My laptop is sending lots of emails. avast gives the message that a dialer has been found: Win32:Dialer-BN [Trj]
I tried avast, Ad-Aware, Spybot, Sophos Anti-Rootkit and Windows Defender to remove it, but without any result.
HijackThis gives the following log.
Can anybody help me?
Logfile of HijackThis v1.99.1
Scan saved at 22:59:37, on 21-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I would have thought that a dialler wouldn’t be sending out email, so I would think that there is an undetected trojan spam bot on your system.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
What actions have you taken to try and resolve the problem (what action did you select when avast detected it) ?
Does avast still detect it ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Thanks for your reply.
I run AVG, but no spyware or viruses are found. I also run Ad-Aware, Spybot, Windows Defender, ...
When I look at the avast log I find: "22-5-2007 19:23:31 SYSTEM 200 Sign of "Win32:Dialer-BN [Trj]" has been found in "http://gam[blam]eglobin.info/g.php?wmid=bg004[UPX]" file."
When I'm using Firefox, sometimes I spontaneously get a new tab with the following address: http://www.winant[blem]iviruspro.com/pages/newcontent/?mpt=1179864699&aid=ffnm_ik_wavff_kw2&lid=avast%3E&affid=ffnm_67308_88D59188058B11DCBBAB003048895BFC_e0d20281+91923A0A9B5346AFA5AD43746CBE092B
I also started SmartSniff to see the traffic. There is traffic through port 25.
The message body is:
220 msg-mx9.usc.edu – Server ESMTP (SUN JES MTA 6.x)
Received: from zri ([179.166.157.104])
by 212-182-171-71.dsl.ip.tiscali.nl (8.13.4/8.13.4) with SMTP id l4MK9XaD038124;
Tue, 22 May 2007 22:09:33 +0200
Message-ID: 002c01c79cac$c6014b30$689da6b3@zri
From: “Cyrus Calderon” gtaq@tec.uji.es
To: mleeds@usc.edu
Subject: During the North Market event, Ohio products with a festive flair will be celebrated.
Date: Tue, 22 May 2007 22:07:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset=“iso-8859-1”;
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Antivirus: avast! (VPS 000742-1, 22-05-2007), Outbound message
X-Antivirus-Status: Clean
Uhranleger T3R Die Hast ist begonnen am Mittwoch 23. Mai
I submitted the file qutlfadn.dll to VirusTotal. Several scanners found it suspicious. I renamed it. Now when the laptop starts up it can't find the file. So something uses this file, but which one?
I searched for the link mentioned above, but can't find it.
For some reason (I don't remember why) I uninstalled Firefox 1.5 yesterday night and installed Firefox 2.0. Today the problem seems solved. ???
If it stays this way I'll let you know.
For the time being: thanks for the advice.
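The port-25 traffic and the captured message in the post above are exactly what a practitioner would want to check mechanically rather than by eye. The following Python is an added example, not code from this thread or from any tool mentioned in it (SmartSniff, avast, HijackThis). Every input it uses is constructed: RFC 5737 test addresses and example.* names, shaped like the sniffer transcript above but not copied from it. It pulls the HELO name, claimed sender and advertised mailer out of a captured SMTP session (a bare, non-FQDN HELO such as the "zri" above is typical of bot mailers), and over a connection log it flags hosts that deliver directly to many different mail exchangers on TCP/25 instead of to the ISP smarthost, which is how a spambot behaves and what a mail client configured with one outgoing server never does.

```python
"""Outbound-spam triage for a capture like the one in this thread.

Added example (not code from the thread or from SmartSniff/avast).
All data below is constructed: RFC 5737 test addresses and example.*
names, shaped like the transcript the sniffer showed.
"""
import re
from collections import defaultdict
from email import message_from_string

# Constructed transcript: the server's 220 banner, then the headers the
# client pushed. Tabs mark folded continuation lines of Received:.
SAMPLE_TRANSCRIPT = (
    "220 mx1.example.edu ESMTP ready\n"
    "Received: from zri ([192.0.2.44])\n"
    "\tby host-198-51-100-7.dsl.example.net (8.13.4/8.13.4) with SMTP id l4MK9XaD038124;\n"
    "\tTue, 22 May 2007 22:09:33 +0200\n"
    "Message-ID: <002c01c79cac$c6014b30$689da6b3@zri>\n"
    'From: "Cyrus Calderon" <sender@example.org>\n'
    "To: victim@example.edu\n"
    "Subject: Ohio products with a festive flair\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2800.1409\n"
    "\n"
    "The rush has begun on Wednesday 23 May.\n"
)

# Constructed connection records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.25", 25),   # ISP smarthost: what a mail client uses
    ("10.0.0.5", "198.51.100.10", 25),  # direct-to-MX deliveries, one per recipient domain
    ("10.0.0.5", "198.51.100.11", 25),
    ("10.0.0.5", "198.51.100.12", 25),
    ("10.0.0.5", "198.51.100.13", 25),
    ("10.0.0.7", "203.0.113.25", 25),   # a well-behaved client on the same LAN
    ("10.0.0.7", "198.51.100.80", 80),  # ordinary web traffic, ignored
]

HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)")


def parse_smtp_transcript(text):
    """Skip SMTP reply lines (they start with a 3-digit code) and parse the
    rest as an RFC 822 message. Returns the fields worth eyeballing: the
    HELO name and IP the first Received: line records, the claimed sender,
    the recipient and the advertised mailer."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if HEADER_LINE.match(line)), None)
    if start is None:
        raise ValueError("no message headers in transcript")
    msg = message_from_string("\n".join(lines[start:]))
    m = RECEIVED_FROM.search(msg.get("Received", ""))
    helo = m.group(1) if m else None
    return {
        "helo": helo,
        "helo_ip": m.group(2) if m else None,
        # A bare, non-FQDN HELO name is typical of bot mailers.
        "bare_helo": helo is not None and "." not in helo,
        "from": msg.get("From"),
        "to": msg.get("To"),
        "mailer": msg.get("X-Mailer"),
    }


def direct_to_mx_hosts(flows, smarthost, threshold=3):
    """Return {source: sorted destinations} for sources that connected to at
    least `threshold` distinct TCP/25 hosts other than the ISP smarthost.
    A mail client talks to one smarthost; a spambot resolves each
    recipient's MX and delivers directly, so it fans out across many."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 25 and dst != smarthost:
            seen[src].add(dst)
    return {src: sorted(d) for src, d in seen.items() if len(d) >= threshold}


if __name__ == "__main__":
    print(parse_smtp_transcript(SAMPLE_TRANSCRIPT))
    print(direct_to_mx_hosts(SAMPLE_FLOWS, smarthost="203.0.113.25"))
```

The fan-out check is the one that holds up on a home network: the bot in the thread carried an "X-Antivirus: ... Outbound message / Clean" stamp from the local mail scanner and a plausible X-Mailer, so the headers alone look like a real Outlook Express message. The number of distinct port-25 destinations per client is much harder to fake, and blocking outbound TCP/25 to anything but the ISP smarthost at the router stops the delivery even before the infection is found.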
Remove the live gamegoblin link to malware or make it non-clickable, because people may click it and get infected with virus Dialer.Silent as DrWeb’s link checker demonstrates:
File size: 9364 bytes
g.php?wmid=bg004 packed by UPX
In file >g.php?wmid=bg004 found virus Dialer.Silent
I did what you suggested. This problem is solved. (C:\WINDOWS\system32\qutlfadn.dll)
Hi Polonus,
I can't find the link to gamegoblin, so I can't remove it.
I looked at the link to PestPatrol. I don't find the files, i.e. the ones which are mentioned, so I can't remove anything. I downloaded PestPatrol and installed it. It found a few viruses. They are removed, but the same problem with hxxp://gameglobin[dot]info/g[dot]php?wmid=bg004[UPX] still exists.
I haven't installed ATF Cleaner yet, but will do so soon.
When I run PestPatrol it finds Nebuler S, key: HKEY_LOCAL_MACHINE\software\microsoft\mssmgr
After this is put in quarantine, it comes back after a while and I get a message from avast (the same as mentioned on May 22).
Any suggestions?? >:(
The web forum moderator did this for you and for all of us here (thanks to him we are safe now).
So something secretly puts it back. Post a HijackThis log here (maybe in two separate postings, if one won't take it) and we will have a look then.
Hi Polonus,
this is the most recent HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 19:55:18, on 25-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
Although there is no such name in the activeX object name, bearing in mind the topic title it is worth further investigation. I also hate it when an IP address is given rather than a domain name, it makes me wonder what/if they are trying to hide.
A google search for gif89 lite class returns many hits, http://www.google.com/search?q=Gif89+Lite+Class, a lot as Frank says are for anti-spyware, analysis and forums, I would have expected to see a hit higher up for a legit application activeX control.
[Y] Logfile of HijackThis v1.99.1 - This should be the newest version.
[WINXP] Platform: Windows XP SP2 (WinNT 5.01.2600) -
[Y] MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) - This should be the newest version.
[Y] C:\WINDOWS\System32\smss.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\winlogon.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\services.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\lsass.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\Ati2evxx.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\system32\svchost.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\Windows Defender\MsMpEng.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\System32\svchost.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\System32\wltrysvc.exe - Broadcom Corporation Wireless Network Tray Applet
[Y] C:\WINDOWS\System32\bcmwltry.exe - This entry was classified from our visitors as good.
[Y] D:\beheer\avast\aswUpdSv.exe - Good! According to our database this process runs normally in c:\programme\alwil software\avast4! Check if you know this process and arrange a viruscheck where required.
[AVSCAN] D:\beheer\avast\ashServ.exe - Good! According to our database this process runs normally in c:\programme\alwil software\avast4! Check if you know this process and arrange a viruscheck where required. Avast Antivirus-Scanner
[Y] C:\WINDOWS\system32\Ati2evxx.exe - This entry was classified from our visitors as good.
[Y] C:\WINDOWS\Explorer.EXE - This entry was classified from our visitors as good.
[Y] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe -
[Y] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe -
[Y] C:\WINDOWS\system32\WLTRAY.exe - This is an unknown process. This entry was classified from our visitors as good.
[Y] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe - ATI Desktop Control Panel from ATI Technologies
[Y] C:\WINDOWS\system32\rundll32.exe - RUNDLL32 is the Microsoft Windows program that loads DLLs into memory so that they can be used by specific programs or by Windows.
[Y] C:\Program Files\Launch Manager\LaunchAp.exe - Acer Launch Manager
[Y] C:\Program Files\Launch Manager\PowerKey.exe - Acer Powerkey
[Y] C:\Program Files\Launch Manager\HotkeyApp.exe - Acer Launch Manager
[Y] C:\Program Files\Launch Manager\OSDCtrl.exe - OSD (on-screen-display) utility - part of Acer Launch Manager
[Y] C:\Program Files\Launch Manager\Wbutton.exe - Wireless Button
[Y] C:\Program Files\Arcade\PCMService.exe - PowerCinema
[Y] C:\Acer\Empowering Technology\eRecovery\Monitor.exe - Acer eRecovery
[Y] D:\beheer\avast\ashDisp.exe -
[Y] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe - Java Runtime
[Y] C:\WINDOWS\SOUNDMAN.EXE - This entry was classified from our visitors as good.
[Y] D:\toepassingen\ideazon fang\Zboard.exe - Check whether you recognise this! According to our database this process runs normally in c:\programme\ideazon\zboard software\driver! Check if you know this process and arrange a viruscheck where required. zboard Gamer Keyboard
[Y] C:\Program Files\Windows Defender\MSASCui.exe - This entry was classified from our visitors as good.
[Y] C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE - Realtek HD Audio Data Rerouter
[FIREWALL] D:\toepassingen\pestpatrol\caissdt.exe - Check this! According to our database this process runs normally in c:\programme\ca\etrust internet security suite! Check if you know this process and arrange a viruscheck where required. eTrust Internet Security (Antivirus, Antispam, Firewall)
[Y] C:\WINDOWS\system32\spoolsv.exe - This entry was classified from our visitors as good.
[Y] D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe - Check the location! According to our database this process runs normally in c:\programme\ca\etrust pestpatrol! Check if you know this process and arrange a viruscheck where required. eTrust PestPatrol
[Y] C:\WINDOWS\system32\ctfmon.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe - Bluetooth Software
[?] D:\toepassingen\Kirby Alarm\kirbyalarm.exe - This is an unknown process.
[Y] C:\Acer\eManager\anbmServ.exe - This entry was classified from our visitors as good.
[Y] C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe - Bluetooth Software
[Y] D:\beheer\norton ghost\GhostStartService.exe - Check the location! According to our database this process runs normally in c:\programme\norton ghost! Check if you know this process and arrange a viruscheck where required. Part of Norton Ghost
[Y] D:\beheer\avast\ashMaiSv.exe - Avast! Virus Scanner - Mail scanner sevice
[Y] D:\beheer\avast\ashWebSv.exe - Avast Webscanner service
[Y] D:\toepassingen\firefox\firefox.exe - Internet Browser
[Y] D:\download\HijackThis.exe - Remember that HijackThis must be run from its own folder. Only if HijackThis runs from its own folder will it create backups! This is the tool you created this log file with. The program should be placed like this: C:\Programme\HijackThis\HijackThis.exe
[Y] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/ - This page has been identified as safe.
[Y] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/ - This page has been identified as safe.
[Y] R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen - This page has been identified as safe.
[Y] O4 - HKLM..\Run: [preload] C:\Windows\RUNXMLPL.exe - Unknown application. This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - Synaptics touchpad driver helper. Required for touchpad features to work
[Y] O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe -
[Y] O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY - Unknown application. This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe - Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start → Settings → Control Panel → Display. Some users may need it if they have optimised their settings
[Y] O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [LaunchAp] “C:\Program Files\Launch Manager\LaunchAp.exe” - Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610
[Y] O4 - HKLM..\Run: [PowerKey] “C:\Program Files\Launch Manager\PowerKey.exe” - Part of Acer Launch Manager - programmable keys on such laptops as the TravelMate 610
[Y] O4 - HKLM..\Run: [LManager] “C:\Program Files\Launch Manager\HotkeyApp.exe” - Acer Hotkey Launch-Manager
[Y] O4 - HKLM..\Run: [CtrlVol] “C:\Program Files\Launch Manager\CtrlVol.exe” -
[Y] O4 - HKLM..\Run: [LMgrOSD] “C:\Program Files\Launch Manager\OSDCtrl.exe” - Acer Hotkey Launch-Manager
[Y] O4 - HKLM..\Run: [Wbutton] “C:\Program Files\Launch Manager\Wbutton.exe” - Wireless Button
[Y] O4 - HKLM..\Run: [PCMService] “C:\Program Files\Arcade\PCMService.exe” - In a Dell\Media Experience sub-directory
[Y] O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [avast!] D:\beheer\avast\ashDisp.exe - Part of Avast! anti-virus software
[Y] O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” - Java from Sun
[Y] O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE - Not dangerous, but unnecessary. This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [Zboard] D:\toepassingen\ideazon fang\Zboard.exe - Zboard keyboard
[Y] O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe - Associated with "Nero Burning Rom" CD writing software. Checks for driver issues
[Y] O4 - HKLM..\Run: [QuickTime Task] “D:\toepassingen\quicktime\qttask.exe” -atboottime - Not dangerous, but unnecessary. QuickTime
[Y] O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide - This entry was classified from our visitors as good.
[Y] O4 - HKLM..\Run: [CaISSDT] “D:\toepassingen\pestpatrol\caissdt.exe” - eTrust Internet Security Suite
[Y] O4 - HKLM..\Run: [eTrustPPAP] “D:\toepassingen\pestpatrol\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe” - PestPatrol real-time protection.
[Y] O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k - Not dangerous, but unnecessary.
[Y] O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe - This entry was classified from our visitors as good.
[Y] O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 - AdobeUpdateManager
[Y] O4 - HKCU..\Run: [Uniblue RegistryBooster2] D:\beheer\RegistryBooster 2\RegistryBooster.exe /S - Registry Booster
[Y] O4 - Global Startup: BTTray.lnk = ? - The entry is unnecessary and can be fixed. This entry was classified from our visitors as good.
[?] O4 - Global Startup: Kirby Alarm.lnk = D:\toepassingen\Kirby Alarm\kirbyalarm.exe - Unknown application.
Do you know this one? Otherwise remove it.
[Y] O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\TOEPAS~1\msoffice\OFFICE11\EXCEL.EXE/3000 - The entry E&xport to Microsoft Excel has been identified as safe.
[Y] O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm - The entry Verzenden naar &Bluetooth has been identified as safe.
[Y] O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll - The entry has been identified as safe.
[Y] O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll - The entry Sun Java Console has been identified as safe.
[Y] O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\TOEPAS~1\msoffice\OFFICE11\REFIEBAR.DLL - The entry Onderzoek has been identified as safe.
[?] O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
Tick this Google Search redirect and remove it.
[Y] O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll - This entry was classified from our visitors as good.
[Y] O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe - This service (anbmServ.exe) was identified as a good one. This entry was classified from our visitors as good.
[Y] O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\beheer\avast\aswUpdSv.exe - This service (aswUpdSv.exe) was identified as a good one.
[Y] O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe - This service (Ati2evxx.exe) was identified as a good one. This entry was classified from our visitors as good.
[AVSCAN] O23 - Service: avast! Antivirus - ALWIL Software - D:\beheer\avast\ashServ.exe - This service (ashServ.exe) was identified as a good one.
[Y] O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing) - This service (ashMaiSv.exe) was identified as a good one.
[Y] O23 - Service: avast! Web Scanner - Unknown owner - D:\beheer\avast\ashWebSv.exe" /service (file missing) - This service (ashWebSv.exe) was identified as a good one.
[Y] O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe - This service (btwdins.exe) was identified as a good one.
[Y] O23 - Service: GhostStartService - Symantec Corporation - D:\beheer\norton ghost\GhostStartService.exe - This service (GhostStartService.exe) was identified as a good one.
[Y] O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe - This service (wltrysvc.exe) was identified as a good one.
The italicised ones you can tick; don't forget to check whether the other two look familiar to you, otherwise leave them alone.
Run HijackThis, tick the items to be removed and press Enter.
[?] O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab - Check if you know this site and fix it if you do not. Unknown
Do you have a wireless web cam (possibly a security camera)?
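The automatic analysis above grades entries by visitor votes, which is why an executable launched from a Temp directory (RtkBtMnt.EXE in LOCALS~1\Temp) and an ActiveX control fetched from a bare 169.254.x.x address both came out "good". As an added example, not code from this thread or from HijackThis, here is a mechanical first pass in Python over HijackThis-format lines that flags the properties an analyst checks by hand: O16 controls served from an IP literal (with a note when the address is link-local, i.e. something on the local network segment rather than an internet site, which is what makes the webcam question reasonable), O4 autostarts whose command lives under a Temp path, and O23 services whose binary is reported missing (often a quoting problem, as with the two avast services above, but worth confirming). The sample log is a constructed excerpt: the Gif89 Lite O16 line and the avast O23 line mirror lines in the log above, the Temp-path entry is written as an O4 autostart here whereas the log above only lists RtkBtMnt.EXE as a running process, and the second O16 line and its GUID are made up as a benign control for contrast.

```python
"""Mechanical first pass over HijackThis-format log lines.

Added example (not code from the thread or from HijackThis). The
sample log is a constructed excerpt; the Gif89 Lite and avast lines
mirror the thread, the rest is made up for contrast.
"""
import re
from ipaddress import ip_address

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\beheer\avast\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [RtkBtMnt] C:\DOCUME~1\Algemeen\LOCALS~1\Temp\RtkBtMnt.EXE
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://169.254.136.244/xplugLite.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example Plug-in) - http://plugins.example.com/viewer.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\beheer\avast\ashMaiSv.exe" /service (file missing)
"""

# One pattern per HijackThis section this pass looks at.
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def url_host(url):
    """Host part of an http(s) URL, without any :port suffix."""
    host = url.split("/")[2] if "//" in url else url
    return host.split(":")[0]


def triage(log_text):
    """Return a list of (section, name, reason) findings for the lines
    an analyst would pull out of a HijackThis log for a closer look."""
    findings = []
    for line in log_text.splitlines():
        if m := O16_RE.match(line):
            name, url = m.group(2), m.group(3)
            try:
                ip = ip_address(url_host(url))
            except ValueError:
                continue  # served from a hostname: nothing to say mechanically
            reason = "ActiveX control fetched from a bare IP address"
            if ip.is_link_local:
                reason += " in 169.254.0.0/16 (link-local: a device on the local segment, not an internet site)"
            elif ip.is_private:
                reason += " in private address space"
            findings.append(("O16", name, reason))
        elif m := O4_RE.match(line):
            name, command = m.group(2), m.group(3)
            if TEMP_DIR.search(command):
                findings.append(("O4", name, "autostart executable lives in a Temp directory"))
        elif m := O23_RE.match(line):
            name, path = m.group(1), m.group(3)
            if "(file missing)" in path:
                findings.append(("O23", name,
                                 "service binary not found at the registered path "
                                 "(check quoting and whether the file exists)"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name}: {reason}")
```

Nothing here decides whether an entry is malicious; it only replaces "visitors classified this as good" with checks that do not depend on popularity. A control pulled from a link-local address still needs the question DavidR asks (is there a camera or other device on the LAN that installs it?), and an executable in Temp is either an installer that forgot to clean up or something that would rather not sit in Program Files; both are reasons to look, not verdicts.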
Thanks for your help and analysis. A few days ago I really got tired of it and put an image, dated 05-2006, back onto the C partition. My problem with the emails was solved.
Still, I was under attack from hxxp://gameglobin[dot]info. I then blocked the URL at my modem/router (along with the URL that causes the popup from winantiviruspro). I also found out that there was a setting on the modem called “Bypass Triangle Route” that was enabled. (Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to a LAN computer without passing through the router.)
I disabled it.
Now I haven't had any warnings or problems for two days. My problems seem to be over.