Anyone have more info on this one? Friend of a friend - in Europe lol - has it - they've cleaned it, but I think only this reg entry R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Plus18Point/Portal/portal.html and not the 3 others that seem associated according to what I've been able to find with Google. Anyone know more that might be helpful? Of course, if they use HijackThis and clean the 4 entries likely associated, it might not come back.
Still looking but I did find one link that I'm attempting to translate. This link---> http://users.telenet.be/marcvn/spyware/1017921.htm
That's the one I had found where I saw the 4 entries - luckily enough the guys are Dutch - so it doesn't need a translator ;-) Just kinda hoped maybe someone would be familiar with this one.
Hi Detox, This link might help also. Pieter has a write up for that one in Post #21. https://www.wilderssecurity.com/showthread.php?t=15983
Plus18Point Switchdialer:

Items in the registry installed by Plus18Point:
HKEY_CLASSES_ROOT\.cxq
HKEY_CLASSES_ROOT\.mxq
HKEY_CLASSES_ROOT\Applications\srv2.exe
HKEY_CLASSES_ROOT\Applications\srv2.exe\shell
HKEY_CLASSES_ROOT\Classes
HKEY_CLASSES_ROOT\Classes\shell
HKEY_CLASSES_ROOT\Classes\shell\open
HKEY_CLASSES_ROOT\Classes\shell\open\command
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-callswitch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/run.cxq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/srv2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Classes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch
HKEY_LOCAL_MACHINE\SOFTWARE\Plus18Point
HKEY_LOCAL_MACHINE\SOFTWARE\SwitchDialer

Installed in the file system:
c:\Documents and Settings\Gebruikersnaam\Local Settings\Temp\$Plus18Point
c:\Program Files\Plus18Point
c:\Documents and Settings\Gebruikersnaam\Bureaublad\More Games .lnk
c:\WINDOWS\run.cxq
c:\WINDOWS\srv2.exe
c:\WINDOWS\Downloaded Program Files\srv2.inf
c:\WINDOWS\system32\srv2.exe
c:\WINDOWS\system32\CatRoot2\tmp.edb

How to delete:
Restart in Safe Mode (press F8 during restart).
Make hidden files visible in all folders: Start -> Control Panel -> Folder Options -> View. Undo the check in "secure systemfiles hidden", at the bottom check "rev. system files", press OK.
Remove these files: search for run.cxq, cxq, mxq, srv2.inf, srv2.exe, switchdialer, x-callswitch, Plus18Point, in the file system as well as in the registry (regedit).
Clear Temp, History and Content.IE5:
Temp -> C:\Documents and Settings\username\Local Settings\Temp
History -> C:\Documents and Settings\username\Local Settings\history
Content.IE5 -> C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5
Reset your home start page and reboot in normal mode.

greets, Cas
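A read-only check for the leftovers listed in the post above, added here as an example and not part of the original thread or of any poster's tooling. It assumes PowerShell is available on the machine, maps the per-user Temp folder to $env:TEMP, and leaves out CatRoot2\tmp.edb and the desktop shortcut (the first on the assumption that the name is not specific to this dialer, the second because its folder name is localized).

```powershell
# Added example: report which Plus18Point artifacts from the list are still present.
# Nothing is deleted. The .NET registry API is used because several key names
# contain '/', which the PowerShell registry provider treats as a path separator.
$hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser

$hkcrKeys = '.cxq', '.mxq', 'Applications\srv2.exe', 'Classes',
            'MIME\Database\Content Type\application/x-callswitch'
$hklmKeys = 'SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/run.cxq',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/srv2.exe',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch',
            'SOFTWARE\Plus18Point', 'SOFTWARE\SwitchDialer'

function Test-RegKey($root, $path) {
    $k = $root.OpenSubKey($path)          # read-only open, $null when the key is absent
    if ($k) { $k.Close(); return $true }
    return $false
}

$found = @()
foreach ($p in $hkcrKeys) { if (Test-RegKey $hkcr $p) { $found += "HKCR\$p" } }
foreach ($p in $hklmKeys) { if (Test-RegKey $hklm $p) { $found += "HKLM\$p" } }

# Autostart value "Classes" under Run, as named in the list
$run = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
if ($run -and $null -ne $run.GetValue('Classes')) { $found += 'HKLM Run value "Classes"' }

# IE start page from the first post (HijackThis R0 entry)
$ie = $hkcu.OpenSubKey('Software\Microsoft\Internet Explorer\Main')
if ($ie -and "$($ie.GetValue('Start Page'))" -like '*Plus18Point*') { $found += 'HKCU IE Start Page' }

$files = "$env:SystemRoot\run.cxq", "$env:SystemRoot\srv2.exe",
         "$env:SystemRoot\Downloaded Program Files\srv2.inf",
         "$env:SystemRoot\system32\srv2.exe",
         "$env:ProgramFiles\Plus18Point",
         (Join-Path $env:TEMP '$Plus18Point')
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $found += $f } }

if ($found) { $found | ForEach-Object { "LEFTOVER: $_" } }
else        { 'No listed Plus18Point artifacts found.' }
```

Running it again after a reboot shows whether anything from the list has been recreated.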
Well, I did use HijackThis and deleted the lines that included Plus18Point, and deleted the main Plus18Point folder. After I did that everything was OK until the reboot, then everything was back. What I didn't know is that it uses srv2.exe as a system resource; since I'm using Radmin on 1 of the infected machines, I thought it was the Radmin server program running. Note: the srv2.exe file has no icon, and can be found very quickly using the search option. The computer that was infected is clean now. I have installed several things like SpywareBlaster and Guard, Ad-aware, Spybot incl. TeaTimer. I'm wondering how long it will take until that puter is full of "****" again since the owner practically doesn't know bullocks 'bout puters... but getting tired of fixing it every time.
In case anyone was wondering - 4MOTION is my friend in Holland cleaning the PC of a friend of his. Gets complicated, don't it