Dialer - Log

Discussion in 'adware, spyware & hijack cleaning' started by PeteRUK, May 6, 2004.

  1. PeteRUK

    PeteRUK Guest

    Hello

    I am having problems getting rid of the 1on1/XXX server dialer which has been causing me problems for a couple of days. I have run the latest versions of Spybot S&D and ad-aware on my system.

    I have also run some checks on my system and found the following suspicious files (locations in brackets):

    SVCHOST.EXE (C:\1386)

    SVCHOST.EXE-2DFBD18.PF (C:\WINDOWS\PREFETCH)

    I have also created the following system log using HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 20:48:58, on 05/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\csrss.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\SECRETMAKER\secretmaker.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\Peter Riddleston\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)

    I'd be really grateful if you could let me know what steps I need to take to clean my computer and how I will know that is clean.

    Many thanks in anticipation of your help.

    Kind regards.

    PeteR
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello PeteRUK,

    Important: Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
    Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy please.

    Also, please do a direct copy and paste of the HijackThis log. Please read this for further guidance:
    http://tomcoyote.com/hjt/#copyandpaste

    After doing the above, post a new log and I or one of the other board staff will help you.
     
  3. PeteRUK

    PeteRUK Guest

    Thanks for your swift response Nick.

    I will do this and post a new log later today.

    PeteRUK
     
  4. PeteRUK

    PeteRUK Guest

    Log attached.

    Thanks for your help...

    Logfile of HijackThis v1.97.7
    Scan saved at 17:52:15, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\csrss.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\SECRETMAKER\secretmaker.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Peter Riddleston\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi PeteRUK,

    Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)

    O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i

    Then reboot into safe mode and delete:
    C:\WINDOWS\csrss.exe <= NOTE: only the one in that folder

    Regards,

    Pieter
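A defender-side check for the two patterns Pieter's fix targets: a core Windows binary name (here csrss.exe) started from C:\WINDOWS instead of System32, both as a running process and as an HKLM Run entry, and a BHO whose DLL is gone. This is an added Python example, not code from this thread or from HijackThis; the sample log is a constructed subset of the lines posted above.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes that legitimately run only from the System32 directory.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe"}
SYSTEM_DIR = "c:\\windows\\system32"

# First drive-letter path to an .exe/.dll in a HijackThis entry, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))\b', re.IGNORECASE)


def masquerading(path: str) -> bool:
    """True when a core system binary name runs from outside System32."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() != SYSTEM_DIR


def triage_hjt_log(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for suspicious entries in a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if re.match(r"[RO]\d+ - ", line):   # first R/O entry ends the process list
            in_processes = False
        if in_processes:
            if masquerading(line):
                findings.append(("system binary name outside System32", line))
        elif line.startswith("O4 - "):      # autostart: Run keys and Startup folders
            m = PATH_RE.search(line)
            if m and masquerading(m.group(1)):
                findings.append(("autostart runs system binary name outside System32", line))
        elif line.startswith("O2 - ") and "(file missing)" in line:
            findings.append(("BHO registered but its DLL is missing", line))
    return findings


# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
"""

if __name__ == "__main__":
    for reason, entry in triage_hjt_log(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Paths that match a legitimate System32 location, such as the two svchost.exe processes in the posted log, are not flagged, which is the point of Pieter's note to delete only the copy in C:\WINDOWS.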
     
  6. PeteRUK

    PeteRUK Guest

    Thanks for your response Pieter - it is very much appreciated.

    Just to clarify with regard to unzipping hijackthis.exe into its own folder.... (I'm no expert so I thought it best to check....)

    I have saved hijackthis.exe into a folder on my C: drive. When I go into it, it shows the zip file. Do I need to open the zip file and then re-save it, or is it OK to unzip the file each time I run HijackThis?

    Thanks again.

    Regards.

    Peter
     
  7. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
  8. PeteRUK

    PeteRUK Guest

    HotKiss Dialer

    Many thanks for your help with this. I have followed Nick and Pieter's advice and it appears to have solved the problem.

    I was at a loss as to how to get rid of this complete menace from my PC. I wanted to say thank you for your help and your patience in dealing with my queries (I am no computer expert!).

    You all deserve a huge amount of credit for the good work you do on this site.

    Kind regards.

    PeteRUK
     