My HijackThis log


gmt1
June 9th, 2004, 10:15 AM
Hi,

I've been having trouble getting rid of the 1on1 dialler/XXXServer which seems to have installed itself on my PC.

Having read advice on another forum I have downloaded and run Ad-aware and Spybot S&D.

Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 13:38:21, on 09/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\MSREXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRUN4.EXE
C:\ESM2\STMS.EXE
C:\TBRIDGE\FLATBED.EXE
C:\ESM2\EBRR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



Any help would be much appreciated.
Thanks,
Graham Toyne.
removed

Pieter_Arntz
June 9th, 2004, 10:58 AM
Hi gmt1,

Please download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then click System Testing > Full System scan.
When it is done rightclick one of the entries in the bottom screen and choose save as txt.

Post the content of that file.

To make it easier to remove the trojans and worm, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O4 - HKLM\..\Run: [WinLoader] MSREXE.exe

O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe

O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe

Then reboot.

Regards,

Pieter
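The items Pieter lists for "Fix checked" are autostart entries (win.ini load/run lines, Run and RunServices keys, a BHO with no backing file) that point at the same few files. As an added example that is not part of the thread, the script below parses HijackThis-style log lines, flags entries referencing those files, and diffs two logs so you can confirm the entries are actually gone after a fix. The indicator names are the ones from Pieter's list; the sample log excerpts are constructed from lines posted in this thread and the helper names are my own.

```python
"""Flag HijackThis entries that reference known-bad autostart files.

Added example, not code from the thread. The indicator basenames are
exactly the files Pieter asked to fix (MSREXE.exe, irun4.exe and the
win.ini load= target system.exe); everything else here is constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the thread's "Fix checked" list, lower-cased basenames.
BAD_BASENAMES = {"msrexe.exe", "irun4.exe", "system.exe"}

# HijackThis entries look like "O4 - HKLM\..\Run: [name] file" or "F1 - win.ini: ...".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    entry_type: str
    line: str
    reason: str


def basenames_in(text: str) -> set[str]:
    """Return the lower-cased *.exe / *.dll basenames mentioned in one line."""
    return {m.group(1).lower()
            for m in re.finditer(r"([\w~\-]+\.(?:exe|dll))", text, re.I)}


def scan(log_text: str) -> list[Finding]:
    """Return every R/F/O entry that hits an indicator or is a fileless BHO."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes" paths, blank lines
        etype, body = m.group("type"), m.group("body")
        hit = basenames_in(body) & BAD_BASENAMES
        if hit:
            findings.append(Finding(etype, line, f"references {sorted(hit)}"))
        elif etype == "O2" and body.endswith("(no file)"):
            findings.append(Finding(etype, line, "BHO CLSID with no backing file"))
    return findings


def removed_entries(before: str, after: str) -> list[str]:
    """Entries present in the first log but absent from the second (post-fix check)."""
    def entries(text: str) -> set[str]:
        return {l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())}
    return sorted(entries(before) - entries(after))


# Constructed excerpt of the first log posted in the thread.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
F1 - win.ini: load=c:\windows\system\system.exe
F1 - win.ini: run=MSREXE.exe
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed excerpt of the second log (after the fix; ZoneAlarm added).
SAMPLE_AFTER = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_BEFORE):
        print(f"{f.entry_type}: {f.reason}\n    {f.line}")
    print("Gone after fix:")
    for line in removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("   ", line)
```

On the sample excerpt `scan` reports the six entries from Pieter's list and nothing from the second log, and `removed_entries` shows the same six lines as the only ones that disappeared. Note that a clean HijackThis log only means no suspicious autostart entries remain; as dvk01 points out later in the thread, the file itself can still be on disk and must be deleted separately.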

gmt1
June 9th, 2004, 04:48 PM
Hi Pieter,

Thanks for your reply. I have been unsuccessful in running TDS-3. I've downloaded and installed the program without any problems, however when I double-click the icon on my desktop to run TDS-3 an error message appears: TDS-3 has performed an illegal operation and will be shut down. Two or three times I've uninstalled the program and downloaded it again, but the same occurs.

I've downloaded and am running a firewall called ZoneAlarm and this seems to be keeping out intrusions - I'm not sure who from though!

I've also run latest versions of Ad-aware and Spybot S&D and here is the current HijackThis log:


Logfile of HijackThis v1.97.7
Scan saved at 21:35:12, on 09/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TEXTBRIDGE PLUS\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\ESM2\STMS.EXE
C:\TBRIDGE\FLATBED.EXE
C:\ESM2\EBRR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\TOYNE\MY DOCUMENTS\INTERNETSECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~2\tips\mouse\tips.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Virgin Net User Check] C:\PROGRA~1\INTERN~1\CONNEC~2\vnet\runvnet.exe /c
O4 - HKLM\..\Run: [Intercent] C:\PROGRAM FILES\FINIWARE\INTERCENT 98\INTERCENT.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBAR\FSBAR.DLL/VSearch.htm
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38147.3100347222


Any other ideas?

Thanks again,
Graham.

Pieter_Arntz
June 10th, 2004, 03:56 AM
Hi Graham,

Your log is clean. I'll move this thread to the DCS forum to see if they can sort out your problems with running TDS.
The trojans are dormant on your system and I would feel lots better if they were removed. And who knows what else TDS finds.

Regards,

Pieter

gmt1
June 10th, 2004, 04:16 AM
Thanks for all your help Pieter, you guys do a great job!

Gavin - DiamondCS
June 10th, 2004, 04:38 AM
Hi,

Please go to this page

http://tds.diamondcs.com.au/index.php?page=files

Download the MSVB6 Runtime SP6 and run it.
Once it's extracted, run the file contained within, which will install the update.

Then reboot and try running TDS-3 again. If you get a crash, what does the error message give? Please paste the contents of the details.

dvk01
June 10th, 2004, 05:00 AM
I've noticed a few times that this worm C:\WINDOWS\SYSTEM\irun4.exe
will affect a lot of security programs in 98/ME systems.

We stopped it running before, but the actual file needs to be deleted from a 98 system.

Boot into safe mode and delete C:\WINDOWS\SYSTEM\irun4.exe


then see if TDS will run

gmt1
June 10th, 2004, 07:00 AM
Hi Gavin and dvk01,

I've followed all your advice but when I try to run TDS-3 I still get:
"This program has performed an illegal operation and will be shut down."

Here is a copy of the details:

TDS-3 caused an invalid page fault in
module CW3220MT.DLL at 0177:02304a89.
Registers:
EAX=bff89dac CS=0177 EIP=02304a89 EFLGS=00010292
EBX=0089e29c SS=017f ESP=007a0098 EBP=007a00d8
ECX=008a0000 DS=017f ESI=816802c8 FS=2187
EDX=388b5708 ES=017f EDI=022d7bb0 GS=0000
Bytes at CS:EIP:
83 3a 00 74 63 e8 39 10 00 00 64 8b 0d 04 00 00
Stack dump:
007a01a8 816802c8 0089e29c 00000000 00000000 00000000 00000000 00000000 00000000 0089e264 0089e2e8 00000000 0001001f 007a01c4 0089e29c 007a01a8


Graham.

Jooske
June 10th, 2004, 01:03 PM
Hi Graham,
during install of TDS, did you have all other programs closed, especially anti-virus scanners etc?
And did you reboot after install?
I'm not familiar with the file from the error message, don't know where it belongs, googling for it did not give a real answer yet. Is that file on your system?

gmt1
June 10th, 2004, 07:48 PM
Hi Jooske,

All other programs were closed as far as I know although the ZoneAlarm firewall I installed starts automatically on start-up. Have also downloaded Ad-aware, Spybot S&D, and Spyware Blaster. Not really sure how I should be using Spyware Blaster - is this a program that runs automatically?

Yes, did reboot after install of TDS-3.

I'm a bit of a novice so can't tell you much about the file CW3220MT.DLL however I did a search and it lives in the folder:
C:\ViaVoice\tts\eloq
I don't use ViaVoice so maybe I could just delete the file?

Graham.

snowbound
June 10th, 2004, 08:03 PM
Quote: "Not really sure how I should be using Spyware Blaster - is this a program that runs automatically?"

answer here,

http://www.javacoolsoftware.info/kb/idx/0/005/article/

I'll leave your other enquiry to the TDS experts. ;)

Hope this helps.


snowbound

gmt1
June 10th, 2004, 08:08 PM
Thanks snowbound.

Jooske
June 10th, 2004, 09:53 PM
ViaVoice and its components should not be a problem, so don't delete it yet.
Did you also grab the speech pack for TDS from its download page?
In that is among others the spchapi.exe file, which adds existing speech engines on your system to TDS. After installing TDS and extracting that speechpack, run the spchapi.exe in the TDS directory and give it another try with TDS.
Let us know if that solved the problem please.

gmt1
June 11th, 2004, 03:25 AM
Hi Jooske,

I downloaded and ran the spchapi.exe as you suggested but still get the same error message appear when I try to run TDS.

I'm going on holiday for a week now but will get back on here as soon as I'm home as I'd like to clean-up my system as much as possible. Thanks for all your help so far.

Graham.

crim64
June 11th, 2004, 07:08 PM
Thank you snowbound, you answered my question! That is about Spyware Blaster! You are awesome!

gmt1
June 17th, 2004, 07:11 PM
Hi all,

I know you're probably fed up with me by now but I'm back! Any other ideas on how I can get TDS-3 to run?

Graham.

Jooske
June 18th, 2004, 12:19 AM
Was hoping in the meantime you checked all the required system files and had the other programs down while installing TDS, including your SpywareBlaster etc. and all resident protection, registry protection, scanners, etc.
Think FanK would advise to open your task manager and close everything except systray and explorer before installing TDS or any other program, reboot and try to run it.
The dll you mentioned -- I've never seen it making any trouble, first time in all those years I saw it mentioned, so not sure if that other program got corrupt somehow, maybe because of some infection or removing a file you needed.

Did an online scan find anything illegal on your system, like at http://housecall.antivirus.com for instance?
If you run ViaVoice, does that run well?

Not sure if you installed TDS somewhere in Program Files and if you tried to install it for instance in c:\

Can't imagine the speech part from TDS and ViaVoice would not cooperate:
look at www.microsoft.com/msagent and the third-party software pages they point to -- the speech technology used in TDS is part of msagent.
The only part I can imagine: go into the Windows control panel, speech console, disable there the speech controls and only choose the SAPI4 speech engine. Now try TDS again.