Andando Dialer?

Discussion in 'adware, spyware & hijack cleaning' started by jamesslf, Feb 26, 2004.

Thread Status:
Not open for further replies.
  1. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Can someone help me purge this?
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\andando\index.htm

    Logfile of HijackThis v1.97.5
    Scan saved at 1:40:22 PM, on 2/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\NTME\METHWNT.EXE
    C:\WINNT\System32\NTME\brad32.exe
    C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\bentaa\beremote.exe
    C:\WINNT\system32\BRMFRSMG.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\CFGSAFE\AUTOCHK.EXE
    C:\Program Files\Common Files\efax\HotTray.exe
    C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\steve\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://fastwebfinder.com
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
    O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download4.dialerconnection.com/download/dialer/cax.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.254.243.5/data/dialercab/IberoDialerHTML.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37853.5880439815
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://fastwebfinder.com
    R3 - URLSearchHook: (no name) - _{DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 193.125.201.50 ie.search.msn.com

    O4 - HKLM\..\Run: [winmain] winmain.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download4.dialerconnection.com/download/dialer/cax.cab
    O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.254.243.5/data/dialercab/IberoDialerHTML.cab
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll

    Reboot, and delete the file winmain.exe.

    This may be a hidden file. See HERE for how to show hidden files.
     
  3. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Thank you for the Hijack This help.
    I could not find winmain.exe in my system though...
    I still have an aplication named Andando on my system. I have not been able to find informtion on it anywhere. Any ideas?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jamesslf,

    What makes you think it´s an application?
    All I see is a local page being opened by IE.
    Is there anything else in that folder?

    Regards,

    Pieter
     
  5. jamesslf

    jamesslf Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    4
    Pieter,
    Andando shows up on my start menu pointing to IE.
    It has also created a folder on my C drive.
    When I place the curser over it in the start menu, it indicates that it is a dialer.
    It may not be an application...
    I just have not seen it before and I am wary of new items with all of the bad things going around.
    Also in the folder is:
    andando.per 1KB PER File
    imac 3KB Icon
    index 10KB HTML Document
    load 3KB Shockwave Flash Object

    and a series of GIFs

    Should I ignore/delete?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jamesslf,

    Move the folder in it's entirity to another location.
    Preferably zipped up, but that´s not really necessary.
    If any files are in use, you will be prompted about it.
    If anything needs one of those files, you will get an error report.
    I can't imagine these files are necessary for your computer to function properly, but simply deleting them, might turn out to be a unpleasant way to be proved wrong.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.