Andando Dialer?

Discussion in 'adware, spyware & hijack cleaning' started by jamesslf, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Can someone help me purge this?
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\andando\index.htm

    Logfile of HijackThis v1.97.5
    Scan saved at 1:40:22 PM, on 2/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\NTME\METHWNT.EXE
    C:\WINNT\System32\NTME\brad32.exe
    C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\bentaa\beremote.exe
    C:\WINNT\system32\BRMFRSMG.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\CFGSAFE\AUTOCHK.EXE
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\steve\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://fastwebfinder.com
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download4.dialerconnection.com/download/dialer/cax.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.254.243.5/data/dialercab/IberoDialerHTML.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37853.5880439815
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://fastwebfinder.com
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 193.125.201.50 ie.search.msn.com

    O4 - HKLM\..\Run: [winmain] winmain.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download4.dialerconnection.com/download/dialer/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.254.243.5/data/dialercab/IberoDialerHTML.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

    Reboot, and delete the file winmain.exe.

    This may be a hidden file. See HERE for how to show hidden files.
     
  3. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Thank you for the Hijack This help.
    I could not find winmain.exe in my system though...
    I still have an aplication named Andando on my system. I have not been able to find informtion on it anywhere. Any ideas?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi jamesslf,

    What makes you think it´s an application?
    All I see is a local page being opened by IE.
    Is there anything else in that folder?

    Regards,

    Pieter
     
  5. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Pieter,
    Andando shows up on my start menu pointing to IE.
    It has also created a folder on my C drive.
    When I place the curser over it in the start menu, it indicates that it is a dialer.
    It may not be an application...
    I just have not seen it before and I am wary of new items with all of the bad things going around.
    Also in the folder is:
    andando.per 1KB PER File
    imac 3KB Icon
    index 10KB HTML Document
    load 3KB Shockwave Flash Object

    and a series of GIFs

    Should I ignore/delete?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi jamesslf,

    Move the folder in it's entirity to another location.
    Preferably zipped up, but that´s not really necessary.
    If any files are in use, you will be prompted about it.
    If anything needs one of those files, you will get an error report.
    I can't imagine these files are necessary for your computer to function properly, but simply deleting them, might turn out to be a unpleasant way to be proved wrong.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.