1on1 dialer

Discussion in 'adware, spyware & hijack cleaning' started by sandanistarebel, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. sandanistarebel

    sandanistarebel Guest

    Hi,
    i've got this really annoying dialer, no idea how it got on to my pc but its here now + won't go away, the uninstall program blatantly doesn't work!! i've used adaware + cws shredder on my pc and shown below is my hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:18:56, on 21/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DISKSERV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com/?IE6
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [Microsoft® System Mapper] C:\WINDOWS\SYSTEM\SysMap.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\SBNET\SHOWBEHIND.EXE
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\svchost.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Disk Master] C:\WINDOWS\diskserv.exe
    O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com/?IE6
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.super-direct-downloads.de/freemp3z.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//1ble.chm::/wincfgid.exe

    any help you could give will be greatly appreciated!
    Thanks,
    John
     
    sandanistarebel, Apr 21, 2004
    #1
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi sandanistarebel,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchalot.com/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchalot.com/?IE6
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchalot.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com

    O4 - HKLM\..\Run: [b3dUpdate] C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab

    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [Microsoft® System Mapper] C:\WINDOWS\SYSTEM\SysMap.exe

    O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\SBNET\SHOWBEHIND.EXE
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\svchost.exe /i

    O4 - HKCU\..\Run: [Disk Master] C:\WINDOWS\diskserv.exe
    O4 - HKCU\..\Run: [ssate.exe] C:\WINDOWS\SYSTEM\irun4.exe

    O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com/?IE6
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com

    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.super-direct-downloads.de/freemp3z.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\bla.MHT!http://216.115.95.98//1ble.chm::/wincfgid.exe

    Download CWShredder and run. Be sure ALL other windows are closed use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\BDE\ <-- entire folder
    C:\PROGRAM FILES\COMMON FILES\CMEII\ <-- entire folder
    C:\WINDOWS\SYSTEM\SysMap.exe
    C:\WINDOWS\SBNET\ <-- entire folder
    C:\WINDOWS\svchost.exe <-- Only delete this one in the Windows folder, NOT the one in system.
    C:\WINDOWS\diskserv.exe
    C:\WINDOWS\SYSTEM\irun4.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
    puff-m-d, Apr 21, 2004
    #2
  3. sandanistarebel

    sandanistarebel Guest

    Hi,
    Thanks for your help + your quick reply, i really need to get this problem sorted as i reply on my pc to run my business. I could not locate the following files/folders and i had hidden files viewable:

    C:\WINDOWS\SYSTEM\SysMap.exe
    C:\WINDOWS\SBNET\ <-- entire folder
    C:\WINDOWS\svchost.exe <-- Only delete this one in the Windows folder, NOT the one in system. (i found a C:\_Restore\Temp\svchost.exe and a C:\Windows\APPLOG\svchost.LGC)
    C:\WINDOWS\SYSTEM\irun4.exe

    The new hijack this log is shown below:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:23:52, on 21/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab

    Is my system clean now?
    Does rundll32 have anything to do with this problem?
    And does nwiz.exe have anything to do with this problem as i saw from msconfig that it is in my startup and the command is nwiz.exe/install

    Thanks for all your help so far,
    John
     
    sandanistarebel, Apr 21, 2004
    #3
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi John,

    That is OK. Ad-Aware probably deleted the files.
    Yes, your system is now clean.
    No, that is a legit windows file that is both running your power profile and part of your nVidia graphics card.
    No, that is part of your nvidia graphics software.
    It was my pleasure ;) .

    Regards,
    Kent
     
    puff-m-d, Apr 21, 2004
    #4
  5. sandanistarebel

    sandanistarebel Guest

    Hi,
    Thanks for everything so far, i got this from another forum:

    "Let the Forum know regardless when you decide the outcome. The only problem is that the 1on1 does create a registry key(s), we know the key names and the folders that they are put in. the only problem is that these guys should have told you is that we are all searching for the executable file that puts the keys in there. Even if the keys are deleted, which people have done time over, the executable file dumpes them back in when it randomnly decides it wants to play out. Don't want to be a kill joy and I hope it works."

    any ideas?

    Thanks again for all your help, its really appreciated,
    John
     
    sandanistarebel, Apr 21, 2004
    #5
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi John,

    You removed the keys with HJT. Then I had you go back and delete the files themselves (executables). Your log and system should be clean. Are you still having problems? You should not be as long as you deleted all the files I asked you to and cleaned out all temp folders and caches, emptied the recycle bin, and cleaned your restore points. The files you looked for with hidden and system files shown and could not find were deleted by Ad-Aware.

    Regards,
    Kent
     
    puff-m-d, Apr 21, 2004
    #6
  7. sandanistarebel

    sandanistarebel Guest

    Hi,
    i haven't cleaned out the temp folders and caches yet, how do i do this, just by deleting all the files in the temp folder?
    Thanks
     
    sandanistarebel, Apr 21, 2004
    #7
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi sandanistarebel,

    The easiest way is in internet explorer click Tools >> Internet Options >> Temporary Internet Files >> Delete Files >> check "Delete offline content" >> OK

    HTH....

    Regaards,
    Kent
     
    puff-m-d, Apr 21, 2004
    #8
  9. sandanistarebel

    sandanistarebel Guest

    Hi,
    I've just run spybot S&D again + found the following registry keys:

    CoolWWWSearch.CameUp: Interface (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Interface\{95B92D92-8B7D-4A19-A3F1-43113B4DBCAF}

    Global Internet Billing: User settings (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\GIB

    InternetWasher: File extension (Registry key, nothing done)
    HKEY_CLASSES_ROOT\.te

    Unknown: RAS profile (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\RemoteAccess\Profile\XXXServer

    Unknown: Settings (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\RemoteAccess\Addresses\XXXServer


    --- Spybot-S&D version: 1.2 ---
    2004-02-26 Includes\Cookies.sbi
    2003-03-16 Includes\Temporary.sbi
    2004-02-29 Includes\Dialer.sbi
    2004-02-29 Includes\Hijackers.sbi
    2004-02-29 Includes\Malware.sbi
    2004-02-26 Includes\Keyloggers.sbi
    2004-03-09 Includes\Revision.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2004-02-26 Includes\Security.sbi
    2004-02-29 Includes\Spybots.sbi
    2004-02-26 Includes\Tracks.uti
    2004-02-29 Includes\Trojans.sbi

    does this mean that the 1on1 xxx server is still in my system somewhere?

    spy bot won't let me delete these entries so i'm going to try in safe mode.
    Thanks for all your help so far,
    John
     
    sandanistarebel, Apr 21, 2004
    #9
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi John,

    Those keys mainly look like leftovers from CoolWebSearch that did not get removed. There should be no files on your system corresponding to the reg keys as SpyBot only found the keys, no files.

    HTH....

    Regards,
    Kent
     
    puff-m-d, Apr 21, 2004
    #10
  11. sandanistarebel

    sandanistarebel Guest

    thanks a lot,
    sorry to keep going on at you, its just i'm really anxious not to get this dialler back again,
    thanks for all your help it is really really appreciated!!
     
    sandanistarebel, Apr 21, 2004
    #11
  12. sandanistarebel

    sandanistarebel Guest

    sandanistarebel, Apr 21, 2004
    #12
  13. sandanistarebel

    sandanistarebel Guest

    hi again,
    i also found sysinf.exe in my temp folder, it had the xxx server icon,
    is this thing definately removed from my system?
    thanks
     
    sandanistarebel, Apr 21, 2004
    #13
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi,

    What the experts will probably need from u now is to post a Start Up List from HijackThis.

    Open HijackThis and in lower left corner click on "Config..." button. Then click on the "Misc Tools" button, and make sure that "List Also Minor Sections" has a check in the box (that is very important). Then click on the "Generate Startup" button and copy and paste the results.


    snowbound
     
    snowbound, Apr 21, 2004
    #14
  15. sandanistarebel

    sandanistarebel Guest

    Hi,
    here's the start up list from hijack this:

    StartupList report, 22/04/2004, 13:29:03
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\MY DOCUMENTS\JOHN'S FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    pop3trap.exe = "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    WebTrap.exe = "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    Gearbox = "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    LoadQM = loadqm.exe
    WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    nwiz = nwiz.exe /install
    SiSAudio = C:\WINDOWS\SYSTEM\MP_S3.exe
    Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 21/4/2004, 18:50:40)

    [rename]
    C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Maintenance-ScanDisk.job
    Maintenance-Defragment programs.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
    CODEBASE = http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [EPSImageControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
    CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37971.4581018519

    [WScanCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSCAN.DLL
    CODEBASE = http://www3.ca.com/virusinfo/webscan.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 6,559 bytes
    Report generated in 0.089 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Thanks for all your help guys!
    John
     
    sandanistarebel, Apr 22, 2004
    #15
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...