View Full Version : XP keeps trying to dial out


MOR
27th Jan 2005, 07:06
Hi all,

I'm assuming I have been the victim of some piece of scumware. Sometimes, particularly when looking at an email with active content, the computer attempts to connect the modem. Now, I have broadband and have disconnected the phone line, so it always fails... but I would like to kill it.

It says it is trying to connect with "SVcamera", which I can't find any reference to in device manager. I do have a webcam but it isn't called that.

Any ideas on where to start? AdAware can't find it.

Binoculars
27th Jan 2005, 14:01
I think most of us newly self-crowned experts would recognise that as a dialler that Spybot should get rid of. Suggest you have a look at any of the recent threads on hijacks and if necessary run a HJT scan and post it. Lotsa luck.

MOR
27th Jan 2005, 14:22
It probably should, but every time I run Spybot, it crashes...

Lear_doctor
27th Jan 2005, 14:36
You could try AdAware; it's pretty similar to SpyBot. You can get a copy from here

http://www.lavasoftusa.com/

That may run without crashing.

Also you could try Bazooka. It does not automatically clean problems, but does give you a good write up on how to do it. Good for nasty probs that Adaware and Spybot can't solve. You can get Bazooka at www.download.com. Just do a search for Bazooka Adware and Spyware Scanner

Hope the above helps


Regards


The Doc

Evo
27th Jan 2005, 14:39
I'd echo Binos' comment - post a Hijack This scan (search for Hijack This, and look for E-Liam's instructions on how to run it). Remember to click 'disable smilies in this post' before posting it, otherwise all those C: \s turn into C:\...

E-Liam
27th Jan 2005, 17:39
Hi MOR,

To save you looking, my very own C&P.. :ok: :)

Please download 'Hijack This!' from here (http://thespykiller.co.uk/hjttut.htm), unzip, and place it in its own folder (not in the temp folder, or on the desktop). Double-click HijackThis.exe, check for updates by clicking on Config | Misc. Tools | Check for Updates and follow the prompts. Once updated click on Scan. When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam

MOR
28th Jan 2005, 07:39
Yes, I have AdAware and HijackThis (been down this road a few times before), so I'll update it and post the results.

Haven't tried Bazooka though, I'll download that.

Cheers, helpful dudes!

Right here ya go!

Logfile of HijackThis v1.99.0
Scan saved at 9:44:06 p.m., on 28/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\wduzwuty.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
L:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.trademe.co.nz/structure/my_bids_current.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = selected by Simon
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwpzccjlvprr] C:\WINDOWS\system32\wduzwuty.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
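
The helpers below pick the bad entries out of this log by eye. As an added example (not part of the thread, and not a HijackThis feature), here is a small triage script that applies the same cues mechanically to HJT log lines: a Run-key label with no vowels at all, an executable sitting directly in the Windows directory or with no path, a BHO whose DLL is already gone, and O16 ActiveX downloads. The Windows directory path and the vowel-free-label heuristic are assumptions of the example; the sample log is a constructed subset of the lines posted above.

```python
"""Triage helper for HijackThis logs.

Added example, not part of HijackThis or of the forum thread. It does not
know what is malicious; it surfaces the entries a human would look at first,
using the same cues the helpers in this thread applied by eye: random-looking
Run-key labels, executables sitting directly in the Windows directory or
with no path at all, a BHO whose DLL is gone, and O16 ActiveX downloads.
"""
import re
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\WINDOWS")  # assumption: default XP install path
VOWELS = set("aeiouAEIOU")

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RE_O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<lnk>.*?) = (?P<target>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$")

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwpzccjlvprr] C:\WINDOWS\system32\wduzwuty.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
"""


def executable_of(cmd):
    """Program part of a Run-key command: '"C:\\x\\y.exe" -arg' -> 'C:\\x\\y.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def looks_random(label):
    """Crude cue: six or more letters and not a single vowel, e.g. 'nwpzccjlvprr'."""
    letters = [c for c in label if c.isalpha()]
    return len(letters) >= 6 and not any(c in VOWELS for c in letters)


def path_reasons(path):
    """Why the *location* of an executable deserves a look (may be empty)."""
    p = PureWindowsPath(path)
    if len(p.parts) == 1:
        return ["bare filename: resolved via the search path, check where it really lives"]
    if p.parent == WINDIR:  # PureWindowsPath compares case-insensitively
        return ["sits directly in the Windows directory, where third-party code rarely belongs"]
    return []


def triage(log_text):
    """Return (section, target, reason) triples for entries worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O2.match(line):
            path, reasons = m["path"], []
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].strip()
                reasons.append("BHO still registered but its DLL is gone")
            reasons += path_reasons(path)
            hits += [("O2", path, r) for r in reasons]
        elif m := RE_O4_RUN.match(line):
            exe = executable_of(m["cmd"])
            reasons = path_reasons(exe)
            if looks_random(m["label"]):
                reasons.append("random-looking Run-key label [%s]" % m["label"])
            hits += [("O4", exe, r) for r in reasons]
        elif m := RE_O4_LNK.match(line):
            target = m["target"]
            if target == "?":
                hits.append(("O4", m["lnk"], "startup shortcut whose target HJT could not resolve"))
            else:
                hits += [("O4", target, r) for r in path_reasons(target)]
        elif m := RE_O16.match(line):
            hits.append(("O16", m["url"], "ActiveX control pulled from the web; remove if not needed"))
    return hits


if __name__ == "__main__":
    for section, target, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {target}\n     -> {reason}")
```

Run it against the sample and it surfaces ZServ.dll, satmat.exe, farmmext.exe, wduzwuty.exe (via its vowel-free label), the pathless essspk.exe, the unresolved "Free WebSite Tools" shortcut and the GameSpy O16 control, while leaving the ATI, QuickTime, Nero and WinZip entries alone. It also flags UpdReg.EXE because it lives in C:\WINDOWS; that one turns out to be legitimate later in the thread, which is the point: the script narrows the list, a person still decides.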

Evo
28th Jan 2005, 08:09
OK, there's bad stuff here:

O4 - HKLM\\..\\Run: [satmat] C:\\WINDOWS\\satmat.exe
O4 - HKLM\\..\\Run: [farmmext] C:\\WINDOWS\\farmmext.exe

and I don't trust

O4 - HKLM\\..\\Run: [nwpzccjlvprr] C:\\WINDOWS\\system32\\wduzwuty.exe

either - however, I'll leave a fix to the experts...

E-Liam
28th Jan 2005, 09:08
Hi MOR,

Please download and run CCleaner (http://www.ccleaner.com/). If you have certain cookies you want to retain, then click on the Options button before running, and move across the ones that you want to keep...

Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll

O4 - HKLM\..\Run: [nwpzccjlvprr] C:\WINDOWS\system32\wduzwuty.exe

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and please find and delete the following bolded files...

C:\WINDOWS\ZServ.dll

C:\WINDOWS\system32\wduzwuty.exe

C:\WINDOWS\satmat.exe

C:\WINDOWS\farmmext.exe

..and this folder...

C:\Program Files\Paltalk\

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de): if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

Cheers

Liam

MOR
28th Jan 2005, 11:01
Ok, here is the latest logfile from HJT.

I did everything on the list apart from the online virus scan. Every time I tried to download the ActiveX control it seems to need, IE hung.

Also, the dialing problem is still there. I don't think it ever happens when I use Firefox, but if I use IE6 (which I have to in order to use the Trend Micro virus scanner), it tries to dial constantly (like every time I click on anything). I KNEW there was a reason I ditched IE6...

Just out of interest, what is svchost.exe in the list below? I only ask as whatever is doing the dialing is trying to connect to SVCamera... svc... geddit...

Good luck...


Logfile of HijackThis v1.99.0
Scan saved at 12:55:08 a.m., on 29/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\essspk.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
L:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.trademe.co.nz/structure/my_bids_current.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = selected by Simon
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [ksszkbymjd] C:\WINDOWS\system32\wduzwuty.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sophos Anti-Virus Network - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

ExGrunt
28th Jan 2005, 11:41
From your description, there may be one last thing you might want to do. You said that the dialler was trying to connect to SVCamera.

Just check that there is not a network connection called SVCamera.

To do this click Start then Settings then Network connections. This will bring up a list of network connections, if there is one called SVCamera, right click it, which will bring up a context menu.

For interest, click Properties - this will bring up a dialog box with the phone number it was trying to connect to. If you post the country code, area code and number, we should be able to find out what sort of number it was trying to dial. Then click Cancel.

After that repeat the process above and this time select Delete from the context menu.

As a final thought, if you are on broadband and never going to use dialup again, in Internet Explorer click Tools then Internet Options then Connections and ensure that the radio button Never dial a connection is selected.

svchost.exe is part of Windows networking.

Hope this helps

EG

Looking at the HJT log the following appears to have survived:

O4 - HKLM\..\Run: [ksszkbymjd] C:\WINDOWS\system32\wduzwuty.exe

You might want to look at what O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE is doing.
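
ExGrunt's check above is done through the Network Connections GUI one entry at a time. As an added example (not a Windows tool and not from the thread), the script below reads the dial-up phonebook file those connections are stored in and lists every entry with the number it would dial, flagging international and premium-rate numbers and anything you did not set up yourself. The phonebook locations, the key names inside rasphone.pbk, and the "00" / "0900" prefixes (New Zealand, where the poster appears to be) are all assumptions of the example; the sample phonebook is constructed and its phone numbers are invented.

```python
r"""List the dial-up entries in a rasphone.pbk phonebook and say which ones
deserve a second look. Added example; not a Windows tool or anything from
the thread.

rasphone.pbk is an INI-style text file. On XP the machine-wide copy is under
%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\ and
each user may have one under %USERPROFILE%\Application Data\Microsoft\
Network\Connections\Pbk\ (assumption from memory of the XP layout; verify
on the machine). The key names used here (PhoneNumber, AreaCode,
CountryCode, UseDialingRules) are likewise assumptions about that format.
"""
import configparser
import re

# Assumptions for the sample: "00" is the international exit code and "0900"
# the premium-rate prefix in New Zealand. Adjust for another country.
INTERNATIONAL_PREFIXES = ("00", "+")
PREMIUM_PREFIXES = ("0900",)

# Constructed sample. "SVCamera" is the entry name from the thread; the phone
# numbers are invented for the example, not taken from the poster's machine.
SAMPLE_PBK = r"""
[My ISP]
Encoding=1
Type=1
AutoLogon=0
MEDIA=rastapi
Port=COM3
Device=Standard 56000 bps Modem
DEVICE=modem
PhoneNumber=5550100
AreaCode=9
CountryCode=64
CountryID=64
UseDialingRules=1

[SVCamera]
Encoding=1
Type=1
AutoLogon=0
MEDIA=rastapi
Port=COM3
Device=Standard 56000 bps Modem
DEVICE=modem
PhoneNumber=00 1112 345 6789
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
"""


def load_entries(pbk_text):
    """Parse a phonebook; one dict per connection entry, with review reasons."""
    # strict=False: real phonebooks repeat keys inside a section;
    # optionxform=str keeps case so 'Device=' and 'DEVICE=' stay distinct.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(pbk_text)
    entries = []
    for name in cp.sections():
        sec = cp[name]
        number = re.sub(r"[\s()\-]", "", sec.get("PhoneNumber", ""))
        reasons = []
        if number.startswith(PREMIUM_PREFIXES):
            reasons.append("premium-rate prefix")
        if number.startswith(INTERNATIONAL_PREFIXES):
            reasons.append("international number")
        if sec.get("UseDialingRules", "1") == "0" and not sec.get("AreaCode"):
            reasons.append("raw digit string, bypasses the location's dialing rules")
        entries.append({"name": name, "number": number,
                        "country": sec.get("CountryCode", ""),
                        "area": sec.get("AreaCode", ""), "reasons": reasons})
    return entries


def suspicious(pbk_text, known_good=()):
    """Entries that are flagged, or that are not among the connections you created."""
    return [e for e in load_entries(pbk_text)
            if e["reasons"] or e["name"] not in known_good]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_PBK, known_good=("My ISP",)):
        print(f"[{e['name']}] dials {e['number']!r}: "
              f"{', '.join(e['reasons']) or 'not an entry you created'}")
```

The script only reads; removing an entry is still done through the GUI as described above (or by deleting its section from the file). Pair an empty phonebook with IE's "Never dial a connection" and there is nothing left for a dialler to use without creating a fresh entry, which is itself a visible change worth watching for.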

MOR
28th Jan 2005, 13:26
Well there was a dialup connection called SVCamera. I deleted it. I think I'll uninstall the modem, I never use it anyway.

As for the other, well, how do I see what O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE is doing? Click on it and see?

Thanks for the help!

ExGrunt
28th Jan 2005, 14:02
Right click on it then select properties. Select the Version tab. Click on the Company Name.


If it is not from a reputable company, I would disable it by renaming it updreg.ex_

If nothing goes wrong and the problem goes away, then you can delete it.

EG

MOR
28th Jan 2005, 14:29
Turns out it is a "Creative Registry Update" program, probably for my soundcard - it is from Creative Technologies Ltd, as is my soundcard.

Still wondering how to get rid of that persistent wduzwuty.exe ... any ideas on that?

Ta!

shaky
28th Jan 2005, 16:45
MOR

I see you use Firefox as your browser, in which case you may wish to use this (http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php) to do your TrendMicro scan. It uses Java rather than that nasty ActiveX and that will be one more reason not to use Internet Exploder.

MOR
29th Jan 2005, 11:23
OK, did that and it found a problem but couldn't fix it. Ah well. The file name was wuam.exe if anyone recognises it.

sprocket
29th Jan 2005, 12:04
MOR: A quick Google came up with this ..... The file name is in bold for clarity.

W32/Rbot-M is a worm which attempts to spread to remote network shares.
W32/Rbot-M contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in the
background as a service process.
W32/Rbot-M spreads to network shares with weak passwords as a result of the
backdoor Trojan element receiving the appropriate command from a remote user.
When W32/Rbot-M is run it copies itself to the Windows system folder with the
filename wuam.exe and deletes the original copy if that filename was wuam.exe.
In order to run automatically when Windows starts up W32/Rbot-M creates the
following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Time=wuam.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Time=wuam.exe.
W32/Rbot-M attempts to contact the host babe.thekiller



Go HERE (http://www.sophos.com/virusinfo/analyses/w32rbotm.html) for removal info.