.exe - This service (GhostStartService.exe) was identified as a good one.
[Y] O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe - This service (wltrysvc.exe) was identified as a good one.

You can tick the italicised ones; don't forget to check the other two for whether they look familiar to you, otherwise leave them alone.
Run HijackThis, tick the items to be removed and press Enter.

regards,

polonus

[?] O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab - Check if you know this site and fix it if you do not. Unknown
Do you have a wireless web cam (possibly a security camera)?

Hi,

I had the same problem a few days ago.
Just using VUNDOFIX.EXE from atribune ( http://www.atribune.org ) worked very well.

In addition I used AVG Anti-Spyware ( http://free.grisoft.com/doc/20/lng/us/tpl/v5 ), and everything works now; the problems are finished!

(sorry for my English...)

polonus and all others,

Thanks for your help and analysis. A few days ago I really got tired of it and put an image, dated 05-2006, back onto the C partition. My problem of the emails was solved.
Still, I was under attack from http://gameglobin.info. I then blocked the URL at my modem/router (along with the URL that causes a popup from winantiviruspro). I also found out that there was a setting at the modem called "Bypass Triangle Route" that was enabled. ("Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to a LAN computer without passing through the router.")

I disabled it.

Now I haven't had any warnings or problems for two days. My problems seem to be over.

Thanks a lot.